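// NOTE(review): this listing was recovered from a copy in which line breaks and every
// `<...>` type-parameter list had been stripped. The generic arguments below were
// reconstructed from the `#[prost(...)]` attributes, the field docs and the usual shape
// of tonic-generated clients; confirm them against the generator output before use.

/// Encapsulates settings provided to GetIamPolicy.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct GetPolicyOptions {
    /// Optional. The policy format version to be returned.
    ///
    /// Valid values are 0, 1, and 3. Requests specifying an invalid value will be
    /// rejected.
    ///
    /// Requests for policies with any conditional bindings must specify version 3.
    /// Policies without any conditional bindings may specify any valid value or
    /// leave the field unset.
    #[prost(int32, tag = "1")]
    pub requested_policy_version: i32,
}

/// Defines an Identity and Access Management (IAM) policy. It is used to
/// specify access control policies for Cloud Platform resources.
///
/// A `Policy` is a collection of `bindings`. A `binding` binds one or more
/// `members` to a single `role`. Members can be user accounts, service accounts,
/// Google groups, and domains (such as G Suite). A `role` is a named list of
/// permissions (defined by IAM or configured by users). A `binding` can
/// optionally specify a `condition`, which is a logic expression that further
/// constrains the role binding based on attributes about the request and/or
/// target resource.
///
/// **JSON Example**
///
/// ```json
/// {
///   "bindings": [
///     {
///       "role": "roles/resourcemanager.organizationAdmin",
///       "members": [
///         "user:mike@example.com",
///         "group:admins@example.com",
///         "domain:google.com",
///         "serviceAccount:my-project-id@appspot.gserviceaccount.com"
///       ]
///     },
///     {
///       "role": "roles/resourcemanager.organizationViewer",
///       "members": ["user:eve@example.com"],
///       "condition": {
///         "title": "expirable access",
///         "description": "Does not grant access after Sep 2020",
///         "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"
///       }
///     }
///   ]
/// }
/// ```
///
/// **YAML Example**
///
/// ```yaml
/// bindings:
/// - members:
///   - user:mike@example.com
///   - group:admins@example.com
///   - domain:google.com
///   - serviceAccount:my-project-id@appspot.gserviceaccount.com
///   role: roles/resourcemanager.organizationAdmin
/// - members:
///   - user:eve@example.com
///   role: roles/resourcemanager.organizationViewer
///   condition:
///     title: expirable access
///     description: Does not grant access after Sep 2020
///     expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
/// ```
///
/// For a description of IAM and its features, see the IAM developer's guide.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct Policy {
    /// Specifies the format of the policy.
    ///
    /// Valid values are 0, 1, and 3. Requests specifying an invalid value will be
    /// rejected.
    ///
    /// Operations affecting conditional bindings must specify version 3. This can
    /// be either setting a conditional policy, modifying a conditional binding,
    /// or removing a binding (conditional or unconditional) from the stored
    /// conditional policy.
    /// Operations on non-conditional policies may specify any valid value or
    /// leave the field unset.
    ///
    /// If no etag is provided in the call to `setIamPolicy`, version compliance
    /// checks against the stored policy are skipped.
    #[prost(int32, tag = "1")]
    pub version: i32,
    /// Associates a list of `members` to a `role`. Optionally may specify a
    /// `condition` that determines when binding is in effect.
    /// `bindings` with no members will result in an error.
    #[prost(message, repeated, tag = "4")]
    pub bindings: ::prost::alloc::vec::Vec<Binding>,
    /// `etag` is used for optimistic concurrency control as a way to help
    /// prevent simultaneous updates of a policy from overwriting each other.
    /// It is strongly suggested that systems make use of the `etag` in the
    /// read-modify-write cycle to perform policy updates in order to avoid race
    /// conditions: An `etag` is returned in the response to `getIamPolicy`, and
    /// systems are expected to put that etag in the request to `setIamPolicy` to
    /// ensure that their change will be applied to the same version of the policy.
    ///
    /// If no `etag` is provided in the call to `setIamPolicy`, then the existing
    /// policy is overwritten. Due to blind-set semantics of an etag-less policy,
    /// 'setIamPolicy' will not fail even if the incoming policy version does not
    /// meet the requirements for modifying the stored policy.
    ///
    /// Security note: an empty `etag` on a write is a blind overwrite that also
    /// skips the version check described on `version`. Always carry over the
    /// value returned by `getIamPolicy`.
    #[prost(bytes = "vec", tag = "3")]
    pub etag: ::prost::alloc::vec::Vec<u8>,
}

/// Associates `members` with a `role`.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct Binding {
    /// Role that is assigned to `members`.
    /// For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
    #[prost(string, tag = "1")]
    pub role: ::prost::alloc::string::String,
    /// Specifies the identities requesting access for a Cloud Platform resource.
    /// `members` can have the following values:
    ///
    /// * `allUsers`: A special identifier that represents anyone who is
    ///    on the internet; with or without a Google account.
    ///
    /// * `allAuthenticatedUsers`: A special identifier that represents anyone
    ///    who is authenticated with a Google account or a service account.
    ///
    /// * `user:{emailid}`: An email address that represents a specific Google
    ///    account. For example, `alice@example.com`.
    ///
    /// * `serviceAccount:{emailid}`: An email address that represents a service
    ///    account. For example, `my-other-app@appspot.gserviceaccount.com`.
    ///
    /// * `group:{emailid}`: An email address that represents a Google group.
    ///    For example, `admins@example.com`.
    ///
    /// * `domain:{domain}`: The G Suite domain (primary) that represents all the
    ///    users of that domain. For example, `google.com` or `example.com`.
    ///
    /// Security note: `allUsers` and `allAuthenticatedUsers` grant the role to
    /// principals outside your control (`allUsers` includes unauthenticated
    /// callers). Add them only deliberately and audit policies for them.
    #[prost(string, repeated, tag = "2")]
    pub members: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// The condition that is associated with this binding.
    /// NOTE: An unsatisfied condition will not allow user access via current
    /// binding. Different bindings, including their conditions, are examined
    /// independently.
    #[prost(message, optional, tag = "3")]
    pub condition: ::core::option::Option<super::super::r#type::Expr>,
}

/// The difference delta between two policies.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct PolicyDelta {
    /// The delta for Bindings between two policies.
    #[prost(message, repeated, tag = "1")]
    pub binding_deltas: ::prost::alloc::vec::Vec<BindingDelta>,
    /// The delta for AuditConfigs between two policies.
    #[prost(message, repeated, tag = "2")]
    pub audit_config_deltas: ::prost::alloc::vec::Vec<AuditConfigDelta>,
}

/// One delta entry for Binding. Each individual change (only one member in each
/// entry) to a binding will be a separate entry.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct BindingDelta {
    /// The action that was performed on a Binding.
    /// Required
    // Stored as the raw wire value; the attribute ties it to `binding_delta::Action`.
    #[prost(enumeration = "binding_delta::Action", tag = "1")]
    pub action: i32,
    /// Role that is assigned to `members`.
    /// For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
    /// Required
    #[prost(string, tag = "2")]
    pub role: ::prost::alloc::string::String,
    /// A single identity requesting access for a Cloud Platform resource.
    /// Follows the same format of Binding.members.
    /// Required
    #[prost(string, tag = "3")]
    pub member: ::prost::alloc::string::String,
    /// The condition that is associated with this binding.
    #[prost(message, optional, tag = "4")]
    pub condition: ::core::option::Option<super::super::r#type::Expr>,
}

/// Nested message and enum types in `BindingDelta`.
pub mod binding_delta {
    /// The type of action performed on a Binding in a policy.
    #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
    #[repr(i32)]
    pub enum Action {
        /// Unspecified.
        Unspecified = 0,
        /// Addition of a Binding.
        Add = 1,
        /// Removal of a Binding.
        Remove = 2,
    }
}

/// One delta entry for AuditConfig. Each individual change (only one
/// exempted_member in each entry) to an AuditConfig will be a separate entry.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct AuditConfigDelta {
    /// The action that was performed on an audit configuration in a policy.
    /// Required
    // Stored as the raw wire value; the attribute ties it to `audit_config_delta::Action`.
    #[prost(enumeration = "audit_config_delta::Action", tag = "1")]
    pub action: i32,
    /// Specifies a service that was configured for Cloud Audit Logging.
    /// For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
    /// `allServices` is a special value that covers all services.
    /// Required
    #[prost(string, tag = "2")]
    pub service: ::prost::alloc::string::String,
    /// A single identity that is exempted from "data access" audit
    /// logging for the `service` specified above.
    /// Follows the same format of Binding.members.
    #[prost(string, tag = "3")]
    pub exempted_member: ::prost::alloc::string::String,
    /// Specifies the log_type that was enabled. ADMIN_ACTIVITY is always
    /// enabled, and cannot be configured.
    /// Required
    #[prost(string, tag = "4")]
    pub log_type: ::prost::alloc::string::String,
}

/// Nested message and enum types in `AuditConfigDelta`.
pub mod audit_config_delta {
    /// The type of action performed on an audit configuration in a policy.
    #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
    #[repr(i32)]
    pub enum Action {
        /// Unspecified.
        Unspecified = 0,
        /// Addition of an audit configuration.
        Add = 1,
        /// Removal of an audit configuration.
        Remove = 2,
    }
}

/// Request message for `SetIamPolicy` method.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct SetIamPolicyRequest {
    /// REQUIRED: The resource for which the policy is being specified.
    /// See the operation documentation for the appropriate value for this field.
    #[prost(string, tag = "1")]
    pub resource: ::prost::alloc::string::String,
    /// REQUIRED: The complete policy to be applied to the `resource`. The size of
    /// the policy is limited to a few 10s of KB. An empty policy is a
    /// valid policy but certain Cloud Platform services (such as Projects)
    /// might reject them.
    #[prost(message, optional, tag = "2")]
    pub policy: ::core::option::Option<Policy>,
}

/// Request message for `GetIamPolicy` method.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct GetIamPolicyRequest {
    /// REQUIRED: The resource for which the policy is being requested.
    /// See the operation documentation for the appropriate value for this field.
    #[prost(string, tag = "1")]
    pub resource: ::prost::alloc::string::String,
    /// OPTIONAL: A `GetPolicyOptions` object for specifying options to
    /// `GetIamPolicy`. This field is only used by Cloud IAM.
    #[prost(message, optional, tag = "2")]
    pub options: ::core::option::Option<GetPolicyOptions>,
}

/// Request message for `TestIamPermissions` method.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct TestIamPermissionsRequest {
    /// REQUIRED: The resource for which the policy detail is being requested.
    /// See the operation documentation for the appropriate value for this field.
    #[prost(string, tag = "1")]
    pub resource: ::prost::alloc::string::String,
    /// The set of permissions to check for the `resource`. Permissions with
    /// wildcards (such as '*' or 'storage.*') are not allowed. For more
    /// information see the IAM Overview.
    #[prost(string, repeated, tag = "2")]
    pub permissions: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
}

/// Response message for `TestIamPermissions` method.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct TestIamPermissionsResponse {
    /// A subset of `TestIamPermissionsRequest.permissions` that the caller is
    /// allowed.
    #[prost(string, repeated, tag = "1")]
    pub permissions: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
}

/// Generated client implementations.
pub mod iam_policy_client {
    #![allow(unused_variables, dead_code, missing_docs, clippy::let_unit_value)]
    use tonic::codegen::*;

    /// ## API Overview
    ///
    /// Manages Identity and Access Management (IAM) policies.
    ///
    /// Any implementation of an API that offers access control features
    /// implements the google.iam.v1.IAMPolicy interface.
    ///
    /// ## Data model
    ///
    /// Access control is applied when a principal (user or service account), takes
    /// some action on a resource exposed by a service. Resources, identified by
    /// URI-like names, are the unit of access control specification. Service
    /// implementations can choose the granularity of access control and the
    /// supported permissions for their resources.
    /// For example one database service may allow access control to be
    /// specified only at the Table level, whereas another might allow access control
    /// to also be specified at the Column level.
    ///
    /// ## Policy Structure
    ///
    /// See google.iam.v1.Policy
    ///
    /// This is intentionally not a CRUD style API because access control policies
    /// are created and deleted implicitly with the resources to which they are
    /// attached.
    #[derive(Debug, Clone)]
    pub struct IamPolicyClient<T> {
        inner: tonic::client::Grpc<T>,
    }

    impl<T> IamPolicyClient<T>
    where
        T: tonic::client::GrpcService<tonic::body::BoxBody>,
        T::ResponseBody: Body + Send + 'static,
        T::Error: Into<StdError>,
        <T::ResponseBody as Body>::Error: Into<StdError> + Send,
    {
        /// Wraps `inner` in a `tonic::client::Grpc` and returns the client.
        pub fn new(inner: T) -> Self {
            let inner = tonic::client::Grpc::new(inner);
            Self { inner }
        }

        /// Builds a client whose transport is `inner` wrapped in an
        /// `InterceptedService` that applies `interceptor`.
        pub fn with_interceptor<F>(
            inner: T,
            interceptor: F,
        ) -> IamPolicyClient<InterceptedService<T, F>>
        where
            F: tonic::service::Interceptor,
            T: tonic::codegen::Service<
                http::Request<tonic::body::BoxBody>,
                Response = http::Response<
                    <T as tonic::client::GrpcService<tonic::body::BoxBody>>::ResponseBody,
                >,
            >,
            <T as tonic::codegen::Service<http::Request<tonic::body::BoxBody>>>::Error:
                Into<StdError> + Send + Sync,
        {
            IamPolicyClient::new(InterceptedService::new(inner, interceptor))
        }

        /// Compress requests with `gzip`.
        ///
        /// This requires the server to support it otherwise it might respond with an
        /// error.
        pub fn send_gzip(mut self) -> Self {
            self.inner = self.inner.send_gzip();
            self
        }

        /// Enable decompressing responses with `gzip`.
        pub fn accept_gzip(mut self) -> Self {
            self.inner = self.inner.accept_gzip();
            self
        }

        /// Sets the access control policy on the specified resource. Replaces any
        /// existing policy.
        ///
        /// # Errors
        ///
        /// Returns a `tonic::Status` with `Code::Unknown` when the underlying
        /// service is not ready, otherwise whatever status the unary call yields.
        pub async fn set_iam_policy(
            &mut self,
            request: impl tonic::IntoRequest<super::SetIamPolicyRequest>,
        ) -> Result<tonic::Response<super::Policy>, tonic::Status> {
            // Wait for the transport before sending; a readiness failure is
            // reported to the caller as `Unknown`.
            self.inner.ready().await.map_err(|e| {
                tonic::Status::new(
                    tonic::Code::Unknown,
                    format!("Service was not ready: {}", e.into()),
                )
            })?;
            let codec = tonic::codec::ProstCodec::default();
            let path =
                http::uri::PathAndQuery::from_static("/google.iam.v1.IAMPolicy/SetIamPolicy");
            self.inner.unary(request.into_request(), path, codec).await
        }

        /// Gets the access control policy for a resource.
        /// Returns an empty policy if the resource exists and does not have a policy
        /// set.
        ///
        /// # Errors
        ///
        /// Returns a `tonic::Status` with `Code::Unknown` when the underlying
        /// service is not ready, otherwise whatever status the unary call yields.
        pub async fn get_iam_policy(
            &mut self,
            request: impl tonic::IntoRequest<super::GetIamPolicyRequest>,
        ) -> Result<tonic::Response<super::Policy>, tonic::Status> {
            self.inner.ready().await.map_err(|e| {
                tonic::Status::new(
                    tonic::Code::Unknown,
                    format!("Service was not ready: {}", e.into()),
                )
            })?;
            let codec = tonic::codec::ProstCodec::default();
            let path =
                http::uri::PathAndQuery::from_static("/google.iam.v1.IAMPolicy/GetIamPolicy");
            self.inner.unary(request.into_request(), path, codec).await
        }

        /// Returns permissions that a caller has on the specified resource.
        /// If the resource does not exist, this will return an empty set of
        /// permissions, not a NOT_FOUND error.
        ///
        /// Note: This operation is designed to be used for building permission-aware
        /// UIs and command-line tools, not for authorization checking. This operation
        /// may "fail open" without warning.
        ///
        /// Security note: never gate access on this response; the access decision
        /// must be enforced by the service that owns the resource.
        ///
        /// # Errors
        ///
        /// Returns a `tonic::Status` with `Code::Unknown` when the underlying
        /// service is not ready, otherwise whatever status the unary call yields.
        pub async fn test_iam_permissions(
            &mut self,
            request: impl tonic::IntoRequest<super::TestIamPermissionsRequest>,
        ) -> Result<tonic::Response<super::TestIamPermissionsResponse>, tonic::Status> {
            self.inner.ready().await.map_err(|e| {
                tonic::Status::new(
                    tonic::Code::Unknown,
                    format!("Service was not ready: {}", e.into()),
                )
            })?;
            let codec = tonic::codec::ProstCodec::default();
            let path = http::uri::PathAndQuery::from_static(
                "/google.iam.v1.IAMPolicy/TestIamPermissions",
            );
            self.inner.unary(request.into_request(), path, codec).await
        }
    }
}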