google_cloud_googleapis/google.iam.v1.rs
1// This file is @generated by prost-build.
2/// Encapsulates settings provided to GetIamPolicy.
3#[allow(clippy::derive_partial_eq_without_eq)]
4#[derive(Clone, Copy, PartialEq, ::prost::Message)]
5pub struct GetPolicyOptions {
6 /// Optional. The maximum policy version that will be used to format the
7 /// policy.
8 ///
9 /// Valid values are 0, 1, and 3. Requests specifying an invalid value will be
10 /// rejected.
11 ///
12 /// Requests for policies with any conditional role bindings must specify
13 /// version 3. Policies with no conditional role bindings may specify any valid
14 /// value or leave the field unset.
15 ///
16 /// The policy in the response might use the policy version that you specified,
17 /// or it might use a lower policy version. For example, if you specify version
18 /// 3, but the policy has no conditional role bindings, the response uses
19 /// version 1.
20 ///
21 /// To learn which resources support conditions in their IAM policies, see the
22 /// [IAM
23 /// documentation](<https://cloud.google.com/iam/help/conditions/resource-policies>).
24 #[prost(int32, tag = "1")]
25 pub requested_policy_version: i32,
26}
27/// An Identity and Access Management (IAM) policy, which specifies access
28/// controls for Google Cloud resources.
29///
30///
31/// A `Policy` is a collection of `bindings`. A `binding` binds one or more
32/// `members`, or principals, to a single `role`. Principals can be user
33/// accounts, service accounts, Google groups, and domains (such as G Suite). A
34/// `role` is a named list of permissions; each `role` can be an IAM predefined
35/// role or a user-created custom role.
36///
37/// For some types of Google Cloud resources, a `binding` can also specify a
38/// `condition`, which is a logical expression that allows access to a resource
39/// only if the expression evaluates to `true`. A condition can add constraints
40/// based on attributes of the request, the resource, or both. To learn which
41/// resources support conditions in their IAM policies, see the
42/// [IAM
43/// documentation](<https://cloud.google.com/iam/help/conditions/resource-policies>).
44///
45/// **JSON example:**
46///
47/// ```
48/// {
49/// "bindings": [
50/// {
51/// "role": "roles/resourcemanager.organizationAdmin",
52/// "members": [
53/// "user:mike@example.com",
54/// "group:admins@example.com",
55/// "domain:google.com",
56/// "serviceAccount:my-project-id@appspot.gserviceaccount.com"
57/// ]
58/// },
59/// {
60/// "role": "roles/resourcemanager.organizationViewer",
61/// "members": [
62/// "user:eve@example.com"
63/// ],
64/// "condition": {
65/// "title": "expirable access",
66/// "description": "Does not grant access after Sep 2020",
67/// "expression": "request.time <
68/// timestamp('2020-10-01T00:00:00.000Z')",
69/// }
70/// }
71/// ],
72/// "etag": "BwWWja0YfJA=",
73/// "version": 3
74/// }
75/// ```
76///
77/// **YAML example:**
78///
79/// ```
80/// bindings:
81/// - members:
82/// - user:mike@example.com
83/// - group:admins@example.com
84/// - domain:google.com
85/// - serviceAccount:my-project-id@appspot.gserviceaccount.com
86/// role: roles/resourcemanager.organizationAdmin
87/// - members:
88/// - user:eve@example.com
89/// role: roles/resourcemanager.organizationViewer
90/// condition:
91/// title: expirable access
92/// description: Does not grant access after Sep 2020
93/// expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
94/// etag: BwWWja0YfJA=
95/// version: 3
96/// ```
97///
98/// For a description of IAM and its features, see the
99/// [IAM documentation](<https://cloud.google.com/iam/docs/>).
100#[allow(clippy::derive_partial_eq_without_eq)]
101#[derive(Clone, PartialEq, ::prost::Message)]
102pub struct Policy {
103 /// Specifies the format of the policy.
104 ///
105 /// Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
106 /// are rejected.
107 ///
108 /// Any operation that affects conditional role bindings must specify version
109 /// `3`. This requirement applies to the following operations:
110 ///
111 /// * Getting a policy that includes a conditional role binding
112 /// * Adding a conditional role binding to a policy
113 /// * Changing a conditional role binding in a policy
114 /// * Removing any role binding, with or without a condition, from a policy
115 /// that includes conditions
116 ///
117 /// **Important:** If you use IAM Conditions, you must include the `etag` field
118 /// whenever you call `setIamPolicy`. If you omit this field, then IAM allows
119 /// you to overwrite a version `3` policy with a version `1` policy, and all of
120 /// the conditions in the version `3` policy are lost.
121 ///
122 /// If a policy does not include any conditions, operations on that policy may
123 /// specify any valid version or leave the field unset.
124 ///
125 /// To learn which resources support conditions in their IAM policies, see the
126 /// [IAM
127 /// documentation](<https://cloud.google.com/iam/help/conditions/resource-policies>).
128 #[prost(int32, tag = "1")]
129 pub version: i32,
130 /// Associates a list of `members`, or principals, with a `role`. Optionally,
131 /// may specify a `condition` that determines how and when the `bindings` are
132 /// applied. Each of the `bindings` must contain at least one principal.
133 ///
134 /// The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
135 /// of these principals can be Google groups. Each occurrence of a principal
136 /// counts towards these limits. For example, if the `bindings` grant 50
137 /// different roles to `user:alice@example.com`, and not to any other
138 /// principal, then you can add another 1,450 principals to the `bindings` in
139 /// the `Policy`.
140 #[prost(message, repeated, tag = "4")]
141 pub bindings: ::prost::alloc::vec::Vec<Binding>,
142 /// Specifies cloud audit logging configuration for this policy.
143 #[prost(message, repeated, tag = "6")]
144 pub audit_configs: ::prost::alloc::vec::Vec<AuditConfig>,
145 /// `etag` is used for optimistic concurrency control as a way to help
146 /// prevent simultaneous updates of a policy from overwriting each other.
147 /// It is strongly suggested that systems make use of the `etag` in the
148 /// read-modify-write cycle to perform policy updates in order to avoid race
149 /// conditions: An `etag` is returned in the response to `getIamPolicy`, and
150 /// systems are expected to put that etag in the request to `setIamPolicy` to
151 /// ensure that their change will be applied to the same version of the policy.
152 ///
153 /// **Important:** If you use IAM Conditions, you must include the `etag` field
154 /// whenever you call `setIamPolicy`. If you omit this field, then IAM allows
155 /// you to overwrite a version `3` policy with a version `1` policy, and all of
156 /// the conditions in the version `3` policy are lost.
157 #[prost(bytes = "vec", tag = "3")]
158 pub etag: ::prost::alloc::vec::Vec<u8>,
159}
160/// Associates `members`, or principals, with a `role`.
161#[allow(clippy::derive_partial_eq_without_eq)]
162#[derive(Clone, PartialEq, ::prost::Message)]
163pub struct Binding {
164 /// Role that is assigned to the list of `members`, or principals.
165 /// For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
166 #[prost(string, tag = "1")]
167 pub role: ::prost::alloc::string::String,
168 /// Specifies the principals requesting access for a Google Cloud resource.
169 /// `members` can have the following values:
170 ///
171 /// * `allUsers`: A special identifier that represents anyone who is
172 /// on the internet; with or without a Google account.
173 ///
174 /// * `allAuthenticatedUsers`: A special identifier that represents anyone
175 /// who is authenticated with a Google account or a service account.
176 ///
177 /// * `user:{emailid}`: An email address that represents a specific Google
178 /// account. For example, `alice@example.com` .
179 ///
180 ///
181 /// * `serviceAccount:{emailid}`: An email address that represents a service
182 /// account. For example, `my-other-app@appspot.gserviceaccount.com`.
183 ///
184 /// * `group:{emailid}`: An email address that represents a Google group.
185 /// For example, `admins@example.com`.
186 ///
187 /// * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
188 /// identifier) representing a user that has been recently deleted. For
189 /// example, `alice@example.com?uid=123456789012345678901`. If the user is
190 /// recovered, this value reverts to `user:{emailid}` and the recovered user
191 /// retains the role in the binding.
192 ///
193 /// * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
194 /// unique identifier) representing a service account that has been recently
195 /// deleted. For example,
196 /// `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
197 /// If the service account is undeleted, this value reverts to
198 /// `serviceAccount:{emailid}` and the undeleted service account retains the
199 /// role in the binding.
200 ///
201 /// * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
202 /// identifier) representing a Google group that has been recently
203 /// deleted. For example, `admins@example.com?uid=123456789012345678901`. If
204 /// the group is recovered, this value reverts to `group:{emailid}` and the
205 /// recovered group retains the role in the binding.
206 ///
207 ///
208 /// * `domain:{domain}`: The G Suite domain (primary) that represents all the
209 /// users of that domain. For example, `google.com` or `example.com`.
210 ///
211 ///
212 #[prost(string, repeated, tag = "2")]
213 pub members: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
214 /// The condition that is associated with this binding.
215 ///
216 /// If the condition evaluates to `true`, then this binding applies to the
217 /// current request.
218 ///
219 /// If the condition evaluates to `false`, then this binding does not apply to
220 /// the current request. However, a different role binding might grant the same
221 /// role to one or more of the principals in this binding.
222 ///
223 /// To learn which resources support conditions in their IAM policies, see the
224 /// [IAM
225 /// documentation](<https://cloud.google.com/iam/help/conditions/resource-policies>).
226 #[prost(message, optional, tag = "3")]
227 pub condition: ::core::option::Option<super::super::r#type::Expr>,
228}
229/// Specifies the audit configuration for a service.
230/// The configuration determines which permission types are logged, and what
231/// identities, if any, are exempted from logging.
232/// An AuditConfig must have one or more AuditLogConfigs.
233///
234/// If there are AuditConfigs for both `allServices` and a specific service,
235/// the union of the two AuditConfigs is used for that service: the log_types
236/// specified in each AuditConfig are enabled, and the exempted_members in each
237/// AuditLogConfig are exempted.
238///
239/// Example Policy with multiple AuditConfigs:
240///
241/// {
242/// "audit_configs": [
243/// {
244/// "service": "allServices",
245/// "audit_log_configs": [
246/// {
247/// "log_type": "DATA_READ",
248/// "exempted_members": [
249/// "user:jose@example.com"
250/// ]
251/// },
252/// {
253/// "log_type": "DATA_WRITE"
254/// },
255/// {
256/// "log_type": "ADMIN_READ"
257/// }
258/// ]
259/// },
260/// {
261/// "service": "sampleservice.googleapis.com",
262/// "audit_log_configs": [
263/// {
264/// "log_type": "DATA_READ"
265/// },
266/// {
267/// "log_type": "DATA_WRITE",
268/// "exempted_members": [
269/// "user:aliya@example.com"
270/// ]
271/// }
272/// ]
273/// }
274/// ]
275/// }
276///
277/// For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
278/// logging. It also exempts `jose@example.com` from DATA_READ logging, and
279/// `aliya@example.com` from DATA_WRITE logging.
280#[allow(clippy::derive_partial_eq_without_eq)]
281#[derive(Clone, PartialEq, ::prost::Message)]
282pub struct AuditConfig {
283 /// Specifies a service that will be enabled for audit logging.
284 /// For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
285 /// `allServices` is a special value that covers all services.
286 #[prost(string, tag = "1")]
287 pub service: ::prost::alloc::string::String,
288 /// The configuration for logging of each type of permission.
289 #[prost(message, repeated, tag = "3")]
290 pub audit_log_configs: ::prost::alloc::vec::Vec<AuditLogConfig>,
291}
292/// Provides the configuration for logging a type of permissions.
293/// Example:
294///
295/// {
296/// "audit_log_configs": [
297/// {
298/// "log_type": "DATA_READ",
299/// "exempted_members": [
300/// "user:jose@example.com"
301/// ]
302/// },
303/// {
304/// "log_type": "DATA_WRITE"
305/// }
306/// ]
307/// }
308///
309/// This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
310/// jose@example.com from DATA_READ logging.
311#[allow(clippy::derive_partial_eq_without_eq)]
312#[derive(Clone, PartialEq, ::prost::Message)]
313pub struct AuditLogConfig {
314 /// The log type that this config enables.
315 #[prost(enumeration = "audit_log_config::LogType", tag = "1")]
316 pub log_type: i32,
317 /// Specifies the identities that do not cause logging for this type of
318 /// permission.
319 /// Follows the same format of
320 /// [Binding.members][google.iam.v1.Binding.members].
321 #[prost(string, repeated, tag = "2")]
322 pub exempted_members: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
323}
324/// Nested message and enum types in `AuditLogConfig`.
325pub mod audit_log_config {
326 /// The list of valid permission types for which logging can be configured.
327 /// Admin writes are always logged, and are not configurable.
328 #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
329 #[repr(i32)]
330 pub enum LogType {
331 /// Default case. Should never be this.
332 Unspecified = 0,
333 /// Admin reads. Example: CloudIAM getIamPolicy
334 AdminRead = 1,
335 /// Data writes. Example: CloudSQL Users create
336 DataWrite = 2,
337 /// Data reads. Example: CloudSQL Users list
338 DataRead = 3,
339 }
340 impl LogType {
341 /// String value of the enum field names used in the ProtoBuf definition.
342 ///
343 /// The values are not transformed in any way and thus are considered stable
344 /// (if the ProtoBuf definition does not change) and safe for programmatic use.
345 pub fn as_str_name(&self) -> &'static str {
346 match self {
347 LogType::Unspecified => "LOG_TYPE_UNSPECIFIED",
348 LogType::AdminRead => "ADMIN_READ",
349 LogType::DataWrite => "DATA_WRITE",
350 LogType::DataRead => "DATA_READ",
351 }
352 }
353 /// Creates an enum from field names used in the ProtoBuf definition.
354 pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
355 match value {
356 "LOG_TYPE_UNSPECIFIED" => Some(Self::Unspecified),
357 "ADMIN_READ" => Some(Self::AdminRead),
358 "DATA_WRITE" => Some(Self::DataWrite),
359 "DATA_READ" => Some(Self::DataRead),
360 _ => None,
361 }
362 }
363 }
364}
365/// The difference delta between two policies.
366#[allow(clippy::derive_partial_eq_without_eq)]
367#[derive(Clone, PartialEq, ::prost::Message)]
368pub struct PolicyDelta {
369 /// The delta for Bindings between two policies.
370 #[prost(message, repeated, tag = "1")]
371 pub binding_deltas: ::prost::alloc::vec::Vec<BindingDelta>,
372 /// The delta for AuditConfigs between two policies.
373 #[prost(message, repeated, tag = "2")]
374 pub audit_config_deltas: ::prost::alloc::vec::Vec<AuditConfigDelta>,
375}
376/// One delta entry for Binding. Each individual change (only one member in each
377/// entry) to a binding will be a separate entry.
378#[allow(clippy::derive_partial_eq_without_eq)]
379#[derive(Clone, PartialEq, ::prost::Message)]
380pub struct BindingDelta {
381 /// The action that was performed on a Binding.
382 /// Required
383 #[prost(enumeration = "binding_delta::Action", tag = "1")]
384 pub action: i32,
385 /// Role that is assigned to `members`.
386 /// For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
387 /// Required
388 #[prost(string, tag = "2")]
389 pub role: ::prost::alloc::string::String,
390 /// A single identity requesting access for a Google Cloud resource.
391 /// Follows the same format of Binding.members.
392 /// Required
393 #[prost(string, tag = "3")]
394 pub member: ::prost::alloc::string::String,
395 /// The condition that is associated with this binding.
396 #[prost(message, optional, tag = "4")]
397 pub condition: ::core::option::Option<super::super::r#type::Expr>,
398}
399/// Nested message and enum types in `BindingDelta`.
400pub mod binding_delta {
401 /// The type of action performed on a Binding in a policy.
402 #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
403 #[repr(i32)]
404 pub enum Action {
405 /// Unspecified.
406 Unspecified = 0,
407 /// Addition of a Binding.
408 Add = 1,
409 /// Removal of a Binding.
410 Remove = 2,
411 }
412 impl Action {
413 /// String value of the enum field names used in the ProtoBuf definition.
414 ///
415 /// The values are not transformed in any way and thus are considered stable
416 /// (if the ProtoBuf definition does not change) and safe for programmatic use.
417 pub fn as_str_name(&self) -> &'static str {
418 match self {
419 Action::Unspecified => "ACTION_UNSPECIFIED",
420 Action::Add => "ADD",
421 Action::Remove => "REMOVE",
422 }
423 }
424 /// Creates an enum from field names used in the ProtoBuf definition.
425 pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
426 match value {
427 "ACTION_UNSPECIFIED" => Some(Self::Unspecified),
428 "ADD" => Some(Self::Add),
429 "REMOVE" => Some(Self::Remove),
430 _ => None,
431 }
432 }
433 }
434}
435/// One delta entry for AuditConfig. Each individual change (only one
436/// exempted_member in each entry) to a AuditConfig will be a separate entry.
437#[allow(clippy::derive_partial_eq_without_eq)]
438#[derive(Clone, PartialEq, ::prost::Message)]
439pub struct AuditConfigDelta {
440 /// The action that was performed on an audit configuration in a policy.
441 /// Required
442 #[prost(enumeration = "audit_config_delta::Action", tag = "1")]
443 pub action: i32,
444 /// Specifies a service that was configured for Cloud Audit Logging.
445 /// For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
446 /// `allServices` is a special value that covers all services.
447 /// Required
448 #[prost(string, tag = "2")]
449 pub service: ::prost::alloc::string::String,
450 /// A single identity that is exempted from "data access" audit
451 /// logging for the `service` specified above.
452 /// Follows the same format of Binding.members.
453 #[prost(string, tag = "3")]
454 pub exempted_member: ::prost::alloc::string::String,
455 /// Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always
456 /// enabled, and cannot be configured.
457 /// Required
458 #[prost(string, tag = "4")]
459 pub log_type: ::prost::alloc::string::String,
460}
461/// Nested message and enum types in `AuditConfigDelta`.
462pub mod audit_config_delta {
463 /// The type of action performed on an audit configuration in a policy.
464 #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
465 #[repr(i32)]
466 pub enum Action {
467 /// Unspecified.
468 Unspecified = 0,
469 /// Addition of an audit configuration.
470 Add = 1,
471 /// Removal of an audit configuration.
472 Remove = 2,
473 }
474 impl Action {
475 /// String value of the enum field names used in the ProtoBuf definition.
476 ///
477 /// The values are not transformed in any way and thus are considered stable
478 /// (if the ProtoBuf definition does not change) and safe for programmatic use.
479 pub fn as_str_name(&self) -> &'static str {
480 match self {
481 Action::Unspecified => "ACTION_UNSPECIFIED",
482 Action::Add => "ADD",
483 Action::Remove => "REMOVE",
484 }
485 }
486 /// Creates an enum from field names used in the ProtoBuf definition.
487 pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
488 match value {
489 "ACTION_UNSPECIFIED" => Some(Self::Unspecified),
490 "ADD" => Some(Self::Add),
491 "REMOVE" => Some(Self::Remove),
492 _ => None,
493 }
494 }
495 }
496}
497/// Request message for `SetIamPolicy` method.
498#[allow(clippy::derive_partial_eq_without_eq)]
499#[derive(Clone, PartialEq, ::prost::Message)]
500pub struct SetIamPolicyRequest {
501 /// REQUIRED: The resource for which the policy is being specified.
502 /// See the operation documentation for the appropriate value for this field.
503 #[prost(string, tag = "1")]
504 pub resource: ::prost::alloc::string::String,
505 /// REQUIRED: The complete policy to be applied to the `resource`. The size of
506 /// the policy is limited to a few 10s of KB. An empty policy is a
507 /// valid policy but certain Cloud Platform services (such as Projects)
508 /// might reject them.
509 #[prost(message, optional, tag = "2")]
510 pub policy: ::core::option::Option<Policy>,
511 /// OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
512 /// the fields in the mask will be modified. If no mask is provided, the
513 /// following default mask is used:
514 ///
515 /// `paths: "bindings, etag"`
516 #[prost(message, optional, tag = "3")]
517 pub update_mask: ::core::option::Option<::prost_types::FieldMask>,
518}
519/// Request message for `GetIamPolicy` method.
520#[allow(clippy::derive_partial_eq_without_eq)]
521#[derive(Clone, PartialEq, ::prost::Message)]
522pub struct GetIamPolicyRequest {
523 /// REQUIRED: The resource for which the policy is being requested.
524 /// See the operation documentation for the appropriate value for this field.
525 #[prost(string, tag = "1")]
526 pub resource: ::prost::alloc::string::String,
527 /// OPTIONAL: A `GetPolicyOptions` object for specifying options to
528 /// `GetIamPolicy`.
529 #[prost(message, optional, tag = "2")]
530 pub options: ::core::option::Option<GetPolicyOptions>,
531}
532/// Request message for `TestIamPermissions` method.
533#[allow(clippy::derive_partial_eq_without_eq)]
534#[derive(Clone, PartialEq, ::prost::Message)]
535pub struct TestIamPermissionsRequest {
536 /// REQUIRED: The resource for which the policy detail is being requested.
537 /// See the operation documentation for the appropriate value for this field.
538 #[prost(string, tag = "1")]
539 pub resource: ::prost::alloc::string::String,
540 /// The set of permissions to check for the `resource`. Permissions with
541 /// wildcards (such as '*' or 'storage.*') are not allowed. For more
542 /// information see
543 /// [IAM Overview](<https://cloud.google.com/iam/docs/overview#permissions>).
544 #[prost(string, repeated, tag = "2")]
545 pub permissions: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
546}
547/// Response message for `TestIamPermissions` method.
548#[allow(clippy::derive_partial_eq_without_eq)]
549#[derive(Clone, PartialEq, ::prost::Message)]
550pub struct TestIamPermissionsResponse {
551 /// A subset of `TestPermissionsRequest.permissions` that the caller is
552 /// allowed.
553 #[prost(string, repeated, tag = "1")]
554 pub permissions: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
555}
556/// Generated client implementations.
557pub mod iam_policy_client {
558 #![allow(unused_variables, dead_code, missing_docs, clippy::let_unit_value)]
559 use tonic::codegen::http::Uri;
560 use tonic::codegen::*;
561 /// API Overview
562 ///
563 ///
564 /// Manages Identity and Access Management (IAM) policies.
565 ///
566 /// Any implementation of an API that offers access control features
567 /// implements the google.iam.v1.IAMPolicy interface.
568 ///
569 /// ## Data model
570 ///
571 /// Access control is applied when a principal (user or service account), takes
572 /// some action on a resource exposed by a service. Resources, identified by
573 /// URI-like names, are the unit of access control specification. Service
574 /// implementations can choose the granularity of access control and the
575 /// supported permissions for their resources.
576 /// For example one database service may allow access control to be
577 /// specified only at the Table level, whereas another might allow access control
578 /// to also be specified at the Column level.
579 ///
580 /// ## Policy Structure
581 ///
582 /// See google.iam.v1.Policy
583 ///
584 /// This is intentionally not a CRUD style API because access control policies
585 /// are created and deleted implicitly with the resources to which they are
586 /// attached.
587 #[derive(Debug, Clone)]
588 pub struct IamPolicyClient<T> {
589 inner: tonic::client::Grpc<T>,
590 }
591 impl IamPolicyClient<tonic::transport::Channel> {
592 /// Attempt to create a new client by connecting to a given endpoint.
593 pub async fn connect<D>(dst: D) -> Result<Self, tonic::transport::Error>
594 where
595 D: TryInto<tonic::transport::Endpoint>,
596 D::Error: Into<StdError>,
597 {
598 let conn = tonic::transport::Endpoint::new(dst)?.connect().await?;
599 Ok(Self::new(conn))
600 }
601 }
602 impl<T> IamPolicyClient<T>
603 where
604 T: tonic::client::GrpcService<tonic::body::BoxBody>,
605 T::Error: Into<StdError>,
606 T::ResponseBody: Body<Data = Bytes> + Send + 'static,
607 <T::ResponseBody as Body>::Error: Into<StdError> + Send,
608 {
609 pub fn new(inner: T) -> Self {
610 let inner = tonic::client::Grpc::new(inner);
611 Self { inner }
612 }
613 pub fn with_origin(inner: T, origin: Uri) -> Self {
614 let inner = tonic::client::Grpc::with_origin(inner, origin);
615 Self { inner }
616 }
617 pub fn with_interceptor<F>(inner: T, interceptor: F) -> IamPolicyClient<InterceptedService<T, F>>
618 where
619 F: tonic::service::Interceptor,
620 T::ResponseBody: Default,
621 T: tonic::codegen::Service<
622 http::Request<tonic::body::BoxBody>,
623 Response = http::Response<<T as tonic::client::GrpcService<tonic::body::BoxBody>>::ResponseBody>,
624 >,
625 <T as tonic::codegen::Service<http::Request<tonic::body::BoxBody>>>::Error: Into<StdError> + Send + Sync,
626 {
627 IamPolicyClient::new(InterceptedService::new(inner, interceptor))
628 }
629 /// Compress requests with the given encoding.
630 ///
631 /// This requires the server to support it otherwise it might respond with an
632 /// error.
633 #[must_use]
634 pub fn send_compressed(mut self, encoding: CompressionEncoding) -> Self {
635 self.inner = self.inner.send_compressed(encoding);
636 self
637 }
638 /// Enable decompressing responses.
639 #[must_use]
640 pub fn accept_compressed(mut self, encoding: CompressionEncoding) -> Self {
641 self.inner = self.inner.accept_compressed(encoding);
642 self
643 }
644 /// Limits the maximum size of a decoded message.
645 ///
646 /// Default: `4MB`
647 #[must_use]
648 pub fn max_decoding_message_size(mut self, limit: usize) -> Self {
649 self.inner = self.inner.max_decoding_message_size(limit);
650 self
651 }
652 /// Limits the maximum size of an encoded message.
653 ///
654 /// Default: `usize::MAX`
655 #[must_use]
656 pub fn max_encoding_message_size(mut self, limit: usize) -> Self {
657 self.inner = self.inner.max_encoding_message_size(limit);
658 self
659 }
660 /// Sets the access control policy on the specified resource. Replaces any
661 /// existing policy.
662 ///
663 /// Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.
664 pub async fn set_iam_policy(
665 &mut self,
666 request: impl tonic::IntoRequest<super::SetIamPolicyRequest>,
667 ) -> std::result::Result<tonic::Response<super::Policy>, tonic::Status> {
668 self.inner.ready().await.map_err(|e| {
669 tonic::Status::new(tonic::Code::Unknown, format!("Service was not ready: {}", e.into()))
670 })?;
671 let codec = tonic::codec::ProstCodec::default();
672 let path = http::uri::PathAndQuery::from_static("/google.iam.v1.IAMPolicy/SetIamPolicy");
673 let mut req = request.into_request();
674 req.extensions_mut()
675 .insert(GrpcMethod::new("google.iam.v1.IAMPolicy", "SetIamPolicy"));
676 self.inner.unary(req, path, codec).await
677 }
678 /// Gets the access control policy for a resource.
679 /// Returns an empty policy if the resource exists and does not have a policy
680 /// set.
681 pub async fn get_iam_policy(
682 &mut self,
683 request: impl tonic::IntoRequest<super::GetIamPolicyRequest>,
684 ) -> std::result::Result<tonic::Response<super::Policy>, tonic::Status> {
685 self.inner.ready().await.map_err(|e| {
686 tonic::Status::new(tonic::Code::Unknown, format!("Service was not ready: {}", e.into()))
687 })?;
688 let codec = tonic::codec::ProstCodec::default();
689 let path = http::uri::PathAndQuery::from_static("/google.iam.v1.IAMPolicy/GetIamPolicy");
690 let mut req = request.into_request();
691 req.extensions_mut()
692 .insert(GrpcMethod::new("google.iam.v1.IAMPolicy", "GetIamPolicy"));
693 self.inner.unary(req, path, codec).await
694 }
695 /// Returns permissions that a caller has on the specified resource.
696 /// If the resource does not exist, this will return an empty set of
697 /// permissions, not a `NOT_FOUND` error.
698 ///
699 /// Note: This operation is designed to be used for building permission-aware
700 /// UIs and command-line tools, not for authorization checking. This operation
701 /// may "fail open" without warning.
702 pub async fn test_iam_permissions(
703 &mut self,
704 request: impl tonic::IntoRequest<super::TestIamPermissionsRequest>,
705 ) -> std::result::Result<tonic::Response<super::TestIamPermissionsResponse>, tonic::Status> {
706 self.inner.ready().await.map_err(|e| {
707 tonic::Status::new(tonic::Code::Unknown, format!("Service was not ready: {}", e.into()))
708 })?;
709 let codec = tonic::codec::ProstCodec::default();
710 let path = http::uri::PathAndQuery::from_static("/google.iam.v1.IAMPolicy/TestIamPermissions");
711 let mut req = request.into_request();
712 req.extensions_mut()
713 .insert(GrpcMethod::new("google.iam.v1.IAMPolicy", "TestIamPermissions"));
714 self.inner.unary(req, path, codec).await
715 }
716 }
717}