Identifying information for a single ancestor of a project.
Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: { "audit_configs": [ { "service": "allServices", "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" }, { "log_type": "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com", "audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] } For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
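The union rule above, as an added worked example (not code from the page or from the crate it documents): it loads the example Policy from the description, constructed here as inline JSON, computes the effective AuditConfig for one service, and lists every exemption as an audit blind spot a reviewer should be able to justify. The function names and the coverage-gap helper are this example's own.

```python
import json
from collections import defaultdict

# Constructed sample: the example Policy from the AuditConfig description.
SAMPLE_POLICY = json.loads("""
{
  "audit_configs": [
    {
      "service": "allServices",
      "audit_log_configs": [
        {"log_type": "DATA_READ", "exempted_members": ["user:jose@example.com"]},
        {"log_type": "DATA_WRITE"},
        {"log_type": "ADMIN_READ"}
      ]
    },
    {
      "service": "sampleservice.googleapis.com",
      "audit_log_configs": [
        {"log_type": "DATA_READ"},
        {"log_type": "DATA_WRITE", "exempted_members": ["user:aliya@example.com"]}
      ]
    }
  ]
}
""")


def effective_audit_config(policy, service):
    """Return {log_type: set(exempted_members)} that applies to `service`.

    Implements the union rule: the allServices entry and the service-specific
    entry are merged, every log_type named in either is enabled, and the
    exemptions from both entries apply.
    """
    enabled = defaultdict(set)
    for cfg in policy.get("audit_configs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for log_cfg in cfg.get("audit_log_configs", []):
            enabled[log_cfg["log_type"]].update(log_cfg.get("exempted_members", []))
    return dict(enabled)


def audit_coverage_gaps(policy, service):
    """List (log_type, member) pairs whose access to `service` is not logged.

    Each exemption removes entries from the audit trail, so a policy review
    should treat every pair returned here as a decision needing a reason.
    """
    return sorted(
        (log_type, member)
        for log_type, members in effective_audit_config(policy, service).items()
        for member in members
    )


if __name__ == "__main__":
    svc = "sampleservice.googleapis.com"
    print("enabled:", sorted(effective_audit_config(SAMPLE_POLICY, svc)))
    print("unlogged:", audit_coverage_gaps(SAMPLE_POLICY, svc))
```

Running it on the sample shows all three log types enabled for sampleservice and two unlogged pairs, matching the prose; for a service with no specific entry only the allServices exemptions apply.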
Provides the configuration for logging a type of permissions. Example: { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" } ] } This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
Associates members, or principals, with a role.
A Constraint that is either enforced or not. For example, a constraint constraints/compute.disableSerialPortAccess. If it is enforced on a VM instance, serial port connections will not be opened to that instance.
Used in policy_type to specify how boolean_policy will behave at this resource.
The request sent to the ClearOrgPolicy method.
Central instance to access all CloudResourceManager related resource activities.
A Constraint describes a way in which a resource’s configuration can be restricted. For example, it controls which cloud services can be activated across an organization, or whether a Compute Engine instance can have serial port connections established. Constraints can be configured by the organization’s policy administrator to fit the needs of the organization by setting Policies for Constraints at different locations in the organization’s resource hierarchy. Policies are inherited down the resource hierarchy from higher levels, but can also be overridden. For details about the inheritance rules please read about Policies. Constraints have a default behavior determined by the constraint_default field, which is the enforcement behavior that is used in the absence of a Policy being defined or inherited for the resource in question.
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
Clears a Policy from a resource.
Gets the effective Policy on a resource. This is the result of merging Policies in the resource hierarchy. The returned Policy will not have an etag set because it is a computed Policy across multiple resources. Subtrees of Resource Manager resource hierarchy with 'under:' prefix will not be expanded.
Gets a Policy on a resource. If no Policy is set on the resource, a Policy is returned with default values including POLICY_TYPE_NOT_SET for the policy_type oneof. The etag value can be used with SetOrgPolicy() to create or update a Policy during read-modify-write.
Lists Constraints that could be applied on the specified resource.
Lists all the Policies set for a particular resource.
A builder providing access to all methods supported on folder resources. It is not used directly, but through the CloudResourceManager hub.
Updates the specified Policy on the resource. Creates a new Policy for that Constraint on the resource if one does not exist. Not supplying an etag on the request Policy results in an unconditional write of the Policy.
The request sent to the GetAncestry method.
Response from the projects.getAncestry method.
The request sent to the GetEffectiveOrgPolicy method.
Request message for GetIamPolicy method.
The request sent to the GetOrgPolicy method.
Encapsulates settings provided to GetIamPolicy.
A Lien represents an encumbrance on the actions that can be performed on a resource.
Create a Lien which applies to the resource denoted by the parent field. Callers of this method will require permission on the parent resource. For example, applying to projects/1234 requires permission resourcemanager.projects.updateLiens. NOTE: Some resources may limit the number of Liens which may be applied.
Delete a Lien by name. Callers of this method will require permission on the parent resource. For example, a Lien with a parent of projects/1234 requires permission resourcemanager.projects.updateLiens.
Retrieve a Lien by name. Callers of this method will require permission on the parent resource. For example, a Lien with a parent of projects/1234 requires permission resourcemanager.projects.get.
List all Liens applied to the parent resource. Callers of this method will require permission on the parent resource. For example, a Lien with a parent of projects/1234 requires permission resourcemanager.projects.get.
A builder providing access to all methods supported on lien resources. It is not used directly, but through the CloudResourceManager hub.
The request sent to the ListAvailableOrgPolicyConstraints method on the project, folder, or organization.
The response returned from the ListAvailableOrgPolicyConstraints method. Returns all Constraints that could be set at this level of the hierarchy (contrast with the response from ListPolicies, which returns all policies which are set).
A Constraint that allows or disallows a list of string values, which are configured by an Organization’s policy administrator with a Policy.
The response message for Liens.ListLiens.
The request sent to the ListOrgPolicies method.
The response returned from the ListOrgPolicies method. It will be empty if no Policies are set on the resource.
Used in policy_type to specify how list_policy behaves at this resource. ListPolicy can define specific values and subtrees of Cloud Resource Manager resource hierarchy (Organizations, Folders, Projects) that are allowed or denied by setting the allowed_values and denied_values fields. This is achieved by using the under: and optional is: prefixes. The under: prefix is used to denote resource subtree values. The is: prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats:
- "projects/", e.g. "projects/tokyo-rain-123"
- "folders/", e.g. "folders/1234"
- "organizations/", e.g. "organizations/1234"
The supports_under field of the associated Constraint defines whether ancestry prefixes can be used. You can set allowed_values and denied_values in the same Policy if all_values is ALL_VALUES_UNSPECIFIED. ALLOW or DENY are used to allow or deny all values. If all_values is set to either ALLOW or DENY, allowed_values and denied_values must be unset.
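The ListPolicy rules above, as an added worked example (not code from the page or from the crate it documents): a validator for the all_values / allowed_values / denied_values / supports_under constraints, and an evaluator that applies the under: and is: prefixes to a candidate value. Two things are this example's assumptions rather than statements from the page: the caller supplies the candidate's own ancestor chain (for a project, the sort of list GetAncestry returns), and the precedence order in is_value_allowed (a matching denied entry wins, then allowed_values is consulted, and with no allowed_values given every non-denied value passes). All function names are this example's own.

```python
ANCESTRY_PREFIXES = ("projects/", "folders/", "organizations/")


def _plain(value):
    """Values prefixed 'is:' are treated the same as values with no prefix."""
    return value[len("is:"):] if value.startswith("is:") else value


def list_policy_errors(list_policy, supports_under=True):
    """Return the reasons a ListPolicy is malformed (empty list if it is valid)."""
    errors = []
    all_values = list_policy.get("all_values", "ALL_VALUES_UNSPECIFIED")
    explicit = list_policy.get("allowed_values", []) + list_policy.get("denied_values", [])
    if all_values in ("ALLOW", "DENY") and explicit:
        errors.append("allowed_values and denied_values must be unset when all_values is ALLOW or DENY")
    for v in explicit:
        if v.startswith("under:"):
            if not supports_under:
                errors.append(f"{v}: the Constraint does not support under: prefixes")
            elif not v[len("under:"):].startswith(ANCESTRY_PREFIXES):
                errors.append(f"{v}: subtree must be projects/, folders/ or organizations/")
    return errors


def _covers(rule_value, candidate, ancestry):
    """Does one allowed/denied entry cover `candidate`?

    `ancestry` (assumption of this example) is the candidate's own ancestor
    chain as resource names such as 'folders/1234'. An under: entry covers
    the candidate when the subtree root is the candidate itself or one of
    its ancestors; any other entry is an exact match after stripping 'is:'.
    """
    if rule_value.startswith("under:"):
        root = rule_value[len("under:"):]
        return root == candidate or root in set(ancestry)
    return _plain(rule_value) == _plain(candidate)


def is_value_allowed(list_policy, candidate, ancestry=(), supports_under=True):
    """Decide whether `candidate` passes this ListPolicy (precedence is assumed, see above)."""
    errors = list_policy_errors(list_policy, supports_under)
    if errors:
        raise ValueError("; ".join(errors))
    all_values = list_policy.get("all_values", "ALL_VALUES_UNSPECIFIED")
    if all_values == "ALLOW":
        return True
    if all_values == "DENY":
        return False
    if any(_covers(v, candidate, ancestry) for v in list_policy.get("denied_values", [])):
        return False
    allowed = list_policy.get("allowed_values", [])
    return not allowed or any(_covers(v, candidate, ancestry) for v in allowed)


if __name__ == "__main__":
    # Constructed policy: allow anything under org 1234 plus one named project,
    # except anything under folder 99.
    policy = {
        "allowed_values": ["under:organizations/1234", "is:projects/tokyo-rain-123"],
        "denied_values": ["under:folders/99"],
    }
    print(is_value_allowed(policy, "projects/a", ["folders/5", "organizations/1234"]))
    print(is_value_allowed(policy, "projects/b", ["folders/99", "organizations/1234"]))
```

The validator is the part worth running before SetOrgPolicy: a policy that sets all_values together with explicit lists, or uses under: on a Constraint whose supports_under is false, is rejected here rather than at write time.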
A page of the response received from the ListProjects method. A paginated response where more pages are available has next_page_token set. This token can be used in a subsequent request to retrieve the next request page.
This resource represents a long-running operation that is the result of a network API call.
Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.
A builder providing access to all methods supported on operation resources. It is not used directly, but through the CloudResourceManager hub.
Defines a Cloud Organization Policy which is used to specify Constraints for configurations of Cloud Platform resources.
The root node in the resource hierarchy to which a particular entity’s (e.g., company) resources belong.
Clears a Policy from a resource.
Fetches an Organization resource identified by the specified resource name.
Gets the effective Policy on a resource. This is the result of merging Policies in the resource hierarchy. The returned Policy will not have an etag set because it is a computed Policy across multiple resources. Subtrees of Resource Manager resource hierarchy with 'under:' prefix will not be expanded.
Gets the access control policy for an Organization resource. May be empty if no such policy or resource exists. The resource field should be the organization’s resource name, e.g. "organizations/123". Authorization requires the Google IAM permission resourcemanager.organizations.getIamPolicy on the specified organization.
Gets a Policy on a resource. If no Policy is set on the resource, a Policy is returned with default values including POLICY_TYPE_NOT_SET for the policy_type oneof. The etag value can be used with SetOrgPolicy() to create or update a Policy during read-modify-write.
Lists Constraints that could be applied on the specified resource.
Lists all the Policies set for a particular resource.
A builder providing access to all methods supported on organization resources. It is not used directly, but through the CloudResourceManager hub.
The entity that owns an Organization. The lifetime of the Organization and all of its descendants is bound to the OrganizationOwner. If the OrganizationOwner is deleted, the Organization and all its descendants will be deleted.
Searches Organization resources that are visible to the user and satisfy the specified filter. This method returns Organizations in an unspecified order. New Organizations do not necessarily appear at the end of the results. Search will only return organizations on which the user has the permission resourcemanager.organizations.get or has super admin privileges.
Sets the access control policy on an Organization resource. Replaces any existing policy. The resource field should be the organization’s resource name, e.g. "organizations/123". Authorization requires the Google IAM permission resourcemanager.organizations.setIamPolicy on the specified organization.
Updates the specified Policy on the resource. Creates a new Policy for that Constraint on the resource if one does not exist. Not supplying an etag on the request Policy results in an unconditional write of the Policy.
Returns permissions that a caller has on the specified Organization. The resource field should be the organization’s resource name, e.g. "organizations/123". There are no permissions required for making this API call.
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation.
JSON example: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')" } } ], "etag": "BwWWja0YfJA=", "version": 3 }
YAML example: bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3
For a description of IAM and its features, see the IAM documentation.
A Project is a high-level Google Cloud Platform entity. It is a container for ACLs, APIs, App Engine Apps, VMs, and other Google Cloud Platform resources.
Clears a Policy from a resource.
Request that a new Project be created. The result is an Operation which can be used to track the creation process. This process usually takes a few seconds, but can sometimes take much longer. The tracking Operation is automatically deleted after a few hours, so there is no need to call DeleteOperation. Authorization requires the Google IAM permission resourcemanager.projects.create on the specified parent for the new project. The parent is identified by a specified ResourceId, which must include both an ID and a type, such as organization. This method does not associate the new project with a billing account. You can set or update the billing account associated with a project using the projects.updateBillingInfo method (/billing/reference/rest/v1/projects/updateBillingInfo).
Marks the Project identified by the specified project_id (for example, my-project-123) for deletion. This method will only affect the Project if it has a lifecycle state of ACTIVE. This method changes the Project’s lifecycle state from ACTIVE to DELETE_REQUESTED. The deletion starts at an unspecified time, at which point the Project is no longer accessible. Until the deletion completes, you can check the lifecycle state by retrieving the Project with GetProject, and the Project remains visible to ListProjects. However, you cannot update the project. After the deletion completes, the Project is not retrievable by the GetProject and ListProjects methods. The caller must have delete permissions for this Project.
Gets a list of ancestors in the resource hierarchy for the Project identified by the specified project_id (for example, my-project-123). The caller must have read permissions for this Project.
Retrieves the Project identified by the specified project_id (for example, my-project-123). The caller must have read permissions for this Project.
Gets the effective Policy on a resource. This is the result of merging Policies in the resource hierarchy. The returned Policy will not have an etag set because it is a computed Policy across multiple resources. Subtrees of Resource Manager resource hierarchy with 'under:' prefix will not be expanded.
Returns the IAM access control policy for the specified Project. Permission is denied if the policy or the resource does not exist. Authorization requires the Google IAM permission resourcemanager.projects.getIamPolicy on the project. For additional information about resource (e.g. my-project-id) structure and identification, see Resource Names.
Gets a Policy on a resource. If no Policy is set on the resource, a Policy is returned with default values including POLICY_TYPE_NOT_SET for the policy_type oneof. The etag value can be used with SetOrgPolicy() to create or update a Policy during read-modify-write.
Lists Constraints that could be applied on the specified resource.
Lists Projects that the caller has the resourcemanager.projects.get permission on and satisfy the specified filter. This method returns Projects in an unspecified order. This method is eventually consistent with project mutations; this means that a newly created project may not appear in the results or recent updates to an existing project may not be reflected in the results. To retrieve the latest state of a project, use the GetProject method. NOTE: If the request filter contains a parent.type and parent.id and the caller has the resourcemanager.projects.list permission on the parent, the results will be drawn from an alternate index which provides more consistent results. In future versions of this API, this List method will be split into List and Search to properly capture the behavioral difference.
Lists all the Policies set for a particular resource.
A builder providing access to all methods supported on project resources. It is not used directly, but through the CloudResourceManager hub.
Sets the IAM access control policy for the specified Project. CAUTION: This method will replace the existing policy, and cannot be used to append additional IAM settings. NOTE: Removing service accounts from policies or changing their roles can render services completely inoperable. It is important to understand how the service account is being used before removing or updating its roles. For additional information about resource (e.g. my-project-id) structure and identification, see Resource Names. The following constraints apply when using setIamPolicy():
+ Project does not support allUsers and allAuthenticatedUsers as members in a Binding of a Policy.
+ The owner role can be granted to a user, serviceAccount, or a group that is part of an organization. For example, group@myownpersonaldomain.com could be added as an owner to a project in the myownpersonaldomain.com organization, but not the examplepetstore.com organization.
+ Service accounts can be made owners of a project directly without any restrictions. However, to be added as an owner, a user must be invited via Cloud Platform console and must accept the invitation.
+ A user cannot be granted the owner role using setIamPolicy(). The user must be granted the owner role using the Cloud Platform Console and must explicitly accept the invitation.
+ You can only grant ownership of a project to a member by using the Google Cloud console. Inviting a member will deliver an invitation email that they must accept. An invitation email is not generated if you are granting a role other than owner, or if both the member you are inviting and the project are part of your organization.
+ If the project is not part of an organization, there must be at least one owner who has accepted the Terms of Service (ToS) agreement in the policy. Calling setIamPolicy() to remove the last ToS-accepted owner from the policy will fail. This restriction also applies to legacy projects that no longer have owners who have accepted the ToS. Edits to IAM policies will be rejected until the lack of a ToS-accepting owner is rectified. If the project is part of an organization, you can remove all owners, potentially making the organization inaccessible.
Authorization requires the Google IAM permission resourcemanager.projects.setIamPolicy on the project.
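Because setIamPolicy() replaces the whole policy, a pre-flight check of the replacement against the policy just read catches most of the failures and foot-guns listed above before anything is written. The following is an added example (not code from the page or from the crate it documents): it takes the JSON Policy example from the IAM Policy description, constructed here inline with its stray trailing comma removed, and reports a finding for each constraint it can evaluate offline: a missing etag (unconditional write), a stale etag, allUsers/allAuthenticatedUsers members, a user granted the owner role directly, removal of the last owner outside an organization, and any service account losing a role. The roles/owner role name, the in_organization flag and the function names are this example's assumptions; whether the project is in an organization must come from the caller.

```python
import json

# Constructed sample: the JSON Policy example from the IAM Policy description,
# with the trailing comma after "expression" removed so it parses.
EXAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {
      "role": "roles/resourcemanager.organizationAdmin",
      "members": [
        "user:mike@example.com",
        "group:admins@example.com",
        "domain:google.com",
        "serviceAccount:my-project-id@appspot.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/resourcemanager.organizationViewer",
      "members": ["user:eve@example.com"],
      "condition": {
        "title": "expirable access",
        "description": "Does not grant access after Sep 2020",
        "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"
      }
    }
  ],
  "etag": "BwWWja0YfJA=",
  "version": 3
}
""")

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
OWNER_ROLE = "roles/owner"  # assumption: the project owner role name


def members_by_role(policy):
    """Map each role in `policy` to the set of members bound to it."""
    out = {}
    for binding in policy.get("bindings", []):
        out.setdefault(binding["role"], set()).update(binding.get("members", []))
    return out


def setiampolicy_preflight(current, proposed, in_organization=False):
    """Return (severity, message) findings for a proposed projects.setIamPolicy call.

    `current` is the policy as just read with getIamPolicy; `proposed` is the
    full replacement. Findings mirror the constraints listed for setIamPolicy().
    """
    findings = []
    if "etag" not in proposed:
        findings.append(("warning", "no etag: write is unconditional and may clobber concurrent changes"))
    elif proposed["etag"] != current.get("etag"):
        findings.append(("error", "etag does not match the policy just read; restart the read-modify-write cycle"))

    before, after = members_by_role(current), members_by_role(proposed)

    # Projects reject public principals in any binding.
    for role, members in after.items():
        for m in sorted(members & PUBLIC_PRINCIPALS):
            findings.append(("error", f"{m} is not supported as a member of {role} on a project"))

    # Users become owners only through the console invitation flow; service
    # accounts may be granted owner directly.
    for m in sorted(after.get(OWNER_ROLE, set()) - before.get(OWNER_ROLE, set())):
        if not m.startswith("serviceAccount:"):
            findings.append(("error", f"cannot grant {OWNER_ROLE} to {m} via setIamPolicy(); use the console invitation"))

    # Outside an organization the last owner cannot be removed.
    if before.get(OWNER_ROLE) and not after.get(OWNER_ROLE) and not in_organization:
        findings.append(("error", "removing the last owner of a project outside an organization is rejected"))

    # Service accounts losing roles can break running workloads.
    for role, members in before.items():
        for m in sorted(members - after.get(role, set())):
            if m.startswith("serviceAccount:"):
                findings.append(("warning", f"{m} loses {role}; confirm no workload depends on it"))
    return findings


if __name__ == "__main__":
    for severity, msg in setiampolicy_preflight(EXAMPLE_POLICY, {"bindings": []}):
        print(severity, msg)
```

Writing the policy back unchanged produces no findings; dropping the etag or a binding surfaces the unconditional-write warning and the service-account warning, and adding allUsers or a direct user owner produces errors the API would reject anyway.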
Updates the specified Policy on the resource. Creates a new Policy for that Constraint on the resource if one does not exist. Not supplying an etag on the request Policy results in an unconditional write of the Policy.
Returns permissions that a caller has on the specified Project. For additional information about resource (e.g. my-project-id) structure and identification, see Resource Names. There are no permissions required for making this API call.
Restores the Project identified by the specified project_id (for example, my-project-123). You can only use this method for a Project that has a lifecycle state of DELETE_REQUESTED. After deletion starts, the Project cannot be restored. The caller must have undelete permissions for this Project.
Updates the attributes of the Project identified by the specified project_id (for example, my-project-123). The caller must have modify permissions for this Project.
A container to reference an id for any resource type. A resource in Google Cloud Platform is a generic term for something you (a developer) may want to interact with through one of our APIs. Some examples are an App Engine app, a Compute Engine instance, a Cloud SQL database, and so on.
Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. Suppose that constraint_default is set to ALLOW for the Constraint constraints/serviceuser.services. Suppose that organization foo.com sets a Policy at their Organization resource node that restricts the allowed service activations to deny all service activations. They could then set a Policy with the policy_type restore_default on several experimental projects, restoring the constraint_default enforcement of the Constraint for only those projects, allowing those projects to have all services activated.
The request sent to the SearchOrganizations method.
The response returned from the SearchOrganizations method.
Request message for SetIamPolicy method.
The request sent to the SetOrgPolicyRequest method.
The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.
Request message for TestIamPermissions method.
Response message for TestIamPermissions method.
The request sent to the UndeleteProject method.