pub struct MethodAnalyzeIamPolicyCall<'a, C> where C: 'a { /* private fields */ }
Analyzes IAM policies to answer which identities have what accesses on which resources.
A builder for the analyzeIamPolicy method.
It is not used directly, but through a MethodMethods instance.
§Example
Instantiate a resource method builder
// You can configure optional parameters by calling the respective setters at will, and
// execute the final call using `doit()`.
// Values shown here are possibly random and not representative !
let result = hub.methods().analyze_iam_policy("scope")
.saved_analysis_query("rebum.")
.execution_timeout(chrono::Duration::seconds(5840181))
.analysis_query_resource_selector_full_resource_name("ipsum")
.analysis_query_options_output_resource_edges(true)
.analysis_query_options_output_group_edges(true)
.analysis_query_options_expand_roles(false)
.analysis_query_options_expand_resources(true)
.analysis_query_options_expand_groups(false)
.analysis_query_options_analyze_service_account_impersonation(true)
.analysis_query_identity_selector_identity("duo")
.analysis_query_condition_context_access_time(chrono::Utc::now())
.add_analysis_query_access_selector_roles("sed")
.add_analysis_query_access_selector_permissions("no")
.doit().await;
§Implementations
impl<'a, C> MethodAnalyzeIamPolicyCall<'a, C> where C: Connector
pub async fn doit(self) -> Result<(Response, AnalyzeIamPolicyResponse)>
Perform the operation you have built so far.
pub fn scope(self, new_value: &str) -> MethodAnalyzeIamPolicyCall<'a, C>
Required. The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as “organizations/123”), a folder number (such as “folders/123”), a project ID (such as “projects/my-project-id”), or a project number (such as “projects/12345”). To know how to get an organization ID, visit here. To know how to get a folder or project ID, visit here.
Sets the scope path property to the given value.
Even though the property has already been set when instantiating this call, we provide this method for API completeness.
pub fn saved_analysis_query(self, new_value: &str) -> MethodAnalyzeIamPolicyCall<'a, C>
Optional. The name of a saved query, which must be in one of the following formats:
- projects/project_number/savedQueries/saved_query_id
- folders/folder_number/savedQueries/saved_query_id
- organizations/organization_number/savedQueries/saved_query_id
If both analysis_query and saved_analysis_query are provided, they will be merged together with the saved_analysis_query as base and the analysis_query as overrides. For more details of the merge behavior, refer to the MergeFrom page. Note that you cannot override primitive fields with a default value, such as 0 or an empty string, because we use proto3, which doesn’t support field presence yet.
Sets the saved analysis query query property to the given value.
pub fn execution_timeout(self, new_value: Duration) -> MethodAnalyzeIamPolicyCall<'a, C>
Optional. Amount of time the executable has to complete. See the JSON representation of Duration. If this field is set to a value less than the RPC deadline, and the execution of your query hasn’t finished within the specified execution timeout, you will get a response with a partial result. Otherwise, your query’s execution will continue until the RPC deadline. If it’s not finished by then, you will get a DEADLINE_EXCEEDED error. Default is empty.
Sets the execution timeout query property to the given value.
pub fn analysis_query_resource_selector_full_resource_name(self, new_value: &str) -> MethodAnalyzeIamPolicyCall<'a, C>
Required. The full resource name (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of a supported resource type.
Sets the analysis query.resource selector.full resource name query property to the given value.
pub fn analysis_query_options_output_resource_edges(self, new_value: bool) -> MethodAnalyzeIamPolicyCall<'a, C>
Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
Sets the analysis query.options.output resource edges query property to the given value.
pub fn analysis_query_options_output_group_edges(self, new_value: bool) -> MethodAnalyzeIamPolicyCall<'a, C>
Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
Sets the analysis query.options.output group edges query property to the given value.
pub fn analysis_query_options_expand_roles(self, new_value: bool) -> MethodAnalyzeIamPolicyCall<'a, C>
Optional. If true, the access section of the result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to be set. Default is false.
Sets the analysis query.options.expand roles query property to the given value.
pub fn analysis_query_options_expand_resources(self, new_value: bool) -> MethodAnalyzeIamPolicyCall<'a, C>
Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy and 100000 for AssetService.AnalyzeIamPolicyLongrunning. Default is false.
Sets the analysis query.options.expand resources query property to the given value.
pub fn analysis_query_options_expand_groups(self, new_value: bool) -> MethodAnalyzeIamPolicyCall<'a, C>
Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to be set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy. Default is false.
Sets the analysis query.options.expand groups query property to the given value.
pub fn analysis_query_options_analyze_service_account_impersonation(self, new_value: bool) -> MethodAnalyzeIamPolicyCall<'a, C>
Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use the AssetService.AnalyzeIamPolicyLongrunning RPC instead.
For example, if the request analyzes for which resources user A has permission P, and there’s an IAM policy stating that user A has the iam.serviceAccounts.getAccessToken permission on a service account SA, and there’s another IAM policy stating that service account SA has permission P on a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
Another example: if the request analyzes for who has permission P on a Google Cloud folder F, and there’s an IAM policy stating that user A has the iam.serviceAccounts.actAs permission on a service account SA, and there’s another IAM policy stating that service account SA has permission P on the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
Only the following permissions are considered in this analysis:
- iam.serviceAccounts.actAs
- iam.serviceAccounts.signBlob
- iam.serviceAccounts.signJwt
- iam.serviceAccounts.getAccessToken
- iam.serviceAccounts.getOpenIdToken
- iam.serviceAccounts.implicitDelegation
Default is false.
Sets the analysis query.options.analyze service account impersonation query property to the given value.
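To make the impersonation derivation above concrete, here is an added example (not code from the google-cloudasset1 crate or from the Asset API itself) that walks a constructed set of role-expanded IAM bindings and reports every resource a principal can reach with a given permission, either directly or by chaining through service accounts on which it holds one of the six impersonation permissions listed above. It assumes, as a simplification, that a service account appearing as the resource of a binding is written in its principal form (serviceAccount:...) so the walk can continue from it.

```rust
use std::collections::{HashSet, VecDeque};

/// The six permissions AnalyzeIamPolicy treats as service-account impersonation edges.
const IMPERSONATION_PERMS: &[&str] = &[
    "iam.serviceAccounts.actAs", "iam.serviceAccounts.signBlob", "iam.serviceAccounts.signJwt",
    "iam.serviceAccounts.getAccessToken", "iam.serviceAccounts.getOpenIdToken",
    "iam.serviceAccounts.implicitDelegation",
];

/// One role-expanded IAM binding: `principal` holds `permission` on `resource`.
/// Assumption: a service account that is the *resource* of a binding is written in its
/// principal form ("serviceAccount:...") so the walk can continue from it as a principal.
#[derive(Clone, Debug)]
pub struct Binding { pub principal: String, pub permission: String, pub resource: String }

/// Breadth-first walk from `identity`: returns every (resource, chain) where the last principal
/// in `chain` holds `permission` on `resource`, visiting each service account at most once.
pub fn reachable_with(bindings: &[Binding], identity: &str, permission: &str) -> Vec<(String, Vec<String>)> {
    let mut found = Vec::new();
    let mut seen: HashSet<String> = HashSet::from([identity.to_string()]);
    let mut queue = VecDeque::from([(identity.to_string(), vec![identity.to_string()])]);
    while let Some((who, chain)) = queue.pop_front() {
        for b in bindings.iter().filter(|b| b.principal == who) {
            if b.permission == permission {
                found.push((b.resource.clone(), chain.clone())); // access held by this principal
            } else if IMPERSONATION_PERMS.contains(&b.permission.as_str())
                && b.resource.starts_with("serviceAccount:")
                && seen.insert(b.resource.clone())
            {
                let mut next = chain.clone();
                next.push(b.resource.clone());
                queue.push_back((b.resource.clone(), next)); // continue as the impersonated SA
            }
        }
    }
    found
}

/// Constructed sample (not real policy data): alice holds P directly on a project and can
/// mint tokens for deploy@, which holds P on a folder; bob only has actAs on deploy@.
pub fn sample_bindings() -> Vec<Binding> {
    let b = |p: &str, perm: &str, r: &str| Binding { principal: p.into(), permission: perm.into(), resource: r.into() };
    let sa = "serviceAccount:deploy@my-project-id.iam.gserviceaccount.com";
    vec![
        b("user:alice@example.com", "storage.objects.get", "projects/my-project-id"),
        b("user:alice@example.com", "iam.serviceAccounts.getAccessToken", sa),
        b("user:bob@example.com", "iam.serviceAccounts.actAs", sa),
        b(sa, "storage.objects.get", "folders/123"),
    ]
}
```

For alice the walk yields the project directly and folders/123 via deploy@, which is exactly the kind of path the option surfaces in service_account_impersonation_analysis; bob reaches folders/123 only through actAs.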
pub fn analysis_query_identity_selector_identity(self, new_value: &str) -> MethodAnalyzeIamPolicyCall<'a, C>
Required. The identity appears in the form of principals in IAM policy bindings. Examples of supported forms are: “user:mike@example.com”, “group:admins@example.com”, “domain:google.com”, “serviceAccount:my-project-id@appspot.gserviceaccount.com”. Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
Sets the analysis query.identity selector.identity query property to the given value.
pub fn analysis_query_condition_context_access_time(self, new_value: DateTime<Utc>) -> MethodAnalyzeIamPolicyCall<'a, C>
The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
Sets the analysis query.condition context.access time query property to the given value.
pub fn add_analysis_query_access_selector_roles(self, new_value: &str) -> MethodAnalyzeIamPolicyCall<'a, C>
Optional. The roles to appear in the result.
Append the given value to the analysis query.access selector.roles query property. Each appended value will retain its original ordering and be ‘/’-separated in the URL’s parameters.
pub fn add_analysis_query_access_selector_permissions(self, new_value: &str) -> MethodAnalyzeIamPolicyCall<'a, C>
Optional. The permissions to appear in the result.
Append the given value to the analysis query.access selector.permissions query property. Each appended value will retain its original ordering and be ‘/’-separated in the URL’s parameters.
pub fn delegate(self, new_value: &'a mut dyn Delegate) -> MethodAnalyzeIamPolicyCall<'a, C>
The delegate implementation is consulted whenever there is an intermediate result, or if something goes wrong while executing the actual API request.
It should be used to handle progress information, and to implement a certain level of resilience.
Sets the delegate property to the given value.
pub fn param<T>(self, name: T, value: T) -> MethodAnalyzeIamPolicyCall<'a, C>
Set any additional parameter of the query string used in the request. It should be used to set parameters which are not yet available through their own setters.
Please note that this method must not be used to set any of the known parameters which have their own setter method. If done anyway, the request will fail.
§Additional Parameters
- $.xgafv (query-string) - V1 error format.
- access_token (query-string) - OAuth access token.
- alt (query-string) - Data format for response.
- callback (query-string) - JSONP
- fields (query-string) - Selector specifying which fields to include in a partial response.
- key (query-string) - API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
- oauth_token (query-string) - OAuth 2.0 token for the current user.
- prettyPrint (query-boolean) - Returns response with indentations and line breaks.
- quotaUser (query-string) - Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
- uploadType (query-string) - Legacy upload protocol for media (e.g. “media”, “multipart”).
- upload_protocol (query-string) - Upload protocol for media (e.g. “raw”, “multipart”).
pub fn add_scope<St>(self, scope: St) -> MethodAnalyzeIamPolicyCall<'a, C>
Identifies the authorization scope for the method you are building.
Use this method to actively specify which scope should be used, instead of the default Scope variant Scope::CloudPlatform.
The scope will be added to a set of scopes. This is important as one can maintain access tokens for more than one scope.
Usually there is more than one suitable scope to authorize an operation, some of which may encompass more rights than others. For example, for listing resources, a read-only scope will be sufficient, and a read-write scope will do as well.
pub fn add_scopes<I, St>(self, scopes: I) -> MethodAnalyzeIamPolicyCall<'a, C>
Identifies the authorization scope(s) for the method you are building.
See Self::add_scope() for details.
pub fn clear_scopes(self) -> MethodAnalyzeIamPolicyCall<'a, C>
Removes all scopes, and no default scope will be used either.
In this case, you have to specify your API key using the key parameter (see Self::param() for details).