Identifying information for a single ancestor of a project.
Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: { “audit_configs”: [ { “service”: “allServices”, “audit_log_configs”: [ { “log_type”: “DATA_READ”, “exempted_members”: [ “user:jose@example.com” ] }, { “log_type”: “DATA_WRITE” }, { “log_type”: “ADMIN_READ” } ] }, { “service”: “sampleservice.googleapis.com”, “audit_log_configs”: [ { “log_type”: “DATA_READ” }, { “log_type”: “DATA_WRITE”, “exempted_members”: [ “user:aliya@example.com” ] } ] } ] } For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
Provides the configuration for logging a type of permissions. Example: { “audit_log_configs”: [ { “log_type”: “DATA_READ”, “exempted_members”: [ “user:jose@example.com” ] }, { “log_type”: “DATA_WRITE” } ] } This enables ‘DATA_READ’ and ‘DATA_WRITE’ logging, while exempting jose@example.com from DATA_READ logging.
Associates members, or principals, with a role.
Central instance to access all CloudResourceManager related resource activities
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: “Summary size limit” description: “Determines if a summary is less than 100 chars” expression: “document.summary.size() < 100” Example (Equality): title: “Requestor is owner” description: “Determines if requestor is the document owner” expression: “document.owner == request.auth.claims.email” Example (Logic): title: “Public documents” description: “Determine whether the document should be publicly visible” expression: “document.type != ‘private’ && document.type != ‘internal’” Example (Data Manipulation): title: “Notification string” description: “Create a notification string with a timestamp.” expression: “’New message received at ’ + string(document.create_time)” The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
The request sent to the [google.cloudresourcemanager.projects.v1beta1.DeveloperProjects.GetAncestry] method.
Response from the projects.getAncestry method.
Request message for GetIamPolicy method.
Encapsulates settings provided to GetIamPolicy.
The response returned from the ListOrganizations method.
A page of the response received from the ListProjects method. A paginated response where more pages are available has next_page_token set. This token can be used in a subsequent request to retrieve the next request page.
The root node in the resource hierarchy to which a particular entity’s (e.g., company) resources belong.
Fetches an Organization resource identified by the specified resource name.
Gets the access control policy for an Organization resource. May be empty if no such policy or resource exists. The resource field should be the organization’s resource name, e.g. “organizations/123”.
Lists Organization resources that are visible to the user and satisfy the specified filter. This method returns Organizations in an unspecified order. New Organizations do not necessarily appear at the end of the list.
A builder providing access to all methods supported on
organization resources.
It is not used directly, but through the
CloudResourceManager hub.
The entity that owns an Organization. The lifetime of the Organization and all of its descendants are bound to the OrganizationOwner. If the OrganizationOwner is deleted, the Organization and all its descendants will be deleted.
Sets the access control policy on an Organization resource. Replaces any existing policy. The resource field should be the organization’s resource name, e.g. “organizations/123”.
Returns permissions that a caller has on the specified Organization. The resource field should be the organization’s resource name, e.g. “organizations/123”.
Updates an Organization resource identified by the specified resource name.
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A
Policy is a collection of
bindings. A
binding binds one or more
members, or principals, to a single
role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A
role is a named list of permissions; each
role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a
binding can also specify a
condition, which is a logical expression that allows access to a resource only if the expression evaluates to
true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the
IAM documentation.
JSON example: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } YAML example: bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the
IAM documentation.
A Project is a high-level Google Cloud Platform entity. It is a container for ACLs, APIs, App Engine Apps, VMs, and other Google Cloud Platform resources.
Creates a Project resource. Initially, the Project resource is owned by its creator exclusively. The creator can later grant permission to others to read or update the Project. Several APIs are activated automatically for the Project, including Google Cloud Storage. The parent is identified by a specified ResourceId, which must include both an ID and a type, such as project, folder, or organization. This method does not associate the new project with a billing account. You can set or update the billing account associated with a project using the [projects.updateBillingInfo] (/billing/reference/rest/v1/projects/updateBillingInfo) method.
Marks the Project identified by the specified project_id (for example, my-project-123) for deletion. This method will only affect the Project if it has a lifecycle state of ACTIVE. This method changes the Project’s lifecycle state from ACTIVE to DELETE_REQUESTED. The deletion starts at an unspecified time, at which point the project is no longer accessible. Until the deletion completes, you can check the lifecycle state checked by retrieving the Project with GetProject, and the Project remains visible to ListProjects. However, you cannot update the project. After the deletion completes, the Project is not retrievable by the GetProject and ListProjects methods. The caller must have delete permissions for this Project.
Gets a list of ancestors in the resource hierarchy for the Project identified by the specified project_id (for example, my-project-123). The caller must have read permissions for this Project.
Retrieves the Project identified by the specified project_id (for example, my-project-123). The caller must have read permissions for this Project.
Returns the IAM access control policy for the specified Project. Permission is denied if the policy or the resource does not exist. For additional information about resource structure and identification, see
Resource Names.
Lists Projects that the caller has the resourcemanager.projects.get permission on and satisfy the specified filter. This method returns Projects in an unspecified order. This method is eventually consistent with project mutations; this means that a newly created project may not appear in the results or recent updates to an existing project may not be reflected in the results. To retrieve the latest state of a project, use the GetProject method. NOTE: If the request filter contains a parent.type and parent.id and the caller has the resourcemanager.projects.list permission on the parent, the results will be drawn from an alternate index which provides more consistent results. In future versions of this API, this List method will be split into List and Search to properly capture the behavioral difference.
A builder providing access to all methods supported on
project resources.
It is not used directly, but through the
CloudResourceManager hub.
Sets the IAM access control policy for the specified Project. CAUTION: This method will replace the existing policy, and cannot be used to append additional IAM settings. NOTE: Removing service accounts from policies or changing their roles can render services completely inoperable. It is important to understand how the service account is being used before removing or updating its roles. The following constraints apply when using setIamPolicy(): + Project does not support allUsers and allAuthenticatedUsers as members in a Binding of a Policy. + The owner role can be granted to a user, serviceAccount, or a group that is part of an organization. For example, group@myownpersonaldomain.com could be added as an owner to a project in the myownpersonaldomain.com organization, but not the examplepetstore.com organization. + Service accounts can be made owners of a project directly without any restrictions. However, to be added as an owner, a user must be invited via Cloud Platform console and must accept the invitation. + A user cannot be granted the owner role using setIamPolicy(). The user must be granted the owner role using the Cloud Platform Console and must explicitly accept the invitation. + Invitations to grant the owner role cannot be sent using setIamPolicy(); they must be sent only using the Cloud Platform Console. + Membership changes that leave the project without any owners that have accepted the Terms of Service (ToS) will be rejected. + If the project is not part of an organization, there must be at least one owner who has accepted the Terms of Service (ToS) agreement in the policy. Calling setIamPolicy() to remove the last ToS-accepted owner from the policy will fail. This restriction also applies to legacy projects that no longer have owners who have accepted the ToS. Edits to IAM policies will be rejected until the lack of a ToS-accepting owner is rectified. Authorization requires the Google IAM permission resourcemanager.projects.setIamPolicy on the project
Returns permissions that a caller has on the specified Project.
Restores the Project identified by the specified project_id (for example, my-project-123). You can only use this method for a Project that has a lifecycle state of DELETE_REQUESTED. After deletion starts, the Project cannot be restored. The caller must have undelete permissions for this Project.
Updates the attributes of the Project identified by the specified project_id (for example, my-project-123). The caller must have modify permissions for this Project.
A container to reference an id for any resource type. A resource in Google Cloud Platform is a generic term for something you (a developer) may want to interact with through one of our API’s. Some examples are an App Engine app, a Compute Engine instance, a Cloud SQL database, and so on.
Request message for SetIamPolicy method.
Request message for TestIamPermissions method.
Response message for TestIamPermissions method.
The request sent to the UndeleteProject method.