Custom content configuration for access denied page. IAP allows customers to define a custom URI to use as the error page when access is denied to users. If IAP prevents access to this page, the default IAP error page will be displayed instead.
Access related settings for IAP protected apps.
Configuration for IAP allowed domains. Lets you to restrict access to an app and allow access to only the domains that you list.
Wrapper over application specific settings for IAP.
Configuration for propagating attributes to applications protected by IAP.
Associates members, or principals, with a role.
OAuth brand data. NOTE: Only contains a portion of the data that describes a brand.
Central instance to access all CloudIAP related resource activities
Allows customers to configure HTTP request paths that’ll allow HTTP OPTIONS call to bypass authentication and authorization.
Configuration for RCToken generated for service mesh workloads protected by IAP. RCToken are IAP generated JWTs that can be verified at the application. The RCToken is primarily used for service mesh deployments, and can be scoped to a single mesh by configuring the audience field accordingly.
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: “Summary size limit” description: “Determines if a summary is less than 100 chars” expression: “document.summary.size() < 100” Example (Equality): title: “Requestor is owner” description: “Determines if requestor is the document owner” expression: “document.owner == request.auth.claims.email” Example (Logic): title: “Public documents” description: “Determine whether the document should be publicly visible” expression: “document.type != ‘private’ && document.type != ‘internal’” Example (Data Manipulation): title: “Notification string” description: “Create a notification string with a timestamp.” expression: “’New message received at ’ + string(document.create_time)” The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
Allows customers to configure tenant_id for GCIP instance per-app.
Request message for GetIamPolicy method.
Encapsulates settings provided to GetIamPolicy.
The IAP configurable settings.
Contains the data that describes an Identity Aware Proxy owned client.
Response message for ListBrands.
Response message for ListIdentityAwareProxyClients.
The response from ListTunnelDestGroups.
Gets the access control policy for an Identity-Aware Proxy protected resource. More information about managing access via IAP can be found at: https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
Gets the IAP settings on a particular IAP protected resource.
A builder providing access to all free methods, which are not associated with a particular resource.
It is not used directly, but through the
CloudIAP hub.
Sets the access control policy for an Identity-Aware Proxy protected resource. Replaces any existing policy. More information about managing access via IAP can be found at: https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
Returns permissions that a caller has on the Identity-Aware Proxy protected resource. More information about managing access via IAP can be found at: https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
Updates the IAP settings on a particular IAP protected resource. It replaces all fields unless the update_mask is set.
Validates a given CEL expression conforms to IAP restrictions.
Configuration for OAuth login&consent flow behavior as well as for OAuth Credentials.
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A
Policy is a collection of
bindings. A
binding binds one or more
members, or principals, to a single
role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A
role is a named list of permissions; each
role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a
binding can also specify a
condition, which is a logical expression that allows access to a resource only if the expression evaluates to
true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the
IAM documentation.
JSON example: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } YAML example: bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the
IAM documentation.
PolicyDelegationConfig allows google-internal teams to use IAP for apps hosted in a tenant project. Using these settings, the app can delegate permission check to happen against the linked customer project. This is only ever supposed to be used by google internal teams, hence the restriction on the proto.
An internal name for an IAM policy, based on the resource to which the policy applies. Not to be confused with a resource’s external full resource name. For more information on this distinction, see go/iam-full-resource-names.
Constructs a new OAuth brand for the project if one does not exist. The created brand is “internal only”, meaning that OAuth clients created under it only accept requests from users who belong to the same Google Workspace organization as the project. The brand is created in an un-reviewed status. NOTE: The “internal only” status can be manually changed in the Google Cloud Console. Requires that a brand does not already exist for the project, and that the specified support email is owned by the caller.
Retrieves the OAuth brand of the project.
Creates an Identity Aware Proxy (IAP) OAuth client. The client is owned by IAP. Requires that the brand for the project exists and that it is set for internal-only use.
Deletes an Identity Aware Proxy (IAP) OAuth client. Useful for removing obsolete clients, managing the number of clients in a given project, and cleaning up after tests. Requires that the client is owned by IAP.
Retrieves an Identity Aware Proxy (IAP) OAuth client. Requires that the client is owned by IAP.
Lists the existing clients for the brand.
Resets an Identity Aware Proxy (IAP) OAuth client secret. Useful if the secret was compromised. Requires that the client is owned by IAP.
Lists the existing brands for the project.
Creates a new TunnelDestGroup.
Deletes a TunnelDestGroup.
Retrieves an existing TunnelDestGroup.
Lists the existing TunnelDestGroups. To group across all locations, use a - as the location ID. For example: /v1/projects/123/iap_tunnel/locations/-/destGroups
Updates a TunnelDestGroup.
A builder providing access to all methods supported on
project resources.
It is not used directly, but through the
CloudIAP hub.
Configuration for IAP reauthentication policies.
The request sent to ResetIdentityAwareProxyClientSecret.
There is no detailed description.
Request message for SetIamPolicy method.
Request message for TestIamPermissions method.
Response message for TestIamPermissions method.
A TunnelDestGroup.
API requires a return message, but currently all response strings will fit in the status and public message. In the future, this response can hold AST validation info.