xuyiping
/
kpt-grpc-demo


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100
							// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.securitycenter.v1;

option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
option java_multiple_files = true;
option java_outer_classname = "AccessProto";
option java_package = "com.google.cloud.securitycenter.v1";
option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
option ruby_package = "Google::Cloud::SecurityCenter::V1";

// Represents an access event.
message Access {
  // Associated email, such as "foo@google.com".
  //
  // The email address of the authenticated user (or service account on behalf
  // of third party principal) making the request. For third party identity
  // callers, the `principal_subject` field is populated instead of this field.
  // For privacy reasons, the principal email address is sometimes redacted.
  // For more information, see [Caller identities in audit
  // logs](https://cloud.google.com/logging/docs/audit#user-id).
  string principal_email = 1;

  // Caller's IP address, such as "1.1.1.1".
  string caller_ip = 2;

  // The caller IP's geolocation, which identifies where the call came from.
  Geolocation caller_ip_geo = 3;

  // What kind of user agent is associated, e.g. operating system shells,
  // embedded or stand-alone applications, etc.
  string user_agent_family = 4;

  // This is the API service that the service account made a call to, e.g.
  // "iam.googleapis.com"
  string service_name = 5;

  // The method that the service account called, e.g. "SetIamPolicy".
  string method_name = 6;

  // A string representing the principal_subject associated with the identity.
  // As compared to `principal_email`, supports principals that aren't
  // associated with email addresses, such as third party principals. For most
  // identities, the format will be `principal://iam.googleapis.com/{identity
  // pool name}/subjects/{subject}` except for some GKE identities
  // (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy
  // format `serviceAccount:{identity pool name}[{subject}]`
  string principal_subject = 7;

  // The name of the service account key used to create or exchange
  // credentials for authenticating the service account making the request.
  // This is a scheme-less URI full resource name. For example:
  //
  // "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"
  //
  string service_account_key_name = 8;

  // Identity delegation history of an authenticated service account that makes
  // the request. It contains information on the real authorities that try to
  // access GCP resources by delegating on a service account. When multiple
  // authorities are present, they are guaranteed to be sorted based on the
  // original ordering of the identity delegation events.
  repeated ServiceAccountDelegationInfo service_account_delegation_info = 9;
}

// Identity delegation history of an authenticated service account.
message ServiceAccountDelegationInfo {
  // The email address of a Google account.
  string principal_email = 1;

  // A string representing the principal_subject associated with the identity.
  // As compared to `principal_email`, supports principals that aren't
  // associated with email addresses, such as third party principals. For most
  // identities, the format will be `principal://iam.googleapis.com/{identity
  // pool name}/subjects/{subject}` except for some GKE identities
  // (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy
  // format `serviceAccount:{identity pool name}[{subject}]`
  string principal_subject = 2;
}

// Represents a geographical location for a given access.
message Geolocation {
  // A CLDR.
  string region_code = 1;
}