kpt-grpc-demo/google/iam/v1/policy.proto

// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.iam.v1;

import "google/type/expr.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Iam.V1";
option go_package = "google.golang.org/genproto/googleapis/iam/v1;iam";
option java_multiple_files = true;
option java_outer_classname = "PolicyProto";
option java_package = "com.google.iam.v1";
option php_namespace = "Google\\Cloud\\Iam\\V1";

// An Identity and Access Management (IAM) policy, which specifies access
// controls for Google Cloud resources.
//
//
// A `Policy` is a collection of `bindings`. A `binding` binds one or more
// `members`, or principals, to a single `role`. Principals can be user
// accounts, service accounts, Google groups, and domains (such as G Suite). A
// `role` is a named list of permissions; each `role` can be an IAM predefined
// role or a user-created custom role.
//
// For some types of Google Cloud resources, a `binding` can also specify a
// `condition`, which is a logical expression that allows access to a resource
// only if the expression evaluates to `true`. A condition can add constraints
// based on attributes of the request, the resource, or both. To learn which
// resources support conditions in their IAM policies, see the
// [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
//
// **JSON example:**
//
//     {
//       "bindings": [
//         {
//           "role": "roles/resourcemanager.organizationAdmin",
//           "members": [
//             "user:mike@example.com",
//             "group:admins@example.com",
//             "domain:google.com",
//             "serviceAccount:my-project-id@appspot.gserviceaccount.com"
//           ]
//         },
//         {
//           "role": "roles/resourcemanager.organizationViewer",
//           "members": [
//             "user:eve@example.com"
//           ],
//           "condition": {
//             "title": "expirable access",
//             "description": "Does not grant access after Sep 2020",
//             "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
//           }
//         }
//       ],
//       "etag": "BwWWja0YfJA=",
//       "version": 3
//     }
//
// **YAML example:**
//
//     bindings:
//     - members:
//       - user:mike@example.com
//       - group:admins@example.com
//       - domain:google.com
//       - serviceAccount:my-project-id@appspot.gserviceaccount.com
//       role: roles/resourcemanager.organizationAdmin
//     - members:
//       - user:eve@example.com
//       role: roles/resourcemanager.organizationViewer
//       condition:
//         title: expirable access
//         description: Does not grant access after Sep 2020
//         expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
//     etag: BwWWja0YfJA=
//     version: 3
//
// For a description of IAM and its features, see the
// [IAM documentation](https://cloud.google.com/iam/docs/).
message Policy {
  // Specifies the format of the policy.
  //
  // Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
  // are rejected.
  //
  // Any operation that affects conditional role bindings must specify version
  // `3`. This requirement applies to the following operations:
  //
  // * Getting a policy that includes a conditional role binding
  // * Adding a conditional role binding to a policy
  // * Changing a conditional role binding in a policy
  // * Removing any role binding, with or without a condition, from a policy
  //   that includes conditions
  //
  // **Important:** If you use IAM Conditions, you must include the `etag` field
  // whenever you call `setIamPolicy`. If you omit this field, then IAM allows
  // you to overwrite a version `3` policy with a version `1` policy, and all of
  // the conditions in the version `3` policy are lost.
  //
  // If a policy does not include any conditions, operations on that policy may
  // specify any valid version or leave the field unset.
  //
  // To learn which resources support conditions in their IAM policies, see the
  // [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
  int32 version = 1;

  // Associates a list of `members`, or principals, with a `role`. Optionally,
  // may specify a `condition` that determines how and when the `bindings` are
  // applied. Each of the `bindings` must contain at least one principal.
  //
  // The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
  // of these principals can be Google groups. Each occurrence of a principal
  // counts towards these limits. For example, if the `bindings` grant 50
  // different roles to `user:alice@example.com`, and not to any other
  // principal, then you can add another 1,450 principals to the `bindings` in
  // the `Policy`.
  repeated Binding bindings = 4;

  // Specifies cloud audit logging configuration for this policy.
  repeated AuditConfig audit_configs = 6;

  // `etag` is used for optimistic concurrency control as a way to help
  // prevent simultaneous updates of a policy from overwriting each other.
  // It is strongly suggested that systems make use of the `etag` in the
  // read-modify-write cycle to perform policy updates in order to avoid race
  // conditions: An `etag` is returned in the response to `getIamPolicy`, and
  // systems are expected to put that etag in the request to `setIamPolicy` to
  // ensure that their change will be applied to the same version of the policy.
  //
  // **Important:** If you use IAM Conditions, you must include the `etag` field
  // whenever you call `setIamPolicy`. If you omit this field, then IAM allows
  // you to overwrite a version `3` policy with a version `1` policy, and all of
  // the conditions in the version `3` policy are lost.
  bytes etag = 3;
}

// Associates `members`, or principals, with a `role`.
message Binding {
  // Role that is assigned to the list of `members`, or principals.
  // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
  string role = 1;

  // Specifies the principals requesting access for a Cloud Platform resource.
  // `members` can have the following values:
  //
  // * `allUsers`: A special identifier that represents anyone who is
  //    on the internet; with or without a Google account.
  //
  // * `allAuthenticatedUsers`: A special identifier that represents anyone
  //    who is authenticated with a Google account or a service account.
  //
  // * `user:{emailid}`: An email address that represents a specific Google
  //    account. For example, `alice@example.com` .
  //
  //
  // * `serviceAccount:{emailid}`: An email address that represents a service
  //    account. For example, `my-other-app@appspot.gserviceaccount.com`.
  //
  // * `group:{emailid}`: An email address that represents a Google group.
  //    For example, `admins@example.com`.
  //
  // * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
  //    identifier) representing a user that has been recently deleted. For
  //    example, `alice@example.com?uid=123456789012345678901`. If the user is
  //    recovered, this value reverts to `user:{emailid}` and the recovered user
  //    retains the role in the binding.
  //
  // * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
  //    unique identifier) representing a service account that has been recently
  //    deleted. For example,
  //    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
  //    If the service account is undeleted, this value reverts to
  //    `serviceAccount:{emailid}` and the undeleted service account retains the
  //    role in the binding.
  //
  // * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
  //    identifier) representing a Google group that has been recently
  //    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
  //    the group is recovered, this value reverts to `group:{emailid}` and the
  //    recovered group retains the role in the binding.
  //
  //
  // * `domain:{domain}`: The G Suite domain (primary) that represents all the
  //    users of that domain. For example, `google.com` or `example.com`.
  //
  //
  repeated string members = 2;

  // The condition that is associated with this binding.
  //
  // If the condition evaluates to `true`, then this binding applies to the
  // current request.
  //
  // If the condition evaluates to `false`, then this binding does not apply to
  // the current request. However, a different role binding might grant the same
  // role to one or more of the principals in this binding.
  //
  // To learn which resources support conditions in their IAM policies, see the
  // [IAM
  // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
  google.type.Expr condition = 3;
}

// Specifies the audit configuration for a service.
// The configuration determines which permission types are logged, and what
// identities, if any, are exempted from logging.
// An AuditConfig must have one or more AuditLogConfigs.
//
// If there are AuditConfigs for both `allServices` and a specific service,
// the union of the two AuditConfigs is used for that service: the log_types
// specified in each AuditConfig are enabled, and the exempted_members in each
// AuditLogConfig are exempted.
//
// Example Policy with multiple AuditConfigs:
//
//     {
//       "audit_configs": [
//         {
//           "service": "allServices",
//           "audit_log_configs": [
//             {
//               "log_type": "DATA_READ",
//               "exempted_members": [
//                 "user:jose@example.com"
//               ]
//             },
//             {
//               "log_type": "DATA_WRITE"
//             },
//             {
//               "log_type": "ADMIN_READ"
//             }
//           ]
//         },
//         {
//           "service": "sampleservice.googleapis.com",
//           "audit_log_configs": [
//             {
//               "log_type": "DATA_READ"
//             },
//             {
//               "log_type": "DATA_WRITE",
//               "exempted_members": [
//                 "user:aliya@example.com"
//               ]
//             }
//           ]
//         }
//       ]
//     }
//
// For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
// logging. It also exempts jose@example.com from DATA_READ logging, and
// aliya@example.com from DATA_WRITE logging.
message AuditConfig {
  // Specifies a service that will be enabled for audit logging.
  // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
  // `allServices` is a special value that covers all services.
  string service = 1;

  // The configuration for logging of each type of permission.
  repeated AuditLogConfig audit_log_configs = 3;
}

// Provides the configuration for logging a type of permissions.
// Example:
//
//     {
//       "audit_log_configs": [
//         {
//           "log_type": "DATA_READ",
//           "exempted_members": [
//             "user:jose@example.com"
//           ]
//         },
//         {
//           "log_type": "DATA_WRITE"
//         }
//       ]
//     }
//
// This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
// jose@example.com from DATA_READ logging.
message AuditLogConfig {
  // The list of valid permission types for which logging can be configured.
  // Admin writes are always logged, and are not configurable.
  enum LogType {
    // Default case. Should never be this.
    LOG_TYPE_UNSPECIFIED = 0;

    // Admin reads. Example: CloudIAM getIamPolicy
    ADMIN_READ = 1;

    // Data writes. Example: CloudSQL Users create
    DATA_WRITE = 2;

    // Data reads. Example: CloudSQL Users list
    DATA_READ = 3;
  }

  // The log type that this config enables.
  LogType log_type = 1;

  // Specifies the identities that do not cause logging for this type of
  // permission.
  // Follows the same format of [Binding.members][google.iam.v1.Binding.members].
  repeated string exempted_members = 2;
}

// The difference delta between two policies.
message PolicyDelta {
  // The delta for Bindings between two policies.
  repeated BindingDelta binding_deltas = 1;

  // The delta for AuditConfigs between two policies.
  repeated AuditConfigDelta audit_config_deltas = 2;
}

// One delta entry for Binding. Each individual change (only one member in each
// entry) to a binding will be a separate entry.
message BindingDelta {
  // The type of action performed on a Binding in a policy.
  enum Action {
    // Unspecified.
    ACTION_UNSPECIFIED = 0;

    // Addition of a Binding.
    ADD = 1;

    // Removal of a Binding.
    REMOVE = 2;
  }

  // The action that was performed on a Binding.
  // Required
  Action action = 1;

  // Role that is assigned to `members`.
  // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
  // Required
  string role = 2;

  // A single identity requesting access for a Cloud Platform resource.
  // Follows the same format of Binding.members.
  // Required
  string member = 3;

  // The condition that is associated with this binding.
  google.type.Expr condition = 4;
}

// One delta entry for AuditConfig. Each individual change (only one
// exempted_member in each entry) to a AuditConfig will be a separate entry.
message AuditConfigDelta {
  // The type of action performed on an audit configuration in a policy.
  enum Action {
    // Unspecified.
    ACTION_UNSPECIFIED = 0;

    // Addition of an audit configuration.
    ADD = 1;

    // Removal of an audit configuration.
    REMOVE = 2;
  }

  // The action that was performed on an audit configuration in a policy.
  // Required
  Action action = 1;

  // Specifies a service that was configured for Cloud Audit Logging.
  // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
  // `allServices` is a special value that covers all services.
  // Required
  string service = 2;

  // A single identity that is exempted from "data access" audit
  // logging for the `service` specified above.
  // Follows the same format of Binding.members.
  string exempted_member = 3;

  // Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always
  // enabled, and cannot be configured.
  // Required
  string log_type = 4;
}