Google Cloud Native is in preview. Google Cloud Classic is fully supported.
google-native.cloudasset/v1.SavedQuery
Explore with Pulumi AI
Google Cloud Native is in preview. Google Cloud Classic is fully supported.
Creates a saved query in a parent project/folder/organization. Auto-naming is currently not supported for this resource.
Create SavedQuery Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SavedQuery(name: string, args: SavedQueryArgs, opts?: CustomResourceOptions);
@overload
def SavedQuery(resource_name: str,
args: SavedQueryArgs,
opts: Optional[ResourceOptions] = None)
@overload
def SavedQuery(resource_name: str,
opts: Optional[ResourceOptions] = None,
saved_query_id: Optional[str] = None,
v1_id: Optional[str] = None,
v1_id1: Optional[str] = None,
content: Optional[QueryContentArgs] = None,
description: Optional[str] = None,
labels: Optional[Mapping[str, str]] = None,
name: Optional[str] = None)
func NewSavedQuery(ctx *Context, name string, args SavedQueryArgs, opts ...ResourceOption) (*SavedQuery, error)
public SavedQuery(string name, SavedQueryArgs args, CustomResourceOptions? opts = null)
public SavedQuery(String name, SavedQueryArgs args)
public SavedQuery(String name, SavedQueryArgs args, CustomResourceOptions options)
type: google-native:cloudasset/v1:SavedQuery
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SavedQueryArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SavedQueryArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SavedQueryArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SavedQueryArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SavedQueryArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var savedQueryResource = new GoogleNative.CloudAsset.V1.SavedQuery("savedQueryResource", new()
{
SavedQueryId = "string",
V1Id = "string",
V1Id1 = "string",
Content = new GoogleNative.CloudAsset.V1.Inputs.QueryContentArgs
{
IamPolicyAnalysisQuery = new GoogleNative.CloudAsset.V1.Inputs.IamPolicyAnalysisQueryArgs
{
Scope = "string",
AccessSelector = new GoogleNative.CloudAsset.V1.Inputs.AccessSelectorArgs
{
Permissions = new[]
{
"string",
},
Roles = new[]
{
"string",
},
},
ConditionContext = new GoogleNative.CloudAsset.V1.Inputs.ConditionContextArgs
{
AccessTime = "string",
},
IdentitySelector = new GoogleNative.CloudAsset.V1.Inputs.IdentitySelectorArgs
{
Identity = "string",
},
Options = new GoogleNative.CloudAsset.V1.Inputs.OptionsArgs
{
AnalyzeServiceAccountImpersonation = false,
ExpandGroups = false,
ExpandResources = false,
ExpandRoles = false,
OutputGroupEdges = false,
OutputResourceEdges = false,
},
ResourceSelector = new GoogleNative.CloudAsset.V1.Inputs.ResourceSelectorArgs
{
FullResourceName = "string",
},
},
},
Description = "string",
Labels =
{
{ "string", "string" },
},
Name = "string",
});
example, err := cloudasset.NewSavedQuery(ctx, "savedQueryResource", &cloudasset.SavedQueryArgs{
SavedQueryId: pulumi.String("string"),
V1Id: pulumi.String("string"),
V1Id1: pulumi.String("string"),
Content: &cloudasset.QueryContentArgs{
IamPolicyAnalysisQuery: &cloudasset.IamPolicyAnalysisQueryArgs{
Scope: pulumi.String("string"),
AccessSelector: &cloudasset.AccessSelectorArgs{
Permissions: pulumi.StringArray{
pulumi.String("string"),
},
Roles: pulumi.StringArray{
pulumi.String("string"),
},
},
ConditionContext: &cloudasset.ConditionContextArgs{
AccessTime: pulumi.String("string"),
},
IdentitySelector: &cloudasset.IdentitySelectorArgs{
Identity: pulumi.String("string"),
},
Options: &cloudasset.OptionsArgs{
AnalyzeServiceAccountImpersonation: pulumi.Bool(false),
ExpandGroups: pulumi.Bool(false),
ExpandResources: pulumi.Bool(false),
ExpandRoles: pulumi.Bool(false),
OutputGroupEdges: pulumi.Bool(false),
OutputResourceEdges: pulumi.Bool(false),
},
ResourceSelector: &cloudasset.ResourceSelectorArgs{
FullResourceName: pulumi.String("string"),
},
},
},
Description: pulumi.String("string"),
Labels: pulumi.StringMap{
"string": pulumi.String("string"),
},
Name: pulumi.String("string"),
})
var savedQueryResource = new SavedQuery("savedQueryResource", SavedQueryArgs.builder()
.savedQueryId("string")
.v1Id("string")
.v1Id1("string")
.content(QueryContentArgs.builder()
.iamPolicyAnalysisQuery(IamPolicyAnalysisQueryArgs.builder()
.scope("string")
.accessSelector(AccessSelectorArgs.builder()
.permissions("string")
.roles("string")
.build())
.conditionContext(ConditionContextArgs.builder()
.accessTime("string")
.build())
.identitySelector(IdentitySelectorArgs.builder()
.identity("string")
.build())
.options(OptionsArgs.builder()
.analyzeServiceAccountImpersonation(false)
.expandGroups(false)
.expandResources(false)
.expandRoles(false)
.outputGroupEdges(false)
.outputResourceEdges(false)
.build())
.resourceSelector(ResourceSelectorArgs.builder()
.fullResourceName("string")
.build())
.build())
.build())
.description("string")
.labels(Map.of("string", "string"))
.name("string")
.build());
saved_query_resource = google_native.cloudasset.v1.SavedQuery("savedQueryResource",
saved_query_id="string",
v1_id="string",
v1_id1="string",
content={
"iam_policy_analysis_query": {
"scope": "string",
"access_selector": {
"permissions": ["string"],
"roles": ["string"],
},
"condition_context": {
"access_time": "string",
},
"identity_selector": {
"identity": "string",
},
"options": {
"analyze_service_account_impersonation": False,
"expand_groups": False,
"expand_resources": False,
"expand_roles": False,
"output_group_edges": False,
"output_resource_edges": False,
},
"resource_selector": {
"full_resource_name": "string",
},
},
},
description="string",
labels={
"string": "string",
},
name="string")
const savedQueryResource = new google_native.cloudasset.v1.SavedQuery("savedQueryResource", {
savedQueryId: "string",
v1Id: "string",
v1Id1: "string",
content: {
iamPolicyAnalysisQuery: {
scope: "string",
accessSelector: {
permissions: ["string"],
roles: ["string"],
},
conditionContext: {
accessTime: "string",
},
identitySelector: {
identity: "string",
},
options: {
analyzeServiceAccountImpersonation: false,
expandGroups: false,
expandResources: false,
expandRoles: false,
outputGroupEdges: false,
outputResourceEdges: false,
},
resourceSelector: {
fullResourceName: "string",
},
},
},
description: "string",
labels: {
string: "string",
},
name: "string",
});
type: google-native:cloudasset/v1:SavedQuery
properties:
content:
iamPolicyAnalysisQuery:
accessSelector:
permissions:
- string
roles:
- string
conditionContext:
accessTime: string
identitySelector:
identity: string
options:
analyzeServiceAccountImpersonation: false
expandGroups: false
expandResources: false
expandRoles: false
outputGroupEdges: false
outputResourceEdges: false
resourceSelector:
fullResourceName: string
scope: string
description: string
labels:
string: string
name: string
savedQueryId: string
v1Id: string
v1Id1: string
SavedQuery Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SavedQuery resource accepts the following input properties:
- Saved
Query stringId - Required. The ID to use for the saved query, which must be unique in the specified parent. It will become the final component of the saved query's resource name. This value should be 4-63 characters, and valid characters are
a-z-
. Notice that this field is required in the saved query creation, and thename
field of thesaved_query
will be ignored. - V1Id string
- V1Id1 string
- Content
Pulumi.
Google Native. Cloud Asset. V1. Inputs. Query Content - The query content.
- Description string
- The description of this saved query. This value should be fewer than 255 characters.
- Labels Dictionary<string, string>
- Labels applied on the resource. This value should not contain more than 10 entries. The key and value of each entry must be non-empty and fewer than 64 characters.
- Name string
- The resource name of the saved query. The format must be: * projects/project_number/savedQueries/saved_query_id * folders/folder_number/savedQueries/saved_query_id * organizations/organization_number/savedQueries/saved_query_id
- Saved
Query stringId - Required. The ID to use for the saved query, which must be unique in the specified parent. It will become the final component of the saved query's resource name. This value should be 4-63 characters, and valid characters are
a-z-
. Notice that this field is required in the saved query creation, and thename
field of thesaved_query
will be ignored. - V1Id string
- V1Id1 string
- Content
Query
Content Args - The query content.
- Description string
- The description of this saved query. This value should be fewer than 255 characters.
- Labels map[string]string
- Labels applied on the resource. This value should not contain more than 10 entries. The key and value of each entry must be non-empty and fewer than 64 characters.
- Name string
- The resource name of the saved query. The format must be: * projects/project_number/savedQueries/saved_query_id * folders/folder_number/savedQueries/saved_query_id * organizations/organization_number/savedQueries/saved_query_id
- saved
Query StringId - Required. The ID to use for the saved query, which must be unique in the specified parent. It will become the final component of the saved query's resource name. This value should be 4-63 characters, and valid characters are
a-z-
. Notice that this field is required in the saved query creation, and thename
field of thesaved_query
will be ignored. - v1Id String
- v1Id1 String
- content
Query
Content - The query content.
- description String
- The description of this saved query. This value should be fewer than 255 characters.
- labels Map<String,String>
- Labels applied on the resource. This value should not contain more than 10 entries. The key and value of each entry must be non-empty and fewer than 64 characters.
- name String
- The resource name of the saved query. The format must be: * projects/project_number/savedQueries/saved_query_id * folders/folder_number/savedQueries/saved_query_id * organizations/organization_number/savedQueries/saved_query_id
- saved
Query stringId - Required. The ID to use for the saved query, which must be unique in the specified parent. It will become the final component of the saved query's resource name. This value should be 4-63 characters, and valid characters are
a-z-
. Notice that this field is required in the saved query creation, and thename
field of thesaved_query
will be ignored. - v1Id string
- v1Id1 string
- content
Query
Content - The query content.
- description string
- The description of this saved query. This value should be fewer than 255 characters.
- labels {[key: string]: string}
- Labels applied on the resource. This value should not contain more than 10 entries. The key and value of each entry must be non-empty and fewer than 64 characters.
- name string
- The resource name of the saved query. The format must be: * projects/project_number/savedQueries/saved_query_id * folders/folder_number/savedQueries/saved_query_id * organizations/organization_number/savedQueries/saved_query_id
- saved_
query_ strid - Required. The ID to use for the saved query, which must be unique in the specified parent. It will become the final component of the saved query's resource name. This value should be 4-63 characters, and valid characters are
a-z-
. Notice that this field is required in the saved query creation, and thename
field of thesaved_query
will be ignored. - v1_
id str - v1_
id1 str - content
Query
Content Args - The query content.
- description str
- The description of this saved query. This value should be fewer than 255 characters.
- labels Mapping[str, str]
- Labels applied on the resource. This value should not contain more than 10 entries. The key and value of each entry must be non-empty and fewer than 64 characters.
- name str
- The resource name of the saved query. The format must be: * projects/project_number/savedQueries/saved_query_id * folders/folder_number/savedQueries/saved_query_id * organizations/organization_number/savedQueries/saved_query_id
- saved
Query StringId - Required. The ID to use for the saved query, which must be unique in the specified parent. It will become the final component of the saved query's resource name. This value should be 4-63 characters, and valid characters are
a-z-
. Notice that this field is required in the saved query creation, and thename
field of thesaved_query
will be ignored. - v1Id String
- v1Id1 String
- content Property Map
- The query content.
- description String
- The description of this saved query. This value should be fewer than 255 characters.
- labels Map<String>
- Labels applied on the resource. This value should not contain more than 10 entries. The key and value of each entry must be non-empty and fewer than 64 characters.
- name String
- The resource name of the saved query. The format must be: * projects/project_number/savedQueries/saved_query_id * folders/folder_number/savedQueries/saved_query_id * organizations/organization_number/savedQueries/saved_query_id
Outputs
All input properties are implicitly available as output properties. Additionally, the SavedQuery resource produces the following output properties:
- Create
Time string - The create time of this saved query.
- Creator string
- The account's email address who has created this saved query.
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Update stringTime - The last update time of this saved query.
- Last
Updater string - The account's email address who has updated this saved query most recently.
- Create
Time string - The create time of this saved query.
- Creator string
- The account's email address who has created this saved query.
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Update stringTime - The last update time of this saved query.
- Last
Updater string - The account's email address who has updated this saved query most recently.
- create
Time String - The create time of this saved query.
- creator String
- The account's email address who has created this saved query.
- id String
- The provider-assigned unique ID for this managed resource.
- last
Update StringTime - The last update time of this saved query.
- last
Updater String - The account's email address who has updated this saved query most recently.
- create
Time string - The create time of this saved query.
- creator string
- The account's email address who has created this saved query.
- id string
- The provider-assigned unique ID for this managed resource.
- last
Update stringTime - The last update time of this saved query.
- last
Updater string - The account's email address who has updated this saved query most recently.
- create_
time str - The create time of this saved query.
- creator str
- The account's email address who has created this saved query.
- id str
- The provider-assigned unique ID for this managed resource.
- last_
update_ strtime - The last update time of this saved query.
- last_
updater str - The account's email address who has updated this saved query most recently.
- create
Time String - The create time of this saved query.
- creator String
- The account's email address who has created this saved query.
- id String
- The provider-assigned unique ID for this managed resource.
- last
Update StringTime - The last update time of this saved query.
- last
Updater String - The account's email address who has updated this saved query most recently.
Supporting Types
AccessSelector, AccessSelectorArgs
- Permissions List<string>
- Optional. The permissions to appear in result.
- Roles List<string>
- Optional. The roles to appear in result.
- Permissions []string
- Optional. The permissions to appear in result.
- Roles []string
- Optional. The roles to appear in result.
- permissions List<String>
- Optional. The permissions to appear in result.
- roles List<String>
- Optional. The roles to appear in result.
- permissions string[]
- Optional. The permissions to appear in result.
- roles string[]
- Optional. The roles to appear in result.
- permissions Sequence[str]
- Optional. The permissions to appear in result.
- roles Sequence[str]
- Optional. The roles to appear in result.
- permissions List<String>
- Optional. The permissions to appear in result.
- roles List<String>
- Optional. The roles to appear in result.
AccessSelectorResponse, AccessSelectorResponseArgs
- Permissions List<string>
- Optional. The permissions to appear in result.
- Roles List<string>
- Optional. The roles to appear in result.
- Permissions []string
- Optional. The permissions to appear in result.
- Roles []string
- Optional. The roles to appear in result.
- permissions List<String>
- Optional. The permissions to appear in result.
- roles List<String>
- Optional. The roles to appear in result.
- permissions string[]
- Optional. The permissions to appear in result.
- roles string[]
- Optional. The roles to appear in result.
- permissions Sequence[str]
- Optional. The permissions to appear in result.
- roles Sequence[str]
- Optional. The roles to appear in result.
- permissions List<String>
- Optional. The permissions to appear in result.
- roles List<String>
- Optional. The roles to appear in result.
ConditionContext, ConditionContextArgs
- Access
Time string - The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
- Access
Time string - The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
- access
Time String - The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
- access
Time string - The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
- access_
time str - The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
- access
Time String - The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
ConditionContextResponse, ConditionContextResponseArgs
- Access
Time string - The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
- Access
Time string - The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
- access
Time String - The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
- access
Time string - The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
- access_
time str - The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
- access
Time String - The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
IamPolicyAnalysisQuery, IamPolicyAnalysisQueryArgs
- Scope string
- The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit here . To know how to get folder or project id, visit here .
- Access
Selector Pulumi.Google Native. Cloud Asset. V1. Inputs. Access Selector - Optional. Specifies roles or permissions for analysis. This is optional.
- Condition
Context Pulumi.Google Native. Cloud Asset. V1. Inputs. Condition Context - Optional. The hypothetical context for IAM conditions evaluation.
- Identity
Selector Pulumi.Google Native. Cloud Asset. V1. Inputs. Identity Selector - Optional. Specifies an identity for analysis.
- Options
Pulumi.
Google Native. Cloud Asset. V1. Inputs. Options - Optional. The query options.
- Resource
Selector Pulumi.Google Native. Cloud Asset. V1. Inputs. Resource Selector - Optional. Specifies a resource for analysis.
- Scope string
- The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit here . To know how to get folder or project id, visit here .
- Access
Selector AccessSelector - Optional. Specifies roles or permissions for analysis. This is optional.
- Condition
Context ConditionContext - Optional. The hypothetical context for IAM conditions evaluation.
- Identity
Selector IdentitySelector - Optional. Specifies an identity for analysis.
- Options Options
- Optional. The query options.
- Resource
Selector ResourceSelector - Optional. Specifies a resource for analysis.
- scope String
- The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit here . To know how to get folder or project id, visit here .
- access
Selector AccessSelector - Optional. Specifies roles or permissions for analysis. This is optional.
- condition
Context ConditionContext - Optional. The hypothetical context for IAM conditions evaluation.
- identity
Selector IdentitySelector - Optional. Specifies an identity for analysis.
- options Options
- Optional. The query options.
- resource
Selector ResourceSelector - Optional. Specifies a resource for analysis.
- scope string
- The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit here . To know how to get folder or project id, visit here .
- access
Selector AccessSelector - Optional. Specifies roles or permissions for analysis. This is optional.
- condition
Context ConditionContext - Optional. The hypothetical context for IAM conditions evaluation.
- identity
Selector IdentitySelector - Optional. Specifies an identity for analysis.
- options Options
- Optional. The query options.
- resource
Selector ResourceSelector - Optional. Specifies a resource for analysis.
- scope str
- The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit here . To know how to get folder or project id, visit here .
- access_
selector AccessSelector - Optional. Specifies roles or permissions for analysis. This is optional.
- condition_
context ConditionContext - Optional. The hypothetical context for IAM conditions evaluation.
- identity_
selector IdentitySelector - Optional. Specifies an identity for analysis.
- options Options
- Optional. The query options.
- resource_
selector ResourceSelector - Optional. Specifies a resource for analysis.
- scope String
- The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit here . To know how to get folder or project id, visit here .
- access
Selector Property Map - Optional. Specifies roles or permissions for analysis. This is optional.
- condition
Context Property Map - Optional. The hypothetical context for IAM conditions evaluation.
- identity
Selector Property Map - Optional. Specifies an identity for analysis.
- options Property Map
- Optional. The query options.
- resource
Selector Property Map - Optional. Specifies a resource for analysis.
IamPolicyAnalysisQueryResponse, IamPolicyAnalysisQueryResponseArgs
- Access
Selector Pulumi.Google Native. Cloud Asset. V1. Inputs. Access Selector Response - Optional. Specifies roles or permissions for analysis. This is optional.
- Condition
Context Pulumi.Google Native. Cloud Asset. V1. Inputs. Condition Context Response - Optional. The hypothetical context for IAM conditions evaluation.
- Identity
Selector Pulumi.Google Native. Cloud Asset. V1. Inputs. Identity Selector Response - Optional. Specifies an identity for analysis.
- Options
Pulumi.
Google Native. Cloud Asset. V1. Inputs. Options Response - Optional. The query options.
- Resource
Selector Pulumi.Google Native. Cloud Asset. V1. Inputs. Resource Selector Response - Optional. Specifies a resource for analysis.
- Scope string
- The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit here . To know how to get folder or project id, visit here .
- Access
Selector AccessSelector Response - Optional. Specifies roles or permissions for analysis. This is optional.
- Condition
Context ConditionContext Response - Optional. The hypothetical context for IAM conditions evaluation.
- Identity
Selector IdentitySelector Response - Optional. Specifies an identity for analysis.
- Options
Options
Response - Optional. The query options.
- Resource
Selector ResourceSelector Response - Optional. Specifies a resource for analysis.
- Scope string
- The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit here . To know how to get folder or project id, visit here .
- access
Selector AccessSelector Response - Optional. Specifies roles or permissions for analysis. This is optional.
- condition
Context ConditionContext Response - Optional. The hypothetical context for IAM conditions evaluation.
- identity
Selector IdentitySelector Response - Optional. Specifies an identity for analysis.
- options
Options
Response - Optional. The query options.
- resource
Selector ResourceSelector Response - Optional. Specifies a resource for analysis.
- scope String
- The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit here . To know how to get folder or project id, visit here .
- access
Selector AccessSelector Response - Optional. Specifies roles or permissions for analysis. This is optional.
- condition
Context ConditionContext Response - Optional. The hypothetical context for IAM conditions evaluation.
- identity
Selector IdentitySelector Response - Optional. Specifies an identity for analysis.
- options
Options
Response - Optional. The query options.
- resource
Selector ResourceSelector Response - Optional. Specifies a resource for analysis.
- scope string
- The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit here . To know how to get folder or project id, visit here .
- access_
selector AccessSelector Response - Optional. Specifies roles or permissions for analysis. This is optional.
- condition_
context ConditionContext Response - Optional. The hypothetical context for IAM conditions evaluation.
- identity_
selector IdentitySelector Response - Optional. Specifies an identity for analysis.
- options
Options
Response - Optional. The query options.
- resource_
selector ResourceSelector Response - Optional. Specifies a resource for analysis.
- scope str
- The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit here . To know how to get folder or project id, visit here .
- access
Selector Property Map - Optional. Specifies roles or permissions for analysis. This is optional.
- condition
Context Property Map - Optional. The hypothetical context for IAM conditions evaluation.
- identity
Selector Property Map - Optional. Specifies an identity for analysis.
- options Property Map
- Optional. The query options.
- resource
Selector Property Map - Optional. Specifies a resource for analysis.
- scope String
- The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit here . To know how to get folder or project id, visit here .
IdentitySelector, IdentitySelectorArgs
- Identity string
- The identity appear in the form of principals in IAM policy binding. The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
- Identity string
- The identity appear in the form of principals in IAM policy binding. The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
- identity String
- The identity appear in the form of principals in IAM policy binding. The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
- identity string
- The identity appear in the form of principals in IAM policy binding. The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
- identity str
- The identity appear in the form of principals in IAM policy binding. The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
- identity String
- The identity appear in the form of principals in IAM policy binding. The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
IdentitySelectorResponse, IdentitySelectorResponseArgs
- Identity string
- The identity appear in the form of principals in IAM policy binding. The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
- Identity string
- The identity appear in the form of principals in IAM policy binding. The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
- identity String
- The identity appear in the form of principals in IAM policy binding. The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
- identity string
- The identity appear in the form of principals in IAM policy binding. The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
- identity str
- The identity appear in the form of principals in IAM policy binding. The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
- identity String
- The identity appear in the form of principals in IAM policy binding. The examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
Options, OptionsArgs
- Analyze
Service boolAccount Impersonation - Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a Google Cloud folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: *
iam.serviceAccounts.actAs
*iam.serviceAccounts.signBlob
*iam.serviceAccounts.signJwt
*iam.serviceAccounts.getAccessToken
*iam.serviceAccounts.getOpenIdToken
*iam.serviceAccounts.implicitDelegation
Default is false. - Expand
Groups bool - Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.
- Expand
Resources bool - Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.
- Expand
Roles bool - Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.
- Output
Group boolEdges - Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
- Output
Resource boolEdges - Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
- Analyze
Service boolAccount Impersonation - Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a Google Cloud folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: *
iam.serviceAccounts.actAs
*iam.serviceAccounts.signBlob
*iam.serviceAccounts.signJwt
*iam.serviceAccounts.getAccessToken
*iam.serviceAccounts.getOpenIdToken
*iam.serviceAccounts.implicitDelegation
Default is false. - Expand
Groups bool - Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.
- Expand
Resources bool - Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.
- Expand
Roles bool - Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.
- Output
Group boolEdges - Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
- Output
Resource boolEdges - Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
- analyze
Service BooleanAccount Impersonation - Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a Google Cloud folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: *
iam.serviceAccounts.actAs
*iam.serviceAccounts.signBlob
*iam.serviceAccounts.signJwt
*iam.serviceAccounts.getAccessToken
*iam.serviceAccounts.getOpenIdToken
*iam.serviceAccounts.implicitDelegation
Default is false. - expand
Groups Boolean - Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.
- expand
Resources Boolean - Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.
- expand
Roles Boolean - Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.
- output
Group BooleanEdges - Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
- output
Resource BooleanEdges - Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
- analyze
Service booleanAccount Impersonation - Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a Google Cloud folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: *
iam.serviceAccounts.actAs
*iam.serviceAccounts.signBlob
*iam.serviceAccounts.signJwt
*iam.serviceAccounts.getAccessToken
*iam.serviceAccounts.getOpenIdToken
*iam.serviceAccounts.implicitDelegation
Default is false. - expand
Groups boolean - Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.
- expand
Resources boolean - Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.
- expand
Roles boolean - Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.
- output
Group booleanEdges - Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
- output
Resource booleanEdges - Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
- analyze_
service_ boolaccount_ impersonation - Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a Google Cloud folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: *
iam.serviceAccounts.actAs
*iam.serviceAccounts.signBlob
*iam.serviceAccounts.signJwt
*iam.serviceAccounts.getAccessToken
*iam.serviceAccounts.getOpenIdToken
*iam.serviceAccounts.implicitDelegation
Default is false. - expand_
groups bool - Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.
- expand_
resources bool - Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.
- expand_
roles bool - Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.
- output_
group_ booledges - Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
- output_
resource_ booledges - Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
- analyze
Service BooleanAccount Impersonation - Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a Google Cloud folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: *
iam.serviceAccounts.actAs
*iam.serviceAccounts.signBlob
*iam.serviceAccounts.signJwt
*iam.serviceAccounts.getAccessToken
*iam.serviceAccounts.getOpenIdToken
*iam.serviceAccounts.implicitDelegation
Default is false. - expand
Groups Boolean - Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.
- expand
Resources Boolean - Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.
- expand
Roles Boolean - Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.
- output
Group BooleanEdges - Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
- output
Resource BooleanEdges - Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
OptionsResponse, OptionsResponseArgs
- Analyze
Service boolAccount Impersonation - Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a Google Cloud folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: *
iam.serviceAccounts.actAs
*iam.serviceAccounts.signBlob
*iam.serviceAccounts.signJwt
*iam.serviceAccounts.getAccessToken
*iam.serviceAccounts.getOpenIdToken
*iam.serviceAccounts.implicitDelegation
Default is false. - Expand
Groups bool - Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.
- Expand
Resources bool - Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.
- Expand
Roles bool - Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.
- Output
Group boolEdges - Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
- Output
Resource boolEdges - Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
- Analyze
Service boolAccount Impersonation - Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a Google Cloud folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: *
iam.serviceAccounts.actAs
*iam.serviceAccounts.signBlob
*iam.serviceAccounts.signJwt
*iam.serviceAccounts.getAccessToken
*iam.serviceAccounts.getOpenIdToken
*iam.serviceAccounts.implicitDelegation
Default is false. - Expand
Groups bool - Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.
- Expand
Resources bool - Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.
- Expand
Roles bool - Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.
- Output
Group boolEdges - Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
- Output
Resource boolEdges - Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
- analyze
Service BooleanAccount Impersonation - Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a Google Cloud folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: *
iam.serviceAccounts.actAs
*iam.serviceAccounts.signBlob
*iam.serviceAccounts.signJwt
*iam.serviceAccounts.getAccessToken
*iam.serviceAccounts.getOpenIdToken
*iam.serviceAccounts.implicitDelegation
Default is false. - expand
Groups Boolean - Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.
- expand
Resources Boolean - Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.
- expand
Roles Boolean - Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.
- output
Group BooleanEdges - Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
- output
Resource BooleanEdges - Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
- analyze
Service booleanAccount Impersonation - Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a Google Cloud folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: *
iam.serviceAccounts.actAs
*iam.serviceAccounts.signBlob
*iam.serviceAccounts.signJwt
*iam.serviceAccounts.getAccessToken
*iam.serviceAccounts.getOpenIdToken
*iam.serviceAccounts.implicitDelegation
Default is false. - expand
Groups boolean - Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.
- expand
Resources boolean - Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.
- expand
Roles boolean - Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.
- output
Group booleanEdges - Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
- output
Resource booleanEdges - Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
- analyze_
service_ boolaccount_ impersonation - Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a Google Cloud folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: *
iam.serviceAccounts.actAs
*iam.serviceAccounts.signBlob
*iam.serviceAccounts.signJwt
*iam.serviceAccounts.getAccessToken
*iam.serviceAccounts.getOpenIdToken
*iam.serviceAccounts.implicitDelegation
Default is false. - expand_
groups bool - Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.
- expand_
resources bool - Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.
- expand_
roles bool - Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.
- output_
group_ booledges - Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
- output_
resource_ booledges - Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
- analyze
Service BooleanAccount Impersonation - Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a Google Cloud folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: *
iam.serviceAccounts.actAs
*iam.serviceAccounts.signBlob
*iam.serviceAccounts.signJwt
*iam.serviceAccounts.getAccessToken
*iam.serviceAccounts.getOpenIdToken
*iam.serviceAccounts.implicitDelegation
Default is false. - expand
Groups Boolean - Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.
- expand
Resources Boolean - Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.
- expand
Roles Boolean - Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.
- output
Group BooleanEdges - Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
- output
Resource BooleanEdges - Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
QueryContent, QueryContentArgs
- Iam
Policy Pulumi.Analysis Query Google Native. Cloud Asset. V1. Inputs. Iam Policy Analysis Query - An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
- Iam
Policy IamAnalysis Query Policy Analysis Query - An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
- iam
Policy IamAnalysis Query Policy Analysis Query - An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
- iam
Policy IamAnalysis Query Policy Analysis Query - An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
- iam_
policy_ Iamanalysis_ query Policy Analysis Query - An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
- iam
Policy Property MapAnalysis Query - An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
QueryContentResponse, QueryContentResponseArgs
- Iam
Policy Pulumi.Analysis Query Google Native. Cloud Asset. V1. Inputs. Iam Policy Analysis Query Response - An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
- Iam
Policy IamAnalysis Query Policy Analysis Query Response - An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
- iam
Policy IamAnalysis Query Policy Analysis Query Response - An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
- iam
Policy IamAnalysis Query Policy Analysis Query Response - An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
- iam_
policy_ Iamanalysis_ query Policy Analysis Query Response - An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
- iam
Policy Property MapAnalysis Query - An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
ResourceSelector, ResourceSelectorArgs
- Full
Resource stringName - The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
- Full
Resource stringName - The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
- full
Resource StringName - The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
- full
Resource stringName - The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
- full_
resource_ strname - The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
- full
Resource StringName - The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
ResourceSelectorResponse, ResourceSelectorResponseArgs
- Full
Resource stringName - The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
- Full
Resource stringName - The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
- full
Resource StringName - The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
- full
Resource stringName - The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
- full_
resource_ strname - The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
- full
Resource StringName - The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
Package Details
- Repository
- Google Cloud Native pulumi/pulumi-google-native
- License
- Apache-2.0
Google Cloud Native is in preview. Google Cloud Classic is fully supported.