Classes
AccessContextManager
API for setting [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] and [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] for Google Cloud Projects. Each organization has one [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] containing the [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] and [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]. This [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] is applicable to all resources in the organization. AccessPolicies
AccessContextManager.AccessContextManagerBase
Base class for server-side implementations of AccessContextManager
AccessContextManager.AccessContextManagerClient
Client for AccessContextManager
AccessContextManagerClient
AccessContextManager client wrapper, for convenient use.
AccessContextManagerClientBuilder
Builder class for AccessContextManagerClient to provide simple configuration of credentials, endpoint etc.
AccessContextManagerClientImpl
AccessContextManager client wrapper implementation, for convenient use.
AccessContextManagerOperationMetadata
Metadata of Access Context Manager's Long Running Operations.
AccessContextManagerSettings
Settings for AccessContextManagerClient instances.
AccessLevel
An AccessLevel
is a label that can be applied to requests to Google Cloud
services, along with a list of requirements necessary for the label to be
applied.
AccessLevelName
Resource name for the AccessLevel
resource.
AccessPolicy
AccessPolicy
is a container for AccessLevels
(which define the necessary
attributes to use Google Cloud services) and ServicePerimeters
(which
define regions of services able to freely pass data within a perimeter). An
access policy is globally visible within an organization, and the
restrictions it specifies apply to all projects within an organization.
AccessPolicyName
Resource name for the AccessPolicy
resource.
BasicLevel
BasicLevel
is an AccessLevel
using a set of recommended features.
BasicLevel.Types
Container for nested types declared in the BasicLevel message type.
CommitServicePerimetersRequest
A request to commit dry-run specs in all [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] belonging to an [Access Policy][google.identity.accesscontextmanager.v1.AccessPolicy].
CommitServicePerimetersResponse
A response to CommitServicePerimetersRequest. This will be put inside of Operation.response field.
Condition
A condition necessary for an AccessLevel
to be granted. The Condition is an
AND over its fields. So a Condition is true if: 1) the request IP is from one
of the listed subnetworks AND 2) the originating device complies with the
listed device policy AND 3) all listed access levels are granted AND 4) the
request was sent at a time allowed by the DateTimeRestriction.
CreateAccessLevelRequest
A request to create an AccessLevel
.
CreateGcpUserAccessBindingRequest
Request of [CreateGcpUserAccessBinding] [google.identity.accesscontextmanager.v1.AccessContextManager.CreateGcpUserAccessBinding].
CreateServicePerimeterRequest
A request to create a ServicePerimeter
.
CustomLevel
CustomLevel
is an AccessLevel
using the Cloud Common Expression Language
to represent the necessary conditions for the level to apply to a request.
See CEL spec at: https://github.com/google/cel-spec
DeleteAccessLevelRequest
A request to delete an AccessLevel
.
DeleteAccessPolicyRequest
A request to delete an AccessPolicy
.
DeleteGcpUserAccessBindingRequest
Request of [DeleteGcpUserAccessBinding] [google.identity.accesscontextmanager.v1.AccessContextManager.DeleteGcpUserAccessBinding].
DeleteServicePerimeterRequest
A request to delete a ServicePerimeter
.
DevicePolicy
DevicePolicy
specifies device specific restrictions necessary to acquire a
given access level. A DevicePolicy
specifies requirements for requests from
devices to be granted access levels, it does not do any enforcement on the
device. DevicePolicy
acts as an AND over all specified fields, and each
repeated field is an OR over its elements. Any unset fields are ignored. For
example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :
DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be
true for requests originating from encrypted Linux desktops and encrypted
Windows desktops.
GcpUserAccessBinding
Restricts access to Cloud Console and Google Cloud APIs for a set of users using Context-Aware Access.
GcpUserAccessBindingName
Resource name for the GcpUserAccessBinding
resource.
GcpUserAccessBindingOperationMetadata
Currently, a completed operation means nothing. In the future, this metadata and a completed operation may indicate that the binding has taken effect and is affecting access decisions for all users.
GetAccessLevelRequest
A request to get a particular AccessLevel
.
GetAccessPolicyRequest
A request to get a particular AccessPolicy
.
GetGcpUserAccessBindingRequest
Request of [GetGcpUserAccessBinding] [google.identity.accesscontextmanager.v1.AccessContextManager.GetGcpUserAccessBinding].
GetServicePerimeterRequest
A request to get a particular ServicePerimeter
.
ListAccessLevelsRequest
A request to list all AccessLevels
in an AccessPolicy
.
ListAccessLevelsResponse
A response to ListAccessLevelsRequest
.
ListAccessPoliciesRequest
A request to list all AccessPolicies
for a container.
ListAccessPoliciesResponse
A response to ListAccessPoliciesRequest
.
ListGcpUserAccessBindingsRequest
Request of [ListGcpUserAccessBindings] [google.identity.accesscontextmanager.v1.AccessContextManager.ListGcpUserAccessBindings].
ListGcpUserAccessBindingsResponse
Response of [ListGcpUserAccessBindings] [google.identity.accesscontextmanager.v1.AccessContextManager.ListGcpUserAccessBindings].
ListServicePerimetersRequest
A request to list all ServicePerimeters
in an AccessPolicy
.
ListServicePerimetersResponse
A response to ListServicePerimetersRequest
.
OsConstraint
A restriction on the OS type and version of devices making requests.
ReplaceAccessLevelsRequest
A request to replace all existing Access Levels in an Access Policy with the Access Levels provided. This is done atomically.
ReplaceAccessLevelsResponse
A response to ReplaceAccessLevelsRequest. This will be put inside of Operation.response field.
ReplaceServicePerimetersRequest
A request to replace all existing Service Perimeters in an Access Policy with the Service Perimeters provided. This is done atomically.
ReplaceServicePerimetersResponse
A response to ReplaceServicePerimetersRequest. This will be put inside of Operation.response field.
ServicePerimeter
ServicePerimeter
describes a set of Google Cloud resources which can freely
import and export data amongst themselves, but not export outside of the
ServicePerimeter
. If a request with a source within this ServicePerimeter
has a target outside of the ServicePerimeter
, the request will be blocked.
Otherwise the request is allowed. There are two types of Service Perimeter -
Regular and Bridge. Regular Service Perimeters cannot overlap, a single
Google Cloud project can only belong to a single regular Service Perimeter.
Service Perimeter Bridges can contain only Google Cloud projects as members,
a single Google Cloud project may belong to multiple Service Perimeter
Bridges.
ServicePerimeter.Types
Container for nested types declared in the ServicePerimeter message type.
ServicePerimeterConfig
ServicePerimeterConfig
specifies a set of Google Cloud resources that
describe specific Service Perimeter configuration.
ServicePerimeterConfig.Types
Container for nested types declared in the ServicePerimeterConfig message type.
ServicePerimeterConfig.Types.ApiOperation
Identification for an API Operation.
ServicePerimeterConfig.Types.EgressFrom
Defines the conditions under which an [EgressPolicy] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy] matches a request. Conditions based on information about the source of the request. Note that if the destination of the request is also protected by a [ServicePerimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter], then that [ServicePerimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] must have an [IngressPolicy] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy] which allows access in order for this request to succeed.
ServicePerimeterConfig.Types.EgressPolicy
Policy for egress from perimeter.
[EgressPolicies]
[google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
match requests based on egress_from
and egress_to
stanzas. For an
[EgressPolicy]
[google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
to match, both egress_from
and egress_to
stanzas must be matched. If an
[EgressPolicy]
[google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
matches a request, the request is allowed to span the [ServicePerimeter]
[google.identity.accesscontextmanager.v1.ServicePerimeter] boundary.
For example, an [EgressPolicy]
[google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
can be used to allow VMs on networks within the [ServicePerimeter]
[google.identity.accesscontextmanager.v1.ServicePerimeter] to access a
defined set of projects outside the perimeter in certain contexts (e.g. to
read data from a Cloud Storage bucket or query against a BigQuery dataset).
[EgressPolicies] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy] are concerned with the resources that a request relates as well as the API services and API actions being used. They do not related to the direction of data movement. More detailed documentation for this concept can be found in the descriptions of [EgressFrom] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom] and [EgressTo] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo].
ServicePerimeterConfig.Types.EgressTo
Defines the conditions under which an [EgressPolicy]
[google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
matches a request. Conditions are based on information about the
[ApiOperation]
[google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
intended to be performed on the resources
specified. Note that if the
destination of the request is also protected by a [ServicePerimeter]
[google.identity.accesscontextmanager.v1.ServicePerimeter], then that
[ServicePerimeter]
[google.identity.accesscontextmanager.v1.ServicePerimeter] must have
an [IngressPolicy]
[google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
which allows access in order for this request to succeed. The request must
match operations
AND resources
fields in order to be allowed egress out
of the perimeter.
ServicePerimeterConfig.Types.IngressFrom
Defines the conditions under which an [IngressPolicy]
[google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
matches a request. Conditions are based on information about the source of
the request. The request must satisfy what is defined in sources
AND
identity related fields in order to match.
ServicePerimeterConfig.Types.IngressPolicy
Policy for ingress into [ServicePerimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter].
[IngressPolicies]
[google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
match requests based on ingress_from
and ingress_to
stanzas. For an
ingress policy to match, both the ingress_from
and ingress_to
stanzas
must be matched. If an [IngressPolicy]
[google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
matches a request, the request is allowed through the perimeter boundary
from outside the perimeter.
For example, access from the internet can be allowed either based on an [AccessLevel] [google.identity.accesscontextmanager.v1.AccessLevel] or, for traffic hosted on Google Cloud, the project of the source network. For access from private networks, using the project of the hosting network is required.
Individual ingress policies can be limited by restricting which
services and/or actions they match using the ingress_to
field.
ServicePerimeterConfig.Types.IngressSource
The source that [IngressPolicy] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy] authorizes access from.
ServicePerimeterConfig.Types.IngressTo
Defines the conditions under which an [IngressPolicy]
[google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
matches a request. Conditions are based on information about the
[ApiOperation]
[google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
intended to be performed on the target resource of the request. The request
must satisfy what is defined in operations
AND resources
in order to
match.
ServicePerimeterConfig.Types.MethodSelector
An allowed method or permission of a service specified in [ApiOperation] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
ServicePerimeterConfig.Types.VpcAccessibleServices
Specifies how APIs are allowed to communicate within the Service Perimeter.
ServicePerimeterName
Resource name for the ServicePerimeter
resource.
UpdateAccessLevelRequest
A request to update an AccessLevel
.
UpdateAccessPolicyRequest
A request to update an AccessPolicy
.
UpdateGcpUserAccessBindingRequest
Request of [UpdateGcpUserAccessBinding] [google.identity.accesscontextmanager.v1.AccessContextManager.UpdateGcpUserAccessBinding].
UpdateServicePerimeterRequest
A request to update a ServicePerimeter
.
Enums
AccessLevel.LevelOneofCase
Enum of possible cases for the "level" oneof.
AccessLevelName.ResourceNameType
The possible contents of AccessLevelName.
AccessPolicyName.ResourceNameType
The possible contents of AccessPolicyName.
BasicLevel.Types.ConditionCombiningFunction
Options for how the conditions
list should be combined to determine if
this AccessLevel
is applied. Default is AND.
GcpUserAccessBindingName.ResourceNameType
The possible contents of GcpUserAccessBindingName.
LevelFormat
The format used in an AccessLevel
.
ServicePerimeter.Types.PerimeterType
Specifies the type of the Perimeter. There are two types: regular and bridge. Regular Service Perimeter contains resources, access levels, and restricted services. Every resource can be in at most ONE regular Service Perimeter.
In addition to being in a regular service perimeter, a resource can also be in zero or more perimeter bridges. A perimeter bridge only contains resources. Cross project operations are permitted if all effected resources share some perimeter (whether bridge or regular). Perimeter Bridge does not contain access levels or services: those are governed entirely by the regular perimeter that resource is in.
Perimeter Bridges are typically useful when building more complex toplogies with many independent perimeters that need to share some data with a common perimeter, but should not be able to share data among themselves.
ServicePerimeterConfig.Types.IdentityType
Specifies the types of identities that are allowed access in either [IngressFrom] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom] or [EgressFrom] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom] rules.
ServicePerimeterConfig.Types.IngressSource.SourceOneofCase
Enum of possible cases for the "source" oneof.
ServicePerimeterConfig.Types.MethodSelector.KindOneofCase
Enum of possible cases for the "kind" oneof.
ServicePerimeterName.ResourceNameType
The possible contents of ServicePerimeterName.