Reference documentation and code samples for the Google Cloud Access Approval V1 Client class AccessApprovalClient.
Service Description: This API allows a customer to manage accesses to cloud resources by Google personnel. It defines the following resource model:
- The API has a collection of
ApprovalRequest
resources, named
approvalRequests/{approval_request}
- The API has top-level settings per Project/Folder/Organization, named
accessApprovalSettings
The service also periodically emails a list of recipients, defined at the Project/Folder/Organization level in the accessApprovalSettings, when there is a pending ApprovalRequest for them to act on. The ApprovalRequests can also optionally be published to a Pub/Sub topic owned by the customer (contact support if you would like to enable Pub/Sub notifications).
ApprovalRequests can be approved or dismissed. Google personnel can only access the indicated resource or resources if the request is approved (subject to some exclusions: https://cloud.google.com/access-approval/docs/overview#exclusions).
Note: Using Access Approval functionality will mean that Google may not be able to meet the SLAs for your chosen products, as any support response times may be dramatically increased. As such the SLAs do not apply to any service disruption to the extent impacted by Customer's use of Access Approval. Do not enable Access Approval for projects where you may require high service availability and rapid response by Google Cloud Support.
After a request is approved or dismissed, no further action may be taken on it. Requests with the requested_expiration in the past or with no activity for 14 days are considered dismissed. When an approval expires, the request is considered dismissed.
If a request is not approved or dismissed, we call it pending.
This class provides the ability to make remote calls to the backing service through method calls that map to API methods. Sample code to get started:
$accessApprovalClient = new AccessApprovalClient();
try {
$response = $accessApprovalClient->approveApprovalRequest();
} finally {
$accessApprovalClient->close();
}
Many parameters require resource names to be formatted in a particular way. To assist with these names, this class includes a format method for each type of name, and additionally a parseName method to extract the individual identifiers contained within formatted names that are returned by the API.
Methods
accessApprovalSettingsName
Formats a string containing the fully-qualified path to represent a access_approval_settings resource.
Parameter | |
---|---|
Name | Description |
project |
string
|
Returns | |
---|---|
Type | Description |
string | The formatted access_approval_settings resource. |
approvalRequestName
Formats a string containing the fully-qualified path to represent a approval_request resource.
Parameters | |
---|---|
Name | Description |
project |
string
|
approvalRequest |
string
|
Returns | |
---|---|
Type | Description |
string | The formatted approval_request resource. |
folderName
Formats a string containing the fully-qualified path to represent a folder resource.
Parameter | |
---|---|
Name | Description |
folder |
string
|
Returns | |
---|---|
Type | Description |
string | The formatted folder resource. |
folderAccessApprovalSettingsName
Formats a string containing the fully-qualified path to represent a folder_accessApprovalSettings resource.
Parameter | |
---|---|
Name | Description |
folder |
string
|
Returns | |
---|---|
Type | Description |
string | The formatted folder_accessApprovalSettings resource. |
folderApprovalRequestName
Formats a string containing the fully-qualified path to represent a folder_approval_request resource.
Parameters | |
---|---|
Name | Description |
folder |
string
|
approvalRequest |
string
|
Returns | |
---|---|
Type | Description |
string | The formatted folder_approval_request resource. |
organizationName
Formats a string containing the fully-qualified path to represent a organization resource.
Parameter | |
---|---|
Name | Description |
organization |
string
|
Returns | |
---|---|
Type | Description |
string | The formatted organization resource. |
organizationAccessApprovalSettingsName
Formats a string containing the fully-qualified path to represent a organization_accessApprovalSettings resource.
Parameter | |
---|---|
Name | Description |
organization |
string
|
Returns | |
---|---|
Type | Description |
string | The formatted organization_accessApprovalSettings resource. |
organizationApprovalRequestName
Formats a string containing the fully-qualified path to represent a organization_approval_request resource.
Parameters | |
---|---|
Name | Description |
organization |
string
|
approvalRequest |
string
|
Returns | |
---|---|
Type | Description |
string | The formatted organization_approval_request resource. |
projectName
Formats a string containing the fully-qualified path to represent a project resource.
Parameter | |
---|---|
Name | Description |
project |
string
|
Returns | |
---|---|
Type | Description |
string | The formatted project resource. |
projectAccessApprovalSettingsName
Formats a string containing the fully-qualified path to represent a project_accessApprovalSettings resource.
Parameter | |
---|---|
Name | Description |
project |
string
|
Returns | |
---|---|
Type | Description |
string | The formatted project_accessApprovalSettings resource. |
projectApprovalRequestName
Formats a string containing the fully-qualified path to represent a project_approval_request resource.
Parameters | |
---|---|
Name | Description |
project |
string
|
approvalRequest |
string
|
Returns | |
---|---|
Type | Description |
string | The formatted project_approval_request resource. |
parseName
Parses a formatted name string and returns an associative array of the components in the name.
The following name formats are supported: Template: Pattern
- accessApprovalSettings: projects/{project}/accessApprovalSettings
- approvalRequest: projects/{project}/approvalRequests/{approval_request}
- folder: folders/{folder}
- folderAccessApprovalSettings: folders/{folder}/accessApprovalSettings
- folderApprovalRequest: folders/{folder}/approvalRequests/{approval_request}
- organization: organizations/{organization}
- organizationAccessApprovalSettings: organizations/{organization}/accessApprovalSettings
- organizationApprovalRequest: organizations/{organization}/approvalRequests/{approval_request}
- project: projects/{project}
- projectAccessApprovalSettings: projects/{project}/accessApprovalSettings
- projectApprovalRequest: projects/{project}/approvalRequests/{approval_request}
The optional $template argument can be supplied to specify a particular pattern, and must match one of the templates listed above. If no $template argument is provided, or if the $template argument does not match one of the templates listed, then parseName will check each of the supported templates, and return the first match.
Parameters | |
---|---|
Name | Description |
formattedName |
string
The formatted name string |
template |
string
Optional name of template to match |
Returns | |
---|---|
Type | Description |
array | An associative array from name component IDs to component values. |
__construct
Constructor.
Parameters | |
---|---|
Name | Description |
options |
array
Optional. Options for configuring the service API wrapper. |
↳ apiEndpoint |
string
The address of the API remote host. May optionally include the port, formatted as "
|
↳ credentials |
string|array|FetchAuthTokenInterface|CredentialsWrapper
The credentials to be used by the client to authorize API calls. This option accepts either a path to a credentials file, or a decoded credentials file as a PHP array. Advanced usage: In addition, this option can also accept a pre-constructed Google\Auth\FetchAuthTokenInterface object or Google\ApiCore\CredentialsWrapper object. Note that when one of these objects are provided, any settings in $credentialsConfig will be ignored. |
↳ credentialsConfig |
array
Options used to configure credentials, including auth token caching, for the client. For a full list of supporting configuration options, see Google\ApiCore\CredentialsWrapper::build() . |
↳ disableRetries |
bool
Determines whether or not retries defined by the client configuration should be disabled. Defaults to |
↳ clientConfig |
string|array
Client method configuration, including retry settings. This option can be either a path to a JSON file, or a PHP array containing the decoded JSON data. By default this settings points to the default client config file, which is provided in the resources folder. |
↳ transport |
string|TransportInterface
The transport used for executing network requests. May be either the string |
↳ transportConfig |
array
Configuration options that will be used to construct the transport. Options for each supported transport type should be passed in a key for that transport. For example: $transportConfig = [ 'grpc' => [...], 'rest' => [...], ]; See the Google\ApiCore\Transport\GrpcTransport::build() and Google\ApiCore\Transport\RestTransport::build() methods for the supported options. |
↳ clientCertSource |
callable
A callable which returns the client cert as a string. This can be used to provide a certificate and private key to the transport layer for mTLS. |
approveApprovalRequest
Approves a request and returns the updated ApprovalRequest.
Returns NOT_FOUND if the request does not exist. Returns FAILED_PRECONDITION if the request exists but is not in a pending state.
Parameters | |
---|---|
Name | Description |
optionalArgs |
array
Optional. |
↳ name |
string
Name of the approval request to approve. |
↳ expireTime |
Timestamp
The expiration time of this approval. |
↳ retrySettings |
RetrySettings|array
Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage. |
Returns | |
---|---|
Type | Description |
Google\Cloud\AccessApproval\V1\ApprovalRequest |
use Google\ApiCore\ApiException;
use Google\Cloud\AccessApproval\V1\AccessApprovalClient;
use Google\Cloud\AccessApproval\V1\ApprovalRequest;
/**
* This sample has been automatically generated and should be regarded as a code
* template only. It will require modifications to work:
* - It may require correct/in-range values for request initialization.
* - It may require specifying regional endpoints when creating the service client,
* please see the apiEndpoint client configuration option for more details.
*/
function approve_approval_request_sample(): void
{
// Create a client.
$accessApprovalClient = new AccessApprovalClient();
// Call the API and handle any network failures.
try {
/** @var ApprovalRequest $response */
$response = $accessApprovalClient->approveApprovalRequest();
printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
} catch (ApiException $ex) {
printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
}
}
deleteAccessApprovalSettings
Deletes the settings associated with a project, folder, or organization.
This will have the effect of disabling Access Approval for the project, folder, or organization, but only if all ancestors also have Access Approval disabled. If Access Approval is enabled at a higher level of the hierarchy, then Access Approval will still be enabled at this level as the settings are inherited.
Parameters | |
---|---|
Name | Description |
optionalArgs |
array
Optional. |
↳ name |
string
Name of the AccessApprovalSettings to delete. |
↳ retrySettings |
RetrySettings|array
Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage. |
use Google\ApiCore\ApiException;
use Google\Cloud\AccessApproval\V1\AccessApprovalClient;
/**
* This sample has been automatically generated and should be regarded as a code
* template only. It will require modifications to work:
* - It may require correct/in-range values for request initialization.
* - It may require specifying regional endpoints when creating the service client,
* please see the apiEndpoint client configuration option for more details.
*/
function delete_access_approval_settings_sample(): void
{
// Create a client.
$accessApprovalClient = new AccessApprovalClient();
// Call the API and handle any network failures.
try {
$accessApprovalClient->deleteAccessApprovalSettings();
printf('Call completed successfully.' . PHP_EOL);
} catch (ApiException $ex) {
printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
}
}
dismissApprovalRequest
Dismisses a request. Returns the updated ApprovalRequest.
NOTE: This does not deny access to the resource if another request has been made and approved. It is equivalent in effect to ignoring the request altogether.
Returns NOT_FOUND if the request does not exist.
Returns FAILED_PRECONDITION if the request exists but is not in a pending state.
Parameters | |
---|---|
Name | Description |
optionalArgs |
array
Optional. |
↳ name |
string
Name of the ApprovalRequest to dismiss. |
↳ retrySettings |
RetrySettings|array
Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage. |
Returns | |
---|---|
Type | Description |
Google\Cloud\AccessApproval\V1\ApprovalRequest |
use Google\ApiCore\ApiException;
use Google\Cloud\AccessApproval\V1\AccessApprovalClient;
use Google\Cloud\AccessApproval\V1\ApprovalRequest;
/**
* This sample has been automatically generated and should be regarded as a code
* template only. It will require modifications to work:
* - It may require correct/in-range values for request initialization.
* - It may require specifying regional endpoints when creating the service client,
* please see the apiEndpoint client configuration option for more details.
*/
function dismiss_approval_request_sample(): void
{
// Create a client.
$accessApprovalClient = new AccessApprovalClient();
// Call the API and handle any network failures.
try {
/** @var ApprovalRequest $response */
$response = $accessApprovalClient->dismissApprovalRequest();
printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
} catch (ApiException $ex) {
printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
}
}
getAccessApprovalServiceAccount
Retrieves the service account that is used by Access Approval to access KMS keys for signing approved approval requests.
Parameters | |
---|---|
Name | Description |
optionalArgs |
array
Optional. |
↳ name |
string
Name of the AccessApprovalServiceAccount to retrieve. |
↳ retrySettings |
RetrySettings|array
Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage. |
Returns | |
---|---|
Type | Description |
Google\Cloud\AccessApproval\V1\AccessApprovalServiceAccount |
use Google\ApiCore\ApiException;
use Google\Cloud\AccessApproval\V1\AccessApprovalClient;
use Google\Cloud\AccessApproval\V1\AccessApprovalServiceAccount;
/**
* This sample has been automatically generated and should be regarded as a code
* template only. It will require modifications to work:
* - It may require correct/in-range values for request initialization.
* - It may require specifying regional endpoints when creating the service client,
* please see the apiEndpoint client configuration option for more details.
*/
function get_access_approval_service_account_sample(): void
{
// Create a client.
$accessApprovalClient = new AccessApprovalClient();
// Call the API and handle any network failures.
try {
/** @var AccessApprovalServiceAccount $response */
$response = $accessApprovalClient->getAccessApprovalServiceAccount();
printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
} catch (ApiException $ex) {
printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
}
}
getAccessApprovalSettings
Gets the settings associated with a project, folder, or organization.
Parameters | |
---|---|
Name | Description |
optionalArgs |
array
Optional. |
↳ name |
string
The name of the AccessApprovalSettings to retrieve. Format: "{projects|folders|organizations}/{id}/accessApprovalSettings" |
↳ retrySettings |
RetrySettings|array
Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage. |
Returns | |
---|---|
Type | Description |
Google\Cloud\AccessApproval\V1\AccessApprovalSettings |
use Google\ApiCore\ApiException;
use Google\Cloud\AccessApproval\V1\AccessApprovalClient;
use Google\Cloud\AccessApproval\V1\AccessApprovalSettings;
/**
* This sample has been automatically generated and should be regarded as a code
* template only. It will require modifications to work:
* - It may require correct/in-range values for request initialization.
* - It may require specifying regional endpoints when creating the service client,
* please see the apiEndpoint client configuration option for more details.
*/
function get_access_approval_settings_sample(): void
{
// Create a client.
$accessApprovalClient = new AccessApprovalClient();
// Call the API and handle any network failures.
try {
/** @var AccessApprovalSettings $response */
$response = $accessApprovalClient->getAccessApprovalSettings();
printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
} catch (ApiException $ex) {
printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
}
}
getApprovalRequest
Gets an approval request. Returns NOT_FOUND if the request does not exist.
Parameters | |
---|---|
Name | Description |
optionalArgs |
array
Optional. |
↳ name |
string
The name of the approval request to retrieve. Format: "{projects|folders|organizations}/{id}/approvalRequests/{approval_request}" |
↳ retrySettings |
RetrySettings|array
Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage. |
Returns | |
---|---|
Type | Description |
Google\Cloud\AccessApproval\V1\ApprovalRequest |
use Google\ApiCore\ApiException;
use Google\Cloud\AccessApproval\V1\AccessApprovalClient;
use Google\Cloud\AccessApproval\V1\ApprovalRequest;
/**
* This sample has been automatically generated and should be regarded as a code
* template only. It will require modifications to work:
* - It may require correct/in-range values for request initialization.
* - It may require specifying regional endpoints when creating the service client,
* please see the apiEndpoint client configuration option for more details.
*/
function get_approval_request_sample(): void
{
// Create a client.
$accessApprovalClient = new AccessApprovalClient();
// Call the API and handle any network failures.
try {
/** @var ApprovalRequest $response */
$response = $accessApprovalClient->getApprovalRequest();
printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
} catch (ApiException $ex) {
printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
}
}
invalidateApprovalRequest
Invalidates an existing ApprovalRequest. Returns the updated ApprovalRequest.
NOTE: This does not deny access to the resource if another request has been made and approved. It only invalidates a single approval.
Returns FAILED_PRECONDITION if the request exists but is not in an approved state.
Parameters | |
---|---|
Name | Description |
optionalArgs |
array
Optional. |
↳ name |
string
Name of the ApprovalRequest to invalidate. |
↳ retrySettings |
RetrySettings|array
Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage. |
Returns | |
---|---|
Type | Description |
Google\Cloud\AccessApproval\V1\ApprovalRequest |
use Google\ApiCore\ApiException;
use Google\Cloud\AccessApproval\V1\AccessApprovalClient;
use Google\Cloud\AccessApproval\V1\ApprovalRequest;
/**
* This sample has been automatically generated and should be regarded as a code
* template only. It will require modifications to work:
* - It may require correct/in-range values for request initialization.
* - It may require specifying regional endpoints when creating the service client,
* please see the apiEndpoint client configuration option for more details.
*/
function invalidate_approval_request_sample(): void
{
// Create a client.
$accessApprovalClient = new AccessApprovalClient();
// Call the API and handle any network failures.
try {
/** @var ApprovalRequest $response */
$response = $accessApprovalClient->invalidateApprovalRequest();
printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
} catch (ApiException $ex) {
printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
}
}
listApprovalRequests
Lists approval requests associated with a project, folder, or organization.
Approval requests can be filtered by state (pending, active, dismissed). The order is reverse chronological.
Parameters | |
---|---|
Name | Description |
optionalArgs |
array
Optional. |
↳ parent |
string
The parent resource. This may be "projects/{project}", "folders/{folder}", or "organizations/{organization}". |
↳ filter |
string
A filter on the type of approval requests to retrieve. Must be one of the following values: * [not set]: Requests that are pending or have active approvals. * ALL: All requests. * PENDING: Only pending requests. * ACTIVE: Only active (i.e. currently approved) requests. * DISMISSED: Only requests that have been dismissed, or requests that are not approved and past expiration. * EXPIRED: Only requests that have been approved, and the approval has expired. * HISTORY: Active, dismissed and expired requests. |
↳ pageSize |
int
The maximum number of resources contained in the underlying API response. The API may return fewer values in a page, even if there are additional values to be retrieved. |
↳ pageToken |
string
A page token is used to specify a page of values to be returned. If no page token is specified (the default), the first page of values will be returned. Any page token used here must have been generated by a previous call to the API. |
↳ retrySettings |
RetrySettings|array
Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage. |
Returns | |
---|---|
Type | Description |
Google\ApiCore\PagedListResponse |
use Google\ApiCore\ApiException;
use Google\ApiCore\PagedListResponse;
use Google\Cloud\AccessApproval\V1\AccessApprovalClient;
use Google\Cloud\AccessApproval\V1\ApprovalRequest;
/**
* This sample has been automatically generated and should be regarded as a code
* template only. It will require modifications to work:
* - It may require correct/in-range values for request initialization.
* - It may require specifying regional endpoints when creating the service client,
* please see the apiEndpoint client configuration option for more details.
*/
function list_approval_requests_sample(): void
{
// Create a client.
$accessApprovalClient = new AccessApprovalClient();
// Call the API and handle any network failures.
try {
/** @var PagedListResponse $response */
$response = $accessApprovalClient->listApprovalRequests();
/** @var ApprovalRequest $element */
foreach ($response as $element) {
printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
}
} catch (ApiException $ex) {
printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
}
}
updateAccessApprovalSettings
Updates the settings associated with a project, folder, or organization.
Settings to update are determined by the value of field_mask.
Parameters | |
---|---|
Name | Description |
optionalArgs |
array
Optional. |
↳ settings |
AccessApprovalSettings
The new AccessApprovalSettings. |
↳ updateMask |
FieldMask
The update mask applies to the settings. Only the top level fields of AccessApprovalSettings (notification_emails & enrolled_services) are supported. For each field, if it is included, the currently stored value will be entirely overwritten with the value of the field passed in this request. For the |
↳ retrySettings |
RetrySettings|array
Retry settings to use for this call. Can be a Google\ApiCore\RetrySettings object, or an associative array of retry settings parameters. See the documentation on Google\ApiCore\RetrySettings for example usage. |
Returns | |
---|---|
Type | Description |
Google\Cloud\AccessApproval\V1\AccessApprovalSettings |
use Google\ApiCore\ApiException;
use Google\Cloud\AccessApproval\V1\AccessApprovalClient;
use Google\Cloud\AccessApproval\V1\AccessApprovalSettings;
/**
* This sample has been automatically generated and should be regarded as a code
* template only. It will require modifications to work:
* - It may require correct/in-range values for request initialization.
* - It may require specifying regional endpoints when creating the service client,
* please see the apiEndpoint client configuration option for more details.
*/
function update_access_approval_settings_sample(): void
{
// Create a client.
$accessApprovalClient = new AccessApprovalClient();
// Call the API and handle any network failures.
try {
/** @var AccessApprovalSettings $response */
$response = $accessApprovalClient->updateAccessApprovalSettings();
printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
} catch (ApiException $ex) {
printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
}
}
Constants
SERVICE_NAME
Value: 'google.cloud.accessapproval.v1.AccessApproval'
The name of the service.
SERVICE_ADDRESS
Value: 'accessapproval.googleapis.com'
The default address of the service.
DEFAULT_SERVICE_PORT
Value: 443
The default port of the service.
CODEGEN_NAME
Value: 'gapic'
The name of the code generator, to be included in the agent header.