Class AttributePropagationSettings (1.8.1)

AttributePropagationSettings(
    mapping=None, *, ignore_unknown_fields=False, **kwargs
)

Configuration for propagating attributes to applications protected by IAP.

.. _oneof: https://proto-plus-python.readthedocs.io/en/stable/fields.html#oneofs-mutually-exclusive-fields

Attributes

NameDescription
expression str
Raw string CEL expression. Must return a list of attributes. Maximum of 45 attributes can be selected. Expressions can select different attribute types from attributes: attributes.saml_attributes, attributes.iap_attributes. Limited functions are supported: - filter: -> returns a subset of where is true for every item. - in: in -> returns true if contains - selectByName: -> returns the attribute in with the given name, otherwise returns empty. - emitAs: -> sets the name field to the given for propagation in selected output credentials. - strict: -> ignore the x-goog-iap-attr- prefix for the provided when propagating via the HEADER output credential, i.e. request headers. - append: OR -> append the provided or onto the end of . Example expression: attributes.saml_attributes.filter(x, x.name in ['test']).append(attributes.iap_attributes.selectByName('exact').emitAs('custom').strict()) This field is a member of oneof_ _expression.
output_credentials MutableSequence[google.cloud.iap_v1.types.AttributePropagationSettings.OutputCredentials]
Which output credentials attributes selected by the CEL expression should be propagated in. All attributes will be fully duplicated in each selected output credential.
enable bool
Whether the provided attribute propagation settings should be evaluated on user requests. If set to true, attributes returned from the expression will be propagated in the set output credentials. This field is a member of oneof_ _enable.

Classes

OutputCredentials

OutputCredentials(value)

Supported output credentials for attribute propagation. Each output credential maps to a "field" in the response. For example, selecting JWT will propagate all attributes in the IAP JWT, header in the headers, etc.

Values: OUTPUT_CREDENTIALS_UNSPECIFIED (0): No output credential. This is an unsupported default. HEADER (1): Propagate attributes in the headers with "x-goog-iap-attr-" prefix. JWT (2): Propagate attributes in the JWT of the form: "additional_claims": { "my_attribute": ["value1", "value2"] } RCTOKEN (3): Propagate attributes in the RCToken of the form: "additional_claims": { "my_attribute": ["value1", "value2"] }