Package Classes (0.1.13)

IAM Policy Troubleshooter service.

This service helps you troubleshoot access issues for Google Cloud resources.

IAM Policy Troubleshooter service.

This service helps you troubleshoot access issues for Google Cloud resources.

Information about the principal, resource, and permission to check.

Whether IAM allow policies gives the principal the permission.

Details about how a role binding in an allow policy affects a principal's ability to use a permission.

Details about whether the role binding includes the principal.

The abstract base class for a message.

Details about how the relevant IAM allow policies affect the final access state.

Additional context for troubleshooting conditional role bindings and deny rules.

A tag that applies to a resource during policy evaluation. Tags can be either directly bound to a resource or inherited from its ancestor. EffectiveTag contains the name and namespaced_name of the tag value and tag key, with additional fields of inherited to indicate the inheritance status of the effective tag.

This message defines attributes for a node that handles a network request. The node can be either a service or an application that sends, forwards, or receives the request. Service peers should fill in principal and labels as appropriate.

This message defines attributes for an HTTP request. If the actual request is not an HTTP request, the runtime system should try to map the actual request to an equivalent HTTP request.

Core attributes for a resource. A resource is an addressable (named) entity provided by the destination service. For example, a Compute Engine instance.

Explanation for how a condition affects a principal's access

Evaluated state of a condition expression.

Whether IAM deny policies deny the principal the permission.

Details about how the relevant IAM deny policies affect the final access state.

Details about how a deny rule in a deny policy affects a principal's ability to use a permission.

Details about whether the principal in the request is listed as a denied principal in the deny rule, either directly or through membership in a principal set.

Details about whether the permission in the request is denied by the deny rule.

The abstract base class for a message.

The abstract base class for a message.

The abstract base class for a message.

The abstract base class for a message.

Details about how a specific IAM allow policy contributed to the final access state.

Details about how a specific IAM deny policy Policy][google.iam.v2.Policy] contributed to the access check.

Details about how a specific resource contributed to the deny policy evaluation.

The extent to which a single data point contributes to an overall determination.

Whether the principal in the request matches the principal in the policy.

    -  A principal is included directly if that principal is
       listed in the role binding.
    -  A principal is included indirectly if that principal is
       in a Google group, Google Workspace account, or Cloud
       Identity domain that is listed in the policy.
MEMBERSHIP_NOT_MATCHED (2):
    The principal in the request doesn't match
    the principal in the policy.
MEMBERSHIP_UNKNOWN_INFO (3):
    The principal in the policy is a group or
    domain, and the sender of the request doesn't
    have permission to view whether the principal in
    the request is a member of the group or domain.
MEMBERSHIP_UNKNOWN_UNSUPPORTED (4):
    The principal is an unsupported type.

Whether the permission in the request matches the permission in the policy.

Whether a role includes a specific permission.

Request for TroubleshootIamPolicy.

Response for TroubleshootIamPolicy.

Whether the principal has the permission on the resource.