A tag that applies to a resource during policy evaluation. Tags can
be either directly bound to a resource or inherited from its
ancestor. EffectiveTag contains the name and
namespaced_name of the tag value and tag key, with additional
fields of inherited to indicate the inheritance status of the
effective tag.
This message defines attributes for a node that handles a network
request. The node can be either a service or an application that
sends, forwards, or receives the request. Service peers should fill
in principal and labels as appropriate.
This message defines attributes for an HTTP request. If the
actual request is not an HTTP request, the runtime system should
try to map the actual request to an equivalent HTTP request.
Core attributes for a resource. A resource is an
addressable (named) entity provided by the destination service.
For example, a Compute Engine instance.
Details about whether the principal in the request is listed
as a denied principal in the deny rule, either directly or
through membership in a principal set.
Whether the principal in the request matches the principal in
the policy.
- A principal is included directly if that principal is
listed in the role binding.
- A principal is included indirectly if that principal is
in a Google group, Google Workspace account, or Cloud
Identity domain that is listed in the policy.
MEMBERSHIP_NOT_MATCHED (2):
The principal in the request doesn't match
the principal in the policy.
MEMBERSHIP_UNKNOWN_INFO (3):
The principal in the policy is a group or
domain, and the sender of the request doesn't
have permission to view whether the principal in
the request is a member of the group or domain.
MEMBERSHIP_UNKNOWN_UNSUPPORTED (4):
The principal is an unsupported type.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[],[],null,["# Package Classes (0.1.13)\n\nVersion latestkeyboard_arrow_down\n\n- [0.1.13 (latest)](/python/docs/reference/policytroubleshooter-iam/latest/summary_class)\n- [0.1.11](/python/docs/reference/policytroubleshooter-iam/0.1.11/summary_class) \nSummary of entries of Classes for policytroubleshooter-iam. \n\nClasses\n-------\n\n### [PolicyTroubleshooterAsyncClient](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.services.policy_troubleshooter.PolicyTroubleshooterAsyncClient)\n\nIAM Policy Troubleshooter service.\n\nThis service helps you troubleshoot access issues for Google\nCloud resources.\n\n### [PolicyTroubleshooterClient](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.services.policy_troubleshooter.PolicyTroubleshooterClient)\n\nIAM Policy Troubleshooter service.\n\nThis service helps you troubleshoot access issues for Google\nCloud resources.\n\n### [AccessTuple](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.AccessTuple)\n\nInformation about the principal, resource, and permission to\ncheck.\n\n### [AllowAccessState](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.AllowAccessState)\n\nWhether IAM allow policies gives the principal the\npermission.\n\n### [AllowBindingExplanation](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.AllowBindingExplanation)\n\nDetails about how a role binding in an allow policy affects a\nprincipal's ability to use a permission.\n\n### [AnnotatedAllowMembership](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.AllowBindingExplanation.AnnotatedAllowMembership)\n\nDetails about whether the role binding includes the\nprincipal.\n\n### [MembershipsEntry](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.AllowBindingExplanation.MembershipsEntry)\n\nThe abstract base class for a message.\n\n### [AllowPolicyExplanation](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.AllowPolicyExplanation)\n\nDetails about how the relevant IAM allow policies affect the\nfinal access state.\n\n### [ConditionContext](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.ConditionContext)\n\nAdditional context for troubleshooting conditional role\nbindings and deny rules.\n\n### [EffectiveTag](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.ConditionContext.EffectiveTag)\n\nA tag that applies to a resource during policy evaluation. Tags can\nbe either directly bound to a resource or inherited from its\nancestor. `EffectiveTag` contains the `name` and\n`namespaced_name` of the tag value and tag key, with additional\nfields of `inherited` to indicate the inheritance status of the\neffective tag.\n\n### [Peer](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.ConditionContext.Peer)\n\nThis message defines attributes for a node that handles a network\nrequest. The node can be either a service or an application that\nsends, forwards, or receives the request. Service peers should fill\nin `principal` and `labels` as appropriate.\n\n### [Request](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.ConditionContext.Request)\n\nThis message defines attributes for an HTTP request. If the\nactual request is not an HTTP request, the runtime system should\ntry to map the actual request to an equivalent HTTP request.\n\n### [Resource](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.ConditionContext.Resource)\n\nCore attributes for a resource. A resource is an\naddressable (named) entity provided by the destination service.\nFor example, a Compute Engine instance.\n\n### [ConditionExplanation](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.ConditionExplanation)\n\nExplanation for how a condition affects a principal's access\n\n### [EvaluationState](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.ConditionExplanation.EvaluationState)\n\nEvaluated state of a condition expression.\n\n### [DenyAccessState](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.DenyAccessState)\n\nWhether IAM deny policies deny the principal the permission.\n\n### [DenyPolicyExplanation](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.DenyPolicyExplanation)\n\nDetails about how the relevant IAM deny policies affect the\nfinal access state.\n\n### [DenyRuleExplanation](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.DenyRuleExplanation)\n\nDetails about how a deny rule in a deny policy affects a\nprincipal's ability to use a permission.\n\n### [AnnotatedDenyPrincipalMatching](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.DenyRuleExplanation.AnnotatedDenyPrincipalMatching)\n\nDetails about whether the principal in the request is listed\nas a denied principal in the deny rule, either directly or\nthrough membership in a principal set.\n\n### [AnnotatedPermissionMatching](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.DenyRuleExplanation.AnnotatedPermissionMatching)\n\nDetails about whether the permission in the request is denied\nby the deny rule.\n\n### [DeniedPermissionsEntry](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.DenyRuleExplanation.DeniedPermissionsEntry)\n\nThe abstract base class for a message.\n\n### [DeniedPrincipalsEntry](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.DenyRuleExplanation.DeniedPrincipalsEntry)\n\nThe abstract base class for a message.\n\n### [ExceptionPermissionsEntry](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.DenyRuleExplanation.ExceptionPermissionsEntry)\n\nThe abstract base class for a message.\n\n### [ExceptionPrincipalsEntry](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.DenyRuleExplanation.ExceptionPrincipalsEntry)\n\nThe abstract base class for a message.\n\n### [ExplainedAllowPolicy](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.ExplainedAllowPolicy)\n\nDetails about how a specific IAM allow policy contributed to\nthe final access state.\n\n### [ExplainedDenyPolicy](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.ExplainedDenyPolicy)\n\nDetails about how a specific IAM deny policy\n`Policy][google.iam.v2.Policy]` contributed to the access check.\n\n### [ExplainedDenyResource](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.ExplainedDenyResource)\n\nDetails about how a specific resource contributed to the deny\npolicy evaluation.\n\n### [HeuristicRelevance](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.HeuristicRelevance)\n\nThe extent to which a single data point contributes to an\noverall determination.\n\n### [MembershipMatchingState](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.MembershipMatchingState)\n\nWhether the principal in the request matches the principal in\nthe policy. \n\n - A principal is included directly if that principal is\n listed in the role binding.\n - A principal is included indirectly if that principal is\n in a Google group, Google Workspace account, or Cloud\n Identity domain that is listed in the policy.\n MEMBERSHIP_NOT_MATCHED (2):\n The principal in the request doesn't match\n the principal in the policy.\n MEMBERSHIP_UNKNOWN_INFO (3):\n The principal in the policy is a group or\n domain, and the sender of the request doesn't\n have permission to view whether the principal in\n the request is a member of the group or domain.\n MEMBERSHIP_UNKNOWN_UNSUPPORTED (4):\n The principal is an unsupported type.\n\n### [PermissionPatternMatchingState](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.PermissionPatternMatchingState)\n\nWhether the permission in the request matches the permission\nin the policy.\n\n### [RolePermissionInclusionState](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.RolePermissionInclusionState)\n\nWhether a role includes a specific permission.\n\n### [TroubleshootIamPolicyRequest](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.TroubleshootIamPolicyRequest)\n\nRequest for\nTroubleshootIamPolicy.\n\n### [TroubleshootIamPolicyResponse](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.TroubleshootIamPolicyResponse)\n\nResponse for\nTroubleshootIamPolicy.\n\n### [OverallAccessState](/python/docs/reference/policytroubleshooter-iam/latest/google.cloud.policytroubleshooter_iam_v3.types.TroubleshootIamPolicyResponse.OverallAccessState)\n\nWhether the principal has the permission on the resource."]]