feat: AuditConfig for IAM v1

Google APIs · copybara-github · commit afa2ba156bd5 · 2022-04-04T10:47:49.000-07:00
PiperOrigin-RevId: 439356405
diff --git a/google/iam/v1/BUILD.bazel b/google/iam/v1/BUILD.bazel
@@ -18,6 +18,7 @@ proto_library(
         "//google/api:client_proto",
         "//google/api:field_behavior_proto",
         "//google/api:resource_proto",
+        "@com_google_protobuf//:field_mask_proto",
     ],
 )
 
diff --git a/google/iam/v1/iam_meta_api.yaml b/google/iam/v1/iam_meta_api.yaml
@@ -1,5 +1,5 @@
 type: google.api.Service
-config_version: 2
+config_version: 3
 name: iam-meta-api.googleapis.com
 title: IAM Meta API
 
@@ -11,46 +11,6 @@ types:
 
 documentation:
   summary: Manages access control for Google Cloud Platform resources.
-  overview: |-
-    # Google Identity and Access Management (IAM) API
-
-    Documentation of the access control API that will be implemented by all
-    1st party services provided by the Google Cloud Platform (like Cloud
-    Storage, Compute Engine, App Engine).
-
-    Any implementation of an API that offers access control features
-    will implement the google.iam.v1.IAMPolicy interface.
-
-    ## Data model
-
-    Access control is applied when a principal (user or service account),
-    takes some action on a resource exposed by a service. Resources,
-    identified by
-    URI-like names, are the unit of access control specification. It is up to
-    the service implementations to choose what granularity of access control
-    to support and what set of actions (permissions) to support for the
-    resources
-    they provide. For example one database service may allow access control to
-    be specified only at the Table level, whereas another might allow access
-    control to also be specified at the Column level.
-
-    This is intentionally not a CRUD style API because access control policies
-    are created and deleted implicitly with the resources to which they are
-    attached.
-
-    ## Policy
-
-    A `Policy` consists of a list of bindings. A `Binding` binds a set of
-    members to a role, where the members can include user accounts, user
-    groups, user
-    domains, and service accounts. A role is a named set of permissions,
-    defined by the IAM system. The definition of a role is outside the
-    policy.
-
-    A permission check involves determining the roles that include the
-    specified permission, and then determining if the principal specified by
-    the check is a member of a binding to at least one of these roles. The
-    membership check is recursive when a group is bound to a role.
   rules:
   - selector: google.iam.v1.IAMPolicy.GetIamPolicy
     description: |-
@@ -62,11 +22,14 @@ documentation:
       Sets the access control policy on the specified resource. Replaces
       any existing policy.
 
+      Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED`
+      errors.
+
   - selector: google.iam.v1.IAMPolicy.TestIamPermissions
     description: |-
       Returns permissions that a caller has on the specified resource. If the
       resource does not exist, this will return an empty set of
-      permissions, not a NOT_FOUND error.
+      permissions, not a `NOT_FOUND` error.
 
       Note: This operation is designed to be used for building
       permission-aware UIs and command-line tools, not for authorization
diff --git a/google/iam/v1/iam_policy.proto b/google/iam/v1/iam_policy.proto
@@ -1,4 +1,4 @@
-// Copyright 2019 Google LLC.
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -11,18 +11,18 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-//
 
 syntax = "proto3";
 
 package google.iam.v1;
 
-import "google/iam/v1/options.proto";
-import "google/iam/v1/policy.proto";
 import "google/api/annotations.proto";
 import "google/api/client.proto";
 import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
+import "google/iam/v1/options.proto";
+import "google/iam/v1/policy.proto";
+import "google/protobuf/field_mask.proto";
 
 option cc_enable_arenas = true;
 option csharp_namespace = "Google.Cloud.Iam.V1";
@@ -32,7 +32,8 @@ option java_outer_classname = "IamPolicyProto";
 option java_package = "com.google.iam.v1";
 option php_namespace = "Google\\Cloud\\Iam\\V1";
 
-// ## API Overview
+// API Overview
+//
 //
 // Manages Identity and Access Management (IAM) policies.
 //
@@ -62,6 +63,8 @@ service IAMPolicy {
 
   // Sets the access control policy on the specified resource. Replaces any
   // existing policy.
+  //
+  // Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.
   rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy) {
     option (google.api.http) = {
       post: "/v1/{resource=**}:setIamPolicy"
@@ -81,7 +84,7 @@ service IAMPolicy {
 
   // Returns permissions that a caller has on the specified resource.
   // If the resource does not exist, this will return an empty set of
-  // permissions, not a NOT_FOUND error.
+  // permissions, not a `NOT_FOUND` error.
   //
   // Note: This operation is designed to be used for building permission-aware
   // UIs and command-line tools, not for authorization checking. This operation
@@ -107,6 +110,13 @@ message SetIamPolicyRequest {
   // valid policy but certain Cloud Platform services (such as Projects)
   // might reject them.
   Policy policy = 2 [(google.api.field_behavior) = REQUIRED];
+
+  // OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+  // the fields in the mask will be modified. If no mask is provided, the
+  // following default mask is used:
+  //
+  // `paths: "bindings, etag"`
+  google.protobuf.FieldMask update_mask = 3;
 }
 
 // Request message for `GetIamPolicy` method.
@@ -118,7 +128,7 @@ message GetIamPolicyRequest {
     (google.api.resource_reference).type = "*"];
 
   // OPTIONAL: A `GetPolicyOptions` object for specifying options to
-  // `GetIamPolicy`. This field is only used by Cloud IAM.
+  // `GetIamPolicy`.
   GetPolicyOptions options = 2;
 }
 
diff --git a/google/iam/v1/options.proto b/google/iam/v1/options.proto
@@ -1,4 +1,4 @@
-// Copyright 2019 Google LLC.
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -11,14 +11,11 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-//
 
 syntax = "proto3";
 
 package google.iam.v1;
 
-import "google/api/annotations.proto";
-
 option cc_enable_arenas = true;
 option csharp_namespace = "Google.Cloud.Iam.V1";
 option go_package = "google.golang.org/genproto/googleapis/iam/v1;iam";
@@ -29,13 +26,23 @@ option php_namespace = "Google\\Cloud\\Iam\\V1";
 
 // Encapsulates settings provided to GetIamPolicy.
 message GetPolicyOptions {
-  // Optional. The policy format version to be returned.
+  // Optional. The maximum policy version that will be used to format the
+  // policy.
   //
   // Valid values are 0, 1, and 3. Requests specifying an invalid value will be
   // rejected.
   //
-  // Requests for policies with any conditional bindings must specify version 3.
-  // Policies without any conditional bindings may specify any valid value or
-  // leave the field unset.
+  // Requests for policies with any conditional role bindings must specify
+  // version 3. Policies with no conditional role bindings may specify any valid
+  // value or leave the field unset.
+  //
+  // The policy in the response might use the policy version that you specified,
+  // or it might use a lower policy version. For example, if you specify version
+  // 3, but the policy has no conditional role bindings, the response uses
+  // version 1.
+  //
+  // To learn which resources support conditions in their IAM policies, see the
+  // [IAM
+  // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
   int32 requested_policy_version = 1;
 }
diff --git a/google/iam/v1/policy.proto b/google/iam/v1/policy.proto

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ proto_library(`
`18`	`18`	`"//google/api:client_proto",`
`19`	`19`	`"//google/api:field_behavior_proto",`
`20`	`20`	`"//google/api:resource_proto",`
	`21`	`+ "@com_google_protobuf//:field_mask_proto",`
`21`	`22`	`],`
`22`	`23`	`)`
`23`	`24`