// source: google/cloud/asset/v1p4beta1/asset_service.proto
package asset
import (
context "context"
fmt "fmt"
math "math"
proto ""
duration ""
_ ""
_ ""
longrunning ""
grpc ""
codes ""
status ""
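// IamPolicyAnalysisQuery describes one IAM policy analysis question: the
// scope to analyze (Parent) plus optional resource, identity and access
// selectors that narrow it. Each selector left empty means "ANY"; at least
// one of the three must be set in a request.
//
// Fixes in this revision: the duplicated "means ANY." comment line is
// removed and the struct is properly closed.
type IamPolicyAnalysisQuery struct {
	// Required. The relative name of the root asset. Only resources and IAM
	// policies within the parent will be analyzed. This can only be an
	// organization number (such as "organizations/123") or a folder number
	// (such as "folders/123").
	//
	// NOTE(review): Parent bounds the analysis scope. It is presumably also
	// the resource the caller must be authorized on — confirm against the
	// service's permission model before relying on it as an access boundary.
	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
	// Optional. Specifies a resource for analysis. Leaving it empty means ANY.
	ResourceSelector *IamPolicyAnalysisQuery_ResourceSelector `protobuf:"bytes,2,opt,name=resource_selector,json=resourceSelector,proto3" json:"resource_selector,omitempty"`
	// Optional. Specifies an identity for analysis. Leaving it empty means ANY.
	IdentitySelector *IamPolicyAnalysisQuery_IdentitySelector `protobuf:"bytes,3,opt,name=identity_selector,json=identitySelector,proto3" json:"identity_selector,omitempty"`
	// Optional. Specifies roles or permissions for analysis. Leaving it empty
	// means ANY.
	AccessSelector *IamPolicyAnalysisQuery_AccessSelector `protobuf:"bytes,4,opt,name=access_selector,json=accessSelector,proto3" json:"access_selector,omitempty"`
}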
// GetResourceSelector returns the query's resource selector. It is safe to
// call on a nil receiver, in which case it returns nil.
func (m *IamPolicyAnalysisQuery) GetResourceSelector() *IamPolicyAnalysisQuery_ResourceSelector {
	if m == nil {
		return nil
	}
	return m.ResourceSelector
}
// GetIdentitySelector returns the query's identity selector. It is safe to
// call on a nil receiver, in which case it returns nil.
func (m *IamPolicyAnalysisQuery) GetIdentitySelector() *IamPolicyAnalysisQuery_IdentitySelector {
	if m == nil {
		return nil
	}
	return m.IdentitySelector
}
// GetAccessSelector returns the query's access selector. It is safe to call
// on a nil receiver, in which case it returns nil.
func (m *IamPolicyAnalysisQuery) GetAccessSelector() *IamPolicyAnalysisQuery_AccessSelector {
	if m == nil {
		return nil
	}
	return m.AccessSelector
}
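// IamPolicyAnalysisQuery_ResourceSelector specifies the resource to analyze
// for access policies, which may be set directly on the resource, or on
// ancestors such as organizations, folders or projects. At least one of
// ResourceSelector, IdentitySelector or AccessSelector must be specified in
// a request.
//
// Fixes in this revision: the garbled, duplicated link fragment in the field
// comment is replaced by plain text and the struct is properly closed.
type IamPolicyAnalysisQuery_ResourceSelector struct {
	// Required. The full resource name of the resource to analyze.
	FullResourceName string `protobuf:"bytes,1,opt,name=full_resource_name,json=fullResourceName,proto3" json:"full_resource_name,omitempty"`
}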
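// IamPolicyAnalysisQuery_IdentitySelector specifies an identity for which
// to determine resource access, based on roles assigned either directly to
// it or to the groups it belongs to, directly or indirectly.
//
// Fixes in this revision: the ungrammatical, duplicated field comment is
// rewritten and the struct is properly closed.
type IamPolicyAnalysisQuery_IdentitySelector struct {
	// Required. The identity, written in the same form as a member of an IAM
	// policy binding.
	Identity string `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"`
}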
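// IamPolicyAnalysisQuery_AccessSelector specifies roles and/or permissions
// to analyze, to determine both the identities possessing them and the
// resources they control. If multiple values are specified, results will
// include identities and resources matching any of them (an OR, not an
// AND, across both lists).
//
// Fixes in this revision: the struct is properly closed.
type IamPolicyAnalysisQuery_AccessSelector struct {
	// Optional. The roles to appear in the result.
	Roles []string `protobuf:"bytes,1,rep,name=roles,proto3" json:"roles,omitempty"`
	// Optional. The permissions to appear in the result.
	Permissions []string `protobuf:"bytes,2,rep,name=permissions,proto3" json:"permissions,omitempty"`
}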
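// AnalyzeIamPolicyRequest is the request message for
// AssetService.AnalyzeIamPolicy: the query to run plus optional expansion
// and limit options.
//
// Fixes in this revision: the struct is properly closed.
type AnalyzeIamPolicyRequest struct {
	// Required. The request query.
	AnalysisQuery *IamPolicyAnalysisQuery `protobuf:"bytes,1,opt,name=analysis_query,json=analysisQuery,proto3" json:"analysis_query,omitempty"`
	// Optional. The request options. A nil Options is equivalent to every
	// option at its documented default.
	Options *AnalyzeIamPolicyRequest_Options `protobuf:"bytes,2,opt,name=options,proto3" json:"options,omitempty"`
}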
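// AnalyzeIamPolicyRequest_Options carries the options for a synchronous
// AnalyzeIamPolicy call: which parts of the result to expand, which edges to
// emit, whether to follow service-account impersonation, an execution
// timeout, and two internal fan-out limits.
//
// Fixes in this revision: the truncated Duration link is replaced by plain
// text and the struct is properly closed.
type AnalyzeIamPolicyRequest_Options struct {
	// Optional. If true, the identities section of the result will expand any
	// Google groups appearing in an IAM policy binding.
	// If identity_selector is specified, the identity in the result will
	// be determined by the selector, and this flag will have no effect.
	// Default is false.
	//
	// NOTE(review): expansion lists the members behind a group binding, so
	// the result then discloses group membership, not just the binding.
	ExpandGroups bool `protobuf:"varint,1,opt,name=expand_groups,json=expandGroups,proto3" json:"expand_groups,omitempty"`
	// Optional. If true, the access section of result will expand any roles
	// appearing in IAM policy bindings to include their permissions.
	// If access_selector is specified, the access section of the result
	// will be determined by the selector, and this flag will have no effect.
	// Default is false.
	ExpandRoles bool `protobuf:"varint,2,opt,name=expand_roles,json=expandRoles,proto3" json:"expand_roles,omitempty"`
	// Optional. If true, the resource section of the result will expand any
	// resource attached to an IAM policy to include resources lower in the
	// resource hierarchy.
	// For example, if the request analyzes for which resources user A has
	// permission P, and the results include an IAM policy with P on a GCP
	// folder, the results will also include resources in that folder with
	// permission P.
	// If resource_selector is specified, the resource section of the result
	// will be determined by the selector, and this flag will have no effect.
	// Default is false.
	ExpandResources bool `protobuf:"varint,3,opt,name=expand_resources,json=expandResources,proto3" json:"expand_resources,omitempty"`
	// Optional. If true, the result will output resource edges, starting
	// from the policy attached resource, to any expanded resources.
	// Default is false.
	OutputResourceEdges bool `protobuf:"varint,4,opt,name=output_resource_edges,json=outputResourceEdges,proto3" json:"output_resource_edges,omitempty"`
	// Optional. If true, the result will output group identity edges, starting
	// from the binding's group members, to any expanded identities.
	// Default is false.
	OutputGroupEdges bool `protobuf:"varint,5,opt,name=output_group_edges,json=outputGroupEdges,proto3" json:"output_group_edges,omitempty"`
	// Optional. If true, the response will include access analysis from
	// identities to resources via service account impersonation. This is a
	// very expensive operation, because many derived queries will be
	// executed. We highly recommend you use the ExportIamPolicyAnalysis rpc
	// instead.
	//
	// For example, if the request analyzes for which resources user A has
	// permission P, and there's an IAM policy stating user A has the
	// iam.serviceAccounts.getAccessToken permission on a service account SA,
	// and there's another IAM policy stating service account SA has
	// permission P on a GCP folder F, then user A potentially has access to
	// the GCP folder F. Those advanced analysis results will be included in
	// AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
	//
	// Another example: if the request analyzes who has permission P on a GCP
	// folder F, and there's an IAM policy stating user A has the
	// iam.serviceAccounts.actAs permission on a service account SA, and
	// there's another IAM policy stating service account SA has permission P
	// on the GCP folder F, then user A potentially has access to the GCP
	// folder F. Those advanced analysis results will be included in
	// AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
	//
	// From a security-review standpoint these are the indirect paths an
	// identity can take to inherit a service account's access; an analysis
	// run without this flag will not surface them.
	// Default is false.
	AnalyzeServiceAccountImpersonation bool `protobuf:"varint,6,opt,name=analyze_service_account_impersonation,json=analyzeServiceAccountImpersonation,proto3" json:"analyze_service_account_impersonation,omitempty"`
	// Optional. Amount of time the execution has to complete (a
	// google.protobuf.Duration).
	// If this field is set with a value less than the RPC deadline, and the
	// execution of your query hasn't finished in the specified
	// execution timeout, you will get a response with a partial result.
	// Otherwise, your query's execution will continue until the RPC deadline.
	// If it's not finished by then, you will get a DEADLINE_EXCEEDED error.
	// Default is empty.
	//
	// A partial result is not a complete answer: check
	// AnalyzeIamPolicyResponse.fully_explored / non_critical_errors before
	// concluding that some identity has no access.
	ExecutionTimeout *duration.Duration `protobuf:"bytes,7,opt,name=execution_timeout,json=executionTimeout,proto3" json:"execution_timeout,omitempty"`
	// Optional. The maximum number of fanouts per group when expand_groups
	// is enabled. This internal field is to help load testing and determine a
	// proper value, and won't be public in the future. Do not depend on it.
	MaxFanoutsPerGroup int32 `protobuf:"varint,8,opt,name=max_fanouts_per_group,json=maxFanoutsPerGroup,proto3" json:"max_fanouts_per_group,omitempty"`
	// Optional. The maximum number of fanouts per parent resource, such as a
	// GCP Project etc., when expand_resources is enabled. This internal
	// field is to help load testing and determine a proper value, and won't
	// be public in the future. Do not depend on it.
	MaxFanoutsPerResource int32 `protobuf:"varint,9,opt,name=max_fanouts_per_resource,json=maxFanoutsPerResource,proto3" json:"max_fanouts_per_resource,omitempty"`
}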
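// AnalyzeIamPolicyResponse is the response message for
// AssetService.AnalyzeIamPolicy.
//
// Consumers that use the result for access decisions should treat a
// response with FullyExplored == false as incomplete — an absent entry then
// means "not explored", not "no access". NonCriticalErrors explains why.
//
// Fixes in this revision: the struct is properly closed.
type AnalyzeIamPolicyResponse struct {
	// The main analysis that matches the original request.
	MainAnalysis *AnalyzeIamPolicyResponse_IamPolicyAnalysis `protobuf:"bytes,1,opt,name=main_analysis,json=mainAnalysis,proto3" json:"main_analysis,omitempty"`
	// The service account impersonation analysis, present only if
	// AnalyzeIamPolicyRequest.analyze_service_account_impersonation is
	// enabled.
	ServiceAccountImpersonationAnalysis []*AnalyzeIamPolicyResponse_IamPolicyAnalysis `protobuf:"bytes,2,rep,name=service_account_impersonation_analysis,json=serviceAccountImpersonationAnalysis,proto3" json:"service_account_impersonation_analysis,omitempty"`
	// Represents whether all entries in main_analysis and
	// service_account_impersonation_analysis have been fully explored to
	// answer the query in the request.
	FullyExplored bool `protobuf:"varint,3,opt,name=fully_explored,json=fullyExplored,proto3" json:"fully_explored,omitempty"`
	// A list of non-critical errors that happened during request handling,
	// explaining why `fully_explored` is false; empty if no error happened.
	NonCriticalErrors []*IamPolicyAnalysisResult_AnalysisState `protobuf:"bytes,4,rep,name=non_critical_errors,json=nonCriticalErrors,proto3" json:"non_critical_errors,omitempty"`
}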
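// AnalyzeIamPolicyResponse_IamPolicyAnalysis groups one analysis query with
// its results and a completeness flag.
//
// Fixes in this revision: the duplicated "empty if no result is found."
// comment line is removed and the struct is properly closed.
type AnalyzeIamPolicyResponse_IamPolicyAnalysis struct {
	// The analysis query.
	AnalysisQuery *IamPolicyAnalysisQuery `protobuf:"bytes,1,opt,name=analysis_query,json=analysisQuery,proto3" json:"analysis_query,omitempty"`
	// A list of IamPolicyAnalysisResult entries that match the analysis
	// query, or empty if no result is found.
	AnalysisResults []*IamPolicyAnalysisResult `protobuf:"bytes,2,rep,name=analysis_results,json=analysisResults,proto3" json:"analysis_results,omitempty"`
	// Represents whether all entries in analysis_results have been fully
	// explored to answer the query. An empty AnalysisResults with
	// FullyExplored == false does not establish that nobody has access.
	FullyExplored bool `protobuf:"varint,3,opt,name=fully_explored,json=fullyExplored,proto3" json:"fully_explored,omitempty"`
}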
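// IamPolicyAnalysisOutputConfig is the output configuration for an
// ExportIamPolicyAnalysis destination. Destination is a proto oneof; the
// only variant visible here is IamPolicyAnalysisOutputConfig_GcsDestination_.
//
// Fixes in this revision: the struct is properly closed.
type IamPolicyAnalysisOutputConfig struct {
	// IAM policy analysis export destination.
	//
	// Types that are valid to be assigned to Destination:
	//	*IamPolicyAnalysisOutputConfig_GcsDestination_
	Destination isIamPolicyAnalysisOutputConfig_Destination `protobuf_oneof:"destination"`
}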
// Reset clears the receiver back to the zero IamPolicyAnalysisOutputConfig.
func (m *IamPolicyAnalysisOutputConfig) Reset() {
	var zero IamPolicyAnalysisOutputConfig
	*m = zero
}
// String renders the message in the compact proto text format.
func (m *IamPolicyAnalysisOutputConfig) String() string {
	text := proto.CompactTextString(m)
	return text
}
// ProtoMessage is a marker method that makes IamPolicyAnalysisOutputConfig
// satisfy proto.Message; it intentionally has no body.
func (*IamPolicyAnalysisOutputConfig) ProtoMessage() {}
// Descriptor returns the file descriptor this message belongs to and the
// path of the message within it (top-level message index 3).
func (*IamPolicyAnalysisOutputConfig) Descriptor() ([]byte, []int) {
	path := []int{3}
	return fileDescriptor_6d37c6d1bea9ee6a, path
}
// XXX_Unmarshal decodes wire bytes b into m via the package message info.
func (m *IamPolicyAnalysisOutputConfig) XXX_Unmarshal(b []byte) error {
	err := xxx_messageInfo_IamPolicyAnalysisOutputConfig.Unmarshal(m, b)
	return err
}
// XXX_Marshal appends the wire encoding of m to b via the package message
// info; deterministic requests stable map ordering.
func (m *IamPolicyAnalysisOutputConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	out, err := xxx_messageInfo_IamPolicyAnalysisOutputConfig.Marshal(b, m, deterministic)
	return out, err
}
// XXX_Merge merges src into m via the package message info.
func (m *IamPolicyAnalysisOutputConfig) XXX_Merge(src proto.Message) {
	info := &xxx_messageInfo_IamPolicyAnalysisOutputConfig
	info.Merge(m, src)
}
// XXX_Size returns the encoded size of m via the package message info.
func (m *IamPolicyAnalysisOutputConfig) XXX_Size() int {
	n := xxx_messageInfo_IamPolicyAnalysisOutputConfig.Size(m)
	return n
}
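// XXX_DiscardUnknown drops unknown fields from m via the package message
// info, matching the delegation used by the sibling XXX_* methods.
//
// Fixes in this revision: the method had no body in this copy; it now
// delegates to the message info like its siblings.
func (m *IamPolicyAnalysisOutputConfig) XXX_DiscardUnknown() {
	xxx_messageInfo_IamPolicyAnalysisOutputConfig.DiscardUnknown(m)
}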
// xxx_messageInfo_IamPolicyAnalysisOutputConfig is the shared marshal/
// unmarshal/merge/size state that the XXX_* methods above delegate to.
var xxx_messageInfo_IamPolicyAnalysisOutputConfig proto.InternalMessageInfo
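// IamPolicyAnalysisOutputConfig_GcsDestination is a Cloud Storage location
// that an IAM policy analysis export is written to.
//
// NOTE(review): the exported file describes which identities hold which
// access on which resources; choose a bucket whose read access is at least
// as restricted as the analysis scope itself.
//
// Fixes in this revision: the truncated documentation link is replaced by
// plain text and the struct is properly closed.
type IamPolicyAnalysisOutputConfig_GcsDestination struct {
	// Required. The uri of the Cloud Storage object. It's the same uri that
	// is used by gsutil. For example: "gs://bucket_name/object_name". See
	// the Cloud Storage documentation on viewing and editing object metadata
	// for more information. An INVALID_ARGUMENT error will be returned if a
	// file with the same name "gs://bucket_name/object_name" already exists
	// (the export never overwrites an existing object).
	Uri string `protobuf:"bytes,1,opt,name=uri,proto3" json:"uri,omitempty"`
}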
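// ExportIamPolicyAnalysisRequest is the request message for
// AssetService.ExportIamPolicyAnalysis: the query, optional options and the
// required output destination.
//
// Fixes in this revision: the struct is properly closed.
type ExportIamPolicyAnalysisRequest struct {
	// Required. The request query.
	AnalysisQuery *IamPolicyAnalysisQuery `protobuf:"bytes,1,opt,name=analysis_query,json=analysisQuery,proto3" json:"analysis_query,omitempty"`
	// Optional. The request options. A nil Options is equivalent to every
	// option at its documented default.
	Options *ExportIamPolicyAnalysisRequest_Options `protobuf:"bytes,2,opt,name=options,proto3" json:"options,omitempty"`
	// Required. Output configuration indicating where the results will be
	// written.
	OutputConfig *IamPolicyAnalysisOutputConfig `protobuf:"bytes,3,opt,name=output_config,json=outputConfig,proto3" json:"output_config,omitempty"`
}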
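// ExportIamPolicyAnalysisRequest_Options carries the options for an
// asynchronous ExportIamPolicyAnalysis call. The fields mirror the first six
// fields of AnalyzeIamPolicyRequest_Options; the export variant has no
// execution timeout or fan-out limits.
//
// Fixes in this revision: the struct is properly closed.
type ExportIamPolicyAnalysisRequest_Options struct {
	// Optional. If true, the identities section of the result will expand any
	// Google groups appearing in an IAM policy binding.
	// If identity_selector is specified, the identity in the result will
	// be determined by the selector, and this flag will have no effect.
	// Default is false.
	//
	// NOTE(review): expansion lists the members behind a group binding, so
	// the exported file then discloses group membership, not just the binding.
	ExpandGroups bool `protobuf:"varint,1,opt,name=expand_groups,json=expandGroups,proto3" json:"expand_groups,omitempty"`
	// Optional. If true, the access section of result will expand any roles
	// appearing in IAM policy bindings to include their permissions.
	// If access_selector is specified, the access section of the result
	// will be determined by the selector, and this flag will have no effect.
	// Default is false.
	ExpandRoles bool `protobuf:"varint,2,opt,name=expand_roles,json=expandRoles,proto3" json:"expand_roles,omitempty"`
	// Optional. If true, the resource section of the result will expand any
	// resource attached to an IAM policy to include resources lower in the
	// resource hierarchy.
	// For example, if the request analyzes for which resources user A has
	// permission P, and the results include an IAM policy with P on a GCP
	// folder, the results will also include resources in that folder with
	// permission P.
	// If resource_selector is specified, the resource section of the result
	// will be determined by the selector, and this flag will have no effect.
	// Default is false.
	ExpandResources bool `protobuf:"varint,3,opt,name=expand_resources,json=expandResources,proto3" json:"expand_resources,omitempty"`
	// Optional. If true, the result will output resource edges, starting
	// from the policy attached resource, to any expanded resources.
	// Default is false.
	OutputResourceEdges bool `protobuf:"varint,4,opt,name=output_resource_edges,json=outputResourceEdges,proto3" json:"output_resource_edges,omitempty"`
	// Optional. If true, the result will output group identity edges, starting
	// from the binding's group members, to any expanded identities.
	// Default is false.
	OutputGroupEdges bool `protobuf:"varint,5,opt,name=output_group_edges,json=outputGroupEdges,proto3" json:"output_group_edges,omitempty"`
	// Optional. If true, the response will include access analysis from
	// identities to resources via service account impersonation. This is a
	// very expensive operation, because many derived queries will be
	// executed.
	//
	// For example, if the request analyzes for which resources user A has
	// permission P, and there's an IAM policy stating user A has the
	// iam.serviceAccounts.getAccessToken permission on a service account SA,
	// and there's another IAM policy stating service account SA has
	// permission P on a GCP folder F, then user A potentially has access to
	// the GCP folder F. Those advanced analysis results will be included in
	// AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
	//
	// Another example: if the request analyzes who has permission P on a GCP
	// folder F, and there's an IAM policy stating user A has the
	// iam.serviceAccounts.actAs permission on a service account SA, and
	// there's another IAM policy stating service account SA has permission P
	// on the GCP folder F, then user A potentially has access to the GCP
	// folder F. Those advanced analysis results will be included in
	// AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
	//
	// From a security-review standpoint these are the indirect paths an
	// identity can take to inherit a service account's access; an export
	// run without this flag will not surface them.
	// Default is false.
	AnalyzeServiceAccountImpersonation bool `protobuf:"varint,6,opt,name=analyze_service_account_impersonation,json=analyzeServiceAccountImpersonation,proto3" json:"analyze_service_account_impersonation,omitempty"`
}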
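// AssetServiceClient is the client API for the AssetService service.
//
// For semantics around ctx use and closing/ending streaming RPCs, refer to
// the grpc package documentation.
//
// Fixes in this revision: the dangling "please refer to" sentence is
// completed and the interface is properly closed.
type AssetServiceClient interface {
	// AnalyzeIamPolicy analyzes IAM policies based on the specified request
	// and returns a list of IamPolicyAnalysisResult entries matching it. The
	// response's fully_explored flag tells whether the list is complete.
	AnalyzeIamPolicy(ctx context.Context, in *AnalyzeIamPolicyRequest, opts ...grpc.CallOption) (*AnalyzeIamPolicyResponse, error)
	// ExportIamPolicyAnalysis exports an IAM policy analysis based on the
	// specified request. This API implements the google.longrunning.Operation
	// API, allowing you to keep track of the export. The operation metadata
	// contains the request to help callers map responses to requests.
	ExportIamPolicyAnalysis(ctx context.Context, in *ExportIamPolicyAnalysisRequest, opts ...grpc.CallOption) (*longrunning.Operation, error)
}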
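// AssetServiceServer is the server API for the AssetService service.
//
// Fixes in this revision: the interface is properly closed.
type AssetServiceServer interface {
	// AnalyzeIamPolicy analyzes IAM policies based on the specified request
	// and returns a list of IamPolicyAnalysisResult entries matching it.
	AnalyzeIamPolicy(context.Context, *AnalyzeIamPolicyRequest) (*AnalyzeIamPolicyResponse, error)
	// ExportIamPolicyAnalysis exports an IAM policy analysis based on the
	// specified request. This API implements the google.longrunning.Operation
	// API, allowing callers to keep track of the export. The operation
	// metadata contains the request to help callers map responses to
	// requests.
	ExportIamPolicyAnalysis(context.Context, *ExportIamPolicyAnalysisRequest) (*longrunning.Operation, error)
}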
