Google Git
Sign in
android / platform / external / python / google-api-python-client / 1f15bf352ba516461263a073edb893b8932c230f / . / docs / dyn / binaryauthorization_v1beta1.projects.attestors.html
blob: b5b055c0189d13aa79d3c01a884a539b8761b01b [file] [log] [blame]
<html><body>
<style>
body, h1, h2, h3, div, span, p, pre, a {
margin: 0;
padding: 0;
border: 0;
font-weight: inherit;
font-style: inherit;
font-size: 100%;
font-family: inherit;
vertical-align: baseline;
}
body {
font-size: 13px;
padding: 1em;
}
h1 {
font-size: 26px;
margin-bottom: 1em;
}
h2 {
font-size: 24px;
margin-bottom: 1em;
}
h3 {
font-size: 20px;
margin-bottom: 1em;
margin-top: 1em;
}
pre, code {
line-height: 1.5;
font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}
pre {
margin-top: 0.5em;
}
h1, h2, h3, p {
font-family: Arial, sans serif;
}
h1, h2, h3 {
border-bottom: solid #CCC 1px;
}
.toc_element {
margin-top: 0.5em;
}
.firstline {
margin-left: 2 em;
}
.method {
margin-top: 1em;
border: solid 1px #CCC;
padding: 1em;
background: #EEE;
}
.details {
font-weight: bold;
font-size: 14px;
}
</style>
<h1><a href="binaryauthorization_v1beta1.html">Binary Authorization API</a> . <a href="binaryauthorization_v1beta1.projects.html">projects</a> . <a href="binaryauthorization_v1beta1.projects.attestors.html">attestors</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
<code><a href="#create">create(parent, body, attestorId=None, x__xgafv=None)</a></code></p>
<p class="firstline">Creates an attestor, and returns a copy of the new</p>
<p class="toc_element">
<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
<p class="firstline">Deletes an attestor. Returns NOT_FOUND if the</p>
<p class="toc_element">
<code><a href="#get">get(name, x__xgafv=None)</a></code></p>
<p class="firstline">Gets an attestor.</p>
<p class="toc_element">
<code><a href="#getIamPolicy">getIamPolicy(resource, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the access control policy for a resource.</p>
<p class="toc_element">
<code><a href="#list">list(parent, pageToken=None, x__xgafv=None, pageSize=None)</a></code></p>
<p class="firstline">Lists attestors.</p>
<p class="toc_element">
<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
<code><a href="#setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Sets the access control policy on the specified resource. Replaces any</p>
<p class="toc_element">
<code><a href="#testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Returns permissions that a caller has on the specified resource.</p>
<p class="toc_element">
<code><a href="#update">update(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">Updates an attestor.</p>
<h3>Method Details</h3>
<div class="method">
<code class="details" id="create">create(parent, body, attestorId=None, x__xgafv=None)</code>
<pre>Creates an attestor, and returns a copy of the new
attestor. Returns NOT_FOUND if the project does not exist,
INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if the
attestor already exists.
Args:
parent: string, Required. The parent of this attestor. (required)
body: object, The request body. (required)
The object takes the form of:
{ # An attestor that attests to container image
# artifacts. An existing attestor cannot be modified except where
# indicated.
"updateTime": "A String", # Output only. Time when the attestor was last updated.
"description": "A String", # Optional. A descriptive comment. This field may be updated.
# The field may be displayed in chooser dialogs.
"userOwnedDrydockNote": { # An user owned drydock note references a Drydock # A Drydock ATTESTATION_AUTHORITY Note, created by the user.
# ATTESTATION_AUTHORITY Note created by the user.
"delegationServiceAccountEmail": "A String", # Output only. This field will contain the service account email address
# that this Attestor will use as the principal when querying Container
# Analysis. Attestor administrators must grant this service account the
# IAM role needed to read attestations from the note_reference in
# Container Analysis (`containeranalysis.notes.occurrences.viewer`).
#
# This email address is fixed for the lifetime of the Attestor, but callers
# should not make any other assumptions about the service account email;
# future versions may use an email based on a different naming pattern.
"noteReference": "A String", # Required. The Drydock resource name of a ATTESTATION_AUTHORITY Note,
# created by the user, in the format: `projects/*/notes/*` (or the legacy
# `providers/*/notes/*`). This field may not be updated.
#
# An attestation by this attestor is stored as a Drydock
# ATTESTATION_AUTHORITY Occurrence that names a container image and that
# links to this Note. Drydock is an external dependency.
"publicKeys": [ # Optional. Public keys that verify attestations signed by this
# attestor. This field may be updated.
#
# If this field is non-empty, one of the specified public keys must
# verify that an attestation was signed by this attestor for the
# image specified in the admission request.
#
# If this field is empty, this attestor always returns that no
# valid attestations exist.
{ # An attestor public key that will be used to verify
# attestations signed by this attestor.
"comment": "A String", # Optional. A descriptive comment. This field may be updated.
"asciiArmoredPgpPublicKey": "A String", # ASCII-armored representation of a PGP public key, as the entire output by
# the command `gpg --export --armor [email protected]` (either LF or CRLF
# line endings).
# When using this field, `id` should be left blank. The BinAuthz API
# handlers will calculate the ID and fill it in automatically. BinAuthz
# computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
# upper-case hex. If `id` is provided by the caller, it will be
# overwritten by the API-calculated ID.
"id": "A String", # The ID of this public key.
# Signatures verified by BinAuthz must include the ID of the public key that
# can be used to verify them, and that ID must match the contents of this
# field exactly.
# Additional restrictions on this field can be imposed based on which public
# key type is encapsulated. See the documentation on `public_key` cases below
# for details.
"pkixPublicKey": { # A public key in the PkixPublicKey format (see # A raw PKIX SubjectPublicKeyInfo format public key.
#
# NOTE: `id` may be explicitly provided by the caller when using this
# type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
# blank, a default one will be computed based on the digest of the DER
# encoding of the public key.
# https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).
# Public keys of this type are typically textually encoded using the PEM
# format.
"publicKeyPem": "A String", # A PEM-encoded public key, as described in
# https://tools.ietf.org/html/rfc7468#section-13
"signatureAlgorithm": "A String", # The signature algorithm used to verify a message against a signature using
# this key.
# These signature algorithm must match the structure and any object
# identifiers encoded in `public_key_pem` (i.e. this algorithm must match
# that of the public key).
},
},
],
},
"name": "A String", # Required. The resource name, in the format:
# `projects/*/attestors/*`. This field may not be updated.
}
attestorId: string, Required. The attestors ID.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # An attestor that attests to container image
# artifacts. An existing attestor cannot be modified except where
# indicated.
"updateTime": "A String", # Output only. Time when the attestor was last updated.
"description": "A String", # Optional. A descriptive comment. This field may be updated.
# The field may be displayed in chooser dialogs.
"userOwnedDrydockNote": { # An user owned drydock note references a Drydock # A Drydock ATTESTATION_AUTHORITY Note, created by the user.
# ATTESTATION_AUTHORITY Note created by the user.
"delegationServiceAccountEmail": "A String", # Output only. This field will contain the service account email address
# that this Attestor will use as the principal when querying Container
# Analysis. Attestor administrators must grant this service account the
# IAM role needed to read attestations from the note_reference in
# Container Analysis (`containeranalysis.notes.occurrences.viewer`).
#
# This email address is fixed for the lifetime of the Attestor, but callers
# should not make any other assumptions about the service account email;
# future versions may use an email based on a different naming pattern.
"noteReference": "A String", # Required. The Drydock resource name of a ATTESTATION_AUTHORITY Note,
# created by the user, in the format: `projects/*/notes/*` (or the legacy
# `providers/*/notes/*`). This field may not be updated.
#
# An attestation by this attestor is stored as a Drydock
# ATTESTATION_AUTHORITY Occurrence that names a container image and that
# links to this Note. Drydock is an external dependency.
"publicKeys": [ # Optional. Public keys that verify attestations signed by this
# attestor. This field may be updated.
#
# If this field is non-empty, one of the specified public keys must
# verify that an attestation was signed by this attestor for the
# image specified in the admission request.
#
# If this field is empty, this attestor always returns that no
# valid attestations exist.
{ # An attestor public key that will be used to verify
# attestations signed by this attestor.
"comment": "A String", # Optional. A descriptive comment. This field may be updated.
"asciiArmoredPgpPublicKey": "A String", # ASCII-armored representation of a PGP public key, as the entire output by
# the command `gpg --export --armor [email protected]` (either LF or CRLF
# line endings).
# When using this field, `id` should be left blank. The BinAuthz API
# handlers will calculate the ID and fill it in automatically. BinAuthz
# computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
# upper-case hex. If `id` is provided by the caller, it will be
# overwritten by the API-calculated ID.
"id": "A String", # The ID of this public key.
# Signatures verified by BinAuthz must include the ID of the public key that
# can be used to verify them, and that ID must match the contents of this
# field exactly.
# Additional restrictions on this field can be imposed based on which public
# key type is encapsulated. See the documentation on `public_key` cases below
# for details.
"pkixPublicKey": { # A public key in the PkixPublicKey format (see # A raw PKIX SubjectPublicKeyInfo format public key.
#
# NOTE: `id` may be explicitly provided by the caller when using this
# type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
# blank, a default one will be computed based on the digest of the DER
# encoding of the public key.
# https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).
# Public keys of this type are typically textually encoded using the PEM
# format.
"publicKeyPem": "A String", # A PEM-encoded public key, as described in
# https://tools.ietf.org/html/rfc7468#section-13
"signatureAlgorithm": "A String", # The signature algorithm used to verify a message against a signature using
# this key.
# These signature algorithm must match the structure and any object
# identifiers encoded in `public_key_pem` (i.e. this algorithm must match
# that of the public key).
},
},
],
},
"name": "A String", # Required. The resource name, in the format:
# `projects/*/attestors/*`. This field may not be updated.
}</pre>
</div>
<div class="method">
<code class="details" id="delete">delete(name, x__xgafv=None)</code>
<pre>Deletes an attestor. Returns NOT_FOUND if the
attestor does not exist.
Args:
name: string, Required. The name of the attestors to delete, in the format
`projects/*/attestors/*`. (required)
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # A generic empty message that you can re-use to avoid defining duplicated
# empty messages in your APIs. A typical example is to use it as the request
# or the response type of an API method. For instance:
#
# service Foo {
# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
# }
#
# The JSON representation for `Empty` is empty JSON object `{}`.
}</pre>
</div>
<div class="method">
<code class="details" id="get">get(name, x__xgafv=None)</code>
<pre>Gets an attestor.
Returns NOT_FOUND if the attestor does not exist.
Args:
name: string, Required. The name of the attestor to retrieve, in the format
`projects/*/attestors/*`. (required)
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # An attestor that attests to container image
# artifacts. An existing attestor cannot be modified except where
# indicated.
"updateTime": "A String", # Output only. Time when the attestor was last updated.
"description": "A String", # Optional. A descriptive comment. This field may be updated.
# The field may be displayed in chooser dialogs.
"userOwnedDrydockNote": { # An user owned drydock note references a Drydock # A Drydock ATTESTATION_AUTHORITY Note, created by the user.
# ATTESTATION_AUTHORITY Note created by the user.
"delegationServiceAccountEmail": "A String", # Output only. This field will contain the service account email address
# that this Attestor will use as the principal when querying Container
# Analysis. Attestor administrators must grant this service account the
# IAM role needed to read attestations from the note_reference in
# Container Analysis (`containeranalysis.notes.occurrences.viewer`).
#
# This email address is fixed for the lifetime of the Attestor, but callers
# should not make any other assumptions about the service account email;
# future versions may use an email based on a different naming pattern.
"noteReference": "A String", # Required. The Drydock resource name of a ATTESTATION_AUTHORITY Note,
# created by the user, in the format: `projects/*/notes/*` (or the legacy
# `providers/*/notes/*`). This field may not be updated.
#
# An attestation by this attestor is stored as a Drydock
# ATTESTATION_AUTHORITY Occurrence that names a container image and that
# links to this Note. Drydock is an external dependency.
"publicKeys": [ # Optional. Public keys that verify attestations signed by this
# attestor. This field may be updated.
#
# If this field is non-empty, one of the specified public keys must
# verify that an attestation was signed by this attestor for the
# image specified in the admission request.
#
# If this field is empty, this attestor always returns that no
# valid attestations exist.
{ # An attestor public key that will be used to verify
# attestations signed by this attestor.
"comment": "A String", # Optional. A descriptive comment. This field may be updated.
"asciiArmoredPgpPublicKey": "A String", # ASCII-armored representation of a PGP public key, as the entire output by
# the command `gpg --export --armor [email protected]` (either LF or CRLF
# line endings).
# When using this field, `id` should be left blank. The BinAuthz API
# handlers will calculate the ID and fill it in automatically. BinAuthz
# computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
# upper-case hex. If `id` is provided by the caller, it will be
# overwritten by the API-calculated ID.
"id": "A String", # The ID of this public key.
# Signatures verified by BinAuthz must include the ID of the public key that
# can be used to verify them, and that ID must match the contents of this
# field exactly.
# Additional restrictions on this field can be imposed based on which public
# key type is encapsulated. See the documentation on `public_key` cases below
# for details.
"pkixPublicKey": { # A public key in the PkixPublicKey format (see # A raw PKIX SubjectPublicKeyInfo format public key.
#
# NOTE: `id` may be explicitly provided by the caller when using this
# type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
# blank, a default one will be computed based on the digest of the DER
# encoding of the public key.
# https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).
# Public keys of this type are typically textually encoded using the PEM
# format.
"publicKeyPem": "A String", # A PEM-encoded public key, as described in
# https://tools.ietf.org/html/rfc7468#section-13
"signatureAlgorithm": "A String", # The signature algorithm used to verify a message against a signature using
# this key.
# These signature algorithm must match the structure and any object
# identifiers encoded in `public_key_pem` (i.e. this algorithm must match
# that of the public key).
},
},
],
},
"name": "A String", # Required. The resource name, in the format:
# `projects/*/attestors/*`. This field may not be updated.
}</pre>
</div>
<div class="method">
<code class="details" id="getIamPolicy">getIamPolicy(resource, x__xgafv=None)</code>
<pre>Gets the access control policy for a resource.
Returns an empty policy if the resource exists and does not have a policy
set.
Args:
resource: string, REQUIRED: The resource for which the policy is being requested.
See the operation documentation for the appropriate value for this field. (required)
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Defines an Identity and Access Management (IAM) policy. It is used to
# specify access control policies for Cloud Platform resources.
#
#
# A `Policy` consists of a list of `bindings`. A `binding` binds a list of
# `members` to a `role`, where the members can be user accounts, Google groups,
# Google domains, and service accounts. A `role` is a named list of permissions
# defined by IAM.
#
# **JSON Example**
#
# {
# "bindings": [
# {
# "role": "roles/owner",
# "members": [
# "user:[email protected]",
# "group:[email protected]",
# "domain:google.com",
# "serviceAccount:[email protected]"
# ]
# },
# {
# "role": "roles/viewer",
# "members": ["user:[email protected]"]
# }
# ]
# }
#
# **YAML Example**
#
# bindings:
# - members:
# - user:[email protected]
# - group:[email protected]
# - domain:google.com
# - serviceAccount:[email protected]
# role: roles/owner
# - members:
# - user:[email protected]
# role: roles/viewer
#
#
# For a description of IAM and its features, see the
# [IAM developer's guide](https://cloud.google.com/iam/docs).
"bindings": [ # Associates a list of `members` to a `role`.
# `bindings` with no members will result in an error.
{ # Associates `members` with a `role`.
"role": "A String", # Role that is assigned to `members`.
# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
"members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
#
# * `allUsers`: A special identifier that represents anyone who is
# on the internet; with or without a Google account.
#
# * `allAuthenticatedUsers`: A special identifier that represents anyone
# who is authenticated with a Google account or a service account.
#
# * `user:{emailid}`: An email address that represents a specific Google
# account. For example, `[email protected]` .
#
#
# * `serviceAccount:{emailid}`: An email address that represents a service
# account. For example, `[email protected]`.
#
# * `group:{emailid}`: An email address that represents a Google group.
# For example, `[email protected]`.
#
#
# * `domain:{domain}`: The G Suite domain (primary) that represents all the
# users of that domain. For example, `google.com` or `example.com`.
#
"A String",
],
"condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
# NOTE: An unsatisfied condition will not allow user access via current
# binding. Different bindings, including their conditions, are examined
# independently.
#
# title: "User account presence"
# description: "Determines whether the request has a user account"
# expression: "size(request.user) > 0"
"location": "A String", # An optional string indicating the location of the expression for error
# reporting, e.g. a file name and a position in the file.
"expression": "A String", # Textual representation of an expression in
# Common Expression Language syntax.
#
# The application context of the containing message determines which
# well-known feature set of CEL is supported.
"description": "A String", # An optional description of the expression. This is a longer text which
# describes the expression, e.g. when hovered over it in a UI.
"title": "A String", # An optional title for the expression, i.e. a short string describing
# its purpose. This can be used e.g. in UIs which allow to enter the
# expression.
},
},
],
"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
# prevent simultaneous updates of a policy from overwriting each other.
# It is strongly suggested that systems make use of the `etag` in the
# read-modify-write cycle to perform policy updates in order to avoid race
# conditions: An `etag` is returned in the response to `getIamPolicy`, and
# systems are expected to put that etag in the request to `setIamPolicy` to
# ensure that their change will be applied to the same version of the policy.
#
# If no `etag` is provided in the call to `setIamPolicy`, then the existing
# policy is overwritten blindly.
"version": 42, # Deprecated.
}</pre>
</div>
<div class="method">
<code class="details" id="list">list(parent, pageToken=None, x__xgafv=None, pageSize=None)</code>
<pre>Lists attestors.
Returns INVALID_ARGUMENT if the project does not exist.
Args:
parent: string, Required. The resource name of the project associated with the
attestors, in the format `projects/*`. (required)
pageToken: string, A token identifying a page of results the server should return. Typically,
this is the value of ListAttestorsResponse.next_page_token returned
from the previous call to the `ListAttestors` method.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
pageSize: integer, Requested page size. The server may return fewer results than requested. If
unspecified, the server will pick an appropriate default.
Returns:
An object of the form:
{ # Response message for BinauthzManagementService.ListAttestors.
"nextPageToken": "A String", # A token to retrieve the next page of results. Pass this value in the
# ListAttestorsRequest.page_token field in the subsequent call to the
# `ListAttestors` method to retrieve the next page of results.
"attestors": [ # The list of attestors.
{ # An attestor that attests to container image
# artifacts. An existing attestor cannot be modified except where
# indicated.
"updateTime": "A String", # Output only. Time when the attestor was last updated.
"description": "A String", # Optional. A descriptive comment. This field may be updated.
# The field may be displayed in chooser dialogs.
"userOwnedDrydockNote": { # An user owned drydock note references a Drydock # A Drydock ATTESTATION_AUTHORITY Note, created by the user.
# ATTESTATION_AUTHORITY Note created by the user.
"delegationServiceAccountEmail": "A String", # Output only. This field will contain the service account email address
# that this Attestor will use as the principal when querying Container
# Analysis. Attestor administrators must grant this service account the
# IAM role needed to read attestations from the note_reference in
# Container Analysis (`containeranalysis.notes.occurrences.viewer`).
#
# This email address is fixed for the lifetime of the Attestor, but callers
# should not make any other assumptions about the service account email;
# future versions may use an email based on a different naming pattern.
"noteReference": "A String", # Required. The Drydock resource name of a ATTESTATION_AUTHORITY Note,
# created by the user, in the format: `projects/*/notes/*` (or the legacy
# `providers/*/notes/*`). This field may not be updated.
#
# An attestation by this attestor is stored as a Drydock
# ATTESTATION_AUTHORITY Occurrence that names a container image and that
# links to this Note. Drydock is an external dependency.
"publicKeys": [ # Optional. Public keys that verify attestations signed by this
# attestor. This field may be updated.
#
# If this field is non-empty, one of the specified public keys must
# verify that an attestation was signed by this attestor for the
# image specified in the admission request.
#
# If this field is empty, this attestor always returns that no
# valid attestations exist.
{ # An attestor public key that will be used to verify
# attestations signed by this attestor.
"comment": "A String", # Optional. A descriptive comment. This field may be updated.
"asciiArmoredPgpPublicKey": "A String", # ASCII-armored representation of a PGP public key, as the entire output by
# the command `gpg --export --armor [email protected]` (either LF or CRLF
# line endings).
# When using this field, `id` should be left blank. The BinAuthz API
# handlers will calculate the ID and fill it in automatically. BinAuthz
# computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
# upper-case hex. If `id` is provided by the caller, it will be
# overwritten by the API-calculated ID.
"id": "A String", # The ID of this public key.
# Signatures verified by BinAuthz must include the ID of the public key that
# can be used to verify them, and that ID must match the contents of this
# field exactly.
# Additional restrictions on this field can be imposed based on which public
# key type is encapsulated. See the documentation on `public_key` cases below
# for details.
"pkixPublicKey": { # A public key in the PkixPublicKey format (see # A raw PKIX SubjectPublicKeyInfo format public key.
#
# NOTE: `id` may be explicitly provided by the caller when using this
# type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
# blank, a default one will be computed based on the digest of the DER
# encoding of the public key.
# https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).
# Public keys of this type are typically textually encoded using the PEM
# format.
"publicKeyPem": "A String", # A PEM-encoded public key, as described in
# https://tools.ietf.org/html/rfc7468#section-13
"signatureAlgorithm": "A String", # The signature algorithm used to verify a message against a signature using
# this key.
# These signature algorithm must match the structure and any object
# identifiers encoded in `public_key_pem` (i.e. this algorithm must match
# that of the public key).
},
},
],
},
"name": "A String", # Required. The resource name, in the format:
# `projects/*/attestors/*`. This field may not be updated.
},
],
}</pre>
</div>
<div class="method">
<code class="details" id="list_next">list_next(previous_request, previous_response)</code>
<pre>Retrieves the next page of results.
Args:
previous_request: The request for the previous page. (required)
previous_response: The response from the request for the previous page. (required)
Returns:
A request object that you can call 'execute()' on to request the next
page. Returns None if there are no more items in the collection.
</pre>
</div>
<div class="method">
<code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code>
<pre>Sets the access control policy on the specified resource. Replaces any
existing policy.
Args:
resource: string, REQUIRED: The resource for which the policy is being specified.
See the operation documentation for the appropriate value for this field. (required)
body: object, The request body. (required)
The object takes the form of:
{ # Request message for `SetIamPolicy` method.
"policy": { # Defines an Identity and Access Management (IAM) policy. It is used to # REQUIRED: The complete policy to be applied to the `resource`. The size of
# the policy is limited to a few 10s of KB. An empty policy is a
# valid policy but certain Cloud Platform services (such as Projects)
# might reject them.
# specify access control policies for Cloud Platform resources.
#
#
# A `Policy` consists of a list of `bindings`. A `binding` binds a list of
# `members` to a `role`, where the members can be user accounts, Google groups,
# Google domains, and service accounts. A `role` is a named list of permissions
# defined by IAM.
#
# **JSON Example**
#
# {
# "bindings": [
# {
# "role": "roles/owner",
# "members": [
# "user:[email protected]",
# "group:[email protected]",
# "domain:google.com",
# "serviceAccount:[email protected]"
# ]
# },
# {
# "role": "roles/viewer",
# "members": ["user:[email protected]"]
# }
# ]
# }
#
# **YAML Example**
#
# bindings:
# - members:
# - user:[email protected]
# - group:[email protected]
# - domain:google.com
# - serviceAccount:[email protected]
# role: roles/owner
# - members:
# - user:[email protected]
# role: roles/viewer
#
#
# For a description of IAM and its features, see the
# [IAM developer's guide](https://cloud.google.com/iam/docs).
"bindings": [ # Associates a list of `members` to a `role`.
# `bindings` with no members will result in an error.
{ # Associates `members` with a `role`.
"role": "A String", # Role that is assigned to `members`.
# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
"members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
#
# * `allUsers`: A special identifier that represents anyone who is
# on the internet; with or without a Google account.
#
# * `allAuthenticatedUsers`: A special identifier that represents anyone
# who is authenticated with a Google account or a service account.
#
# * `user:{emailid}`: An email address that represents a specific Google
# account. For example, `[email protected]` .
#
#
# * `serviceAccount:{emailid}`: An email address that represents a service
# account. For example, `[email protected]`.
#
# * `group:{emailid}`: An email address that represents a Google group.
# For example, `[email protected]`.
#
#
# * `domain:{domain}`: The G Suite domain (primary) that represents all the
# users of that domain. For example, `google.com` or `example.com`.
#
"A String",
],
"condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
# NOTE: An unsatisfied condition will not allow user access via current
# binding. Different bindings, including their conditions, are examined
# independently.
#
# title: "User account presence"
# description: "Determines whether the request has a user account"
# expression: "size(request.user) > 0"
"location": "A String", # An optional string indicating the location of the expression for error
# reporting, e.g. a file name and a position in the file.
"expression": "A String", # Textual representation of an expression in
# Common Expression Language syntax.
#
# The application context of the containing message determines which
# well-known feature set of CEL is supported.
"description": "A String", # An optional description of the expression. This is a longer text which
# describes the expression, e.g. when hovered over it in a UI.
"title": "A String", # An optional title for the expression, i.e. a short string describing
# its purpose. This can be used e.g. in UIs which allow to enter the
# expression.
},
},
],
"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
# prevent simultaneous updates of a policy from overwriting each other.
# It is strongly suggested that systems make use of the `etag` in the
# read-modify-write cycle to perform policy updates in order to avoid race
# conditions: An `etag` is returned in the response to `getIamPolicy`, and
# systems are expected to put that etag in the request to `setIamPolicy` to
# ensure that their change will be applied to the same version of the policy.
#
# If no `etag` is provided in the call to `setIamPolicy`, then the existing
# policy is overwritten blindly.
"version": 42, # Deprecated.
},
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Defines an Identity and Access Management (IAM) policy. It is used to
# specify access control policies for Cloud Platform resources.
#
#
# A `Policy` consists of a list of `bindings`. A `binding` binds a list of
# `members` to a `role`, where the members can be user accounts, Google groups,
# Google domains, and service accounts. A `role` is a named list of permissions
# defined by IAM.
#
# **JSON Example**
#
# {
# "bindings": [
# {
# "role": "roles/owner",
# "members": [
# "user:[email protected]",
# "group:[email protected]",
# "domain:google.com",
# "serviceAccount:[email protected]"
# ]
# },
# {
# "role": "roles/viewer",
# "members": ["user:[email protected]"]
# }
# ]
# }
#
# **YAML Example**
#
# bindings:
# - members:
# - user:[email protected]
# - group:[email protected]
# - domain:google.com
# - serviceAccount:[email protected]
# role: roles/owner
# - members:
# - user:[email protected]
# role: roles/viewer
#
#
# For a description of IAM and its features, see the
# [IAM developer's guide](https://cloud.google.com/iam/docs).
"bindings": [ # Associates a list of `members` to a `role`.
# `bindings` with no members will result in an error.
{ # Associates `members` with a `role`.
"role": "A String", # Role that is assigned to `members`.
# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
"members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
#
# * `allUsers`: A special identifier that represents anyone who is
# on the internet; with or without a Google account.
#
# * `allAuthenticatedUsers`: A special identifier that represents anyone
# who is authenticated with a Google account or a service account.
#
# * `user:{emailid}`: An email address that represents a specific Google
# account. For example, `[email protected]` .
#
#
# * `serviceAccount:{emailid}`: An email address that represents a service
# account. For example, `[email protected]`.
#
# * `group:{emailid}`: An email address that represents a Google group.
# For example, `[email protected]`.
#
#
# * `domain:{domain}`: The G Suite domain (primary) that represents all the
# users of that domain. For example, `google.com` or `example.com`.
#
"A String",
],
"condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
# NOTE: An unsatisfied condition will not allow user access via current
# binding. Different bindings, including their conditions, are examined
# independently.
#
# title: "User account presence"
# description: "Determines whether the request has a user account"
# expression: "size(request.user) > 0"
"location": "A String", # An optional string indicating the location of the expression for error
# reporting, e.g. a file name and a position in the file.
"expression": "A String", # Textual representation of an expression in
# Common Expression Language syntax.
#
# The application context of the containing message determines which
# well-known feature set of CEL is supported.
"description": "A String", # An optional description of the expression. This is a longer text which
# describes the expression, e.g. when hovered over it in a UI.
"title": "A String", # An optional title for the expression, i.e. a short string describing
# its purpose. This can be used e.g. in UIs which allow to enter the
# expression.
},
},
],
"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
# prevent simultaneous updates of a policy from overwriting each other.
# It is strongly suggested that systems make use of the `etag` in the
# read-modify-write cycle to perform policy updates in order to avoid race
# conditions: An `etag` is returned in the response to `getIamPolicy`, and
# systems are expected to put that etag in the request to `setIamPolicy` to
# ensure that their change will be applied to the same version of the policy.
#
# If no `etag` is provided in the call to `setIamPolicy`, then the existing
# policy is overwritten blindly.
"version": 42, # Deprecated.
}</pre>
</div>
<div class="method">
<code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code>
<pre>Returns permissions that a caller has on the specified resource.
If the resource does not exist, this will return an empty set of
permissions, not a NOT_FOUND error.
Note: This operation is designed to be used for building permission-aware
UIs and command-line tools, not for authorization checking. This operation
may "fail open" without warning.
Args:
resource: string, REQUIRED: The resource for which the policy detail is being requested.
See the operation documentation for the appropriate value for this field. (required)
body: object, The request body. (required)
The object takes the form of:
{ # Request message for `TestIamPermissions` method.
"permissions": [ # The set of permissions to check for the `resource`. Permissions with
# wildcards (such as '*' or 'storage.*') are not allowed. For more
# information see
# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
"A String",
],
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for `TestIamPermissions` method.
"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
# allowed.
"A String",
],
}</pre>
</div>
<div class="method">
<code class="details" id="update">update(name, body, x__xgafv=None)</code>
<pre>Updates an attestor.
Returns NOT_FOUND if the attestor does not exist.
Args:
name: string, Required. The resource name, in the format:
`projects/*/attestors/*`. This field may not be updated. (required)
body: object, The request body. (required)
The object takes the form of:
{ # An attestor that attests to container image
# artifacts. An existing attestor cannot be modified except where
# indicated.
"updateTime": "A String", # Output only. Time when the attestor was last updated.
"description": "A String", # Optional. A descriptive comment. This field may be updated.
# The field may be displayed in chooser dialogs.
"userOwnedDrydockNote": { # An user owned drydock note references a Drydock # A Drydock ATTESTATION_AUTHORITY Note, created by the user.
# ATTESTATION_AUTHORITY Note created by the user.
"delegationServiceAccountEmail": "A String", # Output only. This field will contain the service account email address
# that this Attestor will use as the principal when querying Container
# Analysis. Attestor administrators must grant this service account the
# IAM role needed to read attestations from the note_reference in
# Container Analysis (`containeranalysis.notes.occurrences.viewer`).
#
# This email address is fixed for the lifetime of the Attestor, but callers
# should not make any other assumptions about the service account email;
# future versions may use an email based on a different naming pattern.
"noteReference": "A String", # Required. The Drydock resource name of a ATTESTATION_AUTHORITY Note,
# created by the user, in the format: `projects/*/notes/*` (or the legacy
# `providers/*/notes/*`). This field may not be updated.
#
# An attestation by this attestor is stored as a Drydock
# ATTESTATION_AUTHORITY Occurrence that names a container image and that
# links to this Note. Drydock is an external dependency.
"publicKeys": [ # Optional. Public keys that verify attestations signed by this
# attestor. This field may be updated.
#
# If this field is non-empty, one of the specified public keys must
# verify that an attestation was signed by this attestor for the
# image specified in the admission request.
#
# If this field is empty, this attestor always returns that no
# valid attestations exist.
{ # An attestor public key that will be used to verify
# attestations signed by this attestor.
"comment": "A String", # Optional. A descriptive comment. This field may be updated.
"asciiArmoredPgpPublicKey": "A String", # ASCII-armored representation of a PGP public key, as the entire output by
# the command `gpg --export --armor [email protected]` (either LF or CRLF
# line endings).
# When using this field, `id` should be left blank. The BinAuthz API
# handlers will calculate the ID and fill it in automatically. BinAuthz
# computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
# upper-case hex. If `id` is provided by the caller, it will be
# overwritten by the API-calculated ID.
"id": "A String", # The ID of this public key.
# Signatures verified by BinAuthz must include the ID of the public key that
# can be used to verify them, and that ID must match the contents of this
# field exactly.
# Additional restrictions on this field can be imposed based on which public
# key type is encapsulated. See the documentation on `public_key` cases below
# for details.
"pkixPublicKey": { # A public key in the PkixPublicKey format (see # A raw PKIX SubjectPublicKeyInfo format public key.
#
# NOTE: `id` may be explicitly provided by the caller when using this
# type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
# blank, a default one will be computed based on the digest of the DER
# encoding of the public key.
# https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).
# Public keys of this type are typically textually encoded using the PEM
# format.
"publicKeyPem": "A String", # A PEM-encoded public key, as described in
# https://tools.ietf.org/html/rfc7468#section-13
"signatureAlgorithm": "A String", # The signature algorithm used to verify a message against a signature using
# this key.
# These signature algorithm must match the structure and any object
# identifiers encoded in `public_key_pem` (i.e. this algorithm must match
# that of the public key).
},
},
],
},
"name": "A String", # Required. The resource name, in the format:
# `projects/*/attestors/*`. This field may not be updated.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # An attestor that attests to container image
# artifacts. An existing attestor cannot be modified except where
# indicated.
"updateTime": "A String", # Output only. Time when the attestor was last updated.
"description": "A String", # Optional. A descriptive comment. This field may be updated.
# The field may be displayed in chooser dialogs.
"userOwnedDrydockNote": { # An user owned drydock note references a Drydock # A Drydock ATTESTATION_AUTHORITY Note, created by the user.
# ATTESTATION_AUTHORITY Note created by the user.
"delegationServiceAccountEmail": "A String", # Output only. This field will contain the service account email address
# that this Attestor will use as the principal when querying Container
# Analysis. Attestor administrators must grant this service account the
# IAM role needed to read attestations from the note_reference in
# Container Analysis (`containeranalysis.notes.occurrences.viewer`).
#
# This email address is fixed for the lifetime of the Attestor, but callers
# should not make any other assumptions about the service account email;
# future versions may use an email based on a different naming pattern.
"noteReference": "A String", # Required. The Drydock resource name of a ATTESTATION_AUTHORITY Note,
# created by the user, in the format: `projects/*/notes/*` (or the legacy
# `providers/*/notes/*`). This field may not be updated.
#
# An attestation by this attestor is stored as a Drydock
# ATTESTATION_AUTHORITY Occurrence that names a container image and that
# links to this Note. Drydock is an external dependency.
"publicKeys": [ # Optional. Public keys that verify attestations signed by this
# attestor. This field may be updated.
#
# If this field is non-empty, one of the specified public keys must
# verify that an attestation was signed by this attestor for the
# image specified in the admission request.
#
# If this field is empty, this attestor always returns that no
# valid attestations exist.
{ # An attestor public key that will be used to verify
# attestations signed by this attestor.
"comment": "A String", # Optional. A descriptive comment. This field may be updated.
"asciiArmoredPgpPublicKey": "A String", # ASCII-armored representation of a PGP public key, as the entire output by
# the command `gpg --export --armor [email protected]` (either LF or CRLF
# line endings).
# When using this field, `id` should be left blank. The BinAuthz API
# handlers will calculate the ID and fill it in automatically. BinAuthz
# computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
# upper-case hex. If `id` is provided by the caller, it will be
# overwritten by the API-calculated ID.
"id": "A String", # The ID of this public key.
# Signatures verified by BinAuthz must include the ID of the public key that
# can be used to verify them, and that ID must match the contents of this
# field exactly.
# Additional restrictions on this field can be imposed based on which public
# key type is encapsulated. See the documentation on `public_key` cases below
# for details.
"pkixPublicKey": { # A public key in the PkixPublicKey format (see # A raw PKIX SubjectPublicKeyInfo format public key.
#
# NOTE: `id` may be explicitly provided by the caller when using this
# type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
# blank, a default one will be computed based on the digest of the DER
# encoding of the public key.
# https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).
# Public keys of this type are typically textually encoded using the PEM
# format.
"publicKeyPem": "A String", # A PEM-encoded public key, as described in
# https://tools.ietf.org/html/rfc7468#section-13
"signatureAlgorithm": "A String", # The signature algorithm used to verify a message against a signature using
# this key.
# These signature algorithm must match the structure and any object
# identifiers encoded in `public_key_pem` (i.e. this algorithm must match
# that of the public key).
},
},
],
},
"name": "A String", # Required. The resource name, in the format:
# `projects/*/attestors/*`. This field may not be updated.
}</pre>
</div>
</body></html>