| <html><body> |
| <style> |
| |
| body, h1, h2, h3, div, span, p, pre, a { |
| margin: 0; |
| padding: 0; |
| border: 0; |
| font-weight: inherit; |
| font-style: inherit; |
| font-size: 100%; |
| font-family: inherit; |
| vertical-align: baseline; |
| } |
| |
| body { |
| font-size: 13px; |
| padding: 1em; |
| } |
| |
| h1 { |
| font-size: 26px; |
| margin-bottom: 1em; |
| } |
| |
| h2 { |
| font-size: 24px; |
| margin-bottom: 1em; |
| } |
| |
| h3 { |
| font-size: 20px; |
| margin-bottom: 1em; |
| margin-top: 1em; |
| } |
| |
| pre, code { |
| line-height: 1.5; |
| font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| } |
| |
| pre { |
| margin-top: 0.5em; |
| } |
| |
| h1, h2, h3, p { |
| font-family: Arial, sans serif; |
| } |
| |
| h1, h2, h3 { |
| border-bottom: solid #CCC 1px; |
| } |
| |
| .toc_element { |
| margin-top: 0.5em; |
| } |
| |
| .firstline { |
| margin-left: 2 em; |
| } |
| |
| .method { |
| margin-top: 1em; |
| border: solid 1px #CCC; |
| padding: 1em; |
| background: #EEE; |
| } |
| |
| .details { |
| font-weight: bold; |
| font-size: 14px; |
| } |
| |
| </style> |
| |
| <h1><a href="cloudasset_v1.html">Cloud Asset API</a> . <a href="cloudasset_v1.v1.html">v1</a></h1> |
| <h2>Instance Methods</h2> |
| <p class="toc_element"> |
| <code><a href="#analyzeIamPolicy">analyzeIamPolicy(scope, analysisQuery_accessSelector_permissions=None, analysisQuery_accessSelector_roles=None, analysisQuery_conditionContext_accessTime=None, analysisQuery_identitySelector_identity=None, analysisQuery_options_analyzeServiceAccountImpersonation=None, analysisQuery_options_expandGroups=None, analysisQuery_options_expandResources=None, analysisQuery_options_expandRoles=None, analysisQuery_options_outputGroupEdges=None, analysisQuery_options_outputResourceEdges=None, analysisQuery_resourceSelector_fullResourceName=None, executionTimeout=None, savedAnalysisQuery=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Analyzes IAM policies to answer which identities have what accesses on which resources.</p> |
| <p class="toc_element"> |
| <code><a href="#analyzeIamPolicyLongrunning">analyzeIamPolicyLongrunning(scope, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Analyzes IAM policies asynchronously to answer which identities have what accesses on which resources, and writes the analysis results to a Google Cloud Storage or a BigQuery destination. For Cloud Storage destination, the output format is the JSON format that represents a AnalyzeIamPolicyResponse. This method implements the google.longrunning.Operation, which allows you to track the operation status. We recommend intervals of at least 2 seconds with exponential backoff retry to poll the operation result. The metadata contains the metadata for the long-running operation.</p> |
| <p class="toc_element"> |
| <code><a href="#analyzeMove">analyzeMove(resource, destinationParent=None, view=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Analyze moving a resource to a specified destination without kicking off the actual move. The analysis is best effort depending on the user's permissions of viewing different hierarchical policies and configurations. The policies and configuration are subject to change before the actual resource migration takes place.</p> |
| <p class="toc_element"> |
| <code><a href="#batchGetAssetsHistory">batchGetAssetsHistory(parent, assetNames=None, contentType=None, readTimeWindow_endTime=None, readTimeWindow_startTime=None, relationshipTypes=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Batch gets the update history of assets that overlap a time window. For IAM_POLICY content, this API outputs history when the asset and its attached IAM POLICY both exist. This can create gaps in the output history. Otherwise, this API outputs history with asset in both non-delete or deleted status. If a specified asset does not exist, this API returns an INVALID_ARGUMENT error.</p> |
| <p class="toc_element"> |
| <code><a href="#close">close()</a></code></p> |
| <p class="firstline">Close httplib2 connections.</p> |
| <p class="toc_element"> |
| <code><a href="#exportAssets">exportAssets(parent, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Exports assets with time and resource types to a given Cloud Storage location/BigQuery table. For Cloud Storage location destinations, the output format is newline-delimited JSON. Each line represents a google.cloud.asset.v1.Asset in the JSON format; for BigQuery table destinations, the output table stores the fields in asset Protobuf as columns. This API implements the google.longrunning.Operation API, which allows you to keep track of the export. We recommend intervals of at least 2 seconds with exponential retry to poll the export operation result. For regular-size resource parent, the export operation usually finishes within 5 minutes.</p> |
| <p class="toc_element"> |
| <code><a href="#searchAllIamPolicies">searchAllIamPolicies(scope, assetTypes=None, orderBy=None, pageSize=None, pageToken=None, query=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Searches all IAM policies within the specified scope, such as a project, folder, or organization. The caller must be granted the `cloudasset.assets.searchAllIamPolicies` permission on the desired scope, otherwise the request will be rejected.</p> |
| <p class="toc_element"> |
| <code><a href="#searchAllIamPolicies_next">searchAllIamPolicies_next(previous_request, previous_response)</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#searchAllResources">searchAllResources(scope, assetTypes=None, orderBy=None, pageSize=None, pageToken=None, query=None, readMask=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Searches all Cloud resources within the specified scope, such as a project, folder, or organization. The caller must be granted the `cloudasset.assets.searchAllResources` permission on the desired scope, otherwise the request will be rejected.</p> |
| <p class="toc_element"> |
| <code><a href="#searchAllResources_next">searchAllResources_next(previous_request, previous_response)</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <h3>Method Details</h3> |
| <div class="method"> |
| <code class="details" id="analyzeIamPolicy">analyzeIamPolicy(scope, analysisQuery_accessSelector_permissions=None, analysisQuery_accessSelector_roles=None, analysisQuery_conditionContext_accessTime=None, analysisQuery_identitySelector_identity=None, analysisQuery_options_analyzeServiceAccountImpersonation=None, analysisQuery_options_expandGroups=None, analysisQuery_options_expandResources=None, analysisQuery_options_expandRoles=None, analysisQuery_options_outputGroupEdges=None, analysisQuery_options_outputResourceEdges=None, analysisQuery_resourceSelector_fullResourceName=None, executionTimeout=None, savedAnalysisQuery=None, x__xgafv=None)</code> |
| <pre>Analyzes IAM policies to answer which identities have what accesses on which resources. |
| |
| Args: |
| scope: string, Required. The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id). To know how to get folder or project id, visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects). (required) |
| analysisQuery_accessSelector_permissions: string, Optional. The permissions to appear in result. (repeated) |
| analysisQuery_accessSelector_roles: string, Optional. The roles to appear in result. (repeated) |
| analysisQuery_conditionContext_accessTime: string, The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned. |
| analysisQuery_identitySelector_identity: string, Required. The identity appear in the form of principals in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). The examples of supported forms are: "user:[email protected]", "group:[email protected]", "domain:google.com", "serviceAccount:[email protected]". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity. |
| analysisQuery_options_analyzeServiceAccountImpersonation: boolean, Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning rpc instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a GCP folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Default is false. |
| analysisQuery_options_expandGroups: boolean, Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. Default is false. |
| analysisQuery_options_expandResources: boolean, Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a GCP folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resource cannot be used together with this option. For example, if the request analyzes for which users have permission P on a GCP project with this option enabled, the results will include all users who have permission P on that project or any lower resource. Default is false. |
| analysisQuery_options_expandRoles: boolean, Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false. |
| analysisQuery_options_outputGroupEdges: boolean, Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false. |
| analysisQuery_options_outputResourceEdges: boolean, Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false. |
| analysisQuery_resourceSelector_fullResourceName: string, Required. The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of [supported resource types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types). |
| executionTimeout: string, Optional. Amount of time executable has to complete. See JSON representation of [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json). If this field is set with a value less than the RPC deadline, and the execution of your query hasn't finished in the specified execution timeout, you will get a response with partial result. Otherwise, your query's execution will continue until the RPC deadline. If it's not finished until then, you will get a DEADLINE_EXCEEDED error. Default is empty. |
| savedAnalysisQuery: string, Optional. The name of a saved query, which must be in the format of: * projects/project_number/savedQueries/saved_query_id * folders/folder_number/savedQueries/saved_query_id * organizations/organization_number/savedQueries/saved_query_id If both `analysis_query` and `saved_analysis_query` are provided, they will be merged together with the `saved_analysis_query` as base and the `analysis_query` as overrides. For more details of the merge behavior, please refer to the [MergeFrom](https://developers.google.com/protocol-buffers/docs/reference/cpp/google.protobuf.message#Message.MergeFrom.details) page. Note that you cannot override primitive fields with default value, such as 0 or empty string, etc., because we use proto3, which doesn't support field presence yet. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # A response message for AssetService.AnalyzeIamPolicy. |
| "fullyExplored": True or False, # Represents whether all entries in the main_analysis and service_account_impersonation_analysis have been fully explored to answer the query in the request. |
| "mainAnalysis": { # An analysis message to group the query and results. # The main analysis that matches the original request. |
| "analysisQuery": { # IAM policy analysis query message. # The analysis query. |
| "accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the identities possessing them and the resources they control. If multiple values are specified, results will include roles or permissions matching any of them. The total number of roles and permissions should be equal or less than 10. # Optional. Specifies roles or permissions for analysis. This is optional. |
| "permissions": [ # Optional. The permissions to appear in result. |
| "A String", |
| ], |
| "roles": [ # Optional. The roles to appear in result. |
| "A String", |
| ], |
| }, |
| "conditionContext": { # The IAM conditions context. # Optional. The hypothetical context for IAM conditions evaluation. |
| "accessTime": "A String", # The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned. |
| }, |
| "identitySelector": { # Specifies an identity for which to determine resource access, based on roles assigned either directly to them or to the groups they belong to, directly or indirectly. # Optional. Specifies an identity for analysis. |
| "identity": "A String", # Required. The identity appear in the form of principals in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). The examples of supported forms are: "user:[email protected]", "group:[email protected]", "domain:google.com", "serviceAccount:[email protected]". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity. |
| }, |
| "options": { # Contains query options. # Optional. The query options. |
| "analyzeServiceAccountImpersonation": True or False, # Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning rpc instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a GCP folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Default is false. |
| "expandGroups": True or False, # Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. Default is false. |
| "expandResources": True or False, # Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a GCP folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resource cannot be used together with this option. For example, if the request analyzes for which users have permission P on a GCP project with this option enabled, the results will include all users who have permission P on that project or any lower resource. Default is false. |
| "expandRoles": True or False, # Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false. |
| "outputGroupEdges": True or False, # Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false. |
| "outputResourceEdges": True or False, # Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false. |
| }, |
| "resourceSelector": { # Specifies the resource to analyze for access policies, which may be set directly on the resource, or on ancestors such as organizations, folders or projects. # Optional. Specifies a resource for analysis. |
| "fullResourceName": "A String", # Required. The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of [supported resource types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types). |
| }, |
| "scope": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id). To know how to get folder or project id, visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects). |
| }, |
| "analysisResults": [ # A list of IamPolicyAnalysisResult that matches the analysis query, or empty if no result is found. |
| { # IAM Policy analysis result, consisting of one IAM policy binding and derived access control lists. |
| "accessControlLists": [ # The access control lists derived from the iam_binding that match or potentially match resource and access selectors specified in the request. |
| { # An access control list, derived from the above IAM policy binding, which contains a set of resources and accesses. May include one item from each set to compose an access control entry. NOTICE that there could be multiple access control lists for one IAM policy binding. The access control lists are created based on resource and access combinations. For example, assume we have the following cases in one IAM policy binding: - Permission P1 and P2 apply to resource R1 and R2; - Permission P3 applies to resource R2 and R3; This will result in the following access control lists: - AccessControlList 1: [R1, R2], [P1, P2] - AccessControlList 2: [R2, R3], [P3] |
| "accesses": [ # The accesses that match one of the following conditions: - The access_selector, if it is specified in request; - Otherwise, access specifiers reachable from the policy binding's role. |
| { # An IAM role or permission under analysis. |
| "analysisState": { # Represents the detailed state of an entity under analysis, such as a resource, an identity or an access. # The analysis state of this access. |
| "cause": "A String", # The human-readable description of the cause of failure. |
| "code": "A String", # The Google standard error code that best describes the state. For example: - OK means the analysis on this entity has been successfully finished; - PERMISSION_DENIED means an access denied error is encountered; - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started in time; |
| }, |
| "permission": "A String", # The permission. |
| "role": "A String", # The role. |
| }, |
| ], |
| "conditionEvaluation": { # The Condition evaluation. # Condition evaluation for this AccessControlList, if there is a condition defined in the above IAM policy binding. |
| "evaluationValue": "A String", # The evaluation result. |
| }, |
| "resourceEdges": [ # Resource edges of the graph starting from the policy attached resource to any descendant resources. The Edge.source_node contains the full resource name of a parent resource and Edge.target_node contains the full resource name of a child resource. This field is present only if the output_resource_edges option is enabled in request. |
| { # A directional edge. |
| "sourceNode": "A String", # The source node of the edge. For example, it could be a full resource name for a resource node or an email of an identity. |
| "targetNode": "A String", # The target node of the edge. For example, it could be a full resource name for a resource node or an email of an identity. |
| }, |
| ], |
| "resources": [ # The resources that match one of the following conditions: - The resource_selector, if it is specified in request; - Otherwise, resources reachable from the policy attached resource. |
| { # A Google Cloud resource under analysis. |
| "analysisState": { # Represents the detailed state of an entity under analysis, such as a resource, an identity or an access. # The analysis state of this resource. |
| "cause": "A String", # The human-readable description of the cause of failure. |
| "code": "A String", # The Google standard error code that best describes the state. For example: - OK means the analysis on this entity has been successfully finished; - PERMISSION_DENIED means an access denied error is encountered; - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started in time; |
| }, |
| "fullResourceName": "A String", # The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) |
| }, |
| ], |
| }, |
| ], |
| "attachedResourceFullName": "A String", # The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) of the resource to which the iam_binding policy attaches. |
| "fullyExplored": True or False, # Represents whether all analyses on the iam_binding have successfully finished. |
| "iamBinding": { # Associates `members`, or principals, with a `role`. # The Cloud IAM policy binding under analysis. |
| "condition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. # The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| "description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. |
| }, |
| "members": [ # Specifies the principals requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid}`: An email address that represents a specific Google account. For example, `[email protected]` . * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `[email protected]`. * `group:{emailid}`: An email address that represents a Google group. For example, `[email protected]`. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `[email protected]?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `[email protected]?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `[email protected]?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. |
| "A String", |
| ], |
| "role": "A String", # Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| }, |
| "identityList": { # The identities and group edges. # The identity list derived from members of the iam_binding that match or potentially match identity selector specified in the request. |
| "groupEdges": [ # Group identity edges of the graph starting from the binding's group members to any node of the identities. The Edge.source_node contains a group, such as `group:[email protected]`. The Edge.target_node contains a member of the group, such as `group:[email protected]` or `user:[email protected]`. This field is present only if the output_group_edges option is enabled in request. |
| { # A directional edge. |
| "sourceNode": "A String", # The source node of the edge. For example, it could be a full resource name for a resource node or an email of an identity. |
| "targetNode": "A String", # The target node of the edge. For example, it could be a full resource name for a resource node or an email of an identity. |
| }, |
| ], |
| "identities": [ # Only the identities that match one of the following conditions will be presented: - The identity_selector, if it is specified in request; - Otherwise, identities reachable from the policy binding's members. |
| { # An identity under analysis. |
| "analysisState": { # Represents the detailed state of an entity under analysis, such as a resource, an identity or an access. # The analysis state of this identity. |
| "cause": "A String", # The human-readable description of the cause of failure. |
| "code": "A String", # The Google standard error code that best describes the state. For example: - OK means the analysis on this entity has been successfully finished; - PERMISSION_DENIED means an access denied error is encountered; - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started in time; |
| }, |
| "name": "A String", # The identity name in any form of members appear in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such as: - user:[email protected] - group:[email protected] - serviceAccount:[email protected] - projectOwner:some_project_id - domain:google.com - allUsers - etc. |
| }, |
| ], |
| }, |
| }, |
| ], |
| "fullyExplored": True or False, # Represents whether all entries in the analysis_results have been fully explored to answer the query. |
| "nonCriticalErrors": [ # A list of non-critical errors happened during the query handling. |
| { # Represents the detailed state of an entity under analysis, such as a resource, an identity or an access. |
| "cause": "A String", # The human-readable description of the cause of failure. |
| "code": "A String", # The Google standard error code that best describes the state. For example: - OK means the analysis on this entity has been successfully finished; - PERMISSION_DENIED means an access denied error is encountered; - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started in time; |
| }, |
| ], |
| }, |
| "serviceAccountImpersonationAnalysis": [ # The service account impersonation analysis if AnalyzeIamPolicyRequest.analyze_service_account_impersonation is enabled. |
| { # An analysis message to group the query and results. |
| "analysisQuery": { # IAM policy analysis query message. # The analysis query. |
| "accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the identities possessing them and the resources they control. If multiple values are specified, results will include roles or permissions matching any of them. The total number of roles and permissions should be equal or less than 10. # Optional. Specifies roles or permissions for analysis. This is optional. |
| "permissions": [ # Optional. The permissions to appear in result. |
| "A String", |
| ], |
| "roles": [ # Optional. The roles to appear in result. |
| "A String", |
| ], |
| }, |
| "conditionContext": { # The IAM conditions context. # Optional. The hypothetical context for IAM conditions evaluation. |
| "accessTime": "A String", # The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned. |
| }, |
| "identitySelector": { # Specifies an identity for which to determine resource access, based on roles assigned either directly to them or to the groups they belong to, directly or indirectly. # Optional. Specifies an identity for analysis. |
| "identity": "A String", # Required. The identity appear in the form of principals in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). The examples of supported forms are: "user:[email protected]", "group:[email protected]", "domain:google.com", "serviceAccount:[email protected]". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity. |
| }, |
| "options": { # Contains query options. # Optional. The query options. |
| "analyzeServiceAccountImpersonation": True or False, # Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning rpc instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a GCP folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Default is false. |
| "expandGroups": True or False, # Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. Default is false. |
| "expandResources": True or False, # Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a GCP folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resource cannot be used together with this option. For example, if the request analyzes for which users have permission P on a GCP project with this option enabled, the results will include all users who have permission P on that project or any lower resource. Default is false. |
| "expandRoles": True or False, # Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false. |
| "outputGroupEdges": True or False, # Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false. |
| "outputResourceEdges": True or False, # Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false. |
| }, |
| "resourceSelector": { # Specifies the resource to analyze for access policies, which may be set directly on the resource, or on ancestors such as organizations, folders or projects. # Optional. Specifies a resource for analysis. |
| "fullResourceName": "A String", # Required. The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of [supported resource types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types). |
| }, |
| "scope": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id). To know how to get folder or project id, visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects). |
| }, |
| "analysisResults": [ # A list of IamPolicyAnalysisResult that matches the analysis query, or empty if no result is found. |
| { # IAM Policy analysis result, consisting of one IAM policy binding and derived access control lists. |
| "accessControlLists": [ # The access control lists derived from the iam_binding that match or potentially match resource and access selectors specified in the request. |
| { # An access control list, derived from the above IAM policy binding, which contains a set of resources and accesses. May include one item from each set to compose an access control entry. NOTICE that there could be multiple access control lists for one IAM policy binding. The access control lists are created based on resource and access combinations. For example, assume we have the following cases in one IAM policy binding: - Permission P1 and P2 apply to resource R1 and R2; - Permission P3 applies to resource R2 and R3; This will result in the following access control lists: - AccessControlList 1: [R1, R2], [P1, P2] - AccessControlList 2: [R2, R3], [P3] |
| "accesses": [ # The accesses that match one of the following conditions: - The access_selector, if it is specified in request; - Otherwise, access specifiers reachable from the policy binding's role. |
| { # An IAM role or permission under analysis. |
| "analysisState": { # Represents the detailed state of an entity under analysis, such as a resource, an identity or an access. # The analysis state of this access. |
| "cause": "A String", # The human-readable description of the cause of failure. |
| "code": "A String", # The Google standard error code that best describes the state. For example: - OK means the analysis on this entity has been successfully finished; - PERMISSION_DENIED means an access denied error is encountered; - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started in time; |
| }, |
| "permission": "A String", # The permission. |
| "role": "A String", # The role. |
| }, |
| ], |
| "conditionEvaluation": { # The Condition evaluation. # Condition evaluation for this AccessControlList, if there is a condition defined in the above IAM policy binding. |
| "evaluationValue": "A String", # The evaluation result. |
| }, |
| "resourceEdges": [ # Resource edges of the graph starting from the policy attached resource to any descendant resources. The Edge.source_node contains the full resource name of a parent resource and Edge.target_node contains the full resource name of a child resource. This field is present only if the output_resource_edges option is enabled in request. |
| { # A directional edge. |
| "sourceNode": "A String", # The source node of the edge. For example, it could be a full resource name for a resource node or an email of an identity. |
| "targetNode": "A String", # The target node of the edge. For example, it could be a full resource name for a resource node or an email of an identity. |
| }, |
| ], |
| "resources": [ # The resources that match one of the following conditions: - The resource_selector, if it is specified in request; - Otherwise, resources reachable from the policy attached resource. |
| { # A Google Cloud resource under analysis. |
| "analysisState": { # Represents the detailed state of an entity under analysis, such as a resource, an identity or an access. # The analysis state of this resource. |
| "cause": "A String", # The human-readable description of the cause of failure. |
| "code": "A String", # The Google standard error code that best describes the state. For example: - OK means the analysis on this entity has been successfully finished; - PERMISSION_DENIED means an access denied error is encountered; - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started in time; |
| }, |
| "fullResourceName": "A String", # The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) |
| }, |
| ], |
| }, |
| ], |
| "attachedResourceFullName": "A String", # The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) of the resource to which the iam_binding policy attaches. |
| "fullyExplored": True or False, # Represents whether all analyses on the iam_binding have successfully finished. |
| "iamBinding": { # Associates `members`, or principals, with a `role`. # The Cloud IAM policy binding under analysis. |
| "condition": { # Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. # The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| "description": "A String", # Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. |
| }, |
| "members": [ # Specifies the principals requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid}`: An email address that represents a specific Google account. For example, `[email protected]` . * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `[email protected]`. * `group:{emailid}`: An email address that represents a Google group. For example, `[email protected]`. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `[email protected]?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `[email protected]?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `[email protected]?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. |
| "A String", |
| ], |
| "role": "A String", # Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| }, |
| "identityList": { # The identities and group edges. # The identity list derived from members of the iam_binding that match or potentially match identity selector specified in the request. |
| "groupEdges": [ # Group identity edges of the graph starting from the binding's group members to any node of the identities. The Edge.source_node contains a group, such as `group:[email protected]`. The Edge.target_node contains a member of the group, such as `group:[email protected]` or `user:[email protected]`. This field is present only if the output_group_edges option is enabled in request. |
| { # A directional edge. |
| "sourceNode": "A String", # The source node of the edge. For example, it could be a full resource name for a resource node or an email of an identity. |
| "targetNode": "A String", # The target node of the edge. For example, it could be a full resource name for a resource node or an email of an identity. |
| }, |
| ], |
| "identities": [ # Only the identities that match one of the following conditions will be presented: - The identity_selector, if it is specified in request; - Otherwise, identities reachable from the policy binding's members. |
| { # An identity under analysis. |
| "analysisState": { # Represents the detailed state of an entity under analysis, such as a resource, an identity or an access. # The analysis state of this identity. |
| "cause": "A String", # The human-readable description of the cause of failure. |
| "code": "A String", # The Google standard error code that best describes the state. For example: - OK means the analysis on this entity has been successfully finished; - PERMISSION_DENIED means an access denied error is encountered; - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started in time; |
| }, |
| "name": "A String", # The identity name in any form of members appear in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such as: - user:[email protected] - group:[email protected] - serviceAccount:[email protected] - projectOwner:some_project_id - domain:google.com - allUsers - etc. |
| }, |
| ], |
| }, |
| }, |
| ], |
| "fullyExplored": True or False, # Represents whether all entries in the analysis_results have been fully explored to answer the query. |
| "nonCriticalErrors": [ # A list of non-critical errors happened during the query handling. |
| { # Represents the detailed state of an entity under analysis, such as a resource, an identity or an access. |
| "cause": "A String", # The human-readable description of the cause of failure. |
| "code": "A String", # The Google standard error code that best describes the state. For example: - OK means the analysis on this entity has been successfully finished; - PERMISSION_DENIED means an access denied error is encountered; - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started in time; |
| }, |
| ], |
| }, |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="analyzeIamPolicyLongrunning">analyzeIamPolicyLongrunning(scope, body=None, x__xgafv=None)</code> |
| <pre>Analyzes IAM policies asynchronously to answer which identities have what accesses on which resources, and writes the analysis results to a Google Cloud Storage or a BigQuery destination. For Cloud Storage destination, the output format is the JSON format that represents a AnalyzeIamPolicyResponse. This method implements the google.longrunning.Operation, which allows you to track the operation status. We recommend intervals of at least 2 seconds with exponential backoff retry to poll the operation result. The metadata contains the metadata for the long-running operation. |
| |
| Args: |
| scope: string, Required. The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id). To know how to get folder or project id, visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects). (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # A request message for AssetService.AnalyzeIamPolicyLongrunning. |
| "analysisQuery": { # IAM policy analysis query message. # Required. The request query. |
| "accessSelector": { # Specifies roles and/or permissions to analyze, to determine both the identities possessing them and the resources they control. If multiple values are specified, results will include roles or permissions matching any of them. The total number of roles and permissions should be equal or less than 10. # Optional. Specifies roles or permissions for analysis. This is optional. |
| "permissions": [ # Optional. The permissions to appear in result. |
| "A String", |
| ], |
| "roles": [ # Optional. The roles to appear in result. |
| "A String", |
| ], |
| }, |
| "conditionContext": { # The IAM conditions context. # Optional. The hypothetical context for IAM conditions evaluation. |
| "accessTime": "A String", # The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned. |
| }, |
| "identitySelector": { # Specifies an identity for which to determine resource access, based on roles assigned either directly to them or to the groups they belong to, directly or indirectly. # Optional. Specifies an identity for analysis. |
| "identity": "A String", # Required. The identity appear in the form of principals in [IAM policy binding](https://cloud.google.com/iam/reference/rest/v1/Binding). The examples of supported forms are: "user:[email protected]", "group:[email protected]", "domain:google.com", "serviceAccount:[email protected]". Notice that wildcard characters (such as * and ?) are not supported. You must give a specific identity. |
| }, |
| "options": { # Contains query options. # Optional. The query options. |
| "analyzeServiceAccountImpersonation": True or False, # Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning rpc instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a GCP folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Default is false. |
| "expandGroups": True or False, # Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. Default is false. |
| "expandResources": True or False, # Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a GCP folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resource cannot be used together with this option. For example, if the request analyzes for which users have permission P on a GCP project with this option enabled, the results will include all users who have permission P on that project or any lower resource. Default is false. |
| "expandRoles": True or False, # Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false. |
| "outputGroupEdges": True or False, # Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false. |
| "outputResourceEdges": True or False, # Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false. |
| }, |
| "resourceSelector": { # Specifies the resource to analyze for access policies, which may be set directly on the resource, or on ancestors such as organizations, folders or projects. # Optional. Specifies a resource for analysis. |
| "fullResourceName": "A String", # Required. The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of [supported resource types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types). |
| }, |
| "scope": "A String", # Required. The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To know how to get organization id, visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id). To know how to get folder or project id, visit [here ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects). |
| }, |
| "outputConfig": { # Output configuration for export IAM policy analysis destination. # Required. Output configuration indicating where the results will be output to. |
| "bigqueryDestination": { # A BigQuery destination. # Destination on BigQuery. |
| "dataset": "A String", # Required. The BigQuery dataset in format "projects/projectId/datasets/datasetId", to which the analysis results should be exported. If this dataset does not exist, the export call will return an INVALID_ARGUMENT error. |
| "partitionKey": "A String", # The partition key for BigQuery partitioned table. |
| "tablePrefix": "A String", # Required. The prefix of the BigQuery tables to which the analysis results will be written. Tables will be created based on this table_prefix if not exist: * _analysis table will contain export operation's metadata. * _analysis_result will contain all the IamPolicyAnalysisResult. When [partition_key] is specified, both tables will be partitioned based on the [partition_key]. |
| "writeDisposition": "A String", # Optional. Specifies the action that occurs if the destination table or partition already exists. The following values are supported: * WRITE_TRUNCATE: If the table or partition already exists, BigQuery overwrites the entire table or all the partitions data. * WRITE_APPEND: If the table or partition already exists, BigQuery appends the data to the table or the latest partition. * WRITE_EMPTY: If the table already exists and contains data, an error is returned. The default value is WRITE_APPEND. Each action is atomic and only occurs if BigQuery is able to complete the job successfully. Details are at https://cloud.google.com/bigquery/docs/loading-data-local#appending_to_or_overwriting_a_table_using_a_local_file. |
| }, |
| "gcsDestination": { # A Cloud Storage location. # Destination on Cloud Storage. |
| "uri": "A String", # Required. The uri of the Cloud Storage object. It's the same uri that is used by gsutil. Example: "gs://bucket_name/object_name". See [Viewing and Editing Object Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata) for more information. If the specified Cloud Storage object already exists and there is no [hold](https://cloud.google.com/storage/docs/object-holds), it will be overwritten with the analysis result. |
| }, |
| }, |
| "savedAnalysisQuery": "A String", # Optional. The name of a saved query, which must be in the format of: * projects/project_number/savedQueries/saved_query_id * folders/folder_number/savedQueries/saved_query_id * organizations/organization_number/savedQueries/saved_query_id If both `analysis_query` and `saved_analysis_query` are provided, they will be merged together with the `saved_analysis_query` as base and the `analysis_query` as overrides. For more details of the merge behavior, please refer to the [MergeFrom](https://developers.google.com/protocol-buffers/docs/reference/cpp/google.protobuf.message#Message.MergeFrom.details) doc. Note that you cannot override primitive fields with default value, such as 0 or empty string, etc., because we use proto3, which doesn't support field presence yet. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # This resource represents a long-running operation that is the result of a network API call. |
| "done": True or False, # If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. |
| "error": { # The `Status` type defines a logical error model that is suitable for different programming environments, including R
|
