SrSSKJr SSKJr SSKJr SSKJr Sr "SS\R5r "S S \R5r "S S \R5r "S S\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS \R5r"S!S"\R5r"S#S$\R5r"S%S&\R5r"S'S(\R5r"S)S*\R5r"S+S,\R5r"S-S.\R5r"S/S0\R5r"S1S2\R5r "S3S4\R5r!"S5S6\R5r""S7S8\R5r#"S9S:\R5r$"S;S<\R5r%"S=S>\R5r&"S?S@\R5r'"SASB\R5r("SCSD\R5r)"SESF\R5r*"SGSH\R5r+"SISJ\R5r,"SKSL\R5r-"SMSN\R5r."SOSP\R5r/"SQSR\R5r0"SSST\R5r1"SUSV\R5r2"SWSX\R5r3"SYSZ\R5r4"S[S\\R5r5"S]S^\R5r6"S_S`\R5r7"SaSb\R5r8"ScSd\R5r9"SeSf\R5r:"SgSh\R5r;"SiSj\R5r<"SkSl\R5r="SmSn\R5r>"SoSp\R5r?"SqSr\R5r@"SsSt\R5rA"SuSv\R5rB"SwSx\R5rC"SySz\R5rD"S{S|\R5rE"S}S~\R5rF"SS\R5rG"SS\R5rH"SS\R5rI"SS\R5rJ"SS\R5rK"SS\R5rL"SS\R5rM"SS\R5rN"SS\R5rO"SS\R5rP"SS\R5rQ"SS\R5rR"SS\R5rS"SS\R5rT"SS\R5rU"SS\R5rV"SS\R5rW"SS\R5rX"SS\R5rY"SS\R5rZ"SS\R5r["SS\R5r\"SS\R5r]"SS\R5r^"SS\R5r_"SS\R5r`"SS\R5ra"SS\R5rb"SS\R5rc"SS\R5rd"SS\R5re"SS\R5rf"SS\R5rg"SS\R5rh"SS\R5ri"SS\R5rj"SS\R5rk"SS\R5rl"SS\R5rm"SS\R5rn"SS\R5ro\R"\MSS5 \R"\oSS5 \R"\oRSS5 \R"\oRSS5 g)zEGenerated message classes for policytroubleshooter version v3alpha. )absolute_import)messages)encoding) extra_typespolicytroubleshooterc\rSrSrSr\R "S5r\R"S\RRS9r Sr g)GoogleApiExprEnumValuezkAn enum value. Fields: type: The fully qualified name of the enum type. value: The value of the enum. variantN) __name__ __module__ __qualname____firstlineno____doc__ _messages StringFieldtype IntegerFieldVariantINT32value__static_attributes__rolib/googlecloudsdk/generated_clients/apis/policytroubleshooter/v3alpha/policytroubleshooter_v3alpha_messages.pyr r s7   q !$  I,=,=,C,C D%rr c<\rSrSrSr\R "SSSS9rSrg) GoogleApiExprListValuezA list. Wrapped in a message so 'not set' and empty can be differentiated, which is required for use in a 'oneof'. Fields: values: The ordered values in the list. GoogleApiExprValuer TrepeatedrN) rrrrrr MessageFieldvaluesrrrrr r s  ! !"6D I&rr c<\rSrSrSr\R "SSSS9rSrg) GoogleApiExprMapValue'zA map. Wrapped in a message so 'not set' and empty can be differentiated, which is required for use in a 'oneof'. Fields: entries: The set of map entries. CEL has fewer restrictions on keys, so a protobuf map representation cannot be used. GoogleApiExprMapValueEntryr Tr#rN) rrrrrrr%entriesrrrrr(r('s  " "#?T R'rr(cd\rSrSrSr\R "SS5r\R "SS5rSr g)r*3zA GoogleApiExprMapValueEntry object. Fields: key: The key. Must be unique with in the map. Currently only boolean, int, uint, and string values can be keys. value: The value. r"r r rN) rrrrrrr%keyrrrrrr*r*3s/ 3Q7#  !5q 9%rr*cv\rSrSrSr"SS\R 5r\R"S5"SS\R55r \R"S5r \R"S 5r\R "S 5r\R$"S S 5r\R("S 5r\R$"SS5r\R$"SS5r\R0"SS5r\R$"SS5r\R6"S5r\R6"S5r\R("S\R<R>S9r Sr!g)r"@a}Represents a CEL value. This is similar to `google.protobuf.Value`, but can represent CEL's full range of values. Enums: NullValueValueValuesEnum: Null value. Messages: ObjectValueValue: The proto message backing an object value. Fields: boolValue: Boolean value. bytesValue: Byte string value. doubleValue: Floating point value. enumValue: An enum value. int64Value: Signed integer value. listValue: List value. mapValue: Map value. nullValue: Null value. objectValue: The proto message backing an object value. stringValue: UTF-8 string value. typeValue: Type value. uint64Value: Unsigned integer value. c\rSrSrSrSrSrg)+GoogleApiExprValue.NullValueValueValuesEnumYz/Null value. Values: NULL_VALUE: Null value. rrN)rrrrr NULL_VALUErrrrNullValueValueValuesEnumr2Ys Jrr5additionalPropertiescf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) #GoogleApiExprValue.ObjectValueValueazThe proto message backing an object value. Messages: AdditionalProperty: An additional property for a ObjectValueValue object. Fields: additionalProperties: Properties of the object. Contains field @type with type URL. cb\rSrSrSr\R "S5r\R"SS5r Sr g)6GoogleApiExprValue.ObjectValueValue.AdditionalPropertynzAn additional property for a ObjectValueValue object. Fields: key: Name of the additional property. value: A extra_types.JsonValue attribute. r extra_types.JsonValuer rN rrrrrrrr.r%rrrrrAdditionalPropertyr;n,   ! !! $c$$%>"##$@!D+%.%;%;=XZ[fj&k"##A&)rrc\rSrSrSr\R "SS5r\R"S5r \R"S5r \R"S5r \R"S5r S r g ) 4GoogleCloudPolicytroubleshooterIamV3alphaAccessTuplei(a!Information about the principal, resource, and permission to check. Fields: conditionContext: Optional. Additional context for the request, such as the request time or IP address. This context allows Policy Troubleshooter to troubleshoot conditional role bindings and deny rules. fullResourceName: Required. The full resource name that identifies the resource. For example, `//compute.googleapis.com/projects/my- project/zones/us-central1-a/instances/my-instance`. For examples of full resource names for Google Cloud services, see https://cloud.google.com/iam/help/troubleshooter/full-resource-names. permission: Required. The IAM permission to check for, either in the `v1` permission format or the `v2` permission format. For a complete list of IAM permissions in the `v1` format, see https://cloud.google.com/iam/help/permissions/reference. For a list of IAM permissions in the `v2` format, see https://cloud.google.com/iam/help/deny/supported-permissions. For a complete list of predefined IAM roles and the permissions in each role, see https://cloud.google.com/iam/help/roles/reference. permissionFqdn: Output only. The permission that Policy Troubleshooter checked for, in the `v2` format. principal: Required. The email address of the principal whose access you want to check. For example, `alice@example.com` or `my-service- account@my-project.iam.gserviceaccount.com`. The principal must be a Google Account or a service account. Other types of principals are not supported. 9GoogleCloudPolicytroubleshooterIamV3alphaConditionContextr r rErFrGrN)rrrrrrr%conditionContextrfullResourceName permissionpermissionFqdnrrrrrrr(s_8++,gijk**1-$$Q'*((+.##A&)rrch\rSrSrSr"SS\R 5r"SS\R 5r"SS\R 5r "S S \R 5r \ R"S 5"S S \R55r\R"SS5r\R""SS5r\R""SS5r\R""SS5r\R""S S5r\R"SS5r\R."S5r\R"S S5r\R"SS5rSrg)@GoogleCloudPolicytroubleshooterIamV3alphaAllowBindingExplanationiLa"Details about how a role binding in an allow policy affects a principal's ability to use a permission. Enums: AllowAccessStateValueValuesEnum: Required. Indicates whether _this role binding_ gives the specified permission to the specified principal on the specified resource. This field does _not_ indicate whether the principal actually has the permission on the resource. There might be another role binding that overrides this role binding. To determine whether the principal actually has the permission, use the `overall_access_state` field in the TroubleshootIamPolicyResponse. RelevanceValueValuesEnum: The relevance of this role binding to the overall determination for the entire policy. RolePermissionValueValuesEnum: Indicates whether the role granted by this role binding contains the specified permission. RolePermissionRelevanceValueValuesEnum: The relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy. Messages: MembershipsValue: Indicates whether each role binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the role binding, and each value indicates whether the principal in the role binding includes the principal in the request. For example, suppose that a role binding includes the following principals: * `user:alice@example.com` * `group:product-eng@example.com` You want to troubleshoot access for `user:bob@example.com`. This user is a member of the group `group:product-eng@example.com`. For the first principal in the role binding, the key is `user:alice@example.com`, and the `membership` field in the value is set to `NOT_INCLUDED`. For the second principal in the role binding, the key is `group:product- eng@example.com`, and the `membership` field in the value is set to `INCLUDED`. Fields: allowAccessState: Required. Indicates whether _this role binding_ gives the specified permission to the specified principal on the specified resource. This field does _not_ indicate whether the principal actually has the permission on the resource. There might be another role binding that overrides this role binding. To determine whether the principal actually has the permission, use the `overall_access_state` field in the TroubleshootIamPolicyResponse. combinedMembership: The combined result of all memberships. Indicates if the principal is included in any role binding, either directly or indirectly. condition: A condition expression that specifies when the role binding grants access. To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview. conditionExplanation: Condition evaluation state for this role binding. memberships: Indicates whether each role binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the role binding, and each value indicates whether the principal in the role binding includes the principal in the request. For example, suppose that a role binding includes the following principals: * `user:alice@example.com` * `group:product-eng@example.com` You want to troubleshoot access for `user:bob@example.com`. This user is a member of the group `group:product-eng@example.com`. For the first principal in the role binding, the key is `user:alice@example.com`, and the `membership` field in the value is set to `NOT_INCLUDED`. For the second principal in the role binding, the key is `group:product- eng@example.com`, and the `membership` field in the value is set to `INCLUDED`. relevance: The relevance of this role binding to the overall determination for the entire policy. role: The role that this role binding grants. For example, `roles/compute.admin`. For a complete list of predefined IAM roles, as well as the permissions in each role, see https://cloud.google.com/iam/help/roles/reference. rolePermission: Indicates whether the role granted by this role binding contains the specified permission. rolePermissionRelevance: The relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy. c,\rSrSrSrSrSrSrSrSr Sr g ) `GoogleCloudPolicytroubleshooterIamV3alphaAllowBindingExplanation.AllowAccessStateValueValuesEnumiaRequired. Indicates whether _this role binding_ gives the specified permission to the specified principal on the specified resource. This field does _not_ indicate whether the principal actually has the permission on the resource. There might be another role binding that overrides this role binding. To determine whether the principal actually has the permission, use the `overall_access_state` field in the TroubleshootIamPolicyResponse. Values: ALLOW_ACCESS_STATE_UNSPECIFIED: Not specified. ALLOW_ACCESS_STATE_GRANTED: The allow policy gives the principal the permission. ALLOW_ACCESS_STATE_NOT_GRANTED: The allow policy doesn't give the principal the permission. ALLOW_ACCESS_STATE_UNKNOWN_CONDITIONAL: The allow policy gives the principal the permission if a condition expression evaluate to `true`. However, the sender of the request didn't provide enough context for Policy Troubleshooter to evaluate the condition expression. ALLOW_ACCESS_STATE_UNKNOWN_INFO: The sender of the request doesn't have access to all of the allow policies that Policy Troubleshooter needs to evaluate the principal's access. rr r rErFrN rrrrrALLOW_ACCESS_STATE_UNSPECIFIEDALLOW_ACCESS_STATE_GRANTEDALLOW_ACCESS_STATE_NOT_GRANTED&ALLOW_ACCESS_STATE_UNKNOWN_CONDITIONALALLOW_ACCESS_STATE_UNKNOWN_INFOrrrrAllowAccessStateValueValuesEnumr',&'"!"%&"-.*&'#rrc$\rSrSrSrSrSrSrSrg)YGoogleCloudPolicytroubleshooterIamV3alphaAllowBindingExplanation.RelevanceValueValuesEnumiThe relevance of this role binding to the overall determination for the entire policy. Values: HEURISTIC_RELEVANCE_UNSPECIFIED: Not specified. HEURISTIC_RELEVANCE_NORMAL: The data point has a limited effect on the result. Changing the data point is unlikely to affect the overall determination. HEURISTIC_RELEVANCE_HIGH: The data point has a strong effect on the result. Changing the data point is likely to affect the overall determination. rr r rN rrrrrHEURISTIC_RELEVANCE_UNSPECIFIEDHEURISTIC_RELEVANCE_NORMALHEURISTIC_RELEVANCE_HIGHrrrrRelevanceValueValuesEnumr '(#!" rrc$\rSrSrSrSrSrSrSrg)gGoogleCloudPolicytroubleshooterIamV3alphaAllowBindingExplanation.RolePermissionRelevanceValueValuesEnumiaThe relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy. Values: HEURISTIC_RELEVANCE_UNSPECIFIED: Not specified. HEURISTIC_RELEVANCE_NORMAL: The data point has a limited effect on the result. Changing the data point is unlikely to affect the overall determination. HEURISTIC_RELEVANCE_HIGH: The data point has a strong effect on the result. Changing the data point is likely to affect the overall determination. rr r rNrrrr&RolePermissionRelevanceValueValuesEnumrrrrc(\rSrSrSrSrSrSrSrSr g) ^GoogleCloudPolicytroubleshooterIamV3alphaAllowBindingExplanation.RolePermissionValueValuesEnumiaIndicates whether the role granted by this role binding contains the specified permission. Values: ROLE_PERMISSION_INCLUSION_STATE_UNSPECIFIED: Not specified. ROLE_PERMISSION_INCLUDED: The permission is included in the role. ROLE_PERMISSION_NOT_INCLUDED: The permission is not included in the role. ROLE_PERMISSION_UNKNOWN_INFO: The sender of the request is not allowed to access the role definition. rr r rErN) rrrrr+ROLE_PERMISSION_INCLUSION_STATE_UNSPECIFIEDROLE_PERMISSION_INCLUDEDROLE_PERMISSION_NOT_INCLUDEDROLE_PERMISSION_UNKNOWN_INFOrrrrRolePermissionValueValuesEnumrs! 34/ #$ #$ rrr6cf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) QGoogleCloudPolicytroubleshooterIamV3alphaAllowBindingExplanation.MembershipsValueiaIndicates whether each role binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the role binding, and each value indicates whether the principal in the role binding includes the principal in the request. For example, suppose that a role binding includes the following principals: * `user:alice@example.com` * `group:product-eng@example.com` You want to troubleshoot access for `user:bob@example.com`. This user is a member of the group `group:product-eng@example.com`. For the first principal in the role binding, the key is `user:alice@example.com`, and the `membership` field in the value is set to `NOT_INCLUDED`. For the second principal in the role binding, the key is `group:product-eng@example.com`, and the `membership` field in the value is set to `INCLUDED`. Messages: AdditionalProperty: An additional property for a MembershipsValue object. Fields: additionalProperties: Additional properties of type MembershipsValue cb\rSrSrSr\R "S5r\R"SS5r Sr g)dGoogleCloudPolicytroubleshooterIamV3alphaAllowBindingExplanation.MembershipsValue.AdditionalPropertyizAn additional property for a MembershipsValue object. Fields: key: Name of the additional property. value: A GoogleCloudPolicytroubleshooterIamV3alphaAllowBindingExplanat ionAnnotatedAllowMembership attribute. r XGoogleCloudPolicytroubleshooterIamV3alphaAllowBindingExplanationAnnotatedAllowMembershipr rNr>rrrr?rs4   ! !! $c$$%BCDerr?r Tr#rNrArrrMembershipsValuers4* DY.. D%112FTXYrrr rr GoogleTypeExprrE=GoogleCloudPolicytroubleshooterIamV3alphaConditionExplanationrFrGrHrIrJrKrN)rrrrrrrOrrrrrrPrBrr[allowAccessStater%combinedMembership conditionconditionExplanation memberships relevancerrolerolePermissionrolePermissionRelevancerrrrrrLs5IV( (:!!"!y~~!"%inn%" !!"89"Z**"Z:"ZH(()JAN --/IKLM$$%5q9)"//0oqrs&&'91=+!!"B*!!"GoogleCloudPolicytroubleshooterIamV3alphaDenyPolicyExplanationi9atDetails about how the relevant IAM deny policies affect the final access state. Enums: DenyAccessStateValueValuesEnum: Indicates whether the principal is denied the specified permission for the specified resource, based on evaluating all applicable IAM deny policies. RelevanceValueValuesEnum: The relevance of the deny policy result to the overall access state. Fields: denyAccessState: Indicates whether the principal is denied the specified permission for the specified resource, based on evaluating all applicable IAM deny policies. explainedResources: List of resources with IAM deny policies that were evaluated to check the principal's denied permissions, with annotations to indicate how each policy contributed to the final result. The list of resources includes the policy for the resource itself, as well as policies that are inherited from higher levels of the resource hierarchy, including the organization, the folder, and the project. The order of the resources starts from the resource and climbs up the resource hierarchy. To learn more about the resource hierarchy, see https://cloud.google.com/iam/help/resource-hierarchy. permissionDeniable: Indicates whether the permission to troubleshoot is supported in deny policies. relevance: The relevance of the deny policy result to the overall access state. c,\rSrSrSrSrSrSrSrSr Sr g ) ]GoogleCloudPolicytroubleshooterIamV3alphaDenyPolicyExplanation.DenyAccessStateValueValuesEnumiWaYIndicates whether the principal is denied the specified permission for the specified resource, based on evaluating all applicable IAM deny policies. Values: DENY_ACCESS_STATE_UNSPECIFIED: Not specified. DENY_ACCESS_STATE_DENIED: The deny policy denies the principal the permission. DENY_ACCESS_STATE_NOT_DENIED: The deny policy doesn't deny the principal the permission. DENY_ACCESS_STATE_UNKNOWN_CONDITIONAL: The deny policy denies the principal the permission if a condition expression evaluates to `true`. However, the sender of the request didn't provide enough context for Policy Troubleshooter to evaluate the condition expression. DENY_ACCESS_STATE_UNKNOWN_INFO: The sender of the request does not have access to all of the deny policies that Policy Troubleshooter needs to evaluate the principal's access. rr r rErFrN rrrrrDENY_ACCESS_STATE_UNSPECIFIEDDENY_ACCESS_STATE_DENIEDDENY_ACCESS_STATE_NOT_DENIED%DENY_ACCESS_STATE_UNKNOWN_CONDITIONALDENY_ACCESS_STATE_UNKNOWN_INFOrrrrDenyAccessStateValueValuesEnumrWs'&%&! #$ ,-)%&"rr!c$\rSrSrSrSrSrSrSrg)WGoogleCloudPolicytroubleshooterIamV3alphaDenyPolicyExplanation.RelevanceValueValuesEnumiqaThe relevance of the deny policy result to the overall access state. Values: HEURISTIC_RELEVANCE_UNSPECIFIED: Not specified. HEURISTIC_RELEVANCE_NORMAL: The data point has a limited effect on the result. Changing the data point is unlikely to affect the overall determination. HEURISTIC_RELEVANCE_HIGH: The data point has a strong effect on the result. Changing the data point is likely to affect the overall determination. rr r rNrrrrrr#qrrrr >GoogleCloudPolicytroubleshooterIamV3alphaExplainedDenyResourcer Tr#rErFrN)rrrrrrrOr!rr[denyAccessStater%explainedResourcesrQpermissionDeniablerrrrrrr9s:'y~~'4!! ''(H!L/ --.npq}AB --a0!!"rrrr?r14   ! !! $c$$%~ABCerr?r Tr#rNrArrrDeniedPermissionsValuer/ 4  CY.. C%112FTXYrr4cf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) RGoogleCloudPolicytroubleshooterIamV3alphaDenyRuleExplanation.DeniedPrincipalsValuei'aLists all denied principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set. Each key identifies a denied principal in the rule, and each value indicates whether the denied principal matches the principal in the request. Messages: AdditionalProperty: An additional property for a DeniedPrincipalsValue object. Fields: additionalProperties: Additional properties of type DeniedPrincipalsValue cb\rSrSrSr\R "S5r\R"SS5r Sr g)eGoogleCloudPolicytroubleshooterIamV3alphaDenyRuleExplanation.DeniedPrincipalsValue.AdditionalPropertyi8zAn additional property for a DeniedPrincipalsValue object. Fields: key: Name of the additional property. value: A GoogleCloudPolicytroubleshooterIamV3alphaDenyRuleExplanationA nnotatedDenyPrincipalMatching attribute. r ZGoogleCloudPolicytroubleshooterIamV3alphaDenyRuleExplanationAnnotatedDenyPrincipalMatchingr rNr>rrrr?r987   ! !! $c$$&BDEFerr?r Tr#rNrArrrDeniedPrincipalsValuer7'4  FY.. F%112FTXYrr<cf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) VGoogleCloudPolicytroubleshooterIamV3alphaDenyRuleExplanation.ExceptionPermissionsValueiFaLists all exception permissions in the deny rule and indicates whether each permission matches the permission in the request. Each key identifies a exception permission in the rule, and each value indicates whether the exception permission matches the permission in the request. Messages: AdditionalProperty: An additional property for a ExceptionPermissionsValue object. Fields: additionalProperties: Additional properties of type ExceptionPermissionsValue cb\rSrSrSr\R "S5r\R"SS5r Sr g)iGoogleCloudPolicytroubleshooterIamV3alphaDenyRuleExplanation.ExceptionPermissionsValue.AdditionalPropertyiVzAn additional property for a ExceptionPermissionsValue object. Fields: key: Name of the additional property. value: A GoogleCloudPolicytroubleshooterIamV3alphaDenyRuleExplanationA nnotatedPermissionMatching attribute. r r2r rNr>rrrr?rAVr3rr?r Tr#rNrArrrExceptionPermissionsValuer?Fr5rrBcf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) UGoogleCloudPolicytroubleshooterIamV3alphaDenyRuleExplanation.ExceptionPrincipalsValueida Lists all exception principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set. Each key identifies a exception principal in the rule, and each value indicates whether the exception principal matches the principal in the request. Messages: AdditionalProperty: An additional property for a ExceptionPrincipalsValue object. Fields: additionalProperties: Additional properties of type ExceptionPrincipalsValue cb\rSrSrSr\R "S5r\R"SS5r Sr g)hGoogleCloudPolicytroubleshooterIamV3alphaDenyRuleExplanation.ExceptionPrincipalsValue.AdditionalPropertyiuzAn additional property for a ExceptionPrincipalsValue object. Fields: key: Name of the additional property. value: A GoogleCloudPolicytroubleshooterIamV3alphaDenyRuleExplanationA nnotatedDenyPrincipalMatching attribute. r r:r rNr>rrrr?rFur;rr?r Tr#rNrArrrExceptionPrincipalsValuerDdr=rrGr2r r:r rErFrrGrrHrIrJrKrLrMrNrN)rrrrrrrOr!rrrPrBr4r<rBrGr%combinedDeniedPermissioncombinedDeniedPrincipalcombinedExceptionPermissioncombinedExceptionPrincipalrrdeniedPermissionsdeniedPrincipalsr[r%exceptionPermissionsexceptionPrincipalsrrrrrr)r)sQf'y~~':!!" !!"89Zy00Z:Z: !!"89Zi//Z:Z< !!"89Z)"3"3Z:Z: !!"89Z!2!2Z:Z<'335NPQR%224PRST ) 6 68QST!U(557SUV W$$%5q9)"//0oqrs,,-EqI++,CQG''(H!L/"//0KRP!../I2N!!"B*!!">&8!!"!* 3 34`bc d**+hjkl/$112suvw!!">((()npqr-  " "1 %( ,,Q/##$@!D+rrc\rSrSrSr"SS\R 5r\R"SSSS9r \R"SS SS9r \R"S S 5r \R"S S 5r S rg)OGoogleCloudPolicytroubleshooterServiceperimeterV3alphaEgressPoliciesExplanationiaExplanation of a pair of source and target resources evaluated against all egress policies. NextTAG: 5 Enums: EgressPolicyEvalStatesValueListEntryValuesEnum: Fields: egressPolicyEvalStates: Evaluation states for the pair of source and target resources evaluated against all the egress policies in the service perimeter egressPolicyExplanations: Explanation details about how the pair of source and target resources are evaluated against all the egress policies in the service perimeter sourceResource: The source resource that egress_from policies are evaluated against targetResource: The target resource that egress_to policies are evaluated against c0\rSrSrSrSrSrSrSrSr Sr S r g ) ~GoogleCloudPolicytroubleshooterServiceperimeterV3alphaEgressPoliciesExplanation.EgressPolicyEvalStatesValueListEntryValuesEnumianEgressPolicyEvalStatesValueListEntryValuesEnum enum type. Values: EGRESS_POLICY_EVAL_STATE_UNSPECIFIED: Not used EGRESS_POLICY_EVAL_STATE_IN_SAME_SERVICE_PERIMETER: The resources are in the same regular service perimeter EGRESS_POLICY_EVAL_STATE_GRANTED_OVER_BRIDGE: The resources are in the same bridge service perimeter EGRESS_POLICY_EVAL_STATE_GRANTED_BY_POLICY: The request is granted by the egress policy EGRESS_POLICY_EVAL_STATE_DENIED_BY_POLICY: The request is denied by the egress policy EGRESS_POLICY_EVAL_STATE_NOT_APPLICABLE: The egress policy is not applicable for the request rr r rErFrGrN rrrrr$EGRESS_POLICY_EVAL_STATE_UNSPECIFIED2EGRESS_POLICY_EVAL_STATE_IN_SAME_SERVICE_PERIMETER,EGRESS_POLICY_EVAL_STATE_GRANTED_OVER_BRIDGE*EGRESS_POLICY_EVAL_STATE_GRANTED_BY_POLICY)EGRESS_POLICY_EVAL_STATE_DENIED_BY_POLICY'EGRESS_POLICY_EVAL_STATE_NOT_APPLICABLErrrr.EgressPolicyEvalStatesValueListEntryValuesEnumr$-,-(9:634012.01-./+rr,r Tr#MGoogleCloudPolicytroubleshooterServiceperimeterV3alphaEgressPolicyExplanationr >GoogleCloudPolicytroubleshooterServiceperimeterV3alphaResourcerErFrN)rrrrrrrOr,r[egressPolicyEvalStatesr%egressPolicyExplanationssourceResourcetargetResourcerrrrr"r"s&0y~~0.%../_abmqr&335DFGRVW))*jlmn.))*jlmn.rr"c\rSrSrSr"SS\R 5r"SS\R 5r"SS\R 5r "S S \R 5r "S S \R 5r \R"SS SS9r \R"SS5r\R"SSSS9r\R "SSSS9r\R"S S5r\R"S SSS9rSrg)r.i aXExplanation of an egress policy NextTAG: 8 Enums: ApiOperationEvalStatesValueListEntryValuesEnum: EgressPolicyEvalStateValueValuesEnum: The overall evaluation state of the egress policy ExternalResourceEvalStatesValueListEntryValuesEnum: IdentityTypeEvalStateValueValuesEnum: Details of the evaluation state of the identity type ResourceEvalStatesValueListEntryValuesEnum: Fields: apiOperationEvalStates: Details of the evaluation states of api operations egressPolicyEvalState: The overall evaluation state of the egress policy externalResourceEvalStates: Details of the evaluation states of external resources identityExplanations: Detailed explanation of the identities. identityTypeEvalState: Details of the evaluation state of the identity type resourceEvalStates: Details of the evaluation states of resources c$\rSrSrSrSrSrSrSrg)|GoogleCloudPolicytroubleshooterServiceperimeterV3alphaEgressPolicyExplanation.ApiOperationEvalStatesValueListEntryValuesEnumi3 ApiOperationEvalStatesValueListEntryValuesEnum enum type. Values: API_OPERATION_EVAL_STATE_UNSPECIFIED: Not used API_OPERATION_EVAL_STATE_MATCH: The request matches the api operation API_OPERATION_EVAL_STATE_NOT_MATCH: The request doesn't match the api operation rr r rN rrrrr$API_OPERATION_EVAL_STATE_UNSPECIFIEDAPI_OPERATION_EVAL_STATE_MATCH"API_OPERATION_EVAL_STATE_NOT_MATCHrrrr.ApiOperationEvalStatesValueListEntryValuesEnumr63 ,-(%&")*&rr<c0\rSrSrSrSrSrSrSrSr Sr S r g ) rGoogleCloudPolicytroubleshooterServiceperimeterV3alphaEgressPolicyExplanation.EgressPolicyEvalStateValueValuesEnumi@ afThe overall evaluation state of the egress policy Values: EGRESS_POLICY_EVAL_STATE_UNSPECIFIED: Not used EGRESS_POLICY_EVAL_STATE_IN_SAME_SERVICE_PERIMETER: The resources are in the same regular service perimeter EGRESS_POLICY_EVAL_STATE_GRANTED_OVER_BRIDGE: The resources are in the same bridge service perimeter EGRESS_POLICY_EVAL_STATE_GRANTED_BY_POLICY: The request is granted by the egress policy EGRESS_POLICY_EVAL_STATE_DENIED_BY_POLICY: The request is denied by the egress policy EGRESS_POLICY_EVAL_STATE_NOT_APPLICABLE: The egress policy is not applicable for the request rr r rErFrGrNr%rrr$EgressPolicyEvalStateValueValuesEnumr?@ r-rr@c$\rSrSrSrSrSrSrSrg)ڀGoogleCloudPolicytroubleshooterServiceperimeterV3alphaEgressPolicyExplanation.ExternalResourceEvalStatesValueListEntryValuesEnumiW zExternalResourceEvalStatesValueListEntryValuesEnum enum type. Values: RESOURCE_EVAL_STATE_UNSPECIFIED: Not used RESOURCE_EVAL_STATE_MATCH: The request matches the resource RESOURCE_EVAL_STATE_NOT_MATCH: The request doesn't match the resource rr r rN rrrrrRESOURCE_EVAL_STATE_UNSPECIFIEDRESOURCE_EVAL_STATE_MATCHRESOURCE_EVAL_STATE_NOT_MATCHrrrr2ExternalResourceEvalStatesValueListEntryValuesEnumrBW '(# !$%!rrGc(\rSrSrSrSrSrSrSrSr g) rGoogleCloudPolicytroubleshooterServiceperimeterV3alphaEgressPolicyExplanation.IdentityTypeEvalStateValueValuesEnumic bDetails of the evaluation state of the identity type Values: IDENTITY_TYPE_EVAL_STATE_UNSPECIFIED: Not used IDENTITY_TYPE_EVAL_STATE_GRANTED: The request type matches the identity IDENTITY_TYPE_EVAL_STATE_NOT_GRANTED: The request type doesn't match the identity IDENTITY_TYPE_EVAL_STATE_NOT_SUPPORTED: The identity type is not supported rr r rErN rrrrr$IDENTITY_TYPE_EVAL_STATE_UNSPECIFIED IDENTITY_TYPE_EVAL_STATE_GRANTED$IDENTITY_TYPE_EVAL_STATE_NOT_GRANTED&IDENTITY_TYPE_EVAL_STATE_NOT_SUPPORTEDrrrr$IdentityTypeEvalStateValueValuesEnumrJc ! ,-('($+,(-.*rrQc$\rSrSrSrSrSrSrSrg)xGoogleCloudPolicytroubleshooterServiceperimeterV3alphaEgressPolicyExplanation.ResourceEvalStatesValueListEntryValuesEnumis ResourceEvalStatesValueListEntryValuesEnum enum type. Values: RESOURCE_EVAL_STATE_UNSPECIFIED: Not used RESOURCE_EVAL_STATE_MATCH: The request matches the resource RESOURCE_EVAL_STATE_NOT_MATCH: The request doesn't match the resource rr r rNrCrrr*ResourceEvalStatesValueListEntryValuesEnumrTs rHrrVr Tr#r rEIGoogleCloudPolicytroubleshooterServiceperimeterV3alphaIdentityExplanationrFrGrHrN)rrrrrrrOr<r@rGrQrVr[apiOperationEvalStatesegressPolicyEvalStateexternalResourceEvalStatesr%identityExplanationsidentityTypeEvalStateresourceEvalStatesrrrrr.r. s, +y~~ +0Y^^0. &9>> &/Y^^/ &9>> &%../_abmqr#--.TVWX(223gijuyz"//0{}~JNO#--.TVWX **+WYZeijrr.ch\rSrSrSr"SS\R 5r\R"SS5r Sr g)rWi zExplanation of an identity. NextTAG: 3 Enums: IdentityEvalStateValueValuesEnum: Details about the evaluation state of the identity set in policy. Fields: identityEvalState: Details about the evaluation state of the identity set in policy. c,\rSrSrSrSrSrSrSrSr Sr g ) jGoogleCloudPolicytroubleshooterServiceperimeterV3alphaIdentityExplanation.IdentityEvalStateValueValuesEnumi aXDetails about the evaluation state of the identity set in policy. Values: IDENTITY_EVAL_STATE_UNSPECIFIED: Not used MATCH: The request matches the identity NOT_MATCH: The request doesn't match the identity NOT_SUPPORTED: The identity is not supported INFO_DENIED: The sender of the request is not allowed to verify the identity. rr r rErFrN) rrrrrIDENTITY_EVAL_STATE_UNSPECIFIEDMATCH NOT_MATCH NOT_SUPPORTED INFO_DENIEDrrrr IdentityEvalStateValueValuesEnumr` s# '(# EIMKrrfr rN) rrrrrrrOrfr[identityEvalStaterrrrrWrW s- " ))*LaPrrWc\rSrSrSr"SS\R 5r"SS\R 5r\R"SSSS 9r \R"S S SS 9r \R"S S 5r \R"SS5rSrg)PGoogleCloudPolicytroubleshooterServiceperimeterV3alphaIngressPoliciesExplanationi a Explanation of ingress policies NextTAG: 5 Enums: IngressPolicyEvalStatesValueListEntryValuesEnum: TopLevelAccessLevelsEvalStateValueValuesEnum: The overall evaluation state of the top level access levels Fields: ingressPolicyEvalStates: Details about the evaluation state of the ingress policy ingressPolicyExplanations: Explanations of ingress policies targetResource: The target resource to ingress to topLevelAccessLevelsEvalState: The overall evaluation state of the top level access levels c0\rSrSrSrSrSrSrSrSr Sr S r g ) ڀGoogleCloudPolicytroubleshooterServiceperimeterV3alphaIngressPoliciesExplanation.IngressPolicyEvalStatesValueListEntryValuesEnumi axIngressPolicyEvalStatesValueListEntryValuesEnum enum type. Values: INGRESS_POLICY_EVAL_STATE_UNSPECIFIED: Not used INGRESS_POLICY_EVAL_STATE_IN_SAME_SERVICE_PERIMETER: The resources are in the same regular service perimeter INGRESS_POLICY_EVAL_STATE_GRANTED_OVER_BRIDGE: The resources are in the same bridge service perimeter INGRESS_POLICY_EVAL_STATE_GRANTED_BY_POLICY: The request is granted by the ingress policy INGRESS_POLICY_EVAL_STATE_DENIED_BY_POLICY: The request is denied by the ingress policy INGRESS_POLICY_EVAL_STATE_NOT_APPLICABLE: The ingress policy is not applicable for the request rr r rErFrGrN rrrrr%INGRESS_POLICY_EVAL_STATE_UNSPECIFIED3INGRESS_POLICY_EVAL_STATE_IN_SAME_SERVICE_PERIMETER-INGRESS_POLICY_EVAL_STATE_GRANTED_OVER_BRIDGE+INGRESS_POLICY_EVAL_STATE_GRANTED_BY_POLICY*INGRESS_POLICY_EVAL_STATE_DENIED_BY_POLICY(INGRESS_POLICY_EVAL_STATE_NOT_APPLICABLErrrr/IngressPolicyEvalStatesValueListEntryValuesEnumrk --.):;745123/12./0,rrsc(\rSrSrSrSrSrSrSrSr g) }GoogleCloudPolicytroubleshooterServiceperimeterV3alphaIngressPoliciesExplanation.TopLevelAccessLevelsEvalStateValueValuesEnumi aThe overall evaluation state of the top level access levels Values: TOP_LEVEL_ACCESS_LEVELS_EVAL_STATE_UNSPECIFIED: Not used NOT_APPLICABLE: The overall evaluation state of the top level access levels is not applicable GRANTED: The overall evaluation state of the top level access levels is granted DENIED: The overall evaluation state of the top level access levels is denied rr r rErN) rrrrr.TOP_LEVEL_ACCESS_LEVELS_EVAL_STATE_UNSPECIFIEDNOT_APPLICABLEGRANTEDDENIEDrrrr,TopLevelAccessLevelsEvalStateValueValuesEnumrv s 672NG Frr{r Tr#NGoogleCloudPolicytroubleshooterServiceperimeterV3alphaIngressPolicyExplanationr r/rErFrN)rrrrrrrOrsr{r[ingressPolicyEvalStatesr%ingressPolicyExplanationsr3topLevelAccessLevelsEvalStaterrrrriri s 1 1.Y^^"&//0acdost'446FHITXY))*jlmn."+"5"56dfg"hrric\rSrSrSr"SS\R 5r"SS\R 5r"SS\R 5r "S S \R 5r "S S \R 5r \R"SS SS9r \R"SSSS9r\R"SS5r\R"SS5r\R"S SSS9r\R"S SSS9rSrg)r|i aTExplanation of an ingress policy NextTAG: 8 Enums: ApiOperationEvalStatesValueListEntryValuesEnum: IdentityTypeEvalStateValueValuesEnum: Details of the evaluation state of the identity type IngressPolicyEvalStateValueValuesEnum: The overall evaluation state of the ingress policy IngressSourceEvalStatesValueListEntryValuesEnum: ResourceEvalStatesValueListEntryValuesEnum: Fields: apiOperationEvalStates: Details of the evaluation states of api operations identityExplanations: Detailed explanation of the identities. identityTypeEvalState: Details of the evaluation state of the identity type ingressPolicyEvalState: The overall evaluation state of the ingress policy ingressSourceEvalStates: Details of the evaluation states of ingress sources resourceEvalStates: Details of the evaluation states of resources c$\rSrSrSrSrSrSrSrg)}GoogleCloudPolicytroubleshooterServiceperimeterV3alphaIngressPolicyExplanation.ApiOperationEvalStatesValueListEntryValuesEnumi r7rr r rNr8rrrr<r r=rr<c(\rSrSrSrSrSrSrSrSr g) sGoogleCloudPolicytroubleshooterServiceperimeterV3alphaIngressPolicyExplanation.IdentityTypeEvalStateValueValuesEnumi rKrr r rErNrLrrrrQr rRrrQc0\rSrSrSrSrSrSrSrSr Sr S r g ) tGoogleCloudPolicytroubleshooterServiceperimeterV3alphaIngressPolicyExplanation.IngressPolicyEvalStateValueValuesEnumi apThe overall evaluation state of the ingress policy Values: INGRESS_POLICY_EVAL_STATE_UNSPECIFIED: Not used INGRESS_POLICY_EVAL_STATE_IN_SAME_SERVICE_PERIMETER: The resources are in the same regular service perimeter INGRESS_POLICY_EVAL_STATE_GRANTED_OVER_BRIDGE: The resources are in the same bridge service perimeter INGRESS_POLICY_EVAL_STATE_GRANTED_BY_POLICY: The request is granted by the ingress policy INGRESS_POLICY_EVAL_STATE_DENIED_BY_POLICY: The request is denied by the ingress policy INGRESS_POLICY_EVAL_STATE_NOT_APPLICABLE: The ingress policy is not applicable for the request rr r rErFrGrNrlrrr%IngressPolicyEvalStateValueValuesEnumr rtrrc$\rSrSrSrSrSrSrSrg)~GoogleCloudPolicytroubleshooterServiceperimeterV3alphaIngressPolicyExplanation.IngressSourceEvalStatesValueListEntryValuesEnumi1 aIngressSourceEvalStatesValueListEntryValuesEnum enum type. Values: INGRESS_SOURCE_EVAL_STATE_UNSPECIFIED: Not used INGRESS_SOURCE_EVAL_STATE_MATCH: The request matches the ingress source INGRESS_SOURCE_EVAL_STATE_NOT_MATCH: The request doesn't match the ingress source rr r rN) rrrrr%INGRESS_SOURCE_EVAL_STATE_UNSPECIFIEDINGRESS_SOURCE_EVAL_STATE_MATCH#INGRESS_SOURCE_EVAL_STATE_NOT_MATCHrrrr/IngressSourceEvalStatesValueListEntryValuesEnumr1 s-.)&'#*+'rrc$\rSrSrSrSrSrSrSrg)yGoogleCloudPolicytroubleshooterServiceperimeterV3alphaIngressPolicyExplanation.ResourceEvalStatesValueListEntryValuesEnumi> rUrr r rNrCrrrrVr> rHrrVr Tr#rWr rErFrGrHrN)rrrrrrrOr<rQrrrVr[rXr%r[r\ingressPolicyEvalStateingressSourceEvalStatesr]rrrrr|r| s, +y~~ +/Y^^/ 1inn1. ,  , &9>> &%../_abmqr"//0{}~JNO#--.TVWX$../VXYZ%//0acdost **+WYZeijrr|c`\rSrSrSr\R "SSSS9r\R"S5r Sr g ) AGoogleCloudPolicytroubleshooterServiceperimeterV3alphaRemediationiR acRemediation details for one service perimeter. Customers are expected to select one [Option[google.cloud.policytroubleshooter.serviceperimeter.v3main .Remediation.Option] and apply all of its remediations. NextTAG: 3 Fields: options: A list of remediation options for the service perimeter. Customers are expected to pick one Option and apply all of its remediations, including the ingress policy remediations, egress policy remediations, and access levels. servicePerimeter: The name of the service perimeter. Format: `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}` GGoogleCloudPolicytroubleshooterServiceperimeterV3alphaRemediationOptionr Tr#r rN) rrrrrrr%optionsrservicePerimeterrrrrrrR s1   " "#lnoz~ '**1-rrc\rSrSrSr"SS\R 5r\R"SS5r \R"S5r \R"SS5r S rg ) XGoogleCloudPolicytroubleshooterServiceperimeterV3alphaRemediationEgressPolicyRemediationid aHThe details of a single egress policy remediation. Enums: EgressPolicyRemediationTypeValueValuesEnum: The remediation type of the egress policy. Fields: egressPolicy: The proposed egress policy. This represents a single egress policy. egressPolicyIndex: The index of the egress policy in the service perimeter config in the range of [0, R), where R = number of egress policies in the service perimeter config if the policy remediation is a modification and -1 if it is an addition. egressPolicyRemediationType: The remediation type of the egress policy. c \rSrSrSrSrSrSrg)ڃGoogleCloudPolicytroubleshooterServiceperimeterV3alphaRemediationEgressPolicyRemediation.EgressPolicyRemediationTypeValueValuesEnumiu zThe remediation type of the egress policy. Values: POLICY_REMEDIATION_TYPE_UNSPECIFIED: Not used ADDITION: Add a new policy. rr rNrrrrr#POLICY_REMEDIATION_TYPE_UNSPECIFIEDADDITIONrrrr*EgressPolicyRemediationTypeValueValuesEnumru  +,'HrrFGoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigEgressPolicyr r rErN)rrrrrrrOrr% egressPolicyregressPolicyIndexr[egressPolicyRemediationTyperrrrrrd sS 9>>''(prst,,,Q/ ) 3 34`bc drrc\rSrSrSr"SS\R 5r\R"SS5r \R"S5r \R"SS5r S rg ) YGoogleCloudPolicytroubleshooterServiceperimeterV3alphaRemediationIngressPolicyRemediationi aSThe details of a single ingress policy remediation. Enums: IngressPolicyRemediationTypeValueValuesEnum: The remediation type of the ingress policy. Fields: ingressPolicy: The proposed ingress policy. This represents a single ingress policy. ingressPolicyIndex: The index of the ingress policy in the service perimeter config in the range of [0, R), where R = number of ingress policies in the service perimeter config if the policy remediation is a modification and -1 if it is an addition. ingressPolicyRemediationType: The remediation type of the ingress policy. c \rSrSrSrSrSrSrg)څGoogleCloudPolicytroubleshooterServiceperimeterV3alphaRemediationIngressPolicyRemediation.IngressPolicyRemediationTypeValueValuesEnumi zThe remediation type of the ingress policy. Values: POLICY_REMEDIATION_TYPE_UNSPECIFIED: Not used ADDITION: Add a new policy. rr rNrrrr+IngressPolicyRemediationTypeValueValuesEnumr rrrGGoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigIngressPolicyr r rErN)rrrrrrrOrr% ingressPolicyringressPolicyIndexr[ingressPolicyRemediationTyperrrrrr sS INN(()rtuv- --a0!*!4!45bde!frrc\rSrSrSr\R "S5r\R"SSSS9r \R"SS SS9r S r g ) ri aiRepresents a single remediation option. This includes the proposed ingress and egress policy remediations and new access levels. NextTAG: 4 Fields: containsRedaction: Whether the remediation option contains redaction. egressPolicyRemediations: The proposed egress policy remediations. ingressPolicyRemediations: The proposed ingress policy remediations. r rr Tr#rrErN) rrrrrrrQcontainsRedactionr%egressPolicyRemediationsingressPolicyRemediationsrrrrrr sf ,,Q/&335OQR]ab'446QST_cdrrc\rSrSrSr"SS\R 5r"SS\R 5r\R"SSS 9r \R"S SS 9r \R"S SS 9r \R"S SS 9r \R"S 5r\R"SS5r\R"S5r\R"SSS 9r\R&"SS5r\R"SS5r\R"SSS 9r\R&"SS5rSrg)FGoogleCloudPolicytroubleshooterServiceperimeterV3alphaResolvedResourcei aThe details of a resolved resource. NextTAG: 13 Enums: ResolvedStateValueValuesEnum: The resolved resource's state ResourceTypeValueValuesEnum: The resource type of the resource. Fields: bridgeServicePerimeters: Full resource names of the bridge service perimeters that restrict the resource Format: `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}` dryrunBridgeServicePerimeters: Full resource names of the dryrun bridge service perimeters that restrict the resource Format: `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}` dryrunRegularServicePerimeters: Full resource name of the dry run regular service perimeters that restricts the resource Format: `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}` permissions: The iam permission names attached to this resource. This only applies to resources generated from resource containers. projectId: Project string identifier, in the format of "projects/{project_id}". e.g. "projects/my-project-123". projectInfo: Details of the project associated with this resolved resource. projectNumber: The project number of the project associated with this resolved resource. In the format of "projects/{project_number}". regularServicePerimeters: Full resource name of the regular service perimeters that restricts the resource Format: `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}` resolvedState: The resolved resource's state resource: Details of the resource resourceNames: The resource names belonging to this resource. For network resource, this is its network full name or redacted name. resourceType: The resource type of the resource. c,\rSrSrSrSrSrSrSrSr Sr g ) cGoogleCloudPolicytroubleshooterServiceperimeterV3alphaResolvedResource.ResolvedStateValueValuesEnumi aOThe resolved resource's state Values: RESOLVED_STATE_UNSPECIFIED: Not used INFO_DENIED: The caller doesn't have permission to resolve this resource COMPLETED: The resource has been fully resolved NOT_APPLICABLE: The resource cannot be restricted by service perimeters ERROR: The resource cannot be resolved due to an error. rr r rErFrN) rrrrrRESOLVED_STATE_UNSPECIFIEDre COMPLETEDrxERRORrrrrResolvedStateValueValuesEnumr s#"#KIN Errc \rSrSrSrSrSrSrg)bGoogleCloudPolicytroubleshooterServiceperimeterV3alphaResolvedResource.ResourceTypeValueValuesEnumi ztThe resource type of the resource. Values: RESOURCE_TYPE_UNSPECIFIED: Not used NETWORK: Network resource type. rr rN)rrrrrRESOURCE_TYPE_UNSPECIFIEDNETWORKrrrrResourceTypeValueValuesEnumr s !"Grrr Tr#r rErFrGQGoogleCloudPolicytroubleshooterServiceperimeterV3alphaResolvedResourceProjectInforHrIrJrKr/rLrMrNrN)rrrrrrrOrrrbridgeServicePerimetersdryrunBridgeServicePerimetersdryrunRegularServicePerimeters permissions projectIdr% projectInfo projectNumberregularServicePerimetersr[ resolvedStater resourceNames resourceTyperrrrrr s DY^^ INN&11!dC"+"7"7D"I#,#8#8T#J %%a$7+##A&)&&'z|}~+''*-&221tD%%&DaH-  # #$dfh i(''T:-$$%BBG,rrc<\rSrSrSr\R "S5rSrg)ri zmThe details of a project. NextTAG: 2 Fields: projectId: Project string identifier, e.g. "my-project-123". r rN) rrrrrrrrrrrrrr s ##A&)rrc^\rSrSrSr\R "S5r\R "SSS9rSr g) r/i zResource checked by service perimeter check NextTAG: 3 Fields: name: The name of the resource permissions: The iam permission names r r Tr#rN) rrrrrrrr rrrrrr/r/ s+   q !$%%a$7+rr/c8\rSrSrSr"SS\R 5r"SS\R 5r"SS\R 5r "S S \R 5r "S S \R 5r \R"SS SS9r \R"SSSS9r\R"SS5r\R"SSSS9r\R"SS5r\R"S S5r\R"SSSS9r\R"S S5r\R"SS5rSrg)WGoogleCloudPolicytroubleshooterServiceperimeterV3alphaServicePerimeterConfigExplanationi aExplanation of service perimeter config NextTAG: 10 Enums: AccessLevelsEvalStatesValueListEntryValuesEnum: EvalStateValueValuesEnum: Details about the evaluation state of a service perimeter config OverallEgressPoliciesEvalStateValueValuesEnum: Overall evaluation state of the egress policies OverallIngressPoliciesEvalStateValueValuesEnum: Overall evaluation state of the ingress policies RestrictedServicesEvalStateValueValuesEnum: Eval state of the restricted services Fields: accessLevelsEvalStates: Details about the evaluation state of access levels egressPoliciesExplanations: Explanation of egress policies evalState: Details about the evaluation state of a service perimeter config ingressPoliciesExplanations: Explanation of ingress policies overallEgressPoliciesEvalState: Overall evaluation state of the egress policies overallIngressPoliciesEvalState: Overall evaluation state of the ingress policies restrictedResources: Resources that are restricted by this service perimeter config restrictedServicesEvalState: Eval state of the restricted services vpcAccessibleServicesExplanation: Explanation of the vpc accessible service policy c,\rSrSrSrSrSrSrSrSr Sr g ) چGoogleCloudPolicytroubleshooterServiceperimeterV3alphaServicePerimeterConfigExplanation.AccessLevelsEvalStatesValueListEntryValuesEnumi4 aAccessLevelsEvalStatesValueListEntryValuesEnum enum type. Values: ACCESS_LEVEL_EVAL_STATE_UNSPECIFIED: Not used ACCESS_LEVEL_EVAL_STATE_SATISFIED: The access level is satisfied ACCESS_LEVEL_EVAL_STATE_UNSATISFIED: The access level is unsatisfied ACCESS_LEVEL_EVAL_STATE_ERROR: The access level is not satisfied nor unsatisfied ACCESS_LEVEL_EVAL_STATE_NOT_EXIST: The access level does not exist rr r rErFrN) rrrrrrvrwrxryrzrrrr.AccessLevelsEvalStatesValueListEntryValuesEnumr4 s' +,'()%*+'$%!()%rrc,\rSrSrSrSrSrSrSrSr Sr g ) pGoogleCloudPolicytroubleshooterServiceperimeterV3alphaServicePerimeterConfigExplanation.EvalStateValueValuesEnumiE aPDetails about the evaluation state of a service perimeter config Values: EVAL_STATE_UNSPECIFIED: Not used NOT_APPLICABLE: The evaluation state of a service perimeter config is not applicable GRANTED: The service perimeter config grants the request DENIED: The service perimeter config denies the request INHERITED_FROM_ACTIVE: The service perimeter dry run config is inherited from the active service perimeter. The dry run evaluation state is the same as the active service perimeter evaluation state. This should only be set for dry run service perimeter config. rr r rErFrN) rrrrrrrxryrzINHERITED_FROM_ACTIVErrrrrrE s$ NG Frrc,\rSrSrSrSrSrSrSrSr Sr g ) څGoogleCloudPolicytroubleshooterServiceperimeterV3alphaServicePerimeterConfigExplanation.OverallEgressPoliciesEvalStateValueValuesEnumiY aOverall evaluation state of the egress policies Values: OVERALL_EGRESS_POLICIES_EVAL_STATE_UNSPECIFIED: Not used OVERALL_EGRESS_POLICIES_EVAL_STATE_GRANTED: The request is granted by the egress policies OVERALL_EGRESS_POLICIES_EVAL_STATE_DENIED: The request is denied by the egress policies OVERALL_EGRESS_POLICIES_EVAL_STATE_NOT_APPLICABLE: The egress policies are applicable for the request OVERALL_EGRESS_POLICIES_EVAL_STATE_SKIPPED: The request skips the egress policies check rr r rErFrN) rrrrr.OVERALL_EGRESS_POLICIES_EVAL_STATE_UNSPECIFIED*OVERALL_EGRESS_POLICIES_EVAL_STATE_GRANTED)OVERALL_EGRESS_POLICIES_EVAL_STATE_DENIED1OVERALL_EGRESS_POLICIES_EVAL_STATE_NOT_APPLICABLE*OVERALL_EGRESS_POLICIES_EVAL_STATE_SKIPPEDrrrr-OverallEgressPoliciesEvalStateValueValuesEnumrY s' 67212.01-89512.rrc,\rSrSrSrSrSrSrSrSr Sr g ) چGoogleCloudPolicytroubleshooterServiceperimeterV3alphaServicePerimeterConfigExplanation.OverallIngressPoliciesEvalStateValueValuesEnumim aOverall evaluation state of the ingress policies Values: OVERALL_INGRESS_POLICIES_EVAL_STATE_UNSPECIFIED: Not used OVERALL_INGRESS_POLICIES_EVAL_STATE_GRANTED: The request is granted by the ingress policies OVERALL_INGRESS_POLICIES_EVAL_STATE_DENIED: The request is denied by the ingress policies OVERALL_INGRESS_POLICIES_EVAL_STATE_NOT_APPLICABLE: The ingress policies are applicable for the request OVERALL_INGRESS_POLICIES_EVAL_STATE_SKIPPED: The request skips the ingress policies check rr r rErFrN) rrrrr/OVERALL_INGRESS_POLICIES_EVAL_STATE_UNSPECIFIED+OVERALL_INGRESS_POLICIES_EVAL_STATE_GRANTED*OVERALL_INGRESS_POLICIES_EVAL_STATE_DENIED2OVERALL_INGRESS_POLICIES_EVAL_STATE_NOT_APPLICABLE+OVERALL_INGRESS_POLICIES_EVAL_STATE_SKIPPEDrrrr.OverallIngressPoliciesEvalStateValueValuesEnumrm s' 78323/12.9:623/rrc$\rSrSrSrSrSrSrSrg)ڂGoogleCloudPolicytroubleshooterServiceperimeterV3alphaServicePerimeterConfigExplanation.RestrictedServicesEvalStateValueValuesEnumi zEval state of the restricted services Values: RESTRICTED_SERVICES_EVAL_STATE_UNSPECIFIED: Not used IS_RESTRICTED: The request service is restricted IS_NOT_RESTRICTED: The request service is not restricted rr r rN) rrrrr*RESTRICTED_SERVICES_EVAL_STATE_UNSPECIFIED IS_RESTRICTEDIS_NOT_RESTRICTEDrrrr*RestrictedServicesEvalStateValueValuesEnumr s23.Mrrr Tr#r"r rErirFrGrHr/rIrJVGoogleCloudPolicytroubleshooterServiceperimeterV3alphaVpcAccessibleServicesExplanationrKrN)rrrrrrrOrrrrrr[accessLevelsEvalStatesr%egressPoliciesExplanationsringressPoliciesExplanationsoverallEgressPoliciesEvalStateoverallIngressPoliciesEvalStaterestrictedResourcesrestrictedServicesEvalState vpcAccessibleServicesExplanationrrrrrr sM>*y~~*"(3inn3(4y~~4( 9>> %../_abmqr(557HJKVZ [!!"WYZ'[#rrc<\rSrSrSr\R "S5rSrg)YGoogleCloudPolicytroubleshooterServiceperimeterV3alphaTroubleshootServicePerimeterRequesti zRequest to troubleshoot service perimeters Fields: troubleshootingToken: The troubleshooting token can be generated when customers get access denied by the service perimeter r rNrrrrrr rrrcH\rSrSrSr"SS\R 5r"SS\R 5r\R"SSS S 9r \R"SS 5r \R"S S 5r \R"SS5r\R"S5r\R"S5r\R"S5r\R"S5r\R"SSS S 9r\R"S5r\R"SSS S 9r\R"S5r\R"SS5rSrg)ZGoogleCloudPolicytroubleshooterServiceperimeterV3alphaTroubleshootServicePerimeterResponsei a3Response to troubleshoot service perimeters NextTAG: 15 Enums: AccessStateValueValuesEnum: The access state of the active service perimeters. DryrunAccessStateValueValuesEnum: The access state of the dry run service perimeters Fields: accessPolicyExplanations: Explanation of access policies accessState: The access state of the active service perimeters. deviceInfo: Device information of the device from troubleshoot token. dryrunAccessState: The access state of the dry run service perimeters operation: Fully qualified name of the operation. principal: The principal email address of the violation principal from troubleshoot token. principalIp: The ip address of the violation principal from troubleshoot token. principalIpRegion: The region code of the principal ip address from troubleshoot token. remediation: Details about the remediations for each Service Perimeter involved in the violation. requestTime: The request_time from troubleshooting token. It captures when the request generating the token was made. The violation time when token is logged because of the VPC SC violation. resolvedResources: Details about the resolved resources. service: The service name as specified in its service configuration. For example, `"pubsub.googleapis.com"`. See [google.api.Service](https://cloud.google.com/service- management/reference/rpc/google.api#google.api.Service) for the definition of a service name. supportedService: Supported service that indicates the current VPC-SC integration status. c(\rSrSrSrSrSrSrSrSr g) uGoogleCloudPolicytroubleshooterServiceperimeterV3alphaTroubleshootServicePerimeterResponse.AccessStateValueValuesEnumi aThe access state of the active service perimeters. Values: ACCESS_STATE_UNSPECIFIED: Not used NOT_APPLICABLE: The request is not restricted by any service perimeters GRANTED: The request is granted by service perimeters DENIED: The request is denied by service perimeters rr r rErN rrrrrrrxryrzrrrrrr  !NG Frrc(\rSrSrSrSrSrSrSrSr g) {GoogleCloudPolicytroubleshooterServiceperimeterV3alphaTroubleshootServicePerimeterResponse.DryrunAccessStateValueValuesEnumi aThe access state of the dry run service perimeters Values: ACCESS_STATE_UNSPECIFIED: Not used NOT_APPLICABLE: The request is not restricted by any service perimeters GRANTED: The request is granted by service perimeters DENIED: The request is denied by service perimeters rr r rErNrrrr DryrunAccessStateValueValuesEnumr rrrrr Tr#r rrErFrGrHrIrJrrKrLrrMrN4GoogleIdentityAccesscontextmanagerV1SupportedService rN)rrrrrrrOrrr%accessPolicyExplanationsr[r deviceInfodryrunAccessStater operationr principalIpprincipalIpRegion remediation requestTimeresolvedResourcesrsupportedServicerrrrrr s7!F 9>>   '335DFGRVW##$@!D+%%&hjkl*))*LaP##A&)##A&)%%a(+++A.&&'jlmx|}+%%b)+,,-uwyEIJ  ! !" %'++,bdfgrrch\rSrSrSr"SS\R 5r\R"SS5r Sr g)ri aExplanation of the vpc accessible service policy NextTAG: 2 Enums: EvalStateValueValuesEnum: Details about the evaluation state of the vpc accessible service policy Fields: evalState: Details about the evaluation state of the vpc accessible service policy c,\rSrSrSrSrSrSrSrSr Sr g ) oGoogleCloudPolicytroubleshooterServiceperimeterV3alphaVpcAccessibleServicesExplanation.EvalStateValueValuesEnumi aWDetails about the evaluation state of the vpc accessible service policy Values: EVAL_STATE_UNSPECIFIED: Not used NOT_APPLICABLE: Vpc accessible service evaluation is not applicable GRANTED: Vpc accessible service policy grants the request DENIED: Vpc accessible service policy denies the request INTERNAL: It is an internal traffic rr r rErFrN) rrrrrrrxryrzINTERNALrrrrrr s# NG FHrrr rN) rrrrrrrOrr[rrrrrrr s, "!!">CJ)..( 9>> " 0!4#.2"a #0!4#  T 2&rr"c\rSrSrSr\R "SS5r\R "SS5r\R "SS5r S r g ) GoogleIamV1LogConfigi? zSpecifies what kind of log the caller must write Fields: cloudAudit: Cloud audit options. counter: Counter options. dataAccess: Data access options. %GoogleIamV1LogConfigCloudAuditOptionsr "GoogleIamV1LogConfigCounterOptionsr %GoogleIamV1LogConfigDataAccessOptionsrErN) rrrrrrr% cloudAuditcounter dataAccessrrrrrCrC? sB%%&MqQ*  " "#G K'%%&MqQ*rrCc\rSrSrSr"SS\R 5r"SS\R 5r\R"SS5r \R"SS 5r \R"SS 5r S rg ) rDiM aWrite a Cloud Audit log Enums: LogNameValueValuesEnum: The log_name to populate in the Cloud Audit Record. PermissionTypeValueValuesEnum: The type associated with the permission. Fields: authorizationLoggingOptions: Information used by the Cloud Audit Logging pipeline. Will be deprecated once the migration to PermissionType is complete (b/201806118). logName: The log_name to populate in the Cloud Audit Record. permissionType: The type associated with the permission. c$\rSrSrSrSrSrSrSrg) increment counter /iam/policy/debug_access_count {iam_principal=[value of IAMContext.principal]} Fields: customFields: Custom fields. field: The field value to attribute. metric: The metric to update. -GoogleIamV1LogConfigCounterOptionsCustomFieldr Tr#r rErN) rrrrrrr% customFieldsrfieldmetricrrrrrErE s@*''(WYZeij,    "%   #&rrEc`\rSrSrSr\R "S5r\R "S5rSr g)rVi aLCustom fields. These can be used to create a counter with arbitrary field/value pairs. See: go/rpcsp-custom-fields. Fields: name: Name is the field name. value: Value is the field value. It is important that in contrast to the CounterOptions.field, the value here is a constant that is not derived from the IAMContext. r r rN) rrrrrrrr rrrrrrVrV s)   q !$    "%rrVc\rSrSrSr"SS\R 5r\R"S5r \R"SS5r Sr g) rFi zWrite a Data Access (Gin) log Enums: LogModeValueValuesEnum: Fields: isDirectAuth: Indicates that access was granted by a regular grant policy logMode: A LogModeValueValuesEnum attribute. c \rSrSrSrSrSrSrg)Data for an IAM policy. Messages: AnnotationsValue: A key-value map to store arbitrary metadata for the `Policy`. Keys can be up to 63 characters. Values can be up to 255 characters. Fields: annotations: A key-value map to store arbitrary metadata for the `Policy`. Keys can be up to 63 characters. Values can be up to 255 characters. createTime: Output only. The time when the `Policy` was created. deleteTime: Output only. The time when the `Policy` was deleted. Empty if the policy is not deleted. displayName: A user-specified description of the `Policy`. This value can be up to 63 characters. etag: An opaque tag that identifies the current version of the `Policy`. IAM uses this value to help manage concurrent updates, so they do not cause one update to be overwritten by another. If this field is present in a CreatePolicyRequest, the value is ignored. kind: Output only. The kind of the `Policy`. Always contains the value `DenyPolicy`. managingAuthority: Immutable. Specifies that this policy is managed by an authority and can only be modified by that authority. Usage is restricted. name: Immutable. The resource name of the `Policy`, which must be unique. Format: `policies/{attachment_point}/denypolicies/{policy_id}` The attachment point is identified by its URL-encoded full resource name, which means that the forward-slash character, `/`, must be written as `%2F`. For example, `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy- project/denypolicies/my-deny-policy`. For organizations and folders, use the numeric ID in the full resource name. For projects, requests can use the alphanumeric or the numeric ID. Responses always contain the numeric ID. rules: A list of rules that specify the behavior of the `Policy`. All of the rules should be of the `kind` specified in the `Policy`. uid: Immutable. The globally unique ID of the `Policy`. Assigned automatically when the `Policy` is created. updateTime: Output only. The time when the `Policy` was last updated. r6cf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) "GoogleIamV2Policy.AnnotationsValueia.A key-value map to store arbitrary metadata for the `Policy`. Keys can be up to 63 characters. Values can be up to 255 characters. Messages: AdditionalProperty: An additional property for a AnnotationsValue object. Fields: additionalProperties: Additional properties of type AnnotationsValue c`\rSrSrSr\R "S5r\R "S5rSr g)5GoogleIamV2Policy.AnnotationsValue.AdditionalPropertyiAn additional property for a AnnotationsValue object. Fields: key: Name of the additional property. value: A string attribute. r r rN rrrrrrrr.rrrrrr?r)   ! !! $c##A&err?r Tr#rNrArrrAnnotationsValuers2  'Y.. '%112FTXYrrr r rErFrGrHrIrJGoogleIamV2PolicyRulerKTr#rLrMrN)rrrrrrrPrrBrr% annotationsr createTime deleteTime displayNamergkindmanagingAuthorityr rhuid updateTimerrrrrprps'R !!"89Z**Z:Z2&&'91=+$$Q'*$$Q'*%%a(+   q !$   q !$++A.   q !$  !8!d K%b!#$$R(*rrpc\rSrSrSr\R "SS5r\R "SS5r\R"S5r Sr g ) ri5zA single rule in a `Policy`. Fields: accessBoundaryRule: A rule for an access boundary policy. denyRule: A rule for a deny policy. description: A user-specified description of the rule. This value can be up to 256 characters. ryr r~r rErN) rrrrrrr%accessBoundaryRuledenyRulerrtrrrrrr5s@!--.MqQ  # #$91 =(%%a(+rrcN\rSrSrSr"SS\R 5r\R"S5"SS\R55r \R"SS5r \R"S S 5r\R"S 5r\R"S 5r\R"S 5r\R"S5r\R"S5r\R*"SS5r\R"S5r\R"SS5r\R"S5r\R"S5rSrg)riDa;IAM policy binding resource. Enums: PolicyKindValueValuesEnum: Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Messages: AnnotationsValue: Optional. User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations Fields: annotations: Optional. User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations condition: Optional. The condition to apply to the policy binding. When set, the `expression` field in the `Expr` must include from 1 to 10 subexpressions, joined by the "||"(Logical OR), "&&"(Logical AND) or "!"(Logical NOT) operators and cannot contain more than 250 characters. The condition is currently only supported when bound to policies of kind principal access boundary. When the bound policy is a principal access boundary policy, the only supported attributes in any subexpression are `principal.type` and `principal.subject`. An example expression is: "principal.type == 'iam.googleapis.com/ServiceAccount'" or "principal.subject == 'bob@example.com'". Allowed operations for `principal.subject`: - `principal.subject == ` - `principal.subject != ` - `principal.subject in []` - `principal.subject.startsWith()` - `principal.subject.endsWith()` Allowed operations for `principal.type`: - `principal.type == ` - `principal.type != ` - `principal.type in []` Supported principal types are Workspace, Workforce Pool, Workload Pool and Service Account. Allowed string must be one of: - iam.googleapis.com/WorkspaceIdentity - iam.googleapis.com/WorkforcePoolIdentity - iam.googleapis.com/WorkloadPoolIdentity - iam.googleapis.com/ServiceAccount createTime: Output only. The time when the policy binding was created. displayName: Optional. The description of the policy binding. Must be less than or equal to 63 characters. etag: Optional. The etag for the policy binding. If this is provided on update, it must match the server's etag. name: Identifier. The name of the policy binding, in the format `{binding_parent/locations/{location}/policyBindings/{policy_binding_id} `. The binding parent is the closest Resource Manager resource (project, folder, or organization) to the binding target. Format: * `projects/{pro ject_id}/locations/{location}/policyBindings/{policy_binding_id}` * `pro jects/{project_number}/locations/{location}/policyBindings/{policy_bindi ng_id}` * `folders/{folder_id}/locations/{location}/policyBindings/{poli cy_binding_id}` * `organizations/{organization_id}/locations/{location}/ policyBindings/{policy_binding_id}` policy: Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same organization. policyKind: Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind policyUid: Output only. The globally unique ID of the policy to be bound. target: Required. Immutable. The full resource name of the resource to which the policy will be bound. Immutable once set. uid: Output only. The globally unique ID of the policy binding. Assigned when the policy binding is created. updateTime: Output only. The time when the policy binding was most recently updated. c,\rSrSrSrSrSrSrSrSr Sr g ) 2GoogleIamV3PolicyBinding.PolicyKindValueValuesEnumiaTImmutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Values: POLICY_KIND_UNSPECIFIED: Unspecified policy kind; Not a valid state PRINCIPAL_ACCESS_BOUNDARY: Principal access boundary policy kind ACCESS: Access policy kind. Keep behind visibility label until Access Policy launch. TRUST_BOUNDARY: REGIONAL_ACCESS_BOUNDARY: Regional access boundary policy kind. Keep behind visibility label until Regional Access Boundary launch. rr r rErFrN) rrrrrPOLICY_KIND_UNSPECIFIEDPRINCIPAL_ACCESS_BOUNDARYACCESSTRUST_BOUNDARYREGIONAL_ACCESS_BOUNDARYrrrrPolicyKindValueValuesEnumrs%   ! FN rrr6cf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) )GoogleIamV3PolicyBinding.AnnotationsValueia/Optional. User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations Messages: AdditionalProperty: An additional property for a AnnotationsValue object. Fields: additionalProperties: Additional properties of type AnnotationsValue c`\rSrSrSr\R "S5r\R "S5rSr g)@!)..!( !!"89Z**Z:Z4&&'91=+$$%5q9)$$Q'*%%a(+   q !$   q !$   #&""#>B*##A&)  ! !"BB G&b!#$$R(*rrc`\rSrSrSr\R "S5r\R "S5rSr g)ria$The full resource name of the resource to which the policy will be bound. Immutable once set. Fields: principalSet: Immutable. The full resource name that's used for principal access boundary policy bindings. The principal set must be directly parented by the policy binding's parent or same as the parent if the target is a project, folder, or organization. Examples: * For bindings parented by an organization: * Organization: `//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID` * Workforce Identity: `//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID` * Workspace Identity: `//iam.googleapis.com/locations/global/workspace/WORKSPACE_ID` * For bindings parented by a folder: * Folder: `//cloudresourcemanager.googleapis.com/folders/FOLDER_ID` * For bindings parented by a project: * Project: * `//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER` * `//cloudresourcemanager.googleapis.com/projects/PROJECT_ID` * Workload Identity Pool: `//iam.googleapis.com/projects/PROJECT_NUMBER/locations/L OCATION/workloadIdentityPools/WORKLOAD_POOL_ID` resource: Immutable. The full resource name that's used for access policy bindings Examples: * Organization: `//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID` * Folder: `//cloudresourcemanager.googleapis.com/folders/FOLDER_ID` * Project: * `//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER` * `//cloudresourcemanager.googleapis.com/projects/PROJECT_ID` r r rN) rrrrrrr principalSetrrrrrrrs)<&&q),  " "1 %(rrc\rSrSrSr\R "S5"SS\R55r \R"SS5r \R"S5r \R"SS 5r\R"S 5r\R"S 5r\R"S 5r\R"S 5r\R"S5rSrg)riaAn IAM principal access boundary policy resource. Messages: AnnotationsValue: Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations Fields: annotations: Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations createTime: Output only. The time when the principal access boundary policy was created. details: Optional. The details for the principal access boundary policy. displayName: Optional. The description of the principal access boundary policy. Must be less than or equal to 63 characters. etag: Optional. The etag for the principal access boundary. If this is provided on update, it must match the server's etag. name: Identifier. The resource name of the principal access boundary policy. The following format is supported: `organizations/{organization_ id}/locations/{location}/principalAccessBoundaryPolicies/{policy_id}` uid: Output only. The globally unique ID of the principal access boundary policy. updateTime: Output only. The time when the principal access boundary policy was most recently updated. r6cf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) 9GoogleIamV3PrincipalAccessBoundaryPolicy.AnnotationsValueia/Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations Messages: AdditionalProperty: An additional property for a AnnotationsValue object. Fields: additionalProperties: Additional properties of type AnnotationsValue c`\rSrSrSr\R "S5r\R "S5rSr g)LGoogleIamV3PrincipalAccessBoundaryPolicy.AnnotationsValue.AdditionalPropertyirr r rNrrrrr?rrrr?r Tr#rNrArrrrrrrrr r /GoogleIamV3PrincipalAccessBoundaryPolicyDetailsrErFrGrHrIrJrN)rrrrrrrPrrBrr%rrrdetailsrrgr rrrrrrrrs6 !!"89Z**Z:Z4&&'91=+$$Q'*  " "#TVW X'%%a(+   q !$   q !$a #$$Q'*rrc`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) ri&aPrincipal access boundary policy details Fields: enforcementVersion: Optional. The version number (for example, `1` or `latest`) that indicates which permissions are able to be blocked by the policy. If empty, the PAB policy version will be set to the most recent version number at the time of the policy's creation. rules: Required. A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. r ,GoogleIamV3PrincipalAccessBoundaryPolicyRuler Tr#rN) rrrrrrrenforcementVersionr%rhrrrrrr&s1 !,,Q/  !OQR]a b%rrc\rSrSrSr"SS\R 5r\R"S5r \R"SS5r \R"SSS 9r S r g ) ri6aPrincipal access boundary policy rule that defines the resource boundary. Enums: EffectValueValuesEnum: Required. The access relationship of principals to the resources in this rule. Fields: description: Optional. The description of the principal access boundary policy rule. Must be less than or equal to 256 characters. effect: Required. The access relationship of principals to the resources in this rule. resources: Required. A list of Resource Manager resources. If a resource is listed in the rule, then the rule applies for that resource and its descendants. The number of resources in a policy is limited to 500 across all rules in the policy. The following resource types are supported: * Organizations, such as `//cloudresourcemanager.googleapis.com/organizations/123`. * Folders, such as `//cloudresourcemanager.googleapis.com/folders/123`. * Projects, such as `//cloudresourcemanager.googleapis.com/projects/123` or `//cloudresourcemanager.googleapis.com/projects/my-project-id`. c \rSrSrSrSrSrSrg)BGoogleIamV3PrincipalAccessBoundaryPolicyRule.EffectValueValuesEnumiNzRequired. The access relationship of principals to the resources in this rule. Values: EFFECT_UNSPECIFIED: Effect unspecified. ALLOW: Allows access to the resources in this rule. rr rNrrrrrrNrrrr r rETr#rN)rrrrrrrOrrrtr[r resourcesrrrrrr6sN. inn %%a(+   6 :&##A5)rrc\rSrSrSr"SS\R 5r\R"S5r \R"S5r \R"S5r \R"SS5r \R"S S 5r\R"S S 5r\R"S 5r\R$"S 5r\R$"S5rSrg)ri^aI`ServicePerimeter` describes a set of Google Cloud resources which can freely import and export data amongst themselves, but not export outside of the `ServicePerimeter`. If a request with a source within this `ServicePerimeter` has a target outside of the `ServicePerimeter`, the request will be blocked. Otherwise the request is allowed. There are two types of Service Perimeter - Regular and Bridge. Regular Service Perimeters cannot overlap, a single Google Cloud project or VPC network can only belong to a single regular Service Perimeter. Service Perimeter Bridges can contain only Google Cloud projects as members, a single Google Cloud project may belong to multiple Service Perimeter Bridges. Enums: PerimeterTypeValueValuesEnum: Perimeter type indicator. A single project or VPC network is allowed to be a member of single regular perimeter, but multiple service perimeter bridges. A project cannot be a included in a perimeter bridge without being included in regular perimeter. For perimeter bridges, the restricted service list as well as access level lists must be empty. Fields: description: Description of the `ServicePerimeter` and its use. Does not affect behavior. etag: Optional. An opaque identifier for the current version of the `ServicePerimeter`. This identifier does not follow any specific format. If an etag is not provided, the operation will be performed as if a valid etag is provided. name: Identifier. Resource name for the `ServicePerimeter`. Format: `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}`. The `service_perimeter` component must begin with a letter, followed by alphanumeric characters or `_`. After you create a `ServicePerimeter`, you cannot change its `name`. perimeterType: Perimeter type indicator. A single project or VPC network is allowed to be a member of single regular perimeter, but multiple service perimeter bridges. A project cannot be a included in a perimeter bridge without being included in regular perimeter. For perimeter bridges, the restricted service list as well as access level lists must be empty. spec: Proposed (or dry run) ServicePerimeter configuration. This configuration allows to specify and test ServicePerimeter configuration without enforcing actual access restrictions. Only allowed to be set when the "use_explicit_dry_run_spec" flag is set. status: Current ServicePerimeter configuration. Specifies sets of resources, restricted services and access levels that determine perimeter content and boundaries. title: Human readable title. Must be unique within the Policy. useExplicitDryRunSpec: Use explicit dry run spec flag. Ordinarily, a dry- run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry- run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. use_explicit_dry_run_spec must bet set to True if any of the fields in the spec are set to non- default values. weakenedForTesting: Indicates this Perimeter is intentionally weakened for Google internal testing. This will cause the Perimeter to accept non- prod P4 accounts as if they were prod accounts. c \rSrSrSrSrSrSrg)QGoogleIdentityAccesscontextmanagerV1ServicePerimeter.PerimeterTypeValueValuesEnumiaPerimeter type indicator. A single project or VPC network is allowed to be a member of single regular perimeter, but multiple service perimeter bridges. A project cannot be a included in a perimeter bridge without being included in regular perimeter. For perimeter bridges, the restricted service list as well as access level lists must be empty. Values: PERIMETER_TYPE_REGULAR: Regular Perimeter. When no value is specified, the perimeter uses this type. PERIMETER_TYPE_BRIDGE: Perimeter Bridge. rr rN)rrrrrPERIMETER_TYPE_REGULARPERIMETER_TYPE_BRIDGErrrrPerimeterTypeValueValuesEnumrs rrr r rErF:GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigrGrHrIrJrKrN)rrrrrrrOrrrtrgr r[ perimeterTyper%specstatustitlerQuseExplicitDryRunSpecweakenedForTestingrrrrrr^s;z Y^^ %%a(+   q !$   q !$%%&DaH-    \^_ `$  ! !"^`a b&    "%#003 --a0rrc\rSrSrSr\R "SSS9r\R"SSSS9r \R"SS SS9r \R "S SS9r \R "S SS9r \R"S S 5r Srg)ria)`ServicePerimeterConfig` specifies a set of Google Cloud resources that describe specific Service Perimeter configuration. Fields: accessLevels: A list of `AccessLevel` resource names that allow resources within the `ServicePerimeter` to be accessed from the internet. `AccessLevels` listed must be in the same policy as this `ServicePerimeter`. Referencing a nonexistent `AccessLevel` is a syntax error. If no `AccessLevel` names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: `"accessPolicies/MY_POLICY/accessLevels/MY_LEVEL"`. For Service Perimeter Bridge, must be empty. egressPolicies: List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge. ingressPolicies: List of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any Ingress Policy grants it. Must be empty for a perimeter bridge. resources: A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: `projects/{project_number}` VPC network format: `//compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}`. restrictedServices: Google Cloud services that are subject to the Service Perimeter restrictions. For example, if `storage.googleapis.com` is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. vpcAccessibleServices: Configuration for APIs allowed within Perimeter. r Tr#rr rrErFrGOGoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigVpcAccessibleServicesrHrN)rrrrrrr accessLevelsr%egressPoliciesingressPoliciesrrestrictedServicesvpcAccessibleServicesrrrrrrs@&&q48,))*rtuAEF.**+tvwCGH/##A5) ,,Q>#002CEFGrrc`\rSrSrSr\R "SSSS9r\R"S5r Sr g ) FGoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigApiOperationiaVIdentification for an API Operation. Fields: methodSelectors: API methods or permissions to allow. Method or permission must belong to the service specified by `service_name` field. A single MethodSelector entry with `*` specified for the `method` field will allow all methods AND permissions for the service specified in `service_name`. serviceName: The name of the API whose methods or permissions the IngressPolicy or EgressPolicy want to allow. A single ApiOperation with `service_name` field set to `*` will allow all methods AND permissions for all services. HGoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigMethodSelectorr Tr#r rN) rrrrrrr%methodSelectorsr serviceNamerrrrrrs7 **+uwxDHI/%%a(+rrc\rSrSrSr"SS\R 5r"SS\R 5r\R"SSS 9r \R"SS 5r \R"SS 5r \R"S S SS 9rSrg)DGoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigEgressFromiaDefines the conditions under which an EgressPolicy matches a request. Conditions based on information about the source of the request. Note that if the destination of the request is also protected by a ServicePerimeter, then that ServicePerimeter must have an IngressPolicy which allows access in order for this request to succeed. Enums: IdentityTypeValueValuesEnum: Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of `identities` field will be allowed access. SourceRestrictionValueValuesEnum: Whether to enforce traffic restrictions based on `sources` field. If the `sources` fields is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`. Fields: identities: A list of identities that are allowed access through [EgressPolicy]. Identities can be an individual user, service account, Google group, or third-party identity. For third-party identity, only single identities are supported and other identity types are not supported. The `v1` identities that have the prefix `user`, `group`, `serviceAccount`, and `principal` in https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported. identityType: Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of `identities` field will be allowed access. sourceRestriction: Whether to enforce traffic restrictions based on `sources` field. If the `sources` fields is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`. sources: Sources that this EgressPolicy authorizes access from. If this field is not empty, then `source_restriction` must be set to `SOURCE_RESTRICTION_ENABLED`. c(\rSrSrSrSrSrSrSrSr g) `GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigEgressFrom.IdentityTypeValueValuesEnumiaSpecifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of `identities` field will be allowed access. Values: IDENTITY_TYPE_UNSPECIFIED: No blanket identity group specified. ANY_IDENTITY: Authorize access from all identities outside the perimeter. ANY_USER_ACCOUNT: Authorize access from all human users outside the perimeter. ANY_SERVICE_ACCOUNT: Authorize access from all service accounts outside the perimeter. rr r rErN rrrrrIDENTITY_TYPE_UNSPECIFIED ANY_IDENTITYANY_USER_ACCOUNTANY_SERVICE_ACCOUNTrrrrIdentityTypeValueValuesEnumr  !"Lrrc$\rSrSrSrSrSrSrSrg)eGoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigEgressFrom.SourceRestrictionValueValuesEnumi(aVWhether to enforce traffic restrictions based on `sources` field. If the `sources` fields is non-empty, then this field must be set to `SOURCE_RESTRICTION_ENABLED`. Values: SOURCE_RESTRICTION_UNSPECIFIED: Enforcement preference unspecified, will not enforce traffic restrictions based on `sources` in EgressFrom. SOURCE_RESTRICTION_ENABLED: Enforcement preference enabled, traffic restrictions will be enforced based on `sources` in EgressFrom. SOURCE_RESTRICTION_DISABLED: Enforcement preference disabled, will not enforce traffic restrictions based on `sources` in EgressFrom. rr r rN) rrrrrSOURCE_RESTRICTION_UNSPECIFIEDSOURCE_RESTRICTION_ENABLEDSOURCE_RESTRICTION_DISABLEDrrrr SourceRestrictionValueValuesEnumr(s &'"!""#rrr Tr#r rEFGoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigEgressSourcerFrN)rrrrrrrOrrr identitiesr[ identityTypesourceRestrictionr%sourcesrrrrrrsz DINN&$$"$$Q6*$$%BAF,))*LaP  " "#kmny} ~'rrc\rSrSrSr\R "SS5r\R "SS5r\R"S5r Sr g ) ri?a9Policy for egress from perimeter. EgressPolicies match requests based on `egress_from` and `egress_to` stanzas. For an EgressPolicy to match, both `egress_from` and `egress_to` stanzas must be matched. If an EgressPolicy matches a request, the request is allowed to span the ServicePerimeter boundary. For example, an EgressPolicy can be used to allow VMs on networks within the ServicePerimeter to access a defined set of projects outside the perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket or query against a BigQuery dataset). EgressPolicies are concerned with the *resources* that a request relates as well as the API services and API actions being used. They do not related to the direction of data movement. More detailed documentation for this concept can be found in the descriptions of EgressFrom and EgressTo. Fields: egressFrom: Defines conditions on the source of a request causing this EgressPolicy to apply. egressTo: Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply. title: Optional. Human-readable title for the egress rule. The title must be unique within the perimeter and can not exceed 100 characters. Within the access policy, the combined length of all rule titles must not exceed 240,000 characters. rr BGoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigEgressTor rErN) rrrrrrr% egressFromegressTorrrrrrrr?sA0%%&lnop*  # #$hjk l(    "%rrc\rSrSrSr\R "S5r\R"SS5r \R "S5r Sr g) ri]aThe source that EgressPolicy authorizes access from inside the ServicePerimeter to somewhere outside the ServicePerimeter boundaries. Fields: accessLevel: An AccessLevel resource name that allows protected resources inside the ServicePerimeters to access outside the ServicePerimeter boundaries. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If an AccessLevel name is not specified, only resources within the perimeter can be accessed through Google Cloud calls with request origins within the perimeter. Example: `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL`. If a single `*` is specified for `access_level`, then all EgressSources will be allowed. pscEndpoint: Requests from this PSC will be allowed from access perimeter data. resource: A Google Cloud resource from the service perimeter that you want to allow to access data outside the perimeter. This field supports only projects. The project format is `projects/{project_number}`. You can't use `*` in this field to allow all Google Cloud resources. r WGoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigPrivateServiceConnectEndpointr rErN rrrrrrr accessLevelr% pscEndpointrrrrrrr]sG*%%a(+&&(ACDE+  " "1 %(rrc\rSrSrSr\R "SSS9r\R"SSSS9r \R "SSS9r \R "S SS9r S r g ) rixaDefines the conditions under which an EgressPolicy matches a request. Conditions are based on information about the ApiOperation intended to be performed on the `resources` specified. Note that if the destination of the request is also protected by a ServicePerimeter, then that ServicePerimeter must have an IngressPolicy which allows access in order for this request to succeed. The request must match `operations` AND `resources` fields in order to be allowed egress out of the perimeter. Fields: externalResources: A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported formats are s3://BUCKET_NAME, s3a://BUCKET_NAME, and s3n://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed. operations: A list of ApiOperations allowed to be performed by the sources specified in the corresponding EgressFrom. A request matches if it uses an operation/service in this list. resources: A list of resources, currently only projects in the form `projects/`, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If `*` is specified for `resources`, then this EgressTo rule will authorize access to all resources outside the perimeter. roles: IAM roles that represent the set of operations that the sources specified in the corresponding EgressFrom. are allowed to perform in this ServicePerimeter. r Tr#rr rErFrN) rrrrrrrexternalResourcesr% operationsrrolesrrrrrrxs^: ++A=%%&npq}AB*##A5)   D 1%rrc\rSrSrSr"SS\R 5r\R"SSS9r \R"SS5r \R"S S SS9r S rg ) EGoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigIngressFromiaDefines the conditions under which an IngressPolicy matches a request. Conditions are based on information about the source of the request. The request must satisfy what is defined in `sources` AND identity related fields in order to match. Enums: IdentityTypeValueValuesEnum: Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of `identities` field will be allowed access. Fields: identities: A list of identities that are allowed access through [IngressPolicy]. Identities can be an individual user, service account, Google group, or third-party identity. For third-party identity, only single identities are supported and other identity types are not supported. The `v1` identities that have the prefix `user`, `group`, `serviceAccount`, and `principal` in https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported. identityType: Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of `identities` field will be allowed access. sources: Sources that this IngressPolicy authorizes access from. c(\rSrSrSrSrSrSrSrSr g) aGoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigIngressFrom.IdentityTypeValueValuesEnumiaSpecifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of `identities` field will be allowed access. Values: IDENTITY_TYPE_UNSPECIFIED: No blanket identity group specified. ANY_IDENTITY: Authorize access from all identities outside the perimeter. ANY_USER_ACCOUNT: Authorize access from all human users outside the perimeter. ANY_SERVICE_ACCOUNT: Authorize access from all service accounts outside the perimeter. rr r rErNrrrrrrrrrr Tr#r GGoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigIngressSourcerErN)rrrrrrrOrrrr[rr%rrrrrrrsU2INN&$$Q6*$$%BAF,  " "#lnoz~ 'rrc\rSrSrSr\R "SS5r\R "SS5r\R"S5r Sr g ) riaPolicy for ingress into ServicePerimeter. IngressPolicies match requests based on `ingress_from` and `ingress_to` stanzas. For an ingress policy to match, both the `ingress_from` and `ingress_to` stanzas must be matched. If an IngressPolicy matches a request, the request is allowed through the perimeter boundary from outside the perimeter. For example, access from the internet can be allowed either based on an AccessLevel or, for traffic hosted on Google Cloud, the project of the source network. For access from private networks, using the project of the hosting network is required. Individual ingress policies can be limited by restricting which services and/or actions they match using the `ingress_to` field. Fields: ingressFrom: Defines the conditions on the source of a request causing this IngressPolicy to apply. ingressTo: Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply. title: Optional. Human-readable title for the ingress rule. The title must be unique within the perimeter and can not exceed 100 characters. Within the access policy, the combined length of all rule titles must not exceed 240,000 characters. rr CGoogleIdentityAccesscontextmanagerV1ServicePerimeterConfigIngressTor rErN) rrrrrrr% ingressFrom ingressTorrrrrrrrsA,&&'npqr+$$%jlmn)    "%rrc\rSrSrSr\R "S5r\R"SS5r \R "S5r Sr g) riaThe source that IngressPolicy authorizes access from. Fields: accessLevel: An AccessLevel resource name that allow resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL`. If a single `*` is specified for `access_level`, then all IngressSources will be allowed. pscEndpoint: Requests from this PSC will be allowed to access perimeter data. resource: A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects and VPCs are allowed. Project format: `projects/{project_number}` VPC network format: `//compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}`. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. `*` is not allowed, the case of allowing all Google Cloud resources only is not supported. r rr rErNrrrrrrsG.%%a(+&&(ACDE+  " "1 %(rrc\rSrSrSr\R "SSSS9r\R"SSS9r \R"SSS9r S r g ) riaDefines the conditions under which an IngressPolicy matches a request. Conditions are based on information about the ApiOperation intended to be performed on the target resource of the request. The request must satisfy what is defined in `operations` AND `resources` in order to match. Fields: operations: A list of ApiOperations allowed to be performed by the sources specified in corresponding IngressFrom in this ServicePerimeter. resources: A list of resources, currently only projects in the form `projects/`, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single `*` is specified, then access to all resources inside the perimeter are allowed. roles: IAM roles that represent the set of operations that the sources specified in the corresponding IngressFrom are allowed to perform in this ServicePerimeter. rr Tr#r rErN) rrrrrrr%rrrrrrrrrrsK$%%&npq}AB*##A5)   D 1%rrc`\rSrSrSr\R "S5r\R "S5rSr g)rianAn allowed method or permission of a service specified in ApiOperation. Fields: method: A valid method name for the corresponding `service_name` in ApiOperation. If `*` is used as the value for the `method`, then ALL methods and permissions are allowed. permission: A valid Cloud IAM permission for the corresponding `service_name` in ApiOperation. r r rN) rrrrrrrmethodrrrrrrrs)   #&$$Q'*rrc<\rSrSrSr\R "S5rSrg)ri.zSpecifies the PSC an API call refers to. Fields: forwardingRule: The global forwarding rule identifier. Forwarding rule format: `//compute.googleapis.com/projects/{PROJECT_ID}/global/forwardin gRules/{FORWARDING_RULE_ID}`. r rN) rrrrrrrforwardingRulerrrrrr.s((+.rrc^\rSrSrSr\R "SSS9r\R"S5r Sr g) ri:aSpecifies how APIs are allowed to communicate within the Service Perimeter. Fields: allowedServices: The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED- SERVICES' value, which automatically includes all of the services protected by the perimeter. enableRestriction: Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'. r Tr#r rN) rrrrrrrallowedServicesrQenableRestrictionrrrrrr:s, ))!d;/,,Q/rrcl\rSrSrSr"SS\R 5r"SS\R 5r\R"S5r \R"S5r \R"S 5r \R"SS 5r\R"SS 5r\R""S S SS9r\R"S5rSrg)riLa/`SupportedService` specifies the VPC Service Controls and its properties. Enums: ServiceSupportStageValueValuesEnum: The support stage of the service. SupportStageValueValuesEnum: The support stage of the service. Fields: availableOnRestrictedVip: True if the service is available on the restricted VIP. Services on the restricted VIP typically either support VPC Service Controls or are core infrastructure services required for the functioning of Google Cloud. knownLimitations: True if the service is supported with some limitations. Check [documentation](https://cloud.google.com/vpc-service- controls/docs/supported-products) for details. name: The service name or address of the supported service, such as `service.googleapis.com`. serviceSupportStage: The support stage of the service. supportStage: The support stage of the service. supportedMethods: The list of the supported methods. This field exists only in response to GetSupportedService title: The name of the supported product, such as 'Cloud Product API'. c(\rSrSrSrSrSrSrSrSr g) WGoogleIdentityAccesscontextmanagerV1SupportedService.ServiceSupportStageValueValuesEnumieaThe support stage of the service. Values: SERVICE_SUPPORT_STAGE_UNSPECIFIED: Do not use this default value. GA: GA features are open to all developers and are considered stable and fully qualified for production use. PREVIEW: PREVIEW indicates a pre-release stage where the product is functionally complete but undergoing real-world testing. DEPRECATED: Deprecated features are scheduled to be shut down and removed. rr r rErN) rrrrr!SERVICE_SUPPORT_STAGE_UNSPECIFIEDGAPREVIEW DEPRECATEDrrrr"ServiceSupportStageValueValuesEnumres )*% BGJrr c8\rSrSrSrSrSrSrSrSr Sr S r S r S r g ) PGoogleIdentityAccesscontextmanagerV1SupportedService.SupportStageValueValuesEnumivaThe support stage of the service. Values: LAUNCH_STAGE_UNSPECIFIED: Do not use this default value. UNIMPLEMENTED: The feature is not yet implemented. Users can not use it. PRELAUNCH: Prelaunch features are hidden from users and are only visible internally. EARLY_ACCESS: Early Access features are limited to a closed group of testers. To use these features, you must sign up in advance and sign a Trusted Tester agreement (which includes confidentiality provisions). These features may be unstable, changed in backward-incompatible ways, and are not guaranteed to be released. ALPHA: Alpha is a limited availability test for releases before they are cleared for widespread use. By Alpha, all significant design issues are resolved and we are in the process of verifying functionality. Alpha customers need to apply for access, agree to applicable terms, and have their projects allowlisted. Alpha releases don't have to be feature complete, no SLAs are provided, and there are no technical support obligations, but they will be far enough along that customers can actually use them in test environments or for limited-use tests -- just like they would in normal production cases. BETA: Beta is the point at which we are ready to open a release for any customer to use. There are no SLA or technical support obligations in a Beta release. Products will be complete from a feature perspective, but may have some open outstanding issues. Beta releases are suitable for limited production use cases. GA: GA features are open to all developers and are considered stable and fully qualified for production use. DEPRECATED: Deprecated features are scheduled to be shut down and removed. For more information, see the "Deprecation Policy" section of our [Terms of Service](https://cloud.google.com/terms/) and the [Google Cloud Platform Subject to the Deprecation Policy](https://cloud.google.com/terms/deprecation) documentation. rr r rErFrGrHrIrN)rrrrrLAUNCH_STAGE_UNSPECIFIED UNIMPLEMENTED PRELAUNCH EARLY_ACCESSALPHABETAr r rrrrSupportStageValueValuesEnumrvs3!D !MIL E D BJrrr r rErFrGrrHTr#rIrN)rrrrrrrOr rrQavailableOnRestrictedVipknownLimitationsrr r[serviceSupportStage supportStager%supportedMethodsrrrrrrrLs09>>"*INN*X'33A6++A.   q !$!++,PRST$$%BAF,++,vxyEIJ    "%rrc\rSrSrSr\R "S5"SS\R55r \R"S\RRS9r \R"SSS S 9r\R "S 5rS rg )riaThe `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). Messages: DetailsValueListEntry: A DetailsValueListEntry object. Fields: code: The status code, which should be an enum value of google.rpc.Code. details: A list of messages that carry the error details. There is a common set of message types for APIs to use. message: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. r6cf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) %GoogleRpcStatus.DetailsValueListEntryizA DetailsValueListEntry object. Messages: AdditionalProperty: An additional property for a DetailsValueListEntry object. Fields: additionalProperties: Properties of the object. Contains field @type with type URL. cb\rSrSrSr\R "S5r\R"SS5r Sr g)8GoogleRpcStatus.DetailsValueListEntry.AdditionalPropertyizAn additional property for a DetailsValueListEntry object. Fields: key: Name of the additional property. value: A extra_types.JsonValue attribute. r r=r rNr>rrrr?r r@rr?r Tr#rNrArrrDetailsValueListEntryrrDrr!r r r Tr#rErN)rrrrrrrPrrBr!rrrcoder%rrmessagerrrrrrs|& !!"89Zi//Z:Z2   9+<+<+B+B C$  " "#:A M'  ! !! $'rrc\rSrSrSr\R "S5r\R "S5r\R "S5r \R "S5r Sr g) riaqRepresents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Fields: description: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. expression: Textual representation of an expression in Common Expression Language syntax. location: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. title: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. r r rErFrN) rrrrrrrrt expressionlocationrrrrrrrsI:%%a(+$$Q'*  " "1 %(    "%rrcj\rSrSrSr"SS\R 5r\R"S5"SS\R55r \R"S5"SS \R55r \R"S5"S S \R55r \R"SS 5r\R "S S5r\R "SS5r\R&"S5r\R "SS5r\R "S S5r\R "S S5r\R&"S5rSrg)riaExplanation of access level, including the original access level defined by customers, evaluation results and metadata NextTAG: 12 Enums: AccessLevelStateValueValuesEnum: Evaluation state of an access level Messages: NodeMapValue: Map between node.id and cel node Node id: Expr.id (google/api/expr/syntax.proto) NodeNegTroubleshootingMetadataMapValue: Map between node.id and troubleshooting metadata of this node when the state of this access level is expected to be not_granted NodePosTroubleshootingMetadataMapValue: Map between node.id and troubleshooting metadata of this node when the state of this access level is expected to be granted Fields: accessLevelState: Evaluation state of an access level basicLevelExplanation: A IdentityCaaIntelFrontendBasicLevelExplanation attribute. customLevelExplanation: A IdentityCaaIntelFrontendCustomLevelExplanation attribute. name: Resource name for the Access Level. Format: `accessPolicies/{policy_id}/accessLevels/{short_name}` nodeMap: Map between node.id and cel node Node id: Expr.id (google/api/expr/syntax.proto) nodeNegTroubleshootingMetadataMap: Map between node.id and troubleshooting metadata of this node when the state of this access level is expected to be not_granted nodePosTroubleshootingMetadataMap: Map between node.id and troubleshooting metadata of this node when the state of this access level is expected to be granted title: Access Level's title c,\rSrSrSrSrSrSrSrSr Sr g ) NIdentityCaaIntelFrontendAccessLevelExplanation.AccessLevelStateValueValuesEnumi&aEvaluation state of an access level Values: ACCESS_LEVEL_STATE_UNSPECIFIED: Reserved ACCESS_LEVEL_STATE_GRANTED: The access level state is granted ACCESS_LEVEL_STATE_NOT_GRANTED: The access level state is not granted ACCESS_LEVEL_STATE_ERROR: Encounter error when evaluating this access level. Note that such error is on the critical path that blocks the evaluation; e.g. False || -> ACCESS_LEVEL_STATE_NOT_GRANTED True && -> ACCESS_LEVEL_STATE_ERROR ACCESS_LEVEL_NOT_EXIST: The access level doesn't exist rr r rErFrN) rrrrrACCESS_LEVEL_STATE_UNSPECIFIEDACCESS_LEVEL_STATE_GRANTEDACCESS_LEVEL_STATE_NOT_GRANTEDACCESS_LEVEL_STATE_ERRORACCESS_LEVEL_NOT_EXISTrrrrAccessLevelStateValueValuesEnumr)&s' &'"!"%&" rr/r6cf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) ;IdentityCaaIntelFrontendAccessLevelExplanation.NodeMapValuei9zMap between node.id and cel node Node id: Expr.id (google/api/expr/syntax.proto) Messages: AdditionalProperty: An additional property for a NodeMapValue object. Fields: additionalProperties: Additional properties of type NodeMapValue cb\rSrSrSr\R "S5r\R"SS5r Sr g)NIdentityCaaIntelFrontendAccessLevelExplanation.NodeMapValue.AdditionalPropertyiEzAn additional property for a NodeMapValue object. Fields: key: Name of the additional property. value: A IdentityCaaIntelFrontendCelNode attribute. r IdentityCaaIntelFrontendCelNoder rNr>rrrr?r3Es,   ! !! $c$$%FJerr?r Tr#rNrArrr NodeMapValuer19s4 KY.. K%112FTXYrr5cf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) UIdentityCaaIntelFrontendAccessLevelExplanation.NodeNegTroubleshootingMetadataMapValueiRa[Map between node.id and troubleshooting metadata of this node when the state of this access level is expected to be not_granted Messages: AdditionalProperty: An additional property for a NodeNegTroubleshootingMetadataMapValue object. Fields: additionalProperties: Additional properties of type NodeNegTroubleshootingMetadataMapValue cb\rSrSrSr\R "S5r\R"SS5r Sr g)hIdentityCaaIntelFrontendAccessLevelExplanation.NodeNegTroubleshootingMetadataMapValue.AdditionalPropertyi`zAn additional property for a NodeNegTroubleshootingMetadataMapValue object. Fields: key: Name of the additional property. value: A IdentityCaaIntelFrontendTroubleshootingMetadata attribute. r /IdentityCaaIntelFrontendTroubleshootingMetadatar rNr>rrrr?r9`-   ! !! $c$$%VXYZerr?r Tr#rNrArrr&NodeNegTroubleshootingMetadataMapValuer7R4  [Y.. [%112FTXYrr<cf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) UIdentityCaaIntelFrontendAccessLevelExplanation.NodePosTroubleshootingMetadataMapValueinaWMap between node.id and troubleshooting metadata of this node when the state of this access level is expected to be granted Messages: AdditionalProperty: An additional property for a NodePosTroubleshootingMetadataMapValue object. Fields: additionalProperties: Additional properties of type NodePosTroubleshootingMetadataMapValue cb\rSrSrSr\R "S5r\R"SS5r Sr g)hIdentityCaaIntelFrontendAccessLevelExplanation.NodePosTroubleshootingMetadataMapValue.AdditionalPropertyi|zAn additional property for a NodePosTroubleshootingMetadataMapValue object. Fields: key: Name of the additional property. value: A IdentityCaaIntelFrontendTroubleshootingMetadata attribute. r r:r rNr>rrrr?rA|r;rr?r Tr#rNrArrr&NodePosTroubleshootingMetadataMapValuer?nr=rrBr -IdentityCaaIntelFrontendBasicLevelExplanationr .IdentityCaaIntelFrontendCustomLevelExplanationrErFrGrHrIrJrN)rrrrrrrOr/rrPrBr5r<rBr[accessLevelStater%basicLevelExplanationcustomLevelExplanationrr nodeMap!nodeNegTroubleshootingMetadataMap!nodePosTroubleshootingMetadataMaprrrrrrrsD!F & !!"89ZY&&Z:Z0 !!"89Zy/@/@Z:Z6 !!"89Zy/@/@Z:Z6(()JAN#001`bcd$112bdef   q !$  " ">1 5'&/&<&<=egh&i#&/&<&<=egh&i#    "%rrc\rSrSrSr\R "S5"SS\R55r \R"SS5r Sr g) rCizThe Explanation of a Basic Level, which contains the explanation in Struct NextTAG: 2 Messages: ExplanationValue: A ExplanationValue object. Fields: explanation: A ExplanationValue attribute. r6cf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) >IdentityCaaIntelFrontendBasicLevelExplanation.ExplanationValueizA ExplanationValue object. Messages: AdditionalProperty: An additional property for a ExplanationValue object. Fields: additionalProperties: Properties of the object. cb\rSrSrSr\R "S5r\R"SS5r Sr g)QIdentityCaaIntelFrontendBasicLevelExplanation.ExplanationValue.AdditionalPropertyizAn additional property for a ExplanationValue object. Fields: key: Name of the additional property. value: A extra_types.JsonValue attribute. r r=r rNr>rrrr?rOr@rr?r Tr#rNrArrrExplanationValuerMs4 AY.. A%112FTXYrrPr rN) rrrrrrrPrrBrPr% explanationrrrrrCrCsL !!"89Z**Z:Z0&&'91=+rrCc\rSrSrSr\R "S\RRS9r \R"SSSS9r \R "S \RRS9r S r g ) r4iavCel node, including evaluation results and metadata NextTAG: 7 Fields: endPosition: Optional, it exists if it is CustomLevel Access Level. End position of an expression in the original condition, by character, end included nodeValues: Repeated as one node id may correspond to multiple evaluation values. e.g.in comprehension expr, [1,2,3].all(x, x > 0), call_expr "_>_" has 3 values corresponding to the evaluation of list values individually sequentially startPosition: Optional, it exists if it is CustomLevel Access Level. Start position of an expression in the original condition, by character r r !IdentityCaaIntelFrontendNodeValuer Tr#rErN)rrrrrrrrr endPositionr% nodeValues startPositionrrrrr4r4s[ &&q)2C2C2I2IJ+%%&I1W[\*((I4E4E4K4KL-rr4cb\rSrSrSr\R "SS5r\R"S5r Sr g)rDizThe Explanation of a Custom Level, which contains the original cel expression and the custom level explanation tree NextTAG: 3 Fields: explanation: Custom Level Explanation Tree expression: The raw cel expression from customers 'IdentityCaaIntelFrontendCustomLevelNoder r rN) rrrrrrr%rQrr%rrrrrDrDs-&&'PRST+$$Q'*rrDc\rSrSrSr"SS\R 5r\R"S5r \R"SS5r \R"SSSS 9r S rg ) rXiaCustom Level Node Tree for the Logical Expression Tree NextTAG: 4 Enums: NodeTypeValueValuesEnum: Node type, indicate if it's an expression or AND/OR/NOT Logical Operator Node Fields: nodeId: Node id, used to map to its NodeValue and Troubleshooting metadata nodeType: Node type, indicate if it's an expression or AND/OR/NOT Logical Operator Node nodes: Child nodes c,\rSrSrSrSrSrSrSrSr Sr g ) ?IdentityCaaIntelFrontendCustomLevelNode.NodeTypeValueValuesEnumiaINode type, indicate if it's an expression or AND/OR/NOT Logical Operator Node Values: CUSTOM_LEVEL_NODE_UNSPECIFIED: Reserved CUSTOM_LEVEL_NODE_EXPRESSION: Custom level Expression node CUSTOM_LEVEL_NODE_AND: Custom level AND node CUSTOM_LEVEL_NODE_OR: Custom level OR node CUSTOM_LEVEL_NODE_NOT: Custom level NOT node rr r rErFrN) rrrrrCUSTOM_LEVEL_NODE_UNSPECIFIEDCUSTOM_LEVEL_NODE_EXPRESSIONCUSTOM_LEVEL_NODE_ANDCUSTOM_LEVEL_NODE_ORCUSTOM_LEVEL_NODE_NOTrrrrNodeTypeValueValuesEnumr[s' %&!#$ rrar r rETr#rN)rrrrrrrOrarnodeIdr[nodeTyper%nodesrrrrrXrXsR  "  ! !! $&  !:A >(  !JAX\ ]%rrXc*\rSrSrSr"SS\R 5r"SS\R 5r"SS\R 5r \R"SS S S 9r \R"SS 5r \R"SS S S 9r \R"SS5rSrg)rSiaEvaluation result of a cel AST node NextTAG: 7 Enums: CriticalNodeErrorsValueListEntryValuesEnum: NodeStateValueValuesEnum: Evaluation state of this node NonCriticalNodeErrorsValueListEntryValuesEnum: Fields: criticalNodeErrors: The errors included depend on the context. It is applicable when node_state is NODE_STATE_ERROR nodeState: Evaluation state of this node nonCriticalNodeErrors: The errors included depend on the context. Note: ACCESS_LEVEL_STATE_GRANTED/ACCESS_LEVEL_STATE_NOT_GRANTED access levels may have non_critical_node_errors errors underneath that don't block the evaluation. value: Evaluation result of this node, It is applicable when node_state is NODE_STATE_NORMAL. cX\rSrSrSrSrSrSrSrSr Sr S r S r S r S rS rSrSrSrSrSrSrg)LIdentityCaaIntelFrontendNodeValue.CriticalNodeErrorsValueListEntryValuesEnumiaCriticalNodeErrorsValueListEntryValuesEnum enum type. Values: NODE_ERROR_UNSPECIFIED: Reserved NODE_ERROR_INTERNAL_ERROR: Internal error If there is no matching error below, use it by default NODE_ERROR_DEVICE_NOT_FOUND: Device not found NODE_ERROR_DEVICE_STALE: Device is out of sync NODE_ERROR_DEVICE_CROSS_ORG: It is a cross-org device NODE_ERROR_DEVICE_INFO_NOT_AUTHORIZED: Caller doesn't have permission to device info NODE_ERROR_INVALID_SOURCE_IP: Source ip is not valid, from inIpRange function NODE_ERROR_INVALID_IP_SUBNETS: Ip subnets are not valid, from inIpRange function NODE_ERROR_INVALID_DEVICE_VERSION: Device min verion is not valid, from versionAtLeast function NODE_ERROR_NO_MATCHING_OVERLOADED_FUNC: Expr error from a supported function type with invalid parameters e.g. 1 == true NODE_ERROR_AUTH_SESSION_INFO_NOT_AUTHORIZED: Caller doesn't have permission to auth session info NODE_ERROR_NO_BCE_LICENSE: User is not assigned a BCE license. NODE_ERROR_INVALID_NETWORK: The network in the list for `in_vpc_network` is not valid. NODE_ERROR_UNRECOGNIZED_NETWORK: The network in the request for `in_vpc_network` is missing. NODE_ERROR_UNMATCHED_NETWORK_PROJECT: The network project in the request for `in_vpc_network` does not match with the project in policy. NODE_ERROR_UNRECOGNIZED_NETWORK_PROJECT: The network project in the request for `in_vpc_network` is missing. TODO(b/382592764) Add support for NODE_ERROR_UNKNOWN_REGION rr r rErFrGrHrIrJrKrLrMrNrrNrrrrrNODE_ERROR_UNSPECIFIEDNODE_ERROR_INTERNAL_ERRORNODE_ERROR_DEVICE_NOT_FOUNDNODE_ERROR_DEVICE_STALENODE_ERROR_DEVICE_CROSS_ORG%NODE_ERROR_DEVICE_INFO_NOT_AUTHORIZEDNODE_ERROR_INVALID_SOURCE_IPNODE_ERROR_INVALID_IP_SUBNETS!NODE_ERROR_INVALID_DEVICE_VERSION&NODE_ERROR_NO_MATCHING_OVERLOADED_FUNC+NODE_ERROR_AUTH_SESSION_INFO_NOT_AUTHORIZEDNODE_ERROR_NO_BCE_LICENSENODE_ERROR_INVALID_NETWORKNODE_ERROR_UNRECOGNIZED_NETWORK$NODE_ERROR_UNMATCHED_NETWORK_PROJECT'NODE_ERROR_UNRECOGNIZED_NETWORK_PROJECTrrrr*CriticalNodeErrorsValueListEntryValuesEnumrgj@ !"#"#,-)#$ $%!()%-.*24/ "!#&(#+-(.0+rr{c$\rSrSrSrSrSrSrSrg):IdentityCaaIntelFrontendNodeValue.NodeStateValueValuesEnumiFaEvaluation state of this node Values: NODE_STATE_UNSPECIFIED: Reserved NODE_STATE_NORMAL: The node state is normal, which means the evaluation of this node succeeds However, it doesn't mean the evaluated result is a boolean value. NODE_STATE_ERROR: Encounter error when evaluating the result of this node. Only return error if it is in the critical path of evaluation. For example, `( || true) && ` -> ``, ` || true` -> `true` `.foo` -> `` `foo()` -> `` ` + 1` -> `` rr r rN) rrrrrNODE_STATE_UNSPECIFIEDNODE_STATE_NORMALNODE_STATE_ERRORrrrrNodeStateValueValuesEnumr~Fs rrcX\rSrSrSrSrSrSrSrSr Sr S r S r S r S rS rSrSrSrSrSrSrg)OIdentityCaaIntelFrontendNodeValue.NonCriticalNodeErrorsValueListEntryValuesEnumiWaNonCriticalNodeErrorsValueListEntryValuesEnum enum type. Values: NODE_ERROR_UNSPECIFIED: Reserved NODE_ERROR_INTERNAL_ERROR: Internal error If there is no matching error below, use it by default NODE_ERROR_DEVICE_NOT_FOUND: Device not found NODE_ERROR_DEVICE_STALE: Device is out of sync NODE_ERROR_DEVICE_CROSS_ORG: It is a cross-org device NODE_ERROR_DEVICE_INFO_NOT_AUTHORIZED: Caller doesn't have permission to device info NODE_ERROR_INVALID_SOURCE_IP: Source ip is not valid, from inIpRange function NODE_ERROR_INVALID_IP_SUBNETS: Ip subnets are not valid, from inIpRange function NODE_ERROR_INVALID_DEVICE_VERSION: Device min verion is not valid, from versionAtLeast function NODE_ERROR_NO_MATCHING_OVERLOADED_FUNC: Expr error from a supported function type with invalid parameters e.g. 1 == true NODE_ERROR_AUTH_SESSION_INFO_NOT_AUTHORIZED: Caller doesn't have permission to auth session info NODE_ERROR_NO_BCE_LICENSE: User is not assigned a BCE license. NODE_ERROR_INVALID_NETWORK: The network in the list for `in_vpc_network` is not valid. NODE_ERROR_UNRECOGNIZED_NETWORK: The network in the request for `in_vpc_network` is missing. NODE_ERROR_UNMATCHED_NETWORK_PROJECT: The network project in the request for `in_vpc_network` does not match with the project in policy. NODE_ERROR_UNRECOGNIZED_NETWORK_PROJECT: The network project in the request for `in_vpc_network` is missing. TODO(b/382592764) Add support for NODE_ERROR_UNKNOWN_REGION rr r rErFrGrHrIrJrKrLrMrNrrhrirNrjrrr-NonCriticalNodeErrorsValueListEntryValuesEnumrWr|rrr Tr#r rEr"rFrN)rrrrrrrOr{rrr[criticalNodeErrors nodeStatenonCriticalNodeErrorsr%rrrrrrSrSs&019>>01d"01inn01d!**+WYZeij!!"" to include in api requests. uploadType: Legacy upload protocol for media (e.g. "media", "multipart"). upload_protocol: Upload protocol for media (e.g. "raw", "multipart"). c$\rSrSrSrSrSrSrSrg)*StandardQueryParameters.AltValueValuesEnumizData format for response. Values: json: Responses with Content-Type of application/json media: Media download with context-dependent Content-Type proto: Responses with Content-Type of application/x-protobuf rr r rN) rrrrrjsonmediaprotorrrrAltValueValuesEnumrs D E Errc \rSrSrSrSrSrSrg)-StandardQueryParameters.FXgafvValueValuesEnumizFV1 error format. Values: _1: v1 error format _2: v2 error format rr rN)rrrrr_1_2rrrrFXgafvValueValuesEnumrs B Brrr r rEr)defaultrFrGrHrIrJTrKrLrMrNrN)rrrrrrrOrrr[f__xgafvr access_tokenaltcallbackfieldsr. oauth_tokenrQ prettyPrint quotaUsertrace uploadTypeupload_protocolrrrrrrs4 9>>  inn  !8! <(&&q),0!VD#  " "1 %(   #&a #%%a(+&&q$7+##A&)    #%$$R(*))"-/rrruinrz$.xgafvr1r2N)sr __future__rapitools.base.protorpcliterrapitools.base.pyrrpackagerBr r r(r*r"rcrqrrrrrrrrrrrrrrr)r:r2rrjr$rxrrrrrrrrrrrr"r.rWrir|rrrrrrr/rrrrrrrrr"rCrDrErVrFrfrdryr~rprrrrrrrrrrrrrrrrrrrrrrrrrCr4rDrXrSr:rAddCustomJsonFieldMappingAddCustomJsonEnumMappingrrrrrs '<%( ! EY.. EJY..J SI-- S :!2!2 :FM**FMRK)2C2CK[QZQbQb>[B6AiFWFW6ArHAIDUDUHAV .IL]L] .0tYM^M^0tf&wT]TeTe&wR?/)J[J[?/D$EyGXGX$EN.oV_VgVg.obhkT]TeTehkVQPYPaPaQ@<iW`WhWh<i~ikU^UfUfikX. HYHY.$e_h_p_pe@g`i`q`qg@ diN_N_ dHHYM^M^HHV'XaXiXi' 8YEVEV 8AY^g^o^oAYH [XaXiXi [ 2`i`q`q2LhajararLh^A]f]n]nA@%Y..%:!= 1 1!=HV"**V"r@39,,@3F R9,, R0KI,=,=0Kf$):):$6 #I4E4E #!=I,=,=!=HSG ))SGl28i''28j/I$5$5/>iE)++iEXN) ))N)b )I-- ){)y00{)| &Y%6%6 &F>(y/@/@>(B ci6G6G c %693D3D%6PU19;L;LU1p&GARAR&GR)YM^M^)&J9K\K\JZ#YM^M^#<&YM^M^&6!2IZIZ!2H/@IL]L]/@d#iN_N_#8&iN_N_&:2)J[J[20 (yO`O` ( ,^g^o^o ,0V_VgVg0$\#9;L;L\#~0%i''0%f!#Y&&!#HO#Y5F5FO#d$>I4E4E$>NMi&7&7M( (Y5F5F (!^i.?.?!^HL: (9(9L:^0_i6G6G0_f<.i//<.~ ""UD"""Z4!!114>!!114>r