vSrSSKJr SSKJr SSKJr SSKJr SSKJr SSS S .r S S S S .r Sr Sr \R"\RR5\R"SS\R 555r\R"\RR$5\R"SS\R 555r\R"\RR(5"SS\R 55rg)zCommand to query activities.)absolute_import)division)unicode_literals)policy_troubleshooter)basez%Troubleshoot the IAM Policy. z Performs a check on whether a principal is granted a permission on a resource and how that access is determined according to the resource's effective IAM policy interpretation. am To troubleshoot a permission of a principal on a resource, run: $ {command} //cloudresourcemanager.googleapis.com/projects/project-id --principal-email=my-iam-account@somedomain.com --permission=resourcemanager.projects.get See https://cloud.google.com/iam/help/allow-policies/overview for more information about IAM policies. )brief DESCRIPTIONEXAMPLESz2Troubleshoot IAM allow and deny policies. z Uses a resource's effective IAM allow policy and IAM deny policy to check whether a principal has a specific permission on the resource. aI The following command checks whether the principal ``my-user@example.com'' has the permission ``resourcemanager.projects.get'' on the project ``my-project'': $ {command} //cloudresourcemanager.googleapis.com/projects/my-project --principal-email=my-user@example.com --permission=resourcemanager.projects.get The following command checks whether the principal ``my-user@example.com'' has the ``compute.images.get'' permission on the project ``my-project''. The command also provides additional context that lets Troubleshooter evaluate conditional role bindings: $ {command} //cloudresourcemanager.googleapis.com/projects/my-project --principal-email=my-user@example.com --permission=compute.images.get --resource-name=//compute.googleapis.com/projects/my-project/zones/images/my-image' --resource-service='compute.googleapis.com' --resource-type='compute.googleapis.com/Image' --destination-ip='192.2.2.2'--destination-port=8080 --request-time='2023-01-01T00:00:00Z' cURSS[SS9 URSSS[SS 9 URS SS [S S 9 URS S[SS9 URSS[SS9 URSS[SS9 URSS[SS9 URSS[SS9 URSS[SS9 g)"Parses arguments for the commands.resourceRESOURCEzFull resource name that access is checked against. For a list of full resource name formats, see: https://cloud.google.com/iam/docs/resource-names. )metavartypehelpz--principal-emailTEMAILz{Email address that identifies the principal to check. Only Google Accounts and service accounts are supported. )requiredrrrz --permission PERMISSIONa[IAM permission to check. The permssion can be in the `v1` or `v2` format. For example, `resourcemanager.projects.get` or `cloudresourcemanager.googleapis.com/projects.get`. For a list of permissions, see https://cloud.google.com/iam/docs/permissions-reference and https://cloud.google.com/iam/docs/deny-permissions-support z--resource-serviceFzThe resource service value to use when checking conditional bindings. For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-service )rrrz--resource-typezThe resource type value to use when checking conditional bindings. For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-type z--resource-namezThe resource name value to use when checking conditional bindings. For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-name. z--request-timezThe request timestamp to use when checking conditional bindings. This string must adhere to UTC format (RFC 3339). For example,2021-01-01T00:00:00Z. For more information, see: https://tools.ietf.org/html/rfc3339 z--destination-ipznThe request destination IP address to use when checking conditional bindings. For example, `198.1.1.1`. z--destination-portzaThe request destination port to use when checking conditional bindings. For example, 8080. N) add_argumentstrintparsers :lib/surface/policy_intelligence/troubleshoot_policy/iam.py_ArgsrLsA                           c~URURURS9nURURS9nUR UR URURS9nURUUUS9nURUURURURS9nURU5$)Troubleshoot the IAM Policies.)destination_ipdestination_port) request_time) resource_nameresource_service resource_type) destinationrequestr )condition_contextfull_resource_nameprincipal_email permission)GetPolicyTroubleshooterPeerrr GetPolicyTroubleshooterRequestr!GetPolicyTroubleshooterResourcer"r#r$'GetPolicyTroubleshooterConditionContext"GetPolicyTroubleshooterAccessTupler r)r*TroubleshootIAMPolicies)policy_troubleshooter_apiargsdestination_contextrequest_contextresource_contextr' access_tuples r_Runr7s1MM((,,N.LL$$M//NN&&,,&&O  GG)!#H+MM)** N, # : :< HHrc2\rSrSrSr\r\S5rSr Sr g)TroubleshootAlpharc[U5 gr Nrrs rArgsTroubleshootAlpha.Args  &Mrc^[[R"UR55U5$Nr7rPolicyTroubleshooterApi ReleaseTrackselfr2s rRunTroubleshootAlpha.Run( 55d6G6G6IJD rN __name__ __module__ __qualname____firstlineno____doc___DETAILED_HELP detailed_help staticmethodr>rH__static_attributes__rKrrr9r9s#' -rr9c2\rSrSrSr\r\S5rSr Sr g)TroubleshootBeta)Troubleshoot IAM allow and deny policies.c[U5 gr<r=rs rr>TroubleshootBeta.Argsr@rc^[[R"UR55U5$rBrCrFs rrHTroubleshootBeta.RunrJrrKNrLrKrrrWrWs#2 -rrWc2\rSrSrSr\r\S5rSr Sr g) TroubleshootrYc[U5 gr<r=rs rr>Troubleshoot.Argsr@rc^[[R"UR55U5$rBrCrFs rrHTroubleshoot.RunrJrrKNrLrKrrr_r_s!1 -rr_N)rQ __future__rrr*googlecloudsdk.api_lib.policy_intelligencergooglecloudsdk.callioperrRrr7 ReleaseTracksrEALPHAHiddenCommandr9BETArWGAr_rKrrrns #&'L(   *   @L^I<D%%++,   -  D%%**+ t||  ,  D%%(() 4<< * r