3SrSSKrSSKrSSKrSSKrSrSrSrSrSr "SS \ 5r "S S \RR5rg) a6Non-API-specific IAM policy definitions For allowed roles / permissions, see: https://cloud.google.com/iam/docs/understanding-roles Example usage: .. code-block:: python # ``get_iam_policy`` returns a :class:'~google.api_core.iam.Policy`. policy = resource.get_iam_policy(requested_policy_version=3) phred = "user:phred@example.com" admin_group = "group:admins@groups.example.com" account = "serviceAccount:account-1234@accounts.example.com" policy.version = 3 policy.bindings = [ { "role": "roles/owner", "members": {phred, admin_group, account} }, { "role": "roles/editor", "members": {"allAuthenticatedUsers"} }, { "role": "roles/viewer", "members": {"allUsers"} "condition": { "title": "request_time", "description": "Requests made before 2021-01-01T00:00:00Z", "expression": "request.time < timestamp("2021-01-01T00:00:00Z")" } } ] resource.set_iam_policy(policy) Nz roles/ownerz roles/editorz roles/viewerz_Assigning to '{}' is deprecated. Use the `policy.bindings` property to modify bindings instead.zWDict access is not supported on policies with version > 1 or with conditional bindings.c\rSrSrSrSrg)InvalidOperationExceptionMz1Raised when trying to use Policy class as a dict.N)__name__ __module__ __qualname____firstlineno____doc____static_attributes__r&lib/third_party/google/api_core/iam.pyrrMs;r rc\rSrSrSr\4r\4r\ 4r SSjr Sr Sr SrSrS rS rS r\S 5r\R*S 5r\S5r\R*S5r\S5r\R*S5r\S5r\R*S5r\S5r\S5r\S5r\S5r\S5r\S5r\ S5r!Sr"Sr#g)PolicySaIAM Policy Args: etag (Optional[str]): ETag used to identify a unique of the policy version (Optional[int]): The syntax schema version of the policy. Note: Using conditions in bindings requires the policy's version to be set to `3` or greater, depending on the versions that are currently supported. Accessing the policy using dict operations will raise InvalidOperationException when the policy's version is set to 3. Use the policy.bindings getter/setter to retrieve and modify the policy's bindings. See: IAM Policy https://cloud.google.com/iam/reference/rest/v1/Policy Policy versions https://cloud.google.com/iam/docs/policies#versions Conditions overview https://cloud.google.com/iam/docs/conditions-overview. Nc*XlX l/UlgN)etagversion _bindings)selfrrs r__init__Policy.__init__rs  r cHUR5 SUR5$)Nc3B# UHoS(dMUSv M g7f)membersroleNr).0bindings r "Policy.__iter__..zsT~GAS~s  )__check_version__rrs r__iter__Policy.__iter__ws  Tt~~TTr cfUR5 [[UR555$r)r"lenlistr$r#s r__len__Policy.__len__|s$  4 ())r cUR5 URHnUSU:XdMUSs $ U[5S.nURRU5 US$Nrrrr)r"rsetappend)rkeyb new_bindings r __getitem__Policy.__getitem__s]  AyC|# #su5  k*9%%r cUR5 [U5nURHnUSU:XdMX#S' g URRXS.5 gr,)r"r.rr/)rr0valuers r __setitem__Policy.__setitem__sS  E ~~Gv#%%* "& s=>r cUR5 URH)nUSU:XdMURRU5 g [U5e)Nr)r"rremoveKeyError)rr0r1s r __delitem__Policy.__delitem__sI  AyC%%a( smr cURSL=(a URS:nU(dUR5(a[[5eg)z[Raise InvalidOperationException if version is greater than 1 or policy contains conditions.N)r_contains_conditionsr_DICT_ACCESS_MSG)r raise_versions rr"Policy.__check_version__s@ D0ET\\A5E D5577+,<= =8r cRURHnURS5cM g g)N conditionTF)rget)rr1s rr@Policy._contains_conditionss'Auu[!- r cUR$)a=The policy's list of bindings. A binding is specified by a dictionary with keys: * role (str): Role that is assigned to `members`. * members (:obj:`set` of str): Specifies the identities associated to this binding. * condition (:obj:`dict` of str:str): Specifies a condition under which this binding will apply. * title (str): Title for the condition. * description (:obj:str, optional): Description of the condition. * expression: A CEL expression. Type: :obj:`list` of :obj:`dict` See: Policy versions https://cloud.google.com/iam/docs/policies#versions Conditions overview https://cloud.google.com/iam/docs/conditions-overview. Example: .. code-block:: python USER = "user:phred@example.com" ADMIN_GROUP = "group:admins@groups.example.com" SERVICE_ACCOUNT = "serviceAccount:account-1234@accounts.example.com" CONDITION = { "title": "request_time", "description": "Requests made before 2021-01-01T00:00:00Z", # Optional "expression": "request.time < timestamp("2021-01-01T00:00:00Z")" } # Set policy's version to 3 before setting bindings containing conditions. policy.version = 3 policy.bindings = [ { "role": "roles/viewer", "members": {USER, ADMIN_GROUP, SERVICE_ACCOUNT}, "condition": CONDITION }, ... ] rr#s rbindingsPolicy.bindingssd~~r cXlgrrI)rrJs rrJrKs!r c[5nURH-nURUS5HnURU5 M M/ [ U5$)zLegacy access to owner role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. r)r. _OWNER_ROLESrFadd frozensetrresultrmembers rowners Policy.ownerssI%%D((4, 6"-&  r cz[R"[RS[5[ 5 X['g)zUpdate owners. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. rTN)warningswarn_ASSIGNMENT_DEPRECATED_MSGformat OWNER_ROLEDeprecationWarningrr6s rrTrUs-  & - -h CEW !Zr c[5nURH-nURUS5HnURU5 M M/ [ U5$)zLegacy access to editor role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. r)r. _EDITOR_ROLESrFrOrPrQs reditorsPolicy.editorsI&&D((4, 6"-'  r cz[R"[RS[5[ 5 X['g)zUpdate editors. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. r`N)rWrXrYrZ EDITOR_ROLEr\r]s rr`ra -  & - -i E  "[r c[5nURH-nURUS5HnURU5 M M/ [ U5$)zLegacy access to viewer role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. r)r. _VIEWER_ROLESrFrOrPrQs rviewersPolicy.viewersrbr cz[R"[RS[5[ 5 X['g)zUpdate viewers. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. rhN)rWrXrYrZ VIEWER_ROLEr\r]s rrhri(rer cSU<3$)zFactory method for a user member. Args: email (str): E-mail for this particular user. Returns: str: A member string corresponding to the given user. zuser:remails ruser Policy.user6s "##r cSU<3$)zFactory method for a service account member. Args: email (str): E-mail for this particular service account. Returns: str: A member string corresponding to the given service account. zserviceAccount:rrms rservice_accountPolicy.service_accountBs ',--r cSU<3$)zFactory method for a group member. Args: email (str): An id or e-mail for this particular group. Returns: str: A member string corresponding to the given group. zgroup:rrms rgroup Policy.groupOs #$$r cSU<3$)zFactory method for a domain member. Args: domain (str): The domain for this member. Returns: str: A member string corresponding to the given domain. zdomain:r)domains rrx Policy.domain[s %&&r cg)zoFactory method for a member representing all users. Returns: str: A member string representing all users. allUsersrrr r all_usersPolicy.all_usersgsr cg)zFactory method for a member representing all authenticated users. Returns: str: A member string representing all authenticated users. allAuthenticatedUsersrrr rauthenticated_usersPolicy.authenticated_usersps'r cURS5nURS5nU"X25nURS/5UlURH!n[URSS55US'M# U$)zFactory: create a policy from a JSON resource. Args: resource (dict): policy resource returned by ``getIamPolicy`` API. Returns: :class:`Policy`: the parsed policy rrrJrr)rFrJr.)clsresourcerrpolicyrs r from_api_reprPolicy.from_api_reprysk,,y)||F#T#",,z26G!$W[[B%?!@GI ' r c0nURbURUS'URbURUS'UR(a[UR5S:a/nURH[nUR S5nU(dMUS[ U5S.nUR S5nU(aXeS'UR U5 M] U(a"[R"S5n[ X'S9US 'U$) zhRender a JSON policy resource. Returns: dict: a resource to be passed to the ``setIamPolicy`` API. rrrrrr-rE)r0rJ) rrrr'rFsortedr/operator itemgetter)rrrJrrr2rEr0s r to_api_reprPolicy.to_api_reprs  99 #yyHV  << #"&,,HY  >>c$..1A5H>>!++i07+26?vg"WK ' K 8I 3 11f__"" ! ! ]] ! ! ! ! ^^ " " ! ! ^^ " " $ $ . . % % ' '''&r r)r collectionscollections.abcrrWr[rdrkrYrA ExceptionrabcMutableMappingrrr rrsi&P 4 7 7c[  X[__ + +Xr