MCP Tools Reference: cloudasset.googleapis.com

Tool: list_assets

List assets from Cloud Asset Inventory

The following sample demonstrates how to use curl to invoke the list_assets MCP tool.

Curl Request

curl --location 'https://cloudasset.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "list_assets",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

ListAssets request.

ListAssetsRequest

JSON representation
{
  "parent": string,
  "readTime": string,
  "assetTypes": [
    string
  ],
  "contentType": enum (ContentType),
  "pageSize": integer,
  "pageToken": string,
  "relationshipTypes": [
    string
  ]
}
Fields
parent

string

Required. Name of the organization, folder, or project the assets belong to. Format: "organizations/[organization-number]" (such as "organizations/123"), "projects/[project-id]" (such as "projects/my-project-id"), "projects/[project-number]" (such as "projects/12345"), or "folders/[folder-number]" (such as "folders/12345").

readTime

string (Timestamp format)

Timestamp to take an asset snapshot. This can only be set to a timestamp between the current time and the current time minus 35 days (inclusive). If not specified, the current time will be used. Due to delays in resource data collection and indexing, there is a volatile window during which running the same query may get different results.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

assetTypes[]

string

A list of asset types to take a snapshot for. For example: "compute.googleapis.com/Disk".

Regular expression is also supported. For example:

  • "compute.googleapis.com.*" snapshots resources whose asset type starts with "compute.googleapis.com".
  • ".*Instance" snapshots resources whose asset type ends with "Instance".
  • ".*Instance.*" snapshots resources whose asset type contains "Instance".

See RE2 for all supported regular expression syntax. If the regular expression does not match any supported asset type, an INVALID_ARGUMENT error will be returned.

If specified, only matching assets will be returned, otherwise, it will snapshot all asset types. See Introduction to Cloud Asset Inventory for all supported asset types.

contentType

enum (ContentType)

Asset content type. If not specified, no content but the asset name will be returned.

pageSize

integer

The maximum number of assets to be returned in a single response. Default is 100, minimum is 1, and maximum is 1000.

pageToken

string

The next_page_token returned from the previous ListAssetsResponse, or unspecified for the first ListAssetsRequest. It is a continuation of a prior ListAssets call, and the API should return the next page of assets.

relationshipTypes[]

string

A list of relationship types to output, for example: INSTANCE_TO_INSTANCEGROUP. This field should only be specified if content_type=RELATIONSHIP.

  • If specified: it snapshots the specified relationships. It returns an error if any of the [relationship_types] doesn't belong to the supported relationship types of the [asset_types], or if any of the [asset_types] doesn't belong to the source types of the [relationship_types].
  • Otherwise: it snapshots the supported relationships for all [asset_types], or returns an error if any of the [asset_types] has no relationship support.

An unspecified asset types field means all supported asset_types. See Introduction to Cloud Asset Inventory for all supported asset types and relationship types.

Timestamp

JSON representation
{
  "seconds": string,
  "nanos": integer
}
Fields
seconds

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).

nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.
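The request side of the schema above, as an added example (not Google's code and not part of this reference): it builds the JSON-RPC "tools/call" body that the curl sample leaves as a placeholder (the // comment there is not valid JSON and has to be replaced by a real arguments object), enforces the constraints the field descriptions state (parent prefix, pageSize between 1 and 1000, readTime within the last 35 days), and follows nextPageToken until the listing is exhausted. The HTTP transport is injected as a send callable so the walk runs offline against constructed pages; the assumption is that a real send would POST the body to the MCP URL with the headers from the curl sample plus the deployment's authentication, and return the ListAssetsResponse from the tool result.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List, Optional

# Added example (not Google's code): build list_assets calls, validate the
# schema-constrained inputs, and walk nextPageToken with an injected transport.

MCP_URL = "https://cloudasset.googleapis.com/mcp"
PARENT_PREFIXES = ("organizations/", "folders/", "projects/")
PAGE_SIZE_MIN, PAGE_SIZE_MAX = 1, 1000
READ_TIME_WINDOW = timedelta(days=35)   # readTime may not be older than 35 days


def format_read_time(read_time: datetime, now: Optional[datetime] = None) -> str:
    """Reject readTime outside [now - 35 days, now]; render as Z-normalized RFC 3339."""
    if read_time.tzinfo is None:
        raise ValueError("readTime must be timezone-aware")
    now = now or datetime.now(timezone.utc)
    if not (now - READ_TIME_WINDOW <= read_time <= now):
        raise ValueError("readTime must lie between now - 35 days and now (inclusive)")
    return read_time.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_list_assets_call(parent: str, *, asset_types: Optional[List[str]] = None,
                           content_type: Optional[str] = None,
                           read_time: Optional[datetime] = None,
                           page_size: Optional[int] = None,
                           page_token: Optional[str] = None,
                           request_id: int = 1, now: Optional[datetime] = None) -> Dict:
    """Return one JSON-RPC body; params.arguments is a ListAssetsRequest."""
    if not parent.startswith(PARENT_PREFIXES):
        raise ValueError(f"parent must start with one of {PARENT_PREFIXES}: {parent!r}")
    args: Dict = {"parent": parent}
    if asset_types:
        args["assetTypes"] = list(asset_types)
    if content_type:
        args["contentType"] = content_type
    if read_time is not None:
        args["readTime"] = format_read_time(read_time, now)
    if page_size is not None:
        if not PAGE_SIZE_MIN <= page_size <= PAGE_SIZE_MAX:
            raise ValueError("pageSize must be between 1 and 1000")
        args["pageSize"] = page_size
    if page_token:
        args["pageToken"] = page_token
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "list_assets", "arguments": args}}


def iter_assets(send: Callable[[Dict], Dict], parent: str, **options) -> Iterator[Dict]:
    """Yield every Asset, re-sending with the returned nextPageToken until it is empty."""
    page_token, request_id = None, 1
    while True:
        body = build_list_assets_call(parent, page_token=page_token,
                                      request_id=request_id, **options)
        response = send(body)
        yield from response.get("assets", [])
        page_token = response.get("nextPageToken")
        if not page_token:          # empty or absent: no remaining results
            return
        request_id += 1


# Constructed sample pages (not real API output), keyed by the pageToken they answer.
_PREFIX = "//compute.googleapis.com/projects/my-project-id/zones/"
FAKE_PAGES = {
    "": {"readTime": "2024-05-01T00:00:00Z",
         "assets": [{"name": _PREFIX + "us-central1-a/instances/web-1",
                     "assetType": "compute.googleapis.com/Instance"},
                    {"name": _PREFIX + "us-central1-a/instances/web-2",
                     "assetType": "compute.googleapis.com/Instance"}],
         "nextPageToken": "page-2"},
    "page-2": {"readTime": "2024-05-01T00:00:00Z",
               "assets": [{"name": _PREFIX + "us-central1-b/instances/batch-1",
                           "assetType": "compute.googleapis.com/Instance"}],
               "nextPageToken": ""},
}


def fake_send(body: Dict) -> Dict:
    """Offline stand-in for the HTTP POST: serve the constructed page for the token."""
    return FAKE_PAGES[body["params"]["arguments"].get("pageToken", "")]


def list_instance_names(send: Callable[[Dict], Dict] = fake_send) -> List[str]:
    return [asset["name"] for asset in iter_assets(
        send, "projects/my-project-id",
        asset_types=["compute.googleapis.com/Instance"], page_size=2)]


if __name__ == "__main__":
    print(json.dumps(build_list_assets_call("projects/my-project-id",
                                            asset_types=["compute.googleapis.com.*"]), indent=2))
    for name in list_instance_names():
        print(name)
```

The page token is treated as opaque and simply echoed back; a real client should also respect the 72-hour token expiry stated under nextPageToken and restart the listing rather than retrying a stale token.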

Output Schema

ListAssets response.

ListAssetsResponse

JSON representation
{
  "readTime": string,
  "assets": [
    {
      object (Asset)
    }
  ],
  "nextPageToken": string
}
Fields
readTime

string (Timestamp format)

Time the snapshot was taken.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

assets[]

object (Asset)

Assets.

nextPageToken

string

Token to retrieve the next page of results. It expires 72 hours after the page token for the first page is generated. Set to empty if there are no remaining results.

Timestamp

JSON representation
{
  "seconds": string,
  "nanos": integer
}
Fields
seconds

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).

nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

Asset

JSON representation
{
  "updateTime": string,
  "name": string,
  "assetType": string,
  "resource": {
    object (Resource)
  },
  "iamPolicy": {
    object (Policy)
  },
  "orgPolicy": [
    {
      object (Policy)
    }
  ],
  "osInventory": {
    object (Inventory)
  },
  "relatedAssets": {
    object (RelatedAssets)
  },
  "relatedAsset": {
    object (RelatedAsset)
  },
  "ancestors": [
    string
  ],
  "assetExceptions": [
    {
      object (AssetException)
    }
  ],

  // Union field access_context_policy can be only one of the following:
  "accessPolicy": {
    object (AccessPolicy)
  },
  "accessLevel": {
    object (AccessLevel)
  },
  "servicePerimeter": {
    object (ServicePerimeter)
  }
  // End of list of possible types for union field access_context_policy.
}
Fields
updateTime

string (Timestamp format)

The last update timestamp of an asset. update_time is updated when a create, update, or delete operation is performed.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

name

string

The full name of the asset. Example: //compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1

See Resource names for more information.

assetType

string

The type of the asset. Example: compute.googleapis.com/Disk

See Supported asset types for more information.

resource

object (Resource)

A representation of the resource.

iamPolicy

object (Policy)

A representation of the IAM policy set on a Google Cloud resource. There can be a maximum of one IAM policy set on any given resource. In addition, IAM policies inherit their granted access scope from any policies set on parent resources in the resource hierarchy. Therefore, the effective policy is the union of both the policy set on this resource and each policy set on all of the resource's ancestry resource levels in the hierarchy. See this topic for more information.

orgPolicy[]

object (Policy)

A representation of an organization policy. There can be more than one organization policy with different constraints set on a given resource.

osInventory

object (Inventory)

A representation of runtime OS Inventory information. See this topic for more information.

relatedAssets
(deprecated)

object (RelatedAssets)

DEPRECATED. This field is present only for backward compatibility; the server will never generate responses with this field. The related assets of the asset for one relationship type. One asset only represents one type of relationship.

relatedAsset

object (RelatedAsset)

One related asset of the current asset.

ancestors[]

string

The ancestry path of an asset in Google Cloud resource hierarchy, represented as a list of relative resource names. An ancestry path starts with the closest ancestor in the hierarchy and ends at root. If the asset is a project, folder, or organization, the ancestry path starts from the asset itself.

Example: ["projects/123456789", "folders/5432", "organizations/1234"]

assetExceptions[]

object (AssetException)

The exceptions of a resource.

Union field access_context_policy. A representation of an access policy. access_context_policy can be only one of the following:
accessPolicy

object (AccessPolicy)

Also refer to the access policy user guide.

accessLevel

object (AccessLevel)

Also refer to the access level user guide.

servicePerimeter

object (ServicePerimeter)

Also refer to the service perimeter user guide.

Resource

JSON representation
{
  "version": string,
  "discoveryDocumentUri": string,
  "discoveryName": string,
  "resourceUrl": string,
  "parent": string,
  "data": {
    object
  },
  "location": string
}
Fields
version

string

The API version. Example: v1

discoveryDocumentUri

string

The URL of the discovery document containing the resource's JSON schema. Example: https://www.googleapis.com/discovery/v1/apis/compute/v1/rest

This value is unspecified for resources that do not have an API based on a discovery document, such as Cloud Bigtable.

discoveryName

string

The JSON schema name listed in the discovery document. Example: Project

This value is unspecified for resources that do not have an API based on a discovery document, such as Cloud Bigtable.

resourceUrl

string

The REST URL for accessing the resource. An HTTP GET request using this URL returns the resource itself. Example: https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123

This value is unspecified for resources without a REST API.

parent

string

The full name of the immediate parent of this resource. See Resource Names for more information.

For Google Cloud assets, this value is the parent resource defined in the IAM policy hierarchy. Example: //cloudresourcemanager.googleapis.com/projects/my_project_123

data

object (Struct format)

The content of the resource, in which some sensitive fields are removed and may not be present.

location

string

The location of the resource in Google Cloud, such as its zone and region. For more information, see https://cloud.google.com/about/locations/.

Struct

JSON representation
{
  "fields": {
    string: value,
    ...
  }
}
Fields
fields

map (key: string, value: value (Value format))

Unordered map of dynamically typed values.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

FieldsEntry

JSON representation
{
  "key": string,
  "value": value
}
Fields
key

string

value

value (Value format)

Value

JSON representation
{

  // Union field kind can be only one of the following:
  "nullValue": null,
  "numberValue": number,
  "stringValue": string,
  "boolValue": boolean,
  "structValue": {
    object
  },
  "listValue": array
  // End of list of possible types for union field kind.
}
Fields
Union field kind. The kind of value. kind can be only one of the following:
nullValue

null

Represents a JSON null.

numberValue

number

Represents a JSON number. Must not be NaN, Infinity or -Infinity, since those are not supported in JSON. This also cannot represent large Int64 values, since JSON format generally does not support them in its number type.

stringValue

string

Represents a JSON string.

boolValue

boolean

Represents a JSON boolean (true or false literal in JSON).

structValue

object (Struct format)

Represents a JSON object.

listValue

array (ListValue format)

Represents a JSON array.

ListValue

JSON representation
{
  "values": [
    value
  ]
}
Fields
values[]

value (Value format)

Repeated field of dynamically typed values.

Policy

JSON representation
{
  "version": integer,
  "bindings": [
    {
      object (Binding)
    }
  ],
  "auditConfigs": [
    {
      object (AuditConfig)
    }
  ],
  "etag": string
}
Fields
version

integer

Specifies the format of the policy.

Valid values are 0, 1, and 3. Requests that specify an invalid value are rejected.

Any operation that affects conditional role bindings must specify version 3. This requirement applies to the following operations:

  • Getting a policy that includes a conditional role binding
  • Adding a conditional role binding to a policy
  • Changing a conditional role binding in a policy
  • Removing any role binding, with or without a condition, from a policy that includes conditions

Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.

If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset.

To learn which resources support conditions in their IAM policies, see the IAM documentation.

bindings[]

object (Binding)

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal.

The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

auditConfigs[]

object (AuditConfig)

Specifies cloud audit logging configuration for this policy.

etag

string (bytes format)

etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy.

Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.

A base64-encoded string.

Binding

JSON representation
{
  "role": string,
  "members": [
    string
  ],
  "condition": {
    object (Expr)
  }
}
Fields
role

string

Role that is assigned to the list of members, or principals. For example, roles/viewer, roles/editor, or roles/owner.

For an overview of the IAM roles and permissions, see the IAM documentation. For a list of the available pre-defined roles, see here.

members[]

string

Specifies the principals requesting access for a Google Cloud resource. members can have the following values:

  • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.

  • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation.

  • user:{emailid}: An email address that represents a specific Google account. For example, alice@example.com .

  • serviceAccount:{emailid}: An email address that represents a Google service account. For example, my-other-app@appspot.gserviceaccount.com.

  • serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]: An identifier for a Kubernetes service account. For example, my-project.svc.id.goog[my-namespace/my-kubernetes-sa].

  • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.

  • domain:{domain}: The G Suite domain (primary) that represents all the users of that domain. For example, google.com or example.com.

  • principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}: A single identity in a workforce identity pool.

  • principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}: All workforce identities in a group.

  • principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}: All workforce identities with a specific attribute value.

  • principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*: All identities in a workforce identity pool.

  • principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}: A single identity in a workload identity pool.

  • principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}: A workload identity pool group.

  • principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}: All identities in a workload identity pool with a certain attribute.

  • principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*: All identities in a workload identity pool.

  • deleted:user:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a user that has been recently deleted. For example, alice@example.com?uid=123456789012345678901. If the user is recovered, this value reverts to user:{emailid} and the recovered user retains the role in the binding.

  • deleted:serviceAccount:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901. If the service account is undeleted, this value reverts to serviceAccount:{emailid} and the undeleted service account retains the role in the binding.

  • deleted:group:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, admins@example.com?uid=123456789012345678901. If the group is recovered, this value reverts to group:{emailid} and the recovered group retains the role in the binding.

  • deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}: Deleted single identity in a workforce identity pool. For example, deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value.

condition

object (Expr)

The condition that is associated with this binding.

If the condition evaluates to true, then this binding applies to the current request.

If the condition evaluates to false, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding.

To learn which resources support conditions in their IAM policies, see the IAM documentation.
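A defender-side use of the Policy, Binding and members formats described above, as an added example (not Google's code and not part of this reference): it walks the iamPolicy carried by each Asset in a list_assets response (assuming the call requested the IAM policy content type), and reports the bindings a reviewer wants to see first: public principals (allUsers, allAuthenticatedUsers), stale deleted:* principals that would regain access if the identity is recovered, conditional bindings, a policy that carries conditions while declaring a version other than 3, and principal counts approaching the 1,500 / 250 limits stated under bindings[]. The sample assets, etags, email addresses and the CEL expression are constructed.

```python
from typing import Dict, List, Tuple

# Added example (not Google's code): review IAM policies returned by list_assets.

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
PRINCIPAL_LIMIT, GROUP_LIMIT = 1500, 250   # per-Policy limits stated for bindings[]
WARN_RATIO = 0.9                           # report when 90% of a limit is reached


def principal_occurrences(policy: Dict) -> Tuple[int, int]:
    """(all principal occurrences, group occurrences); every occurrence counts."""
    members = [m for b in policy.get("bindings", []) for m in b.get("members", [])]
    groups = sum(1 for m in members if m.startswith("group:"))
    return len(members), groups


def review_iam_policy(asset: Dict) -> List[Dict]:
    """One finding dict per noteworthy binding, member or policy-level issue."""
    policy = asset.get("iamPolicy")
    if not policy:
        return []                      # asset returned without an IAM policy
    name = asset.get("name", "<unnamed asset>")
    bindings = policy.get("bindings", [])
    findings: List[Dict] = []

    # Conditional bindings require policy version 3; anything else is inconsistent.
    if any("condition" in b for b in bindings) and policy.get("version") != 3:
        findings.append({"asset": name, "kind": "version_mismatch",
                         "detail": f"conditions present, version {policy.get('version')}"})

    for binding in bindings:
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append({"asset": name, "kind": "public_principal",
                                 "role": role, "member": member})
            elif member.startswith("deleted:"):
                # reverts to the live principal if the identity is recovered
                findings.append({"asset": name, "kind": "deleted_principal",
                                 "role": role, "member": member})
        if "condition" in binding:
            cond = binding["condition"]
            findings.append({"asset": name, "kind": "conditional_binding", "role": role,
                             "detail": cond.get("title") or cond.get("expression", "")})

    total, groups = principal_occurrences(policy)
    if total >= WARN_RATIO * PRINCIPAL_LIMIT or groups >= WARN_RATIO * GROUP_LIMIT:
        findings.append({"asset": name, "kind": "principal_limit",
                         "detail": f"{total} principals, {groups} groups"})
    return findings


def review_assets(assets: List[Dict]) -> List[Dict]:
    return [f for asset in assets for f in review_iam_policy(asset)]


# Constructed sample assets (not real API output).
SAMPLE_ASSETS = [
    {"name": "//storage.googleapis.com/public-site-assets",
     "assetType": "storage.googleapis.com/Bucket",
     "ancestors": ["projects/123456789", "organizations/1234"],
     "iamPolicy": {"version": 1, "etag": "constructed-etag-1",
                   "bindings": [
                       {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
                       {"role": "roles/storage.admin",
                        "members": ["group:admins@example.com"]}]}},
    {"name": "//cloudresourcemanager.googleapis.com/projects/123456789",
     "assetType": "cloudresourcemanager.googleapis.com/Project",
     "ancestors": ["projects/123456789", "organizations/1234"],
     "iamPolicy": {"version": 3, "etag": "constructed-etag-2",
                   "bindings": [
                       {"role": "roles/viewer",
                        "members": ["user:alice@example.com",
                                    "deleted:user:bob@example.com?uid=123456789012345678901"]},
                       {"role": "roles/editor",
                        "members": ["serviceAccount:deploy@my-project-id.iam.gserviceaccount.com"],
                        "condition": {"title": "expires_end_2024",
                                      "expression": "request.time < timestamp('2024-12-31T00:00:00Z')"}}]}},
    {"name": "//compute.googleapis.com/projects/my-project-id/zones/us-central1-a/disks/data-1",
     "assetType": "compute.googleapis.com/Disk"},   # no iamPolicy in the response
]


if __name__ == "__main__":
    for finding in review_assets(SAMPLE_ASSETS):
        print(finding)
```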

Expr

JSON representation
{
  "expression": string,
  "title": string,
  "description": string,
  "location": string
}
Fields
expression

string

Textual representation of an expression in Common Expression Language syntax.

title

string

Optional. Title for the expression, i.e. a short string describing its purpose. This can be used, for example, in UIs that allow the expression to be entered.

description

string

Optional. Description of the expression. This is a longer text which describes the expression, for example when it is hovered over in a UI.

location

string

Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

AuditConfig

JSON representation
{
  "service": string,
  "auditLogConfigs": [
    {
      object (AuditLogConfig)
    }
  ]
}
Fields
service

string

Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.

auditLogConfigs[]

object (AuditLogConfig)

The configuration for logging of each type of permission.

AuditLogConfig

JSON representation
{
  "logType": enum (LogType),
  "exemptedMembers": [
    string
  ]
}
Fields
logType

enum (LogType)

The log type that this config enables.

exemptedMembers[]

string

Specifies the identities that do not cause logging for this type of permission. Follows the same format of Binding.members.

Policy

JSON representation
{
  "version": integer,
  "constraint": string,
  "etag": string,
  "updateTime": string,

  // Union field policy_type can be only one of the following:
  "listPolicy": {
    object (ListPolicy)
  },
  "booleanPolicy": {
    object (BooleanPolicy)
  },
  "restoreDefault": {
    object (RestoreDefault)
  }
  // End of list of possible types for union field policy_type.
}
Fields
version

integer

Version of the Policy. Default version is 0.

constraint

string

The name of the Constraint the Policy is configuring, for example, constraints/serviceuser.services.

A list of available constraints is available.

Immutable after creation.

etag

string (bytes format)

An opaque tag indicating the current version of the Policy, used for concurrency control.

When the Policy is returned from either a GetPolicy or a ListOrgPolicy request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop.

When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.

When the Policy is used in a SetOrgPolicy method, use the etag value that was returned from a GetOrgPolicy request as part of a read-modify-write loop for concurrency control. Not setting the etag in a SetOrgPolicy request will result in an unconditional write of the Policy.

A base64-encoded string.

updateTime

string (Timestamp format)

The time stamp the Policy was previously updated. This is set by the server, not specified by the caller, and represents the last time a call to SetOrgPolicy was made for that Policy. Any value set by the client will be ignored.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Union field policy_type. The field to populate is based on the constraint_type value in the Constraint:

  • list_constraint => list_policy
  • boolean_constraint => boolean_policy

A restore_default message may be used with any Constraint type.

Providing a *_policy that is incompatible with the constraint_type will result in an invalid_argument error.

Attempting to set a Policy with a policy_type not set will result in an invalid_argument error. policy_type can be only one of the following:

listPolicy

object (ListPolicy)

List of values either allowed or disallowed.

booleanPolicy

object (BooleanPolicy)

For boolean Constraints, whether to enforce the Constraint or not.

restoreDefault

object (RestoreDefault)

Restores the default behavior of the constraint; independent of Constraint type.

ListPolicy

JSON representation
{
  "allowedValues": [
    string
  ],
  "deniedValues": [
    string
  ],
  "allValues": enum (AllValues),
  "suggestedValue": string,
  "inheritFromParent": boolean
}
Fields
allowedValues[]

string

List of values allowed at this resource. Can only be set if all_values is set to ALL_VALUES_UNSPECIFIED.

deniedValues[]

string

List of values denied at this resource. Can only be set if all_values is set to ALL_VALUES_UNSPECIFIED.

allValues

enum (AllValues)

The policy all_values state.

suggestedValue

string

Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this Policy. If suggested_value is not set, it will inherit the value specified higher in the hierarchy, unless inherit_from_parent is false.

inheritFromParent

boolean

Determines the inheritance behavior for this Policy.

By default, a ListPolicy set at a resource supersedes any Policy set anywhere up the resource hierarchy. However, if inherit_from_parent is set to true, then the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

Setting Policy hierarchies that inherit both allowed values and denied values isn't recommended in most circumstances to keep the configuration simple and understandable. However, it is possible to set a Policy with allowed_values set that inherits a Policy with denied_values set. In this case, the values that are allowed must be in allowed_values and not present in denied_values.

For example, suppose you have a Constraint constraints/serviceuser.services, which has a constraint_type of list_constraint, and with constraint_default set to ALLOW. Suppose that at the Organization level, a Policy is applied that restricts the allowed API activations to {E1, E2}. Then, if a Policy is applied to a project below the Organization that has inherit_from_parent set to false and field all_values set to DENY, then an attempt to activate any API will be denied.

The following examples demonstrate different possible layerings for projects/bar parented by organizations/foo:

Example 1 (no inherited values): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values:"E2"} projects/bar has inherit_from_parent false and values: {allowed_values: "E3" allowed_values: "E4"} The accepted values at organizations/foo are E1, E2. The accepted values at projects/bar are E3, and E4.

Example 2 (inherited values): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values:"E2"} projects/bar has a Policy with values: {value: "E3" value: "E4" inherit_from_parent: true} The accepted values at organizations/foo are E1, E2. The accepted values at projects/bar are E1, E2, E3, and E4.

Example 3 (inheriting both allowed and denied values): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values: "E2"} projects/bar has a Policy with: {denied_values: "E1"} The accepted values at organizations/foo are E1, E2. The value accepted at projects/bar is E2.

Example 4 (RestoreDefault): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values:"E2"} projects/bar has a Policy with values: {RestoreDefault: {}} The accepted values at organizations/foo are E1, E2. The accepted values at projects/bar are either all or none depending on the value of constraint_default (if ALLOW, all; if DENY, none).

Example 5 (no policy inherits parent policy): organizations/foo has no Policy set. projects/bar has no Policy set. The accepted values at both levels are either all or none depending on the value of constraint_default (if ALLOW, all; if DENY, none).

Example 6 (ListConstraint allowing all): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values: "E2"} projects/bar has a Policy with: {all: ALLOW} The accepted values at organizations/foo are E1, E2. Any value is accepted at projects/bar.

Example 7 (ListConstraint allowing none): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values: "E2"} projects/bar has a Policy with: {all: DENY} The accepted values at organizations/foo are E1, E2. No value is accepted at projects/bar.

Example 10 (allowed and denied subtrees of Resource Manager hierarchy): Given the following resource hierarchy O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, organizations/foo has a Policy with values: {allowed_values: "under:organizations/O1"} projects/bar has a Policy with: {allowed_values: "under:projects/P3"} {denied_values: "under:folders/F2"} The accepted values at organizations/foo are organizations/O1, folders/F1, folders/F2, projects/P1, projects/P2, projects/P3. The accepted values at projects/bar are organizations/O1, folders/F1, projects/P1.

BooleanPolicy

JSON representation
{
  "enforced": boolean
}
Fields
enforced

boolean

If true, then the Policy is enforced. If false, then any configuration is acceptable.

Suppose you have a Constraint constraints/compute.disableSerialPortAccess with constraint_default set to ALLOW. A Policy for that Constraint exhibits the following behavior:

  • If the Policy at this resource has enforced set to false, serial port connection attempts will be allowed.
  • If the Policy at this resource has enforced set to true, serial port connection attempts will be refused.
  • If the Policy at this resource is RestoreDefault, serial port connection attempts will be allowed.
  • If no Policy is set at this resource or anywhere higher in the resource hierarchy, serial port connection attempts will be allowed.
  • If no Policy is set at this resource, but one exists higher in the resource hierarchy, the behavior is as if the Policy were set at this resource.

The following examples demonstrate the different possible layerings:

Example 1 (nearest Constraint wins): organizations/foo has a Policy with: {enforced: false} projects/bar has no Policy set. The constraint at projects/bar and organizations/foo will not be enforced.

Example 2 (enforcement gets replaced): organizations/foo has a Policy with: {enforced: false} projects/bar has a Policy with: {enforced: true} The constraint at organizations/foo is not enforced. The constraint at projects/bar is enforced.

Example 3 (RestoreDefault): organizations/foo has a Policy with: {enforced: true} projects/bar has a Policy with: {RestoreDefault: {}} The constraint at organizations/foo is enforced. The constraint at projects/bar is not enforced, because constraint_default for the Constraint is ALLOW.
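The BooleanPolicy layering rules and the three examples above, carried through in code as an added example (not Google's code and not part of this reference): the resolver walks from the resource up the hierarchy, lets the nearest Policy win, maps RestoreDefault back to the constraint's constraint_default, and falls back to that default when no Policy is set anywhere. The hierarchy map and the per-resource policies are constructed inputs; in practice they would come from the ancestors[] and orgPolicy[] fields of the assets returned by list_assets, filtered to one constraint.

```python
from typing import Dict, List, Optional

# Added example (not Google's code): effective BooleanPolicy for one constraint.

# Constructed hierarchy: child resource -> parent resource (None at the root).
HIERARCHY: Dict[str, Optional[str]] = {"projects/bar": "organizations/foo",
                                       "organizations/foo": None}


def ancestry(resource: str, hierarchy: Dict[str, Optional[str]]) -> List[str]:
    """The resource first, then each ancestor up to the root (Asset.ancestors order)."""
    path: List[str] = []
    node: Optional[str] = resource
    while node is not None:
        path.append(node)
        node = hierarchy.get(node)
    return path


def is_enforced(resource: str, policies: Dict[str, Dict], constraint_default: str,
                hierarchy: Dict[str, Optional[str]] = HIERARCHY) -> bool:
    """True if the boolean Constraint is enforced at `resource`.

    `policies` maps a resource name to the Policy set there for this one
    constraint, shaped like the Policy JSON above (booleanPolicy or restoreDefault).
    """
    default_enforced = constraint_default == "DENY"   # ALLOW default == not enforced
    for node in ancestry(resource, hierarchy):
        policy = policies.get(node)
        if policy is None:
            continue            # nothing set here: the nearest ancestor's Policy applies
        if "restoreDefault" in policy:
            return default_enforced
        return bool(policy["booleanPolicy"]["enforced"])
    return default_enforced     # no Policy anywhere in the hierarchy


def serial_port_access_allowed(resource: str, policies: Dict[str, Dict],
                               hierarchy: Dict[str, Optional[str]] = HIERARCHY) -> bool:
    """constraints/compute.disableSerialPortAccess has constraint_default ALLOW."""
    return not is_enforced(resource, policies, "ALLOW", hierarchy)


CONSTRAINT = "constraints/compute.disableSerialPortAccess"

# The three layerings from the text, as constructed Policy objects.
EXAMPLE_1 = {"organizations/foo": {"constraint": CONSTRAINT,
                                   "booleanPolicy": {"enforced": False}}}
EXAMPLE_2 = {"organizations/foo": {"constraint": CONSTRAINT,
                                   "booleanPolicy": {"enforced": False}},
             "projects/bar": {"constraint": CONSTRAINT,
                              "booleanPolicy": {"enforced": True}}}
EXAMPLE_3 = {"organizations/foo": {"constraint": CONSTRAINT,
                                   "booleanPolicy": {"enforced": True}},
             "projects/bar": {"constraint": CONSTRAINT, "restoreDefault": {}}}


if __name__ == "__main__":
    for label, policies in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2),
                            ("Example 3", EXAMPLE_3)):
        for resource in ("organizations/foo", "projects/bar"):
            state = "enforced" if is_enforced(resource, policies, "ALLOW") else "not enforced"
            print(f"{label}: {resource} -> {state}")
```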

AccessPolicy

JSON representation
{
  "name": string,
  "parent": string,
  "title": string,
  "scopes": [
    string
  ],
  "etag": string
}
Fields
name

string

Output only. Identifier. Resource name of the AccessPolicy. Format: accessPolicies/{access_policy}

parent

string

Required. The parent of this AccessPolicy in the Cloud Resource Hierarchy. Currently immutable once created. Format: organizations/{organization_id}

title

string

Required. Human readable title. Does not affect behavior.

scopes[]

string

The scopes of the AccessPolicy. Scopes define which resources a policy can restrict and where its resources can be referenced. For example, policy A with scopes=["folders/123"] has the following behavior:

  • ServicePerimeter can only restrict projects within folders/123.
  • ServicePerimeter within policy A can only reference access levels defined within policy A.
  • Only one policy can include a given scope; thus, attempting to create a second policy which includes folders/123 will result in an error.

If no scopes are provided, then any resource within the organization can be restricted. Scopes cannot be modified after a policy is created. Policies can only have a single scope. Format: list of folders/{folder_number} or projects/{project_number}

etag

string

Output only. An opaque identifier for the current version of the AccessPolicy. This will always be a strongly validated etag, meaning that two Access Policies will be identical if and only if their etags are identical. Clients should not expect this to be in any specific format.

AccessLevel

JSON representation
{
  "name": string,
  "title": string,
  "description": string,

  // Union field level can be only one of the following:
  "basic": {
    object (BasicLevel)
  },
  "custom": {
    object (CustomLevel)
  }
  // End of list of possible types for union field level.
}
Fields
name

string

Identifier. Resource name for the AccessLevel. Format: accessPolicies/{access_policy}/accessLevels/{access_level}.

The access_level component must begin with a letter, followed by alphanumeric characters or _. Its maximum length is 50 characters.

After you create an AccessLevel, you cannot change its name.

title

string

Human readable title. Must be unique within the Policy.

description

string

Description of the AccessLevel and its use. Does not affect behavior.

Union field level. Required. Describes the necessary conditions for the level to apply. level can be only one of the following:
basic

object (BasicLevel)

A BasicLevel composed of Conditions.

custom

object (CustomLevel)

A CustomLevel written in the Common Expression Language.

BasicLevel

JSON representation
{
  "conditions": [
    {
      object (Condition)
    }
  ],
  "combiningFunction": enum (ConditionCombiningFunction)
}
Fields
conditions[]

object (Condition)

Required. A list of requirements for the AccessLevel to be granted.

combiningFunction

enum (ConditionCombiningFunction)

How the conditions list should be combined to determine if a request is granted this AccessLevel. If AND is used, each Condition in conditions must be satisfied for the AccessLevel to be applied. If OR is used, at least one Condition in conditions must be satisfied for the AccessLevel to be applied. Default behavior is AND.

Condition

JSON representation
{
  "ipSubnetworks": [
    string
  ],
  "devicePolicy": {
    object (DevicePolicy)
  },
  "requiredAccessLevels": [
    string
  ],
  "negate": boolean,
  "members": [
    string
  ],
  "regions": [
    string
  ],
  "vpcNetworkSources": [
    {
      object (VpcNetworkSource)
    }
  ]
}
Fields
ipSubnetworks[]

string

CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed.

devicePolicy

object (DevicePolicy)

Device-specific restrictions; all restrictions must hold for the Condition to be true. If not specified, all devices are allowed.

requiredAccessLevels[]

string

A list of other access levels defined in the same Policy, referenced by resource name. Referencing an AccessLevel which does not exist is an error. All access levels listed must be granted for the Condition to be true. Example: "accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"

negate

boolean

Whether to negate the Condition. If true, the Condition becomes a NAND over its non-empty fields: any non-empty field criterion evaluating to false results in the Condition being satisfied. Defaults to false.

members[]

string

The request must be made by one of the provided user or service accounts. Groups are not supported. Syntax: user:{emailid} or serviceAccount:{emailid}. If not specified, a request may come from any user.

regions[]

string

The request must originate from one of the provided countries/regions. Must be valid ISO 3166-1 alpha-2 codes.

vpcNetworkSources[]

object (VpcNetworkSource)

The request must originate from one of the provided VPC networks in Google Cloud. Cannot specify this field together with ip_subnetworks.
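
The combiningFunction field above (AND versus OR over the conditions list) and the Condition fields (ipSubnetworks with its strict CIDR rule, members, regions, requiredAccessLevels and negate as a NAND over the non-empty fields) together define how a BasicLevel is decided. The following added example, written for this page and not taken from Google's code or any client library, evaluates those fields against a constructed request context. The context shape (`origin_ip`, `member`, `region`, `granted_levels`) is an assumption of the example; devicePolicy and vpcNetworkSources are not modelled, and requiredAccessLevels is resolved by evaluating levels in list order, which is a simplification.

```python
"""Added example: evaluate a BasicLevel locally (illustrative, not Google's code)."""
import ipaddress


def parse_cidr(spec):
    """Accept a CIDR block only when its host bits are zero, as ipSubnetworks
    requires: strict=True rejects "192.0.2.1/24" and "2001:db8::1/32"."""
    return ipaddress.ip_network(spec, strict=True)


def is_valid_cidr(spec):
    try:
        parse_cidr(spec)
        return True
    except ValueError:
        return False


def condition_holds(cond, ctx):
    """One Condition. Empty fields impose no restriction; every non-empty field
    must hold, and negate=true turns that into a NAND."""
    results = []
    if cond.get("ipSubnetworks"):
        origin = ipaddress.ip_address(ctx["origin_ip"])
        # membership across IP versions is simply False (IPv4 origin, IPv6 block)
        results.append(any(origin in parse_cidr(c) for c in cond["ipSubnetworks"]))
    if cond.get("members"):
        results.append(ctx.get("member") in cond["members"])
    if cond.get("regions"):
        results.append(ctx.get("region") in cond["regions"])
    if cond.get("requiredAccessLevels"):
        granted = ctx.get("granted_levels", ())
        results.append(all(lvl in granted for lvl in cond["requiredAccessLevels"]))
    holds = all(results)  # vacuously true when no field is set
    return not holds if cond.get("negate") else holds


def basic_level_granted(basic, ctx):
    """combiningFunction: AND (default) requires every Condition, OR requires one."""
    conds = basic["conditions"]
    if basic.get("combiningFunction", "AND") == "OR":
        return any(condition_holds(c, ctx) for c in conds)
    return all(condition_holds(c, ctx) for c in conds)


def granted_levels(levels, ctx):
    """Evaluate AccessLevels in order, feeding already-granted names back into the
    context so requiredAccessLevels can reference earlier levels (assumption)."""
    granted = []
    for lvl in levels:
        if "basic" not in lvl:
            continue  # custom (CEL) levels are out of scope for this example
        if basic_level_granted(lvl["basic"], dict(ctx, granted_levels=granted)):
            granted.append(lvl["name"])
    return granted


# Constructed sample levels (not real policy data).
CORP_NETWORK_LEVEL = {
    "name": "accessPolicies/MY_POLICY/accessLevels/corp_network",
    "basic": {"combiningFunction": "OR", "conditions": [
        {"ipSubnetworks": ["192.0.2.0/24", "2001:db8::/32"]},
        {"members": ["user:alice@example.com"], "regions": ["US"]},
    ]},
}
ADMIN_LEVEL = {
    "name": "accessPolicies/MY_POLICY/accessLevels/admin",
    "basic": {"conditions": [  # AND by default
        {"requiredAccessLevels": [CORP_NETWORK_LEVEL["name"]]},
        {"members": ["user:alice@example.com"]},
    ]},
}
SAMPLE_LEVELS = [CORP_NETWORK_LEVEL, ADMIN_LEVEL]

if __name__ == "__main__":
    print(granted_levels(SAMPLE_LEVELS, {"origin_ip": "192.0.2.77", "member": "user:alice@example.com"}))
    print(granted_levels(SAMPLE_LEVELS, {"origin_ip": "198.51.100.5", "member": "user:bob@example.com"}))
```

The strict CIDR parse is worth keeping even in tooling that only reads policies: a block such as 192.0.2.1/24 in exported configuration is a sign that the value was never accepted by the API, not that it narrows access to one host.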

DevicePolicy

JSON representation
{
  "requireScreenlock": boolean,
  "allowedEncryptionStatuses": [
    enum (DeviceEncryptionStatus)
  ],
  "osConstraints": [
    {
      object (OsConstraint)
    }
  ],
  "allowedDeviceManagementLevels": [
    enum (DeviceManagementLevel)
  ],
  "requireAdminApproval": boolean,
  "requireCorpOwned": boolean
}
Fields
requireScreenlock

boolean

Whether or not screenlock is required for the DevicePolicy to be true. Defaults to false.

allowedEncryptionStatuses[]

enum (DeviceEncryptionStatus)

Allowed encryption statuses; an empty list allows all statuses.

osConstraints[]

object (OsConstraint)

Allowed OS versions; an empty list allows all types and all versions.

allowedDeviceManagementLevels[]

enum (DeviceManagementLevel)

Allowed device management levels; an empty list allows all management levels.

requireAdminApproval

boolean

Whether the device needs to be approved by the customer admin.

requireCorpOwned

boolean

Whether the device needs to be corp owned.

OsConstraint

JSON representation
{
  "osType": enum (OsType),
  "minimumVersion": string,
  "requireVerifiedChromeOs": boolean
}
Fields
osType

enum (OsType)

Required. The allowed OS type.

minimumVersion

string

The minimum allowed OS version. If not set, any version of this OS satisfies the constraint. Format: "major.minor.patch". Examples: "10.5.301", "9.2.1".

requireVerifiedChromeOs

boolean

Only allows requests from devices with a verified Chrome OS. Verification includes requirements that the device is enterprise-managed, conformant to domain policies, and that the caller has permission to call the API targeted by the request.

VpcNetworkSource

JSON representation
{

  // Union field kind can be only one of the following:
  "vpcSubnetwork": {
    object (VpcSubNetwork)
  }
  // End of list of possible types for union field kind.
}
Fields

Union field kind.

kind can be only one of the following:

vpcSubnetwork

object (VpcSubNetwork)

Sub-segment ranges of a VPC network.

VpcSubNetwork

JSON representation
{
  "network": string,
  "vpcIpSubnetworks": [
    string
  ]
}
Fields
network

string

Required. Network name. If the network is not part of the organization, the compute.network.get permission must be granted to the caller. Format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NETWORK_NAME} Example: //compute.googleapis.com/projects/my-project/global/networks/network-1

vpcIpSubnetworks[]

string

CIDR block IP subnetwork specification. The IP address must be an IPv4 address and can be a public or private IP address. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. If empty, all IP addresses are allowed.

CustomLevel

JSON representation
{
  "expr": {
    object (Expr)
  }
}
Fields
expr

object (Expr)

Required. A Cloud CEL expression evaluating to a boolean.

ServicePerimeter

JSON representation
{
  "name": string,
  "title": string,
  "description": string,
  "perimeterType": enum (PerimeterType),
  "status": {
    object (ServicePerimeterConfig)
  },
  "spec": {
    object (ServicePerimeterConfig)
  },
  "useExplicitDryRunSpec": boolean,
  "etag": string
}
Fields
name

string

Identifier. Resource name for the ServicePerimeter. Format: accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}.

The service_perimeter component must begin with a letter, followed by alphanumeric characters or _.

After you create a ServicePerimeter, you cannot change its name.

title

string

Human readable title. Must be unique within the Policy.

description

string

Description of the ServicePerimeter and its use. Does not affect behavior.

perimeterType

enum (PerimeterType)

Perimeter type indicator. A single project or VPC network is allowed to be a member of a single regular perimeter, but of multiple service perimeter bridges. A project cannot be included in a perimeter bridge without being included in a regular perimeter. For perimeter bridges, the restricted service list as well as the access level lists must be empty.

status

object (ServicePerimeterConfig)

Current ServicePerimeter configuration. Specifies sets of resources, restricted services and access levels that determine perimeter content and boundaries.

spec

object (ServicePerimeterConfig)

Proposed (or dry run) ServicePerimeter configuration. This configuration allows you to specify and test a ServicePerimeter configuration without enforcing actual access restrictions. Only allowed to be set when the "use_explicit_dry_run_spec" flag is set.

useExplicitDryRunSpec

boolean

Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. use_explicit_dry_run_spec must be set to True if any of the fields in the spec are set to non-default values.

etag

string

Optional. An opaque identifier for the current version of the ServicePerimeter. This identifier does not follow any specific format. If an etag is not provided, the operation will be performed as if a valid etag is provided.

ServicePerimeterConfig

JSON representation
{
  "resources": [
    string
  ],
  "accessLevels": [
    string
  ],
  "restrictedServices": [
    string
  ],
  "vpcAccessibleServices": {
    object (VpcAccessibleServices)
  },
  "ingressPolicies": [
    {
      object (IngressPolicy)
    }
  ],
  "egressPolicies": [
    {
      object (EgressPolicy)
    }
  ]
}
Fields
resources[]

string

A list of Google Cloud resources that are inside of the service perimeter. Currently only projects and VPCs are allowed. Project format: projects/{project_number} VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}.

accessLevels[]

string

A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.

restrictedServices[]

string

Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.

vpcAccessibleServices

object (VpcAccessibleServices)

Configuration for APIs allowed within Perimeter.

ingressPolicies[]

object (IngressPolicy)

List of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any Ingress Policy grants it. Must be empty for a perimeter bridge.

egressPolicies[]

object (EgressPolicy)

List of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.

VpcAccessibleServices

JSON representation
{
  "enableRestriction": boolean,
  "allowedServices": [
    string
  ]
}
Fields
enableRestriction

boolean

Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowed_services'.

allowedServices[]

string

The list of APIs usable within the Service Perimeter. Must be empty unless 'enable_restriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.

IngressPolicy

JSON representation
{
  "ingressFrom": {
    object (IngressFrom)
  },
  "ingressTo": {
    object (IngressTo)
  },
  "title": string
}
Fields
ingressFrom

object (IngressFrom)

Defines the conditions on the source of a request causing this IngressPolicy to apply.

ingressTo

object (IngressTo)

Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply.

title

string

Optional. Human-readable title for the ingress rule. The title must be unique within the perimeter and cannot exceed 100 characters. Within the access policy, the combined length of all rule titles must not exceed 240,000 characters.

IngressFrom

JSON representation
{
  "sources": [
    {
      object (IngressSource)
    }
  ],
  "identities": [
    string
  ],
  "identityType": enum (IdentityType)
}
Fields
sources[]

object (IngressSource)

Sources that this IngressPolicy authorizes access from.

identities[]

string

A list of identities that are allowed access through IngressPolicy. Identities can be an individual user, service account, Google group, third-party identity, or agent identity. For the list of supported identity types, see https://docs.cloud.google.com/vpc-service-controls/docs/supported-identities.

identityType

enum (IdentityType)

Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of identities field will be allowed access.

IngressSource

JSON representation
{

  // Union field source can be only one of the following:
  "accessLevel": string,
  "resource": string
  // End of list of possible types for union field source.
}
Fields
Union field source. Allowed ingress source. It can be one of AccessLevel or Google Cloud resource. source can be only one of the following:
accessLevel

string

An AccessLevel resource name that allows resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all IngressSources will be allowed.

resource

string

A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects and VPCs are allowed. Project format: projects/{project_number} VPC network format: //compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}. The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed; allowing all Google Cloud resources is not supported.

IngressTo

JSON representation
{
  "operations": [
    {
      object (ApiOperation)
    }
  ],
  "resources": [
    string
  ],
  "roles": [
    string
  ]
}
Fields
operations[]

object (ApiOperation)

A list of ApiOperations allowed to be performed by the sources specified in corresponding IngressFrom in this ServicePerimeter.

resources[]

string

A list of resources, currently only projects in the form projects/<projectnumber>, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter is allowed.

roles[]

string

IAM roles that represent the set of operations that the sources specified in the corresponding IngressFrom are allowed to perform in this ServicePerimeter.

ApiOperation

JSON representation
{
  "serviceName": string,
  "methodSelectors": [
    {
      object (MethodSelector)
    }
  ]
}
Fields
serviceName

string

The name of the API whose methods or permissions the IngressPolicy or EgressPolicy wants to allow. A single ApiOperation with the service_name field set to * will allow all methods AND permissions for all services.

methodSelectors[]

object (MethodSelector)

API methods or permissions to allow. Method or permission must belong to the service specified by service_name field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in service_name.

MethodSelector

JSON representation
{

  // Union field kind can be only one of the following:
  "method": string,
  "permission": string
  // End of list of possible types for union field kind.
}
Fields
Union field kind. The API method name or Cloud IAM permission name to allow. kind can be only one of the following:
method

string

A valid method name for the corresponding service_name in ApiOperation. If * is used as the value for the method, then ALL methods and permissions are allowed.

permission

string

A valid Cloud IAM permission for the corresponding service_name in ApiOperation.
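
The IngressPolicy, IngressFrom, IngressSource, IngressTo, ApiOperation and MethodSelector sections above describe how one ingress rule is matched and note that a perimeter's rules are evaluated separately with access granted if any rule grants it. The following added example, written for this page and not taken from Google's code or any client library, evaluates a constructed request against those fields and flags rules that use * (every such wildcard widens the perimeter to all sources, all services or all protected resources). Assumptions of the example: the request dict shape, that an empty list imposes no constraint, and that identityType and roles are not modelled; the service account, project number and method name in the sample are constructed values.

```python
"""Added example: local matcher and wildcard audit for VPC-SC ingress rules
(illustrative, not Google's code)."""


def _selector_matches(selector, method, permission):
    """MethodSelector: a method of '*' allows all methods and permissions."""
    if "method" in selector:
        return selector["method"] in ("*", method)
    return permission is not None and selector.get("permission") == permission


def _operation_matches(op, req):
    """ApiOperation: serviceName '*' allows everything for every service."""
    if op.get("serviceName") == "*":
        return True
    if op.get("serviceName") != req["service"]:
        return False
    return any(_selector_matches(s, req["method"], req.get("permission"))
               for s in op.get("methodSelectors", []))


def _source_matches(src, req):
    """IngressSource: accessLevel '*' matches any source; resource must match
    exactly (the page states '*' is not allowed for resource)."""
    if "accessLevel" in src:
        return src["accessLevel"] == "*" or src["accessLevel"] in req.get("grantedAccessLevels", ())
    return src.get("resource") == req.get("sourceResource")


def ingress_policy_allows(policy, req):
    """One IngressPolicy: every populated constraint must be satisfied."""
    frm, to = policy.get("ingressFrom", {}), policy.get("ingressTo", {})
    sources = frm.get("sources", [])
    if sources and not any(_source_matches(s, req) for s in sources):
        return False
    identities = frm.get("identities", [])
    if identities and req.get("identity") not in identities:
        return False
    ops = to.get("operations", [])
    if ops and not any(_operation_matches(o, req) for o in ops):
        return False
    resources = to.get("resources", [])
    if resources and "*" not in resources and req.get("targetResource") not in resources:
        return False
    return True


def perimeter_ingress_allows(config, req):
    """ingressPolicies are evaluated separately; any granting rule is enough."""
    return any(ingress_policy_allows(p, req) for p in config.get("ingressPolicies", []))


def audit_wildcards(config):
    """List the places where a rule uses '*' so a reviewer can justify each one."""
    findings = []
    for i, p in enumerate(config.get("ingressPolicies", [])):
        title = p.get("title") or "ingress rule %d" % i
        if any(s.get("accessLevel") == "*" for s in p.get("ingressFrom", {}).get("sources", [])):
            findings.append("%s: any source (accessLevel '*')" % title)
        for op in p.get("ingressTo", {}).get("operations", []):
            if op.get("serviceName") == "*":
                findings.append("%s: all services (serviceName '*')" % title)
            elif any(s.get("method") == "*" for s in op.get("methodSelectors", [])):
                findings.append("%s: all methods of %s (method '*')" % (title, op["serviceName"]))
        if "*" in p.get("ingressTo", {}).get("resources", []):
            findings.append("%s: all perimeter resources (resources '*')" % title)
    return findings


# Constructed sample: a CI service account may read objects in one protected
# project, only when the request arrives through the MY_LEVEL access level.
SAMPLE_CONFIG = {"ingressPolicies": [{
    "title": "ci-read-objects",
    "ingressFrom": {
        "sources": [{"accessLevel": "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL"}],
        "identities": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    "ingressTo": {
        "operations": [{"serviceName": "storage.googleapis.com",
                        "methodSelectors": [{"method": "google.storage.objects.get"}]}],
        "resources": ["projects/123456789"]}}]}

ALLOWED_REQUEST = {  # constructed request context
    "identity": "serviceAccount:ci@example-project.iam.gserviceaccount.com",
    "grantedAccessLevels": ["accessPolicies/MY_POLICY/accessLevels/MY_LEVEL"],
    "service": "storage.googleapis.com", "method": "google.storage.objects.get",
    "targetResource": "projects/123456789"}

if __name__ == "__main__":
    print(perimeter_ingress_allows(SAMPLE_CONFIG, ALLOWED_REQUEST))  # True
    print(audit_wildcards(SAMPLE_CONFIG))  # []
```

Note that the local matcher only reproduces the field semantics stated on this page; the authoritative decision is the one the service makes, and the dry-run spec described under useExplicitDryRunSpec is the supported way to test a rule change before enforcing it.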

EgressPolicy

JSON representation
{
  "egressFrom": {
    object (EgressFrom)
  },
  "egressTo": {
    object (EgressTo)
  },
  "title": string
}
Fields
egressFrom

object (EgressFrom)

Defines conditions on the source of a request causing this EgressPolicy to apply.

egressTo

object (EgressTo)

Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply.

title

string

Optional. Human-readable title for the egress rule. The title must be unique within the perimeter and cannot exceed 100 characters. Within the access policy, the combined length of all rule titles must not exceed 240,000 characters.

EgressFrom

JSON representation
{
  "identities": [
    string
  ],
  "identityType": enum (IdentityType),
  "sources": [
    {
      object (EgressSource)
    }
  ],
  "sourceRestriction": enum (SourceRestriction)
}
Fields
identities[]

string

A list of identities that are allowed access through EgressPolicy. Identities can be an individual user, service account, Google group, third-party identity, or agent identity. For the list of supported identity types, see https://docs.cloud.google.com/vpc-service-controls/docs/supported-identities.

identityType

enum (IdentityType)

Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of identities field will be allowed access.

sources[]

object (EgressSource)

Sources that this EgressPolicy authorizes access from. If this field is not empty, then source_restriction must be set to SOURCE_RESTRICTION_ENABLED.

sourceRestriction

enum (SourceRestriction)

Whether to enforce traffic restrictions based on the sources field. If the sources field is non-empty, then this field must be set to SOURCE_RESTRICTION_ENABLED.

EgressSource

JSON representation
{

  // Union field source can be only one of the following:
  "accessLevel": string,
  "resource": string
  // End of list of possible types for union field source.
}
Fields
Union field source. Allowed egress source. source can be only one of the following:
accessLevel

string

An AccessLevel resource name that allows protected resources inside the ServicePerimeters to access outside the ServicePerimeter boundaries. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If an AccessLevel name is not specified, only resources within the perimeter can be accessed through Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for access_level, then all EgressSources will be allowed.

resource

string

A Google Cloud resource from the service perimeter that you want to allow to access data outside the perimeter. This field supports only projects. The project format is projects/{project_number}. You can't use * in this field to allow all Google Cloud resources.

EgressTo

JSON representation
{
  "resources": [
    string
  ],
  "operations": [
    {
      object (ApiOperation)
    }
  ],
  "externalResources": [
    string
  ],
  "roles": [
    string
  ]
}
Fields
resources[]

string

A list of resources, currently only projects in the form projects/<projectnumber>, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.

operations[]

object (ApiOperation)

A list of ApiOperations allowed to be performed by the sources specified in the corresponding EgressFrom. A request matches if it uses an operation/service in this list.

externalResources[]

string

A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported formats are s3://BUCKET_NAME, s3a://BUCKET_NAME, and s3n://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed.

roles[]

string

IAM roles that represent the set of operations that the sources specified in the corresponding EgressFrom are allowed to perform in this ServicePerimeter.

Inventory

JSON representation
{
  "name": string,
  "osInfo": {
    object (OsInfo)
  },
  "items": {
    string: {
      object (Item)
    },
    ...
  },
  "updateTime": string
}
Fields
name

string

Output only. The Inventory API resource name.

Format: projects/{project_number}/locations/{location}/instances/{instance_id}/inventory

osInfo

object (OsInfo)

Base level operating system information for the VM.

items

map (key: string, value: object (Item))

Inventory items related to the VM, keyed by an opaque unique identifier for each inventory item. The identifier is unique to each distinct and addressable inventory item and will change when there is a new package version.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

updateTime

string (Timestamp format)

Output only. Timestamp of the last reported inventory for the VM.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

OsInfo

JSON representation
{
  "hostname": string,
  "longName": string,
  "shortName": string,
  "version": string,
  "architecture": string,
  "kernelVersion": string,
  "kernelRelease": string,
  "osconfigAgentVersion": string
}
Fields
hostname

string

The VM hostname.

longName

string

The operating system long name. For example 'Debian GNU/Linux 9' or 'Microsoft Windows Server 2019 Datacenter'.

shortName

string

The operating system short name. For example, 'windows' or 'debian'.

version

string

The version of the operating system.

architecture

string

The system architecture of the operating system.

kernelVersion

string

The kernel version of the operating system.

kernelRelease

string

The kernel release of the operating system.

osconfigAgentVersion

string

The current version of the OS Config agent running on the VM.

ItemsEntry

JSON representation
{
  "key": string,
  "value": {
    object (Item)
  }
}
Fields
key

string

value

object (Item)

Item

JSON representation
{
  "id": string,
  "originType": enum (OriginType),
  "createTime": string,
  "updateTime": string,
  "type": enum (Type),

  // Union field details can be only one of the following:
  "installedPackage": {
    object (SoftwarePackage)
  },
  "availablePackage": {
    object (SoftwarePackage)
  }
  // End of list of possible types for union field details.
}
Fields
id

string

Identifier for this item, unique across items for this VM.

originType

enum (OriginType)

The origin of this inventory item.

createTime

string (Timestamp format)

When this inventory item was first detected.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

updateTime

string (Timestamp format)

When this inventory item was last modified.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

type

enum (Type)

The specific type of inventory, correlating to its specific details.

Union field details. Specific details of this inventory item based on its type. details can be only one of the following:
installedPackage

object (SoftwarePackage)

Software package present on the VM instance.

availablePackage

object (SoftwarePackage)

Software package available to be installed on the VM instance.

SoftwarePackage

JSON representation
{

  // Union field details can be only one of the following:
  "yumPackage": {
    object (VersionedPackage)
  },
  "aptPackage": {
    object (VersionedPackage)
  },
  "zypperPackage": {
    object (VersionedPackage)
  },
  "googetPackage": {
    object (VersionedPackage)
  },
  "zypperPatch": {
    object (ZypperPatch)
  },
  "wuaPackage": {
    object (WindowsUpdatePackage)
  },
  "qfePackage": {
    object (WindowsQuickFixEngineeringPackage)
  },
  "cosPackage": {
    object (VersionedPackage)
  },
  "windowsApplication": {
    object (WindowsApplication)
  }
  // End of list of possible types for union field details.
}
Fields
Union field details. Information about the different types of software packages. details can be only one of the following:
yumPackage

object (VersionedPackage)

Yum package info. For details about the yum package manager, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/ch-yum.

aptPackage

object (VersionedPackage)

Details of an APT package. For details about the apt package manager, see https://wiki.debian.org/Apt.

zypperPackage

object (VersionedPackage)

Details of a Zypper package. For details about the Zypper package manager, see https://en.opensuse.org/SDB:Zypper_manual.

googetPackage

object (VersionedPackage)

Details of a Googet package. For details about the googet package manager, see https://github.com/google/googet.

zypperPatch

object (ZypperPatch)

Details of a Zypper patch. For details about the Zypper package manager, see https://en.opensuse.org/SDB:Zypper_manual.

wuaPackage

object (WindowsUpdatePackage)

Details of a Windows Update package. See https://docs.microsoft.com/en-us/windows/win32/api/_wua/ for information about Windows Update.

qfePackage

object (WindowsQuickFixEngineeringPackage)

Details of a Windows Quick Fix Engineering package. See https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-quickfixengineering for information on Windows Quick Fix Engineering.

cosPackage

object (VersionedPackage)

Details of a COS package.

windowsApplication

object (WindowsApplication)

Details of Windows Application.

VersionedPackage

JSON representation
{
  "packageName": string,
  "architecture": string,
  "version": string
}
Fields
packageName

string

The name of the package.

architecture

string

The system architecture this package is intended for.

version

string

The version of the package.
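
The Inventory, Item, SoftwarePackage and VersionedPackage sections above describe how an OS inventory arrives: an items map keyed by opaque identifiers, each item carrying either an installedPackage or an availablePackage, and an updateTime that (as the readTime notes earlier on the page warn) may lag behind reality. The following added example, written for this page and not taken from Google's code or any client library, reduces such a document to a list of packages with a newer version available and flags an inventory that has not been reported recently. The sample inventory is constructed (placeholder project number, instance id and versions) and only populates the union field of each Item; pairing an available package with an installed one by package manager, packageName and architecture is an assumption of the example.

```python
"""Added example: summarise an osconfig Inventory into pending updates and
check inventory freshness (illustrative, not Google's code)."""
from datetime import datetime

# SoftwarePackage union members that carry a VersionedPackage; zypperPatch,
# wuaPackage, qfePackage and windowsApplication have different shapes.
PACKAGE_MANAGERS = ("yumPackage", "aptPackage", "zypperPackage", "googetPackage", "cosPackage")


def _versioned(pkg):
    """Return (manager, packageName, architecture, version) or None."""
    for mgr in PACKAGE_MANAGERS:
        if mgr in pkg:
            vp = pkg[mgr]
            return mgr, vp["packageName"], vp.get("architecture", ""), vp["version"]
    return None


def split_packages(inventory):
    """Split items into installed and available maps keyed by (manager, name, arch)."""
    installed, available = {}, {}
    for item in inventory.get("items", {}).values():
        if "installedPackage" in item:
            rec = _versioned(item["installedPackage"])
            if rec:
                installed[rec[:3]] = rec[3]
        elif "availablePackage" in item:
            rec = _versioned(item["availablePackage"])
            if rec:
                available[rec[:3]] = rec[3]
    return installed, available


def pending_updates(inventory):
    """[(manager, name, arch, installed_version or None, available_version)], sorted."""
    installed, available = split_packages(inventory)
    return sorted((k[0], k[1], k[2], installed.get(k), v) for k, v in available.items())


def parse_rfc3339(ts):
    """Parse the Timestamp format used by updateTime (Z-normalized RFC 3339).
    datetime.fromisoformat only accepts a trailing 'Z' from Python 3.11 on."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def inventory_age_days(inventory, now):
    return (now - parse_rfc3339(inventory["updateTime"])).total_seconds() / 86400


def is_stale(inventory, now, max_age_days=3):
    """True when the VM has not reported inventory within max_age_days; a
    silent agent is as much a finding as an outdated package."""
    return inventory_age_days(inventory, now) > max_age_days


# Constructed sample inventory (placeholder identifiers and versions).
SAMPLE_INVENTORY = {
    "name": "projects/123456789/locations/us-central1-a/instances/1234567890/inventory",
    "osInfo": {"hostname": "web-1", "longName": "Debian GNU/Linux 12",
               "shortName": "debian", "version": "12", "architecture": "x86_64"},
    "items": {
        "installedPackage:openssl": {"id": "installedPackage:openssl", "installedPackage": {
            "aptPackage": {"packageName": "openssl", "architecture": "amd64", "version": "1.0.0-1"}}},
        "availablePackage:openssl": {"id": "availablePackage:openssl", "availablePackage": {
            "aptPackage": {"packageName": "openssl", "architecture": "amd64", "version": "1.0.1-1"}}},
        "installedPackage:curl": {"id": "installedPackage:curl", "installedPackage": {
            "aptPackage": {"packageName": "curl", "architecture": "amd64", "version": "2.0.0-1"}}},
    },
    "updateTime": "2024-05-01T12:00:00Z",
}

if __name__ == "__main__":
    now = parse_rfc3339("2024-05-08T12:00:00Z")  # fixed reference time for the demo
    for mgr, name, arch, cur, new in pending_updates(SAMPLE_INVENTORY):
        print("%s %s/%s: %s -> %s" % (mgr, name, arch, cur, new))
    print("stale:", is_stale(SAMPLE_INVENTORY, now))
```

Comparing versions as strings is deliberately avoided here: the example reports every availablePackage entry rather than deciding which of two Debian or RPM version strings is newer, since each package manager has its own ordering rules.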

ZypperPatch

JSON representation
{
  "patchName": string,
  "category": string,
  "severity": string,
  "summary": string
}
Fields
patchName

string

The name of the patch.

category

string

The category of the patch.

severity

string

The severity specified for this patch.

summary

string

Any summary information provided about this patch.

WindowsUpdatePackage

JSON representation
{
  "title": string,
  "description": string,
  "categories": [
    {
      object (WindowsUpdateCategory)
    }
  ],
  "kbArticleIds": [
    string
  ],
  "supportUrl": string,
  "moreInfoUrls": [
    string
  ],
  "updateId": string,
  "revisionNumber": integer,
  "lastDeploymentChangeTime": string
}
Fields
title

string

The localized title of the update package.

description

string

The localized description of the update package.

categories[]

object (WindowsUpdateCategory)

The categories that are associated with this update package.

kbArticleIds[]

string

A collection of Microsoft Knowledge Base article IDs that are associated with the update package.

supportUrl

string

A hyperlink to the language-specific support information for the update.

moreInfoUrls[]

string

A collection of URLs that provide more information about the update package.

updateId

string

Gets the identifier of an update package. Stays the same across revisions.

revisionNumber

integer

The revision number of this update package.

lastDeploymentChangeTime

string (Timestamp format)

The last published date of the update, in (UTC) date and time.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

WindowsUpdateCategory

JSON representation
{
  "id": string,
  "name": string
}
Fields
id

string

The identifier of the Windows update category.

name

string

The name of the Windows update category.

WindowsQuickFixEngineeringPackage

JSON representation
{
  "caption": string,
  "description": string,
  "hotFixId": string,
  "installTime": string
}
Fields
caption

string

A short textual description of the QFE update.

description

string

A textual description of the QFE update.

hotFixId

string

Unique identifier associated with a particular QFE update.

installTime

string (Timestamp format)

Date that the QFE update was installed. Mapped from installed_on field.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

WindowsApplication

JSON representation
{
  "displayName": string,
  "displayVersion": string,
  "publisher": string,
  "installDate": {
    object (Date)
  },
  "helpLink": string
}
Fields
displayName

string

The name of the application or product.

displayVersion

string

The version of the product or application in string format.

publisher

string

The name of the manufacturer for the product or application.

installDate

object (Date)

The last time this product received service. The value of this property is replaced each time a patch is applied or removed from the product or the command-line option is used to repair the product.

helpLink

string

The internet address for technical support.

Date

JSON representation
{
  "year": integer,
  "month": integer,
  "day": integer
}
Fields
year

integer

Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

month

integer

Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

day

integer

Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
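Added example (not the Cloud Asset Inventory API's or Google's own code): a consumer of ListAssets results validating the Date object's "0 means unspecified" rules above before trusting a WindowsApplication installDate. The sample records are constructed, and reading year 0 as requiring both month and day is this example's interpretation.

```python
import calendar

# Added example, not Google's code: validate and classify a Cloud Asset
# Inventory `Date` object (year/month/day, 0 meaning "not specified") as
# used in WindowsApplication.installDate. Treating year 0 as requiring
# both month and day ("a date without a year") is this example's reading.

_SHAPES = {
    (True, True, True): "full",          # year, month and day all set
    (False, True, True): "month_day",    # year 0: date without a year
    (True, False, False): "year",        # month and day 0: year by itself
    (True, True, False): "year_month",   # day 0: day not significant
}

def _days_in_month(year: int, month: int) -> int:
    """Days in the month; with year 0 (unknown year) allow Feb 29."""
    if year == 0:
        return 29 if month == 2 else calendar.monthrange(2001, month)[1]
    return calendar.monthrange(year, month)[1]

def classify_date(d: dict) -> tuple[bool, str]:
    """Return (True, shape) for a valid Date, or (False, reason) otherwise."""
    vals = [d.get(k, 0) for k in ("year", "month", "day")]
    if not all(isinstance(v, int) and not isinstance(v, bool) for v in vals):
        return False, "year/month/day must be integers"
    year, month, day = vals
    if not (0 <= year <= 9999 and 0 <= month <= 12 and 0 <= day <= 31):
        return False, f"out of range: year={year} month={month} day={day}"
    shape = _SHAPES.get((year != 0, month != 0, day != 0))
    if shape is None:
        return False, "unsupported combination of unspecified fields"
    if day and day > _days_in_month(year, month):
        return False, f"day {day} is not valid for month {month}, year {year}"
    return True, shape

# Constructed WindowsApplication records (sample data, not real inventory).
SAMPLE_APPS = [
    {"displayName": "AppA", "installDate": {"year": 2024, "month": 2, "day": 29}},
    {"displayName": "AppB", "installDate": {"year": 2023, "month": 2, "day": 29}},
    {"displayName": "AppC", "installDate": {"year": 2022, "month": 0, "day": 5}},
    {"displayName": "AppD", "installDate": {"year": 0, "month": 7, "day": 4}},
]

def check_install_dates(apps: list) -> dict:
    """Map each app's displayName to classify_date() of its installDate."""
    return {a["displayName"]: classify_date(a.get("installDate", {})) for a in apps}
```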

RelatedAssets

JSON representation
{
  "relationshipAttributes": {
    object (RelationshipAttributes)
  },
  "assets": [
    {
      object (RelatedAsset)
    }
  ]
}
Fields
relationshipAttributes

object (RelationshipAttributes)

The detailed relationship attributes.

assets[]

object (RelatedAsset)

The peer resources of the relationship.

RelationshipAttributes

JSON representation
{
  "type": string,
  "sourceResourceType": string,
  "targetResourceType": string,
  "action": string
}
Fields
type

string

The unique identifier of the relationship type. Example: INSTANCE_TO_INSTANCEGROUP

sourceResourceType

string

The source asset type. Example: compute.googleapis.com/Instance

targetResourceType

string

The target asset type. Example: compute.googleapis.com/Disk

action

string

The detail of the relationship, e.g. contains, attaches.

RelatedAsset

JSON representation
{
  "asset": string,
  "assetType": string,
  "ancestors": [
    string
  ],
  "relationshipType": string
}
Fields
asset

string

The full name of the asset. Example: //compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1

See Resource names for more information.

assetType

string

The type of the asset. Example: compute.googleapis.com/Disk

See Supported asset types for more information.

ancestors[]

string

The ancestors of an asset in Google Cloud resource hierarchy, represented as a list of relative resource names. An ancestry path starts with the closest ancestor in the hierarchy and ends at root.

Example: ["projects/123456789", "folders/5432", "organizations/1234"]

relationshipType

string

The unique identifier of the relationship type. Example: INSTANCE_TO_INSTANCEGROUP

AssetException

JSON representation
{
  "exceptionType": enum (ExceptionType),
  "details": string
}
Fields
exceptionType

enum (ExceptionType)

The type of exception.

details

string

The details of the exception.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌