Class: Google::Iam::V1::IAMPolicy::Client

Inherits:

Object

• Object
• Google::Iam::V1::IAMPolicy::Client

Defined in:

lib/google/iam/v1/iam_policy/client.rb

Overview

Client for the IAMPolicy service.

API Overview

Manages Identity and Access Management (IAM) policies.

Any implementation of an API that offers access control features implements the google.iam.v1.IAMPolicy interface.

Data model

Access control is applied when a principal (user or service account), takes some action on a resource exposed by a service. Resources, identified by URI-like names, are the unit of access control specification. Service implementations can choose the granularity of access control and the supported permissions for their resources. For example one database service may allow access control to be specified only at the Table level, whereas another might allow access control to also be specified at the Column level.

Policy Structure

See google.iam.v1.Policy

This is intentionally not a CRUD style API because access control policies are created and deleted implicitly with the resources to which they are attached.

Defined Under Namespace

Classes: Configuration

Instance Attribute Summary

• #location_client ⇒ Google::Cloud::Location::Locations::Client readonly

  Get the associated client for mix-in of the Locations.

Class Method Summary

• .configure {|config| ... } ⇒ Client::Configuration

  Configure the IAMPolicy Client class.

Instance Method Summary

• #configure {|config| ... } ⇒ Client::Configuration

  Configure the IAMPolicy Client instance.

• #get_iam_policy(request, options = nil) {|response, operation| ... } ⇒ ::Google::Iam::V1::Policy

  Gets the access control policy for a resource.

• #initialize {|config| ... } ⇒ Client constructor

  Create a new IAMPolicy client object.

• #set_iam_policy(request, options = nil) {|response, operation| ... } ⇒ ::Google::Iam::V1::Policy

  Sets the access control policy on the specified resource.

• #test_iam_permissions(request, options = nil) {|response, operation| ... } ⇒ ::Google::Iam::V1::TestIamPermissionsResponse

  Returns permissions that a caller has on the specified resource.

Constructor Details

#initialize {|config| ... } ⇒ Client

Create a new IAMPolicy client object.

Examples:

# Create a client using the default configuration
client = ::Google::Iam::V1::IAMPolicy::Client.new

# Create a client using a custom configuration
client = ::Google::Iam::V1::IAMPolicy::Client.new do |config|
  config.timeout = 10.0
end

Yields:

• (config) —

  Configure the IAMPolicy client.

Yield Parameters:

• config (Client::Configuration)

# File 'lib/google/iam/v1/iam_policy/client.rb', line 132

def initialize
  # These require statements are intentionally placed here to initialize
  # the gRPC module only when it's required.
  # See https://github.com/googleapis/toolkit/issues/446
  require "gapic/grpc"
  require "google/iam/v1/iam_policy_services_pb"

  # Create the configuration object
  @config = Configuration.new Client.configure

  # Yield the configuration if needed
  yield @config if block_given?

  # Create credentials
  credentials = @config.credentials
  # Use self-signed JWT if the endpoint is unchanged from default,
  # but only if the default endpoint does not have a region prefix.
  enable_self_signed_jwt = @config.endpoint == Configuration::DEFAULT_ENDPOINT &&
                           !@config.endpoint.split(".").first.include?("-")
  credentials ||= Credentials.default scope: @config.scope,
                                      enable_self_signed_jwt: enable_self_signed_jwt
  if credentials.is_a?(::String) || credentials.is_a?(::Hash)
    credentials = Credentials.new credentials, scope: @config.scope
  end
  @quota_project_id = @config.quota_project
  @quota_project_id ||= credentials.quota_project_id if credentials.respond_to? :quota_project_id

  @location_client = Google::Cloud::Location::Locations::Client.new do |config|
    config.credentials = credentials
    config.quota_project = @quota_project_id
    config.endpoint = @config.endpoint
  end

  @iam_policy_stub = ::Gapic::ServiceStub.new(
    ::Google::Iam::V1::IAMPolicy::Stub,
    credentials:  credentials,
    endpoint:     @config.endpoint,
    channel_args: @config.channel_args,
    interceptors: @config.interceptors,
    channel_pool_config: @config.channel_pool
  )
end

Instance Attribute Details

#location_client ⇒ Google::Cloud::Location::Locations::Client (readonly)

Get the associated client for mix-in of the Locations.

Returns:

• (Google::Cloud::Location::Locations::Client)

# File 'lib/google/iam/v1/iam_policy/client.rb', line 180

def location_client
  @location_client
end

Class Method Details

.configure {|config| ... } ⇒ Client::Configuration

Configure the IAMPolicy Client class.

See Configuration for a description of the configuration fields.

Examples:

# Modify the configuration for all IAMPolicy clients
::Google::Iam::V1::IAMPolicy::Client.configure do |config|
  config.timeout = 10.0
end

Yields:

• (config) —

  Configure the Client client.

Yield Parameters:

• config (Client::Configuration)

Returns:

• (Client::Configuration)

# File 'lib/google/iam/v1/iam_policy/client.rb', line 79

def self.configure
  @configure ||= begin
    namespace = ["Google", "Iam", "V1"]
    parent_config = while namespace.any?
                      parent_name = namespace.join "::"
                      parent_const = const_get parent_name
                      break parent_const.configure if parent_const.respond_to? :configure
                      namespace.pop
                    end
    default_config = Client::Configuration.new parent_config

    default_config
  end
  yield @configure if block_given?
  @configure
end

Instance Method Details

#configure {|config| ... } ⇒ Client::Configuration

Configure the IAMPolicy Client instance.

The configuration is set to the derived mode, meaning that values can be changed, but structural changes (adding new fields, etc.) are not allowed. Structural changes should be made on configure.

See Configuration for a description of the configuration fields.

Yields:

• (config) —

  Configure the Client client.

Yield Parameters:

• config (Client::Configuration)

Returns:

• (Client::Configuration)

# File 'lib/google/iam/v1/iam_policy/client.rb', line 111

def configure
  yield @config if block_given?
  @config
end

#get_iam_policy(request, options = nil) ⇒ ::Google::Iam::V1::Policy #get_iam_policy(resource: nil, options: nil) ⇒ ::Google::Iam::V1::Policy

Gets the access control policy for a resource. Returns an empty policy if the resource exists and does not have a policy set.

Examples:

Basic example

require "google/iam/v1"

# Create a client object. The client can be reused for multiple calls.
client = Google::Iam::V1::IAMPolicy::Client.new

# Create a request. To set request fields, pass in keyword arguments.
request = Google::Iam::V1::GetIamPolicyRequest.new

# Call the get_iam_policy method.
result = client.get_iam_policy request

# The returned object is of type Google::Iam::V1::Policy.
p result

Overloads:

• #get_iam_policy(request, options = nil) ⇒ ::Google::Iam::V1::Policy

  Pass arguments to get_iam_policy via a request object, either of type GetIamPolicyRequest or an equivalent Hash.

  Parameters:

  • request (::Google::Iam::V1::GetIamPolicyRequest, ::Hash) —

    A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.

  • options (::Gapic::CallOptions, ::Hash) (defaults to: nil) —

    Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.

• #get_iam_policy(resource: nil, options: nil) ⇒ ::Google::Iam::V1::Policy

  Pass arguments to get_iam_policy via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above).

  Parameters:

  • resource (::String) (defaults to: nil) —

    REQUIRED: The resource for which the policy is being requested. See the operation documentation for the appropriate value for this field.

  • options (::Google::Iam::V1::GetPolicyOptions, ::Hash) (defaults to: nil) —

    OPTIONAL: A GetPolicyOptions object for specifying options to GetIamPolicy.

Yields:

• (response, operation) —

  Access the result along with the RPC operation

Yield Parameters:

• response (::Google::Iam::V1::Policy)
• operation (::GRPC::ActiveCall::Operation)

Returns:

• (::Google::Iam::V1::Policy)

Raises:

• (::Google::Cloud::Error) —

  if the RPC is aborted.

# File 'lib/google/iam/v1/iam_policy/client.rb', line 334

def get_iam_policy request, options = nil
  raise ::ArgumentError, "request must be provided" if request.nil?

  request = ::Gapic::Protobuf.coerce request, to: ::Google::Iam::V1::GetIamPolicyRequest

  # Converts hash and nil to an options object
  options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h

  # Customize the options with defaults
  metadata = @config.rpcs.get_iam_policy.metadata.to_h

  # Set x-goog-api-client and x-goog-user-project headers
  metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
    lib_name: @config.lib_name, lib_version: @config.lib_version,
    gapic_version: ::Google::Cloud::Batch::V1::VERSION
  metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id

  header_params = {}
  if request.resource
    header_params["resource"] = request.resource
  end

  request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
  metadata[:"x-goog-request-params"] ||= request_params_header

  options.apply_defaults timeout:      @config.rpcs.get_iam_policy.timeout,
                         metadata:     metadata,
                         retry_policy: @config.rpcs.get_iam_policy.retry_policy

  options.apply_defaults timeout:      @config.timeout,
                         metadata:     @config.metadata,
                         retry_policy: @config.retry_policy

  @iam_policy_stub.call_rpc :get_iam_policy, request, options: options do |response, operation|
    yield response, operation if block_given?
    return response
  end
rescue ::GRPC::BadStatus => e
  raise ::Google::Cloud::Error.from_error(e)
end

#set_iam_policy(request, options = nil) ⇒ ::Google::Iam::V1::Policy #set_iam_policy(resource: nil, policy: nil, update_mask: nil) ⇒ ::Google::Iam::V1::Policy

Sets the access control policy on the specified resource. Replaces any existing policy.

Can return NOT_FOUND, INVALID_ARGUMENT, and PERMISSION_DENIED errors.

Examples:

Basic example

require "google/iam/v1"

# Create a client object. The client can be reused for multiple calls.
client = Google::Iam::V1::IAMPolicy::Client.new

# Create a request. To set request fields, pass in keyword arguments.
request = Google::Iam::V1::SetIamPolicyRequest.new

# Call the set_iam_policy method.
result = client.set_iam_policy request

# The returned object is of type Google::Iam::V1::Policy.
p result

Overloads:

• #set_iam_policy(request, options = nil) ⇒ ::Google::Iam::V1::Policy

  Pass arguments to set_iam_policy via a request object, either of type SetIamPolicyRequest or an equivalent Hash.

  Parameters:

  • request (::Google::Iam::V1::SetIamPolicyRequest, ::Hash) —

    A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.

  • options (::Gapic::CallOptions, ::Hash) (defaults to: nil) —

    Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.

• #set_iam_policy(resource: nil, policy: nil, update_mask: nil) ⇒ ::Google::Iam::V1::Policy

  Pass arguments to set_iam_policy via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above).

  Parameters:

  • resource (::String) (defaults to: nil) —

    REQUIRED: The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field.

  • policy (::Google::Iam::V1::Policy, ::Hash) (defaults to: nil) —

    REQUIRED: The complete policy to be applied to the resource. The size of the policy is limited to a few 10s of KB. An empty policy is a valid policy but certain Cloud Platform services (such as Projects) might reject them.

  • update_mask (::Google::Protobuf::FieldMask, ::Hash) (defaults to: nil) —

    OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only the fields in the mask will be modified. If no mask is provided, the following default mask is used:

    paths: "bindings, etag"

Yields:

• (response, operation) —

  Access the result along with the RPC operation

Yield Parameters:

• response (::Google::Iam::V1::Policy)
• operation (::GRPC::ActiveCall::Operation)

Returns:

• (::Google::Iam::V1::Policy)

Raises:

• (::Google::Cloud::Error) —

  if the RPC is aborted.

# File 'lib/google/iam/v1/iam_policy/client.rb', line 243

def set_iam_policy request, options = nil
  raise ::ArgumentError, "request must be provided" if request.nil?

  request = ::Gapic::Protobuf.coerce request, to: ::Google::Iam::V1::SetIamPolicyRequest

  # Converts hash and nil to an options object
  options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h

  # Customize the options with defaults
  metadata = @config.rpcs.set_iam_policy.metadata.to_h

  # Set x-goog-api-client and x-goog-user-project headers
  metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
    lib_name: @config.lib_name, lib_version: @config.lib_version,
    gapic_version: ::Google::Cloud::Batch::V1::VERSION
  metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id

  header_params = {}
  if request.resource
    header_params["resource"] = request.resource
  end

  request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
  metadata[:"x-goog-request-params"] ||= request_params_header

  options.apply_defaults timeout:      @config.rpcs.set_iam_policy.timeout,
                         metadata:     metadata,
                         retry_policy: @config.rpcs.set_iam_policy.retry_policy

  options.apply_defaults timeout:      @config.timeout,
                         metadata:     @config.metadata,
                         retry_policy: @config.retry_policy

  @iam_policy_stub.call_rpc :set_iam_policy, request, options: options do |response, operation|
    yield response, operation if block_given?
    return response
  end
rescue ::GRPC::BadStatus => e
  raise ::Google::Cloud::Error.from_error(e)
end

#test_iam_permissions(request, options = nil) ⇒ ::Google::Iam::V1::TestIamPermissionsResponse #test_iam_permissions(resource: nil, permissions: nil) ⇒ ::Google::Iam::V1::TestIamPermissionsResponse

Returns permissions that a caller has on the specified resource. If the resource does not exist, this will return an empty set of permissions, not a NOT_FOUND error.

Note: This operation is designed to be used for building permission-aware UIs and command-line tools, not for authorization checking. This operation may "fail open" without warning.

Examples:

Basic example

require "google/iam/v1"

# Create a client object. The client can be reused for multiple calls.
client = Google::Iam::V1::IAMPolicy::Client.new

# Create a request. To set request fields, pass in keyword arguments.
request = Google::Iam::V1::TestIamPermissionsRequest.new

# Call the test_iam_permissions method.
result = client.test_iam_permissions request

# The returned object is of type Google::Iam::V1::TestIamPermissionsResponse.
p result

Overloads:

• #test_iam_permissions(request, options = nil) ⇒ ::Google::Iam::V1::TestIamPermissionsResponse

  Pass arguments to test_iam_permissions via a request object, either of type TestIamPermissionsRequest or an equivalent Hash.

  Parameters:

  • request (::Google::Iam::V1::TestIamPermissionsRequest, ::Hash) —

    A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.

  • options (::Gapic::CallOptions, ::Hash) (defaults to: nil) —

    Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.

• #test_iam_permissions(resource: nil, permissions: nil) ⇒ ::Google::Iam::V1::TestIamPermissionsResponse

  Pass arguments to test_iam_permissions via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above).

  Parameters:

  • resource (::String) (defaults to: nil) —

    REQUIRED: The resource for which the policy detail is being requested. See the operation documentation for the appropriate value for this field.

  • permissions (::Array<::String>) (defaults to: nil) —

    The set of permissions to check for the resource. Permissions with wildcards (such as '' or 'storage.') are not allowed. For more information see IAM Overview.

Yields:

• (response, operation) —

  Access the result along with the RPC operation

Yield Parameters:

• response (::Google::Iam::V1::TestIamPermissionsResponse)
• operation (::GRPC::ActiveCall::Operation)

Returns:

• (::Google::Iam::V1::TestIamPermissionsResponse)

Raises:

• (::Google::Cloud::Error) —

  if the RPC is aborted.

# File 'lib/google/iam/v1/iam_policy/client.rb', line 431

def test_iam_permissions request, options = nil
  raise ::ArgumentError, "request must be provided" if request.nil?

  request = ::Gapic::Protobuf.coerce request, to: ::Google::Iam::V1::TestIamPermissionsRequest

  # Converts hash and nil to an options object
  options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h

  # Customize the options with defaults
  metadata = @config.rpcs.test_iam_permissions.metadata.to_h

  # Set x-goog-api-client and x-goog-user-project headers
  metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
    lib_name: @config.lib_name, lib_version: @config.lib_version,
    gapic_version: ::Google::Cloud::Batch::V1::VERSION
  metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id

  header_params = {}
  if request.resource
    header_params["resource"] = request.resource
  end

  request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
  metadata[:"x-goog-request-params"] ||= request_params_header

  options.apply_defaults timeout:      @config.rpcs.test_iam_permissions.timeout,
                         metadata:     metadata,
                         retry_policy: @config.rpcs.test_iam_permissions.retry_policy

  options.apply_defaults timeout:      @config.timeout,
                         metadata:     @config.metadata,
                         retry_policy: @config.retry_policy

  @iam_policy_stub.call_rpc :test_iam_permissions, request, options: options do |response, operation|
    yield response, operation if block_given?
    return response
  end
rescue ::GRPC::BadStatus => e
  raise ::Google::Cloud::Error.from_error(e)
end