
Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

google-native.cloudasset/v1.getSavedQuery


    Gets details about a saved query.

    Using getSavedQuery

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    TypeScript:

    function getSavedQuery(args: GetSavedQueryArgs, opts?: InvokeOptions): Promise<GetSavedQueryResult>
    function getSavedQueryOutput(args: GetSavedQueryOutputArgs, opts?: InvokeOptions): Output<GetSavedQueryResult>

    Python:

    def get_saved_query(saved_query_id: Optional[str] = None,
                        v1_id: Optional[str] = None,
                        v1_id1: Optional[str] = None,
                        opts: Optional[InvokeOptions] = None) -> GetSavedQueryResult
    def get_saved_query_output(saved_query_id: Optional[pulumi.Input[str]] = None,
                               v1_id: Optional[pulumi.Input[str]] = None,
                               v1_id1: Optional[pulumi.Input[str]] = None,
                               opts: Optional[InvokeOptions] = None) -> Output[GetSavedQueryResult]

    Go:

    func LookupSavedQuery(ctx *Context, args *LookupSavedQueryArgs, opts ...InvokeOption) (*LookupSavedQueryResult, error)
    func LookupSavedQueryOutput(ctx *Context, args *LookupSavedQueryOutputArgs, opts ...InvokeOption) LookupSavedQueryResultOutput

    > Note: This function is named LookupSavedQuery in the Go SDK.

    C#:

    public static class GetSavedQuery
    {
        public static Task<GetSavedQueryResult> InvokeAsync(GetSavedQueryArgs args, InvokeOptions? opts = null)
        public static Output<GetSavedQueryResult> Invoke(GetSavedQueryInvokeArgs args, InvokeOptions? opts = null)
    }

    Java:

    public static CompletableFuture<GetSavedQueryResult> getSavedQuery(GetSavedQueryArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet

    YAML:

    fn::invoke:
      function: google-native:cloudasset/v1:getSavedQuery
      arguments:
        # arguments dictionary

    The following arguments are supported:

    SavedQueryId string
    V1Id string
    V1Id1 string
    SavedQueryId string
    V1Id string
    V1Id1 string
    savedQueryId String
    v1Id String
    v1Id1 String
    savedQueryId string
    v1Id string
    v1Id1 string
    savedQueryId String
    v1Id String
    v1Id1 String

    getSavedQuery Result

    The following output properties are available:

    Content Pulumi.GoogleNative.CloudAsset.V1.Outputs.QueryContentResponse
    The query content.
    CreateTime string
    The create time of this saved query.
    Creator string
    The email address of the account that created this saved query.
    Description string
    The description of this saved query. This value should be fewer than 255 characters.
    Labels Dictionary<string, string>
    Labels applied on the resource. This value should not contain more than 10 entries. The key and value of each entry must be non-empty and fewer than 64 characters.
    LastUpdateTime string
    The last update time of this saved query.
    LastUpdater string
    The email address of the account that most recently updated this saved query.
    Name string
    The resource name of the saved query. The format must be:
    * projects/project_number/savedQueries/saved_query_id
    * folders/folder_number/savedQueries/saved_query_id
    * organizations/organization_number/savedQueries/saved_query_id
    Content QueryContentResponse
    The query content.
    CreateTime string
    The create time of this saved query.
    Creator string
    The email address of the account that created this saved query.
    Description string
    The description of this saved query. This value should be fewer than 255 characters.
    Labels map[string]string
    Labels applied on the resource. This value should not contain more than 10 entries. The key and value of each entry must be non-empty and fewer than 64 characters.
    LastUpdateTime string
    The last update time of this saved query.
    LastUpdater string
    The email address of the account that most recently updated this saved query.
    Name string
    The resource name of the saved query. The format must be:
    * projects/project_number/savedQueries/saved_query_id
    * folders/folder_number/savedQueries/saved_query_id
    * organizations/organization_number/savedQueries/saved_query_id
    content QueryContentResponse
    The query content.
    createTime String
    The create time of this saved query.
    creator String
    The email address of the account that created this saved query.
    description String
    The description of this saved query. This value should be fewer than 255 characters.
    labels Map<String,String>
    Labels applied on the resource. This value should not contain more than 10 entries. The key and value of each entry must be non-empty and fewer than 64 characters.
    lastUpdateTime String
    The last update time of this saved query.
    lastUpdater String
    The email address of the account that most recently updated this saved query.
    name String
    The resource name of the saved query. The format must be:
    * projects/project_number/savedQueries/saved_query_id
    * folders/folder_number/savedQueries/saved_query_id
    * organizations/organization_number/savedQueries/saved_query_id
    content QueryContentResponse
    The query content.
    createTime string
    The create time of this saved query.
    creator string
    The email address of the account that created this saved query.
    description string
    The description of this saved query. This value should be fewer than 255 characters.
    labels {[key: string]: string}
    Labels applied on the resource. This value should not contain more than 10 entries. The key and value of each entry must be non-empty and fewer than 64 characters.
    lastUpdateTime string
    The last update time of this saved query.
    lastUpdater string
    The email address of the account that most recently updated this saved query.
    name string
    The resource name of the saved query. The format must be:
    * projects/project_number/savedQueries/saved_query_id
    * folders/folder_number/savedQueries/saved_query_id
    * organizations/organization_number/savedQueries/saved_query_id
    content QueryContentResponse
    The query content.
    create_time str
    The create time of this saved query.
    creator str
    The email address of the account that created this saved query.
    description str
    The description of this saved query. This value should be fewer than 255 characters.
    labels Mapping[str, str]
    Labels applied on the resource. This value should not contain more than 10 entries. The key and value of each entry must be non-empty and fewer than 64 characters.
    last_update_time str
    The last update time of this saved query.
    last_updater str
    The email address of the account that most recently updated this saved query.
    name str
    The resource name of the saved query. The format must be:
    * projects/project_number/savedQueries/saved_query_id
    * folders/folder_number/savedQueries/saved_query_id
    * organizations/organization_number/savedQueries/saved_query_id
    content Property Map
    The query content.
    createTime String
    The create time of this saved query.
    creator String
    The email address of the account that created this saved query.
    description String
    The description of this saved query. This value should be fewer than 255 characters.
    labels Map<String>
    Labels applied on the resource. This value should not contain more than 10 entries. The key and value of each entry must be non-empty and fewer than 64 characters.
    lastUpdateTime String
    The last update time of this saved query.
    lastUpdater String
    The email address of the account that most recently updated this saved query.
    name String
    The resource name of the saved query. The format must be:
    * projects/project_number/savedQueries/saved_query_id
    * folders/folder_number/savedQueries/saved_query_id
    * organizations/organization_number/savedQueries/saved_query_id

    Supporting Types

    AccessSelectorResponse

    Permissions List<string>
    Optional. The permissions to appear in result.
    Roles List<string>
    Optional. The roles to appear in result.
    Permissions []string
    Optional. The permissions to appear in result.
    Roles []string
    Optional. The roles to appear in result.
    permissions List<String>
    Optional. The permissions to appear in result.
    roles List<String>
    Optional. The roles to appear in result.
    permissions string[]
    Optional. The permissions to appear in result.
    roles string[]
    Optional. The roles to appear in result.
    permissions Sequence[str]
    Optional. The permissions to appear in result.
    roles Sequence[str]
    Optional. The roles to appear in result.
    permissions List<String>
    Optional. The permissions to appear in result.
    roles List<String>
    Optional. The roles to appear in result.

    ConditionContextResponse

    AccessTime string
    The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
    AccessTime string
    The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
    accessTime String
    The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
    accessTime string
    The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
    access_time str
    The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
    accessTime String
    The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.

    IamPolicyAnalysisQueryResponse

    AccessSelector Pulumi.GoogleNative.CloudAsset.V1.Inputs.AccessSelectorResponse
    Optional. Specifies roles or permissions for analysis. This is optional.
    ConditionContext Pulumi.GoogleNative.CloudAsset.V1.Inputs.ConditionContextResponse
    Optional. The hypothetical context for IAM conditions evaluation.
    IdentitySelector Pulumi.GoogleNative.CloudAsset.V1.Inputs.IdentitySelectorResponse
    Optional. Specifies an identity for analysis.
    Options Pulumi.GoogleNative.CloudAsset.V1.Inputs.OptionsResponse
    Optional. The query options.
    ResourceSelector Pulumi.GoogleNative.CloudAsset.V1.Inputs.ResourceSelectorResponse
    Optional. Specifies a resource for analysis.
    Scope string
    The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To learn how to get the organization ID, visit here. To learn how to get the folder or project ID, visit here.
    AccessSelector AccessSelectorResponse
    Optional. Specifies roles or permissions for analysis. This is optional.
    ConditionContext ConditionContextResponse
    Optional. The hypothetical context for IAM conditions evaluation.
    IdentitySelector IdentitySelectorResponse
    Optional. Specifies an identity for analysis.
    Options OptionsResponse
    Optional. The query options.
    ResourceSelector ResourceSelectorResponse
    Optional. Specifies a resource for analysis.
    Scope string
    The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To learn how to get the organization ID, visit here. To learn how to get the folder or project ID, visit here.
    accessSelector AccessSelectorResponse
    Optional. Specifies roles or permissions for analysis. This is optional.
    conditionContext ConditionContextResponse
    Optional. The hypothetical context for IAM conditions evaluation.
    identitySelector IdentitySelectorResponse
    Optional. Specifies an identity for analysis.
    options OptionsResponse
    Optional. The query options.
    resourceSelector ResourceSelectorResponse
    Optional. Specifies a resource for analysis.
    scope String
    The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To learn how to get the organization ID, visit here. To learn how to get the folder or project ID, visit here.
    accessSelector AccessSelectorResponse
    Optional. Specifies roles or permissions for analysis. This is optional.
    conditionContext ConditionContextResponse
    Optional. The hypothetical context for IAM conditions evaluation.
    identitySelector IdentitySelectorResponse
    Optional. Specifies an identity for analysis.
    options OptionsResponse
    Optional. The query options.
    resourceSelector ResourceSelectorResponse
    Optional. Specifies a resource for analysis.
    scope string
    The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To learn how to get the organization ID, visit here. To learn how to get the folder or project ID, visit here.
    access_selector AccessSelectorResponse
    Optional. Specifies roles or permissions for analysis. This is optional.
    condition_context ConditionContextResponse
    Optional. The hypothetical context for IAM conditions evaluation.
    identity_selector IdentitySelectorResponse
    Optional. Specifies an identity for analysis.
    options OptionsResponse
    Optional. The query options.
    resource_selector ResourceSelectorResponse
    Optional. Specifies a resource for analysis.
    scope str
    The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To learn how to get the organization ID, visit here. To learn how to get the folder or project ID, visit here.
    accessSelector Property Map
    Optional. Specifies roles or permissions for analysis. This is optional.
    conditionContext Property Map
    Optional. The hypothetical context for IAM conditions evaluation.
    identitySelector Property Map
    Optional. Specifies an identity for analysis.
    options Property Map
    Optional. The query options.
    resourceSelector Property Map
    Optional. Specifies a resource for analysis.
    scope String
    The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed. This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345"). To learn how to get the organization ID, visit here. To learn how to get the folder or project ID, visit here.

    IdentitySelectorResponse

    Identity string
    The identity, in the form in which principals appear in an IAM policy binding. Examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Note that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
    Identity string
    The identity, in the form in which principals appear in an IAM policy binding. Examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Note that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
    identity String
    The identity, in the form in which principals appear in an IAM policy binding. Examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Note that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
    identity string
    The identity, in the form in which principals appear in an IAM policy binding. Examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Note that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
    identity str
    The identity, in the form in which principals appear in an IAM policy binding. Examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Note that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
    identity String
    The identity, in the form in which principals appear in an IAM policy binding. Examples of supported forms are: "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com". Note that wildcard characters (such as * and ?) are not supported. You must give a specific identity.
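
The constraints stated above for a saved query (name format, description and label limits, scope, identity form, and an access time that must not lie in the past) can be checked before a stored query is relied on. The linter below is an added example, not part of the Pulumi SDK; it works on a plain dict shaped like GetSavedQueryResult, and the nesting under `content.iam_policy_analysis_query`, the function name `lint_saved_query` and both sample inputs are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Shapes taken from the Name and Scope descriptions on this page.
NAME_RE = re.compile(r"^(projects|folders|organizations)/\d+/savedQueries/[^/]+$")
SCOPE_RE = re.compile(r"^(organizations/\d+|folders/\d+|projects/[^/]+)$")


def _parse_rfc3339(ts):
    """Parse a timestamp such as 2030-01-01T00:00:00Z as an aware datetime."""
    parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def lint_saved_query(sq, now=None):
    """Return a list of findings for a dict shaped like GetSavedQueryResult."""
    now = now or datetime.now(timezone.utc)
    findings = []

    if not NAME_RE.match(sq.get("name", "")):
        findings.append("name: expected <projects|folders|organizations>/<number>/savedQueries/<id>")
    if len(sq.get("description", "")) >= 255:
        findings.append("description: must be fewer than 255 characters")

    labels = sq.get("labels") or {}
    if len(labels) > 10:
        findings.append("labels: more than 10 entries")
    for key, value in labels.items():
        if not (0 < len(key) < 64 and 0 < len(value) < 64):
            findings.append(f"labels[{key!r}]: key and value must be non-empty and fewer than 64 characters")

    # Assumption: the analysis query sits under content.iam_policy_analysis_query.
    query = (sq.get("content") or {}).get("iam_policy_analysis_query") or {}
    if not SCOPE_RE.match(query.get("scope", "")):
        findings.append("scope: expected organizations/<number>, folders/<number> or projects/<id or number>")

    identity = (query.get("identity_selector") or {}).get("identity")
    if identity is not None:
        if "*" in identity or "?" in identity:
            findings.append("identity: wildcards are not supported, name one specific principal")
        elif ":" not in identity:
            findings.append("identity: expected a typed principal such as user:... or serviceAccount:...")

    # A stored access_time goes stale: once it is earlier than the current
    # time, the analysis is rejected with INVALID_ARGUMENT.
    access_time = (query.get("condition_context") or {}).get("access_time")
    if access_time and _parse_rfc3339(access_time) < now:
        findings.append("access_time: earlier than the current time")
    return findings


# Constructed sample inputs (not real saved queries).
GOOD = {
    "name": "organizations/123/savedQueries/who-can-reach-appspot-sa",
    "description": "Access held by the App Engine default service account",
    "labels": {"team": "secops"},
    "content": {"iam_policy_analysis_query": {
        "scope": "organizations/123",
        "identity_selector": {"identity": "serviceAccount:my-project-id@appspot.gserviceaccount.com"},
        "condition_context": {"access_time": "2030-01-01T00:00:00Z"},
    }},
}
BAD = {
    "name": "projects/my-project-id/savedQueries/q1",  # project ID, not a number
    "description": "x" * 255,
    "labels": {f"k{i}": "v" for i in range(11)},
    "content": {"iam_policy_analysis_query": {
        "scope": "my-project-id",
        "identity_selector": {"identity": "user:*@example.com"},
        "condition_context": {"access_time": "2020-01-01T00:00:00Z"},
    }},
}

if __name__ == "__main__":
    for finding in lint_saved_query(BAD):
        print(finding)
```
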

    OptionsResponse

    AnalyzeServiceAccountImpersonation bool
    Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use the AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there is an IAM policy stating that user A has the iam.serviceAccounts.getAccessToken permission on a service account SA, and another IAM policy stating that service account SA has permission P on a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. As another example, if the request analyzes who has permission P on a Google Cloud folder F, and there is an IAM policy stating that user A has the iam.serviceAccounts.actAs permission on a service account SA, and another IAM policy stating that service account SA has permission P on the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis:
    * iam.serviceAccounts.actAs
    * iam.serviceAccounts.signBlob
    * iam.serviceAccounts.signJwt
    * iam.serviceAccounts.getAccessToken
    * iam.serviceAccounts.getOpenIdToken
    * iam.serviceAccounts.implicitDelegation
    Default is false.
    ExpandGroups bool
    Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag must not be set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy. Default is false.
    ExpandResources bool
    Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy and 100000 for AssetService.AnalyzeIamPolicyLongrunning. Default is false.
    ExpandRoles bool
    Optional. If true, the access section of the result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag must not be set. Default is false.
    OutputGroupEdges bool
    Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
    OutputResourceEdges bool
    Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
    AnalyzeServiceAccountImpersonation bool
    Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use the AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there is an IAM policy stating that user A has the iam.serviceAccounts.getAccessToken permission on a service account SA, and another IAM policy stating that service account SA has permission P on a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. As another example, if the request analyzes who has permission P on a Google Cloud folder F, and there is an IAM policy stating that user A has the iam.serviceAccounts.actAs permission on a service account SA, and another IAM policy stating that service account SA has permission P on the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis:
    * iam.serviceAccounts.actAs
    * iam.serviceAccounts.signBlob
    * iam.serviceAccounts.signJwt
    * iam.serviceAccounts.getAccessToken
    * iam.serviceAccounts.getOpenIdToken
    * iam.serviceAccounts.implicitDelegation
    Default is false.
    ExpandGroups bool
    Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag must not be set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy. Default is false.
    ExpandResources bool
    Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy and 100000 for AssetService.AnalyzeIamPolicyLongrunning. Default is false.
    ExpandRoles bool
    Optional. If true, the access section of the result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag must not be set. Default is false.
    OutputGroupEdges bool
    Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
    OutputResourceEdges bool
    Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
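
The two impersonation examples in the AnalyzeServiceAccountImpersonation description, worked through over a small set of bindings. This is an added example, not the Cloud Asset service's algorithm or Pulumi code: the flat `Binding` model, the function names and all identities are constructed, and `max_hops` greater than 1 is the example's own generalization of the single hop the page describes.

```python
from collections import namedtuple

# The only permissions the page says are considered for impersonation analysis.
IMPERSONATION_PERMISSIONS = frozenset({
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.signBlob",
    "iam.serviceAccounts.signJwt",
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.getOpenIdToken",
    "iam.serviceAccounts.implicitDelegation",
})

# Simplified model (assumption): one binding is one permission for one member
# on one resource, with roles already expanded. A service account is named by
# its principal string both as a member and as the resource of a binding.
# Grants inherited from a parent project or folder are not modelled.
Binding = namedtuple("Binding", "resource permission member")


def reachable_identities(member, bindings, max_hops=1):
    """Map each identity `member` can act as to the hops that lead there."""
    reach = {member: []}
    frontier = [member]
    for _ in range(max_hops):
        next_frontier = []
        for ident in frontier:
            for b in bindings:
                if (b.member == ident
                        and b.permission in IMPERSONATION_PERMISSIONS
                        and b.resource.startswith("serviceAccount:")
                        and b.resource not in reach):
                    hop = f"{ident} has {b.permission} on {b.resource}"
                    reach[b.resource] = reach[ident] + [hop]
                    next_frontier.append(b.resource)
        frontier = next_frontier
    return reach


def resources_with_permission(member, permission, bindings, max_hops=1):
    """First example: on which resources does `member` hold `permission`?"""
    found = {}
    for ident, hops in reachable_identities(member, bindings, max_hops).items():
        for b in bindings:
            if b.member == ident and b.permission == permission:
                step = f"{ident} has {permission} on {b.resource}"
                found.setdefault(b.resource, hops + [step])
    return found


def members_with_permission(resource, permission, bindings, max_hops=1):
    """Second example: who holds `permission` on `resource`, and by what path?"""
    found = {}
    for member in sorted({b.member for b in bindings}):
        paths = resources_with_permission(member, permission, bindings, max_hops)
        if resource in paths:
            found[member] = paths[resource]
    return found


# Constructed bindings (not real identities or policies).
P = "resourcemanager.folders.setIamPolicy"
DEPLOYER = "serviceAccount:deployer@my-project-id.iam.gserviceaccount.com"
BUILDER = "serviceAccount:builder@my-project-id.iam.gserviceaccount.com"
BINDINGS = [
    Binding("folders/123", P, "user:bob@example.com"),
    Binding("folders/123", P, DEPLOYER),
    Binding(DEPLOYER, "iam.serviceAccounts.getAccessToken", "user:alice@example.com"),
    Binding(DEPLOYER, "iam.serviceAccounts.signJwt", BUILDER),
    Binding(BUILDER, "iam.serviceAccounts.actAs", "user:carol@example.com"),
    # Not one of the six considered permissions, so no path for dave.
    Binding(DEPLOYER, "iam.serviceAccounts.get", "user:dave@example.com"),
]

if __name__ == "__main__":
    result = members_with_permission("folders/123", P, BINDINGS, max_hops=2)
    for member, path in result.items():
        print(member, "->", " ; ".join(path))
```

A review that looks only at direct bindings on `folders/123` would list bob and the deployer service account; the impersonation paths add alice and the builder service account at one hop, and carol at two.
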
    analyzeServiceAccountImpersonation Boolean
    Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use the AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there is an IAM policy stating that user A has the iam.serviceAccounts.getAccessToken permission on a service account SA, and another IAM policy stating that service account SA has permission P on a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. As another example, if the request analyzes who has permission P on a Google Cloud folder F, and there is an IAM policy stating that user A has the iam.serviceAccounts.actAs permission on a service account SA, and another IAM policy stating that service account SA has permission P on the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis:
    * iam.serviceAccounts.actAs
    * iam.serviceAccounts.signBlob
    * iam.serviceAccounts.signJwt
    * iam.serviceAccounts.getAccessToken
    * iam.serviceAccounts.getOpenIdToken
    * iam.serviceAccounts.implicitDelegation
    Default is false.
    expandGroups Boolean
    Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag must not be set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy. Default is false.
    expandResources Boolean
    Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy and 100000 for AssetService.AnalyzeIamPolicyLongrunning. Default is false.
    expandRoles Boolean
    Optional. If true, the access section of the result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag must not be set. Default is false.
    outputGroupEdges Boolean
    Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
    outputResourceEdges Boolean
    Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
    analyzeServiceAccountImpersonation boolean
    Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use the AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there is an IAM policy stating that user A has the iam.serviceAccounts.getAccessToken permission on a service account SA, and another IAM policy stating that service account SA has permission P on a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. As another example, if the request analyzes who has permission P on a Google Cloud folder F, and there is an IAM policy stating that user A has the iam.serviceAccounts.actAs permission on a service account SA, and another IAM policy stating that service account SA has permission P on the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis:
    * iam.serviceAccounts.actAs
    * iam.serviceAccounts.signBlob
    * iam.serviceAccounts.signJwt
    * iam.serviceAccounts.getAccessToken
    * iam.serviceAccounts.getOpenIdToken
    * iam.serviceAccounts.implicitDelegation
    Default is false.
    expandGroups boolean
    Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag must not be set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy. Default is false.
    expandResources boolean
    Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy and 100000 for AssetService.AnalyzeIamPolicyLongrunning. Default is false.
    expandRoles boolean
    Optional. If true, the access section of the result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag must not be set. Default is false.
    outputGroupEdges boolean
    Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
    outputResourceEdges boolean
    Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
    analyze_service_account_impersonation bool
    Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use the AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there is an IAM policy stating that user A has the iam.serviceAccounts.getAccessToken permission on a service account SA, and another IAM policy stating that service account SA has permission P on a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. As another example, if the request analyzes who has permission P on a Google Cloud folder F, and there is an IAM policy stating that user A has the iam.serviceAccounts.actAs permission on a service account SA, and another IAM policy stating that service account SA has permission P on the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: iam.serviceAccounts.actAs, iam.serviceAccounts.signBlob, iam.serviceAccounts.signJwt, iam.serviceAccounts.getAccessToken, iam.serviceAccounts.getOpenIdToken, and iam.serviceAccounts.implicitDelegation. Default is false.
    expand_groups bool
    Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag must not be set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy. Default is false.
    expand_resources bool
    Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy and 100000 for AssetService.AnalyzeIamPolicyLongrunning. Default is false.
    expand_roles bool
    Optional. If true, the access section of the result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag must not be set. Default is false.
    output_group_edges bool
    Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
    output_resource_edges bool
    Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
    analyzeServiceAccountImpersonation Boolean
    Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use the AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if the request analyzes for which resources user A has permission P, and there is an IAM policy stating that user A has the iam.serviceAccounts.getAccessToken permission on a service account SA, and another IAM policy stating that service account SA has permission P on a Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. As another example, if the request analyzes who has permission P on a Google Cloud folder F, and there is an IAM policy stating that user A has the iam.serviceAccounts.actAs permission on a service account SA, and another IAM policy stating that service account SA has permission P on the Google Cloud folder F, then user A potentially has access to the Google Cloud folder F. Those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis: iam.serviceAccounts.actAs, iam.serviceAccounts.signBlob, iam.serviceAccounts.signJwt, iam.serviceAccounts.getAccessToken, iam.serviceAccounts.getOpenIdToken, and iam.serviceAccounts.implicitDelegation. Default is false.
    expandGroups Boolean
    Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag must not be set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy. Default is false.
    expandResources Boolean
    Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a Google Cloud folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resources cannot be used together with this option. For example, if the request analyzes for which users have permission P on a Google Cloud project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy and 100000 for AssetService.AnalyzeIamPolicyLongrunning. Default is false.
    expandRoles Boolean
    Optional. If true, the access section of the result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag must not be set. Default is false.
    outputGroupEdges Boolean
    Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.
    outputResourceEdges Boolean
    Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.
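
The two impersonation examples in the analyzeServiceAccountImpersonation description, worked as a toy model. This is an added example, not Pulumi or Google Cloud code: the Grant tuple, the sample principals, the folder ID, the choice of storage.buckets.list as permission P, and the use of one string for the service account as both principal and resource are assumptions, and only a single impersonation hop is modelled.

```python
from typing import NamedTuple

# The only permissions the option's description says are considered.
IMPERSONATION_PERMISSIONS = frozenset({
    "iam.serviceAccounts.actAs", "iam.serviceAccounts.signBlob",
    "iam.serviceAccounts.signJwt", "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.getOpenIdToken", "iam.serviceAccounts.implicitDelegation",
})

class Grant(NamedTuple):
    principal: str
    permission: str
    resource: str  # for impersonation permissions, the service account itself

# Constructed sample data; every name below is hypothetical.
SA = "serviceAccount:sa@example-project.iam.gserviceaccount.com"
FOLDER_F = "//cloudresourcemanager.googleapis.com/folders/000000000000"
P = "storage.buckets.list"
GRANTS = [
    Grant("user:a@example.com", "iam.serviceAccounts.getAccessToken", SA),
    Grant("user:b@example.com", "iam.serviceAccounts.actAs", SA),
    Grant("user:c@example.com", "iam.serviceAccounts.get", SA),  # not in the list
    Grant("user:d@example.com", P, FOLDER_F),
    Grant(SA, P, FOLDER_F),
]

def who_has(permission, resource, grants):
    """Second example: map each principal with potential access to its path."""
    direct = {g.principal for g in grants
              if g.permission == permission and g.resource == resource}
    paths = {p: "direct" for p in direct}
    for g in grants:
        if g.permission in IMPERSONATION_PERMISSIONS and g.resource in direct:
            paths.setdefault(g.principal, f"via {g.resource} ({g.permission})")
    return paths

def resources_for(principal, permission, grants):
    """First example: map each resource the principal can reach to its path."""
    impersonable = {g.resource for g in grants if g.principal == principal
                    and g.permission in IMPERSONATION_PERMISSIONS}
    paths = {g.resource: "direct" for g in grants
             if g.permission == permission and g.principal == principal}
    for g in grants:
        if g.permission == permission and g.principal in impersonable:
            paths.setdefault(g.resource, f"via {g.principal}")
    return paths

if __name__ == "__main__":
    for who, path in sorted(who_has(P, FOLDER_F, GRANTS).items()):
        print(f"{who}: {path}")
```
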

    QueryContentResponse

    IamPolicyAnalysisQuery Pulumi.GoogleNative.CloudAsset.V1.Inputs.IamPolicyAnalysisQueryResponse
    An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
    IamPolicyAnalysisQuery IamPolicyAnalysisQueryResponse
    An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
    iamPolicyAnalysisQuery IamPolicyAnalysisQueryResponse
    An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
    iamPolicyAnalysisQuery IamPolicyAnalysisQueryResponse
    An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
    iam_policy_analysis_query IamPolicyAnalysisQueryResponse
    An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.
    iamPolicyAnalysisQuery Property Map
    An IAM Policy Analysis query, which could be used in the AssetService.AnalyzeIamPolicy RPC or the AssetService.AnalyzeIamPolicyLongrunning RPC.

    ResourceSelectorResponse

    FullResourceName string
    The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
    FullResourceName string
    The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
    fullResourceName String
    The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
    fullResourceName string
    The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
    full_resource_name str
    The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.
    fullResourceName String
    The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format) of a resource of supported resource types.

    Package Details

    Repository
    Google Cloud Native pulumi/pulumi-google-native
    License
    Apache-2.0