feat: serviceAccountKeyName, serviceAccountDelegationInfo, and principalSubject attributes added to the existing access attribute. These new attributes provide additional context about the principals that are associated with the finding

Google APIs · copybara-github · commit c7a52f4e986a · 2022-08-24T11:56:28.000-07:00
PiperOrigin-RevId: 469787268
diff --git a/google/cloud/securitycenter/v1/access.proto b/google/cloud/securitycenter/v1/access.proto
@@ -27,6 +27,13 @@ option ruby_package = "Google::Cloud::SecurityCenter::V1";
 // Represents an access event.
 message Access {
   // Associated email, such as "foo@google.com".
+  //
+  // The email address of the authenticated user (or service account on behalf
+  // of third party principal) making the request. For third party identity
+  // callers, the `principal_subject` field is populated instead of this field.
+  // For privacy reasons, the principal email address is sometimes redacted.
+  // For more information, see [Caller identities in audit
+  // logs](https://cloud.google.com/logging/docs/audit#user-id).
   string principal_email = 1;
 
   // Caller's IP address, such as "1.1.1.1".
@@ -45,6 +52,45 @@ message Access {
 
   // The method that the service account called, e.g. "SetIamPolicy".
   string method_name = 6;
+
+  // A string representing the principal_subject associated with the identity.
+  // As compared to `principal_email`, supports principals that aren't
+  // associated with email addresses, such as third party principals. For most
+  // identities, the format will be `principal://iam.googleapis.com/{identity
+  // pool name}/subjects/{subject}` except for some GKE identities
+  // (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy
+  // format `serviceAccount:{identity pool name}[{subject}]`
+  string principal_subject = 7;
+
+  // The name of the service account key used to create or exchange
+  // credentials for authenticating the service account making the request.
+  // This is a scheme-less URI full resource name. For example:
+  //
+  // "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"
+  //
+  string service_account_key_name = 8;
+
+  // Identity delegation history of an authenticated service account that makes
+  // the request. It contains information on the real authorities that try to
+  // access GCP resources by delegating on a service account. When multiple
+  // authorities are present, they are guaranteed to be sorted based on the
+  // original ordering of the identity delegation events.
+  repeated ServiceAccountDelegationInfo service_account_delegation_info = 9;
+}
+
+// Identity delegation history of an authenticated service account.
+message ServiceAccountDelegationInfo {
+  // The email address of a Google account.
+  string principal_email = 1;
+
+  // A string representing the principal_subject associated with the identity.
+  // As compared to `principal_email`, supports principals that aren't
+  // associated with email addresses, such as third party principals. For most
+  // identities, the format will be `principal://iam.googleapis.com/{identity
+  // pool name}/subjects/{subject}` except for some GKE identities
+  // (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy
+  // format `serviceAccount:{identity pool name}[{subject}]`
+  string principal_subject = 2;
 }
 
 // Represents a geographical location for a given access.
