1- // Copyright 2020 Google LLC
1+ // Copyright 2021 Google LLC
22//
33// Licensed under the Apache License, Version 2.0 (the "License");
44// you may not use this file except in compliance with the License.
@@ -25,6 +25,7 @@ import "google/longrunning/operations.proto";
2525import "google/protobuf/duration.proto" ;
2626import "google/protobuf/empty.proto" ;
2727import "google/protobuf/field_mask.proto" ;
28+ import "google/protobuf/struct.proto" ;
2829import "google/protobuf/timestamp.proto" ;
2930import "google/type/expr.proto" ;
3031
@@ -61,6 +62,15 @@ service AssetService {
6162 };
6263 }
6364
65+ // Lists assets with time and resource types and returns paged results in
66+ // response.
67+ rpc ListAssets (ListAssetsRequest ) returns (ListAssetsResponse ) {
68+ option (google.api.http ) = {
69+ get : "/v1/{parent=*/*}/assets"
70+ };
71+ option (google.api.method_signature ) = "parent" ;
72+ }
73+
6474 // Batch gets the update history of assets that overlap a time window.
6575 // For IAM_POLICY content, this API outputs history when the asset and its
6676 // attached IAM POLICY both exist. This can create gaps in the output history.
@@ -234,6 +244,74 @@ message ExportAssetsResponse {
234244 OutputResult output_result = 3 ;
235245}
236246
247+ // ListAssets request.
248+ message ListAssetsRequest {
249+ // Required. Name of the organization or project the assets belong to. Format:
250+ // "organizations/[organization-number]" (such as "organizations/123"),
251+ // "projects/[project-id]" (such as "projects/my-project-id"), or
252+ // "projects/[project-number]" (such as "projects/12345").
253+ string parent = 1 [
254+ (google.api.field_behavior ) = REQUIRED ,
255+ (google.api.resource_reference ) = {
256+ child_type : "cloudasset.googleapis.com/Asset"
257+ }
258+ ];
259+
260+ // Timestamp to take an asset snapshot. This can only be set to a timestamp
261+ // between the current time and the current time minus 35 days (inclusive).
262+ // If not specified, the current time will be used. Due to delays in resource
263+ // data collection and indexing, there is a volatile window during which
264+ // running the same query may get different results.
265+ google.protobuf.Timestamp read_time = 2 ;
266+
267+ // A list of asset types to take a snapshot for. For example:
268+ // "compute.googleapis.com/Disk".
269+ //
270+ // Regular expression is also supported. For example:
271+ //
272+ // * "compute.googleapis.com.*" snapshots resources whose asset type starts
273+ // with "compute.googleapis.com".
274+ // * ".*Instance" snapshots resources whose asset type ends with "Instance".
275+ // * ".*Instance.*" snapshots resources whose asset type contains "Instance".
276+ //
277+ // See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported
278+ // regular expression syntax. If the regular expression does not match any
279+ // supported asset type, an INVALID_ARGUMENT error will be returned.
280+ //
281+ // If specified, only matching assets will be returned, otherwise, it will
282+ // snapshot all asset types. See [Introduction to Cloud Asset
283+ // Inventory](https://cloud.google.com/asset-inventory/docs/overview)
284+ // for all supported asset types.
285+ repeated string asset_types = 3 ;
286+
287+ // Asset content type. If not specified, no content but the asset name will
288+ // be returned.
289+ ContentType content_type = 4 ;
290+
291+ // The maximum number of assets to be returned in a single response. Default
292+ // is 100, minimum is 1, and maximum is 1000.
293+ int32 page_size = 5 ;
294+
295+ // The `next_page_token` returned from the previous `ListAssetsResponse`, or
296+ // unspecified for the first `ListAssetsRequest`. It is a continuation of a
297+ // prior `ListAssets` call, and the API should return the next page of assets.
298+ string page_token = 6 ;
299+ }
300+
301+ // ListAssets response.
302+ message ListAssetsResponse {
303+ // Time the snapshot was taken.
304+ google.protobuf.Timestamp read_time = 1 ;
305+
306+ // Assets.
307+ repeated Asset assets = 2 ;
308+
309+ // Token to retrieve the next page of results. It expires 72 hours after the
310+ // page token for the first page is generated. Set to empty if there are no
311+ // remaining results.
312+ string next_page_token = 3 ;
313+ }
314+
237315// Batch get assets history request.
238316message BatchGetAssetsHistoryRequest {
239317 // Required. The relative name of the root asset. It can only be an
@@ -388,6 +466,10 @@ message GcsDestination {
388466 // Editing Object
389467 // Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
390468 // for more information.
469+ //
470+ // If the specified Cloud Storage object already exists and there is no
471+ // [hold](https://cloud.google.com/storage/docs/object-holds), it will be
472+ // overwritten with the exported result.
391473 string uri = 1 ;
392474
393475 // The uri prefix of all generated Cloud Storage objects. Example:
@@ -586,7 +668,7 @@ message Feed {
586668message SearchAllResourcesRequest {
587669 // Required. A scope can be a project, a folder, or an organization. The search is
588670 // limited to the resources within the `scope`. The caller must be granted the
589- // [`cloudasset.assets.searchAllResources`](http ://cloud.google.com/asset-inventory/docs/access-control#required_permissions)
671+ // [`cloudasset.assets.searchAllResources`](https ://cloud.google.com/asset-inventory/docs/access-control#required_permissions)
590672 // permission on the desired scope.
591673 //
592674 // The allowed values are:
@@ -598,36 +680,41 @@ message SearchAllResourcesRequest {
598680 string scope = 1 [(google.api.field_behavior ) = REQUIRED ];
599681
600682 // Optional. The query statement. See [how to construct a
601- // query](http ://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query)
683+ // query](https ://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query)
602684 // for more information. If not specified or empty, it will search all the
603- // resources within the specified `scope`. Note that the query string is
604- // compared against each Cloud IAM policy binding, including its members,
605- // roles, and Cloud IAM conditions. The returned Cloud IAM policies will only
606- // contain the bindings that match your query. To learn more about the IAM
607- // policy structure, see [IAM policy
608- // doc](https://cloud.google.com/iam/docs/policies#structure).
685+ // resources within the specified `scope`.
609686 //
610687 // Examples:
611688 //
612689 // * `name:Important` to find Cloud resources whose name contains
613690 // "Important" as a word.
691+ // * `name=Important` to find the Cloud resource whose name is exactly
692+ // "Important".
614693 // * `displayName:Impor*` to find Cloud resources whose display name
615- // contains "Impor" as a prefix.
616- // * `description:*por*` to find Cloud resources whose description
617- // contains "por" as a substring.
618- // * `location:us-west*` to find Cloud resources whose location is
619- // prefixed with "us-west".
694+ // contains "Impor" as a prefix of any word in the field.
695+ // * `location:us-west*` to find Cloud resources whose location contains both
696+ // "us" and "west" as prefixes.
620697 // * `labels:prod` to find Cloud resources whose labels contain "prod" as
621698 // a key or value.
622699 // * `labels.env:prod` to find Cloud resources that have a label "env"
623700 // and its value is "prod".
624701 // * `labels.env:*` to find Cloud resources that have a label "env".
702+ // * `kmsKey:key` to find Cloud resources encrypted with a customer-managed
703+ // encryption key whose name contains the word "key".
704+ // * `state:ACTIVE` to find Cloud resources whose state contains "ACTIVE" as a
705+ // word.
706+ // * `NOT state:ACTIVE` to find {{gcp_name}} resources whose state
707+ // doesn't contain "ACTIVE" as a word.
708+ // * `createTime<1609459200` to find Cloud resources that were created before
709+ // "2021-01-01 00:00:00 UTC". 1609459200 is the epoch timestamp of
710+ // "2021-01-01 00:00:00 UTC" in seconds.
711+ // * `updateTime>1609459200` to find Cloud resources that were updated after
712+ // "2021-01-01 00:00:00 UTC". 1609459200 is the epoch timestamp of
713+ // "2021-01-01 00:00:00 UTC" in seconds.
625714 // * `Important` to find Cloud resources that contain "Important" as a word
626715 // in any of the searchable fields.
627- // * `Impor*` to find Cloud resources that contain "Impor" as a prefix
628- // in any of the searchable fields.
629- // * `*por*` to find Cloud resources that contain "por" as a substring in
630- // any of the searchable fields.
716+ // * `Impor*` to find Cloud resources that contain "Impor" as a prefix of any
717+ // word in any of the searchable fields.
631718 // * `Important location:(us-west1 OR global)` to find Cloud
632719 // resources that contain "Important" as a word in any of the searchable
633720 // fields and are also located in the "us-west1" region or the "global"
@@ -637,6 +724,17 @@ message SearchAllResourcesRequest {
637724 // Optional. A list of asset types that this request searches for. If empty, it will
638725 // search all the [searchable asset
639726 // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
727+ //
728+ // Regular expressions are also supported. For example:
729+ //
730+ // * "compute.googleapis.com.*" snapshots resources whose asset type starts
731+ // with "compute.googleapis.com".
732+ // * ".*Instance" snapshots resources whose asset type ends with "Instance".
733+ // * ".*Instance.*" snapshots resources whose asset type contains "Instance".
734+ //
735+ // See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported
736+ // regular expression syntax. If the regular expression does not match any
737+ // supported asset type, an INVALID_ARGUMENT error will be returned.
640738 repeated string asset_types = 3 [(google.api.field_behavior ) = OPTIONAL ];
641739
642740 // Optional. The page size for search result pagination. Page size is capped at 500 even
@@ -651,12 +749,24 @@ message SearchAllResourcesRequest {
651749 // identical to those in the previous call.
652750 string page_token = 5 [(google.api.field_behavior ) = OPTIONAL ];
653751
654- // Optional. A comma separated list of fields specifying the sorting order of the
752+ // Optional. A comma- separated list of fields specifying the sorting order of the
655753 // results. The default order is ascending. Add " DESC" after the field name
656754 // to indicate descending order. Redundant space characters are ignored.
657- // Example: "location DESC, name". Only string fields in the response are
658- // sortable, including `name`, `displayName`, `description`, `location`. All
659- // the other fields such as repeated fields (e.g., `networkTags`), map
755+ // Example: "location DESC, name".
756+ // Only singular primitive fields in the response are sortable:
757+ // * name
758+ // * assetType
759+ // * project
760+ // * displayName
761+ // * description
762+ // * location
763+ // * kmsKey
764+ // * createTime
765+ // * updateTime
766+ // * state
767+ // * parentFullResourceName
768+ // * parentAssetType
769+ // All the other fields such as repeated fields (e.g., `networkTags`), map
660770 // fields (e.g., `labels`) and struct fields (e.g., `additionalAttributes`)
661771 // are not supported.
662772 string order_by = 6 [(google.api.field_behavior ) = OPTIONAL ];
@@ -679,7 +789,7 @@ message SearchAllIamPoliciesRequest {
679789 // Required. A scope can be a project, a folder, or an organization. The search is
680790 // limited to the IAM policies within the `scope`. The caller must be granted
681791 // the
682- // [`cloudasset.assets.searchAllIamPolicies`](http ://cloud.google.com/asset-inventory/docs/access-control#required_permissions)
792+ // [`cloudasset.assets.searchAllIamPolicies`](https ://cloud.google.com/asset-inventory/docs/access-control#required_permissions)
683793 // permission on the desired scope.
684794 //
685795 // The allowed values are:
@@ -693,26 +803,38 @@ message SearchAllIamPoliciesRequest {
693803 // Optional. The query statement. See [how to construct a
694804 // query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query)
695805 // for more information. If not specified or empty, it will search all the
696- // IAM policies within the specified `scope`.
806+ // IAM policies within the specified `scope`. Note that the query string is
807+ // compared against each Cloud IAM policy binding, including its members,
808+ // roles, and Cloud IAM conditions. The returned Cloud IAM policies will only
809+ // contain the bindings that match your query. To learn more about the IAM
810+ // policy structure, see [IAM policy
811+ // doc](https://cloud.google.com/iam/docs/policies#structure).
697812 //
698813 // Examples:
699814 //
700815 // * `policy:amy@gmail.com` to find IAM policy bindings that specify user
701816 // "amy@gmail.com".
702817 // * `policy:roles/compute.admin` to find IAM policy bindings that specify
703818 // the Compute Admin role.
819+ // * `policy:comp*` to find IAM policy bindings that contain "comp" as a
820+ // prefix of any word in the binding.
704821 // * `policy.role.permissions:storage.buckets.update` to find IAM policy
705822 // bindings that specify a role containing "storage.buckets.update"
706823 // permission. Note that if callers don't have `iam.roles.get` access to a
707824 // role's included permissions, policy bindings that specify this role will
708825 // be dropped from the search results.
826+ // * `policy.role.permissions:upd*` to find IAM policy bindings that specify a
827+ // role containing "upd" as a prefix of any word in the role permission.
828+ // Note that if callers don't have `iam.roles.get` access to a role's
829+ // included permissions, policy bindings that specify this role will be
830+ // dropped from the search results.
709831 // * `resource:organizations/123456` to find IAM policy bindings
710832 // that are set on "organizations/123456".
833+ // * `resource=//cloudresourcemanager.googleapis.com/projects/myproject` to
834+ // find IAM policy bindings that are set on the project named "myproject".
711835 // * `Important` to find IAM policy bindings that contain "Important" as a
712836 // word in any of the searchable fields (except for the included
713837 // permissions).
714- // * `*por*` to find IAM policy bindings that contain "por" as a substring
715- // in any of the searchable fields (except for the included permissions).
716838 // * `resource:(instance1 OR instance2) policy:amy` to find
717839 // IAM policy bindings that are set on resources "instance1" or
718840 // "instance2" and also specify user "amy".
@@ -743,7 +865,7 @@ message SearchAllIamPoliciesResponse {
743865 string next_page_token = 2 ;
744866}
745867
746- // IAM policy analysis query message.
868+ // ## IAM policy analysis query message.
747869message IamPolicyAnalysisQuery {
748870 // Specifies the resource to analyze for access policies, which may be set
749871 // directly on the resource, or on ancestors such as organizations, folders or
@@ -869,6 +991,17 @@ message IamPolicyAnalysisQuery {
869991 bool analyze_service_account_impersonation = 6 [(google.api.field_behavior ) = OPTIONAL ];
870992 }
871993
994+ // The IAM conditions context.
995+ message ConditionContext {
996+ // The IAM conditions time context.
997+ oneof TimeContext {
998+ // The hypothetical access timestamp to evaluate IAM conditions. Note that
999+ // this value must not be earlier than the current time; otherwise, an
1000+ // INVALID_ARGUMENT error will be returned.
1001+ google.protobuf.Timestamp access_time = 1 ;
1002+ }
1003+ }
1004+
8721005 // Required. The relative name of the root asset. Only resources and IAM policies within
8731006 // the scope will be analyzed.
8741007 //
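Review bot: The new `oneof TimeContext` inside `ConditionContext` (hunk `@@ -869,6 +991,17 @@`) uses PascalCase where proto style and `buf lint` expect lower_snake_case for oneof names, `oneof time_context {`; the oneof name feeds generated accessors, so this commit is the last point at which it can be renamed without a source-breaking change to a published API. In the `SearchAllResourcesRequest.query` comment (hunk `@@ -598,36 +680,41 @@`), the added example `NOT state:ACTIVE` reads "to find {{gcp_name}} resources", an unexpanded template placeholder that will be emitted verbatim into generated reference docs; it should read "to find Cloud resources" like the neighbouring examples. The rewritten leading comment `// ## IAM policy analysis query message.` on `IamPolicyAnalysisQuery` (hunk `@@ -743,7 +865,7 @@`) carries a stray markdown heading marker that likewise ends up in generated documentation. The added `import "google/protobuf/struct.proto"` is not referenced by any type in the visible hunks; if nothing elsewhere in the file uses `google.protobuf.Struct` or `Value`, protoc will report it as an unused import and it should be dropped.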
@@ -894,6 +1027,9 @@ message IamPolicyAnalysisQuery {
8941027
8951028 // Optional. The query options.
8961029 Options options = 5 [(google.api.field_behavior ) = OPTIONAL ];
1030+
1031+ // Optional. The hypothetical context for IAM conditions evaluation.
1032+ ConditionContext condition_context = 6 [(google.api.field_behavior ) = OPTIONAL ];
8971033}
8981034
8991035// A request message for [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1.AssetService.AnalyzeIamPolicy].
@@ -952,9 +1088,14 @@ message IamPolicyAnalysisOutputConfig {
9521088 // A Cloud Storage location.
9531089 message GcsDestination {
9541090 // Required. The uri of the Cloud Storage object. It's the same uri that is used by
955- // gsutil. For example: "gs://bucket_name/object_name". See
956- // [Quickstart: Using the gsutil tool]
957- // (https://cloud.google.com/storage/docs/quickstart-gsutil) for examples.
1091+ // gsutil. Example: "gs://bucket_name/object_name". See [Viewing and
1092+ // Editing Object
1093+ // Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
1094+ // for more information.
1095+ //
1096+ // If the specified Cloud Storage object already exists and there is no
1097+ // [hold](https://cloud.google.com/storage/docs/object-holds), it will be
1098+ // overwritten with the analysis result.
9581099 string uri = 1 [(google.api.field_behavior ) = REQUIRED ];
9591100 }
9601101