google.cloud.forseti.common.gcp_type.iam_policy module

GCP IAM Policy.

See: https://cloud.google.com/iam/reference/rest/v1/Policy

class IamAuditConfig(service_configs)

Bases: object

IAM Audit Config.

Captures the mapping from service to log type to exempted members for a project, folder or organization.

ALL_SERVICES = 'allServices'
VALID_LOG_TYPES = frozenset(['DATA_WRITE', 'DATA_READ', 'AUDIT_READ'])
__eq__(other)

Tests equality of IamAuditConfig.

Parameters: other (object) – Object to compare.
Returns: Whether objects are equal.
Return type: bool
__ne__(other)

Tests inequality of IamAuditConfig.

Parameters: other (object) – Object to compare.
Returns: Whether objects are not equal.
Return type: bool
__repr__()

String representation of IamAuditConfig.

Returns: The representation of IamAuditConfig.
Return type: str
classmethod create_from(audit_configs_list)

Creates an IamAuditConfig from a list of auditConfig dicts.

Parameters: audit_configs_list (list) – A list of auditConfigs, one per service.
Returns: A new IamAuditConfig created with the service audit configs.
Return type: IamAuditConfig
merge_configs(other)

Adds the other audit configs to mine, combining the exempted members.

Use case: merging audit configs from ancestor IAM policies.

Parameters: other (IamAuditConfig) – The other IAM audit configs.
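To make the service → log type → exempted members structure and the ancestor merge concrete, here is an added example. It is not Forseti's code (the class and helper names below are this example's own), and the two auditConfigs lists are constructed sample data in the shape the GCP Policy resource uses. It also shows the effective exemption for a service, which the GCP policy reference defines as the union of the allServices entry and the service-specific entry.

```python
"""Added example (not Forseti's code): model an IAM audit config and merge
ancestor configs, in the spirit of IamAuditConfig.create_from/merge_configs.

service_configs maps service -> log type -> set of exempted members.
"""

ALL_SERVICES = 'allServices'


class AuditConfig(object):
    """Audit config for one resource; merging unions exempted members."""

    def __init__(self, service_configs):
        # {service: {log_type: set(exempted member strings)}}
        self.service_configs = service_configs

    def __eq__(self, other):
        return (isinstance(other, AuditConfig)
                and self.service_configs == other.service_configs)

    def __ne__(self, other):
        return not self == other

    @classmethod
    def create_from(cls, audit_configs_list):
        """Build from a policy's 'auditConfigs' list of dicts."""
        service_configs = {}
        for audit_config in audit_configs_list or []:
            service = audit_config.get('service', ALL_SERVICES)
            log_configs = service_configs.setdefault(service, {})
            for log_config in audit_config.get('auditLogConfigs', []):
                log_type = log_config['logType']
                exempted = set(log_config.get('exemptedMembers', []))
                # A log type with no exemptedMembers is still enabled.
                log_configs[log_type] = log_configs.get(log_type, set()) | exempted
        return cls(service_configs)

    def merge_configs(self, other):
        """Union the other config's exempted members into this one.

        New sets are built with '|', so the other config is never mutated.
        """
        for service, log_configs in other.service_configs.items():
            mine = self.service_configs.setdefault(service, {})
            for log_type, exempted in log_configs.items():
                mine[log_type] = mine.get(log_type, set()) | set(exempted)

    def enabled_log_types(self, service):
        """Log types in effect for a service: allServices plus its own."""
        log_types = set(self.service_configs.get(ALL_SERVICES, {}))
        if service != ALL_SERVICES:
            log_types |= set(self.service_configs.get(service, {}))
        return log_types

    def exempted_members(self, service, log_type):
        """Effective exemptions: allServices entry unioned with the service's."""
        members = set(self.service_configs.get(ALL_SERVICES, {}).get(log_type, set()))
        if service != ALL_SERVICES:
            members |= self.service_configs.get(service, {}).get(log_type, set())
        return members


def merged_audit_config(child_list, *ancestor_lists):
    """Config for a resource after merging its ancestors' audit configs."""
    config = AuditConfig.create_from(child_list)
    for ancestor in ancestor_lists:
        config.merge_configs(AuditConfig.create_from(ancestor))
    return config


# Constructed sample data: an organization-level and a project-level config.
ORG_AUDIT_CONFIGS = [
    {'service': 'allServices',
     'auditLogConfigs': [
         {'logType': 'DATA_READ', 'exemptedMembers': ['user:jose@example.com']},
         {'logType': 'DATA_WRITE'}]}]
PROJECT_AUDIT_CONFIGS = [
    {'service': 'sampleservice.googleapis.com',
     'auditLogConfigs': [
         {'logType': 'DATA_READ', 'exemptedMembers': ['user:aliya@example.com']}]}]

if __name__ == '__main__':
    cfg = merged_audit_config(PROJECT_AUDIT_CONFIGS, ORG_AUDIT_CONFIGS)
    print(sorted(cfg.exempted_members('sampleservice.googleapis.com', 'DATA_READ')))
    print(sorted(cfg.enabled_log_types('other.googleapis.com')))
```

The defender's point of the merge is that an exemption granted at the organization level silently applies to every descendant project, so a check for "who is exempt from DATA_READ logging on this service" has to look at the merged config, not the project's own auditConfigs alone.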
class IamPolicy

Bases: object

GCP IAM Policy.

__eq__(other)

Tests equality of IamPolicy.

Parameters: other (object) – Object to compare.
Returns: True if equal, False otherwise.
Return type: bool
__ne__(other)

Tests inequality of IamPolicy.

Parameters: other (object) – Object to compare.
Returns: True if not equal, False otherwise.
Return type: bool
__repr__()

String representation of IamPolicy.

Returns: Representation of IamPolicy.
Return type: str
classmethod create_from(policy_json)

Create an IamPolicy object from its JSON representation.

Parameters: policy_json (dict) – The JSON representing the IAM policy.
Returns: An IamPolicy.
Return type: IamPolicy
is_empty()

Tests whether this policy's bindings are empty.

Returns: True if bindings are empty; False otherwise.
Return type: bool
class IamPolicyBinding(role_name, members=None)

Bases: object

IAM Policy Binding.

__eq__(other)

Tests equality of IamPolicyBinding.

Parameters: other (object) – Object to compare.
Returns: Whether objects are equal.
Return type: bool
__ne__(other)

Tests inequality of IamPolicyBinding.

Parameters: other (object) – Object to compare.
Returns: Whether objects are not equal.
Return type: bool
__repr__()

String representation of IamPolicyBinding.

Returns: The representation of IamPolicyBinding.
Return type: str
classmethod create_from(binding)

Create an IamPolicyBinding from a binding dict.

Parameters: binding (dict) – The binding (role mapped to members).
Returns: A new IamPolicyBinding created with the role and members.
Return type: IamPolicyBinding
merge_members(other)

Add other members to mine if the role names are the same.

Use case: merging members from ancestor bindings with the same role name.

Parameters: other (IamPolicyBinding) – The other IAM policy binding.
class IamPolicyMember(member_type, member_name=None)

Bases: object

IAM Policy Member.

See https://cloud.google.com/iam/reference/rest/v1/Policy#Binding.

Parse an identity from a policy binding.

ALL_AUTH_USERS = 'allAuthenticatedUsers'
ALL_USERS = 'allUsers'
__eq__(other)

Tests equality of IamPolicyMember.

Parameters: other (object) – The object to compare.
Returns: Whether the objects are equal.
Return type: bool
__hash__()

Hash function for IamPolicyMember.

Returns: The hashed object.
Return type: hash
__ne__(other)

Tests inequality of IamPolicyMember.

Parameters: other (object) – The object to compare.
Returns: Whether the objects are not equal.
Return type: bool
__repr__()

String representation of IamPolicyMember.

Returns: The representation of IamPolicyMember.
Return type: str
_is_matching_domain(other)

Determine whether an IAM policy member belongs to this member's domain.

This applies when a rule specifies its members in domain style and the policy being checked names individual users.

Parameters: other (IamPolicyMember) – The policy binding member to check.
Returns: True if other is a member of the domain, False otherwise.
Return type: bool
_member_type_exists(member_type)

Determine whether the member type is one of the valid member types.

Parameters: member_type (str) – Member type.
Returns: True if the member type is valid, False otherwise.
Return type: bool
classmethod create_from(member)

Create an IamPolicyMember from the member identity string.

Parameters: member (str) – The IAM policy binding member.
Returns: An IamPolicyMember created from the member string.
Return type: IamPolicyMember
matches(other)

Determine if another member matches this one.

Parameters: other (str) – The policy binding member name.
Returns: True if the member matches this member, otherwise False.
Return type: bool
member_types = set(['allAuthenticatedUsers', 'allUsers', 'domain', 'group', 'serviceAccount', 'user'])
_get_iam_members(members)

Get a list of this binding's members as IamPolicyMembers.

Parameters: members (list) – A list of members (strings).
Returns: A list of IamPolicyMembers.
Return type: list
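The pieces documented above (parsing a binding's member strings into typed members, merging ancestor bindings with the same role, and matching a rule member against a policy member by exact identity or by domain) fit together as follows in an added example. This is not Forseti's code: the class and function names are this example's own, the domain-match rule (a domain: member covers user and group addresses in exactly that domain) is this example's assumption, and both policy dicts are constructed sample data in the GCP Policy JSON shape. The public_grants helper goes slightly beyond the page by using the same member model to flag allUsers and allAuthenticatedUsers grants, the check a reviewer of a merged policy usually wants first.

```python
"""Added example (not Forseti's code): parse GCP IAM policy bindings into
member objects, merge ancestor bindings per role, and match members either
exactly or by domain, as the IamPolicyMember docs describe."""

MEMBER_TYPES = frozenset(['allAuthenticatedUsers', 'allUsers', 'domain',
                          'group', 'serviceAccount', 'user'])
PUBLIC_TYPES = frozenset(['allUsers', 'allAuthenticatedUsers'])


class PolicyMember(object):
    """One identity from a binding's members list, e.g. 'user:a@example.com'."""

    def __init__(self, member_type, member_name=None):
        if member_type not in MEMBER_TYPES:
            raise ValueError('unknown member type: %r' % member_type)
        self.type = member_type
        self.name = member_name

    @classmethod
    def create_from(cls, member):
        # allUsers / allAuthenticatedUsers carry no ':name' part.
        if member in PUBLIC_TYPES:
            return cls(member)
        member_type, _, member_name = member.partition(':')
        if not member_name:
            raise ValueError('malformed member: %r' % member)
        return cls(member_type, member_name)

    def __eq__(self, other):
        return (isinstance(other, PolicyMember)
                and (self.type, self.name) == (other.type, other.name))

    def __ne__(self, other):
        return not self == other

    def __hash__(self):
        return hash((self.type, self.name))

    def __str__(self):
        return self.type if self.name is None else '%s:%s' % (self.type, self.name)

    def _is_matching_domain(self, other):
        # Assumption of this example: a 'domain:' member covers users and
        # groups whose address is in exactly that domain (no sub-domains).
        if self.type != 'domain' or other.type not in ('user', 'group'):
            return False
        _, _, other_domain = other.name.rpartition('@')
        return other_domain.lower() == self.name.lower()

    def matches(self, other):
        """other is a member string taken from a policy binding."""
        other = PolicyMember.create_from(other)
        return self == other or self._is_matching_domain(other)


def parse_bindings(policy_json):
    """{role: set(PolicyMember)} from a policy dict's 'bindings' list."""
    bindings = {}
    for binding in policy_json.get('bindings', []):
        members = bindings.setdefault(binding['role'], set())
        members.update(PolicyMember.create_from(m)
                       for m in binding.get('members', []))
    return bindings


def merge_bindings(*policies):
    """Union members per role across a resource and its ancestors (the
    merge_members use case: roles granted on a parent are inherited)."""
    merged = {}
    for policy in policies:
        for role, members in parse_bindings(policy).items():
            merged.setdefault(role, set()).update(members)
    return merged


def members_matching(rule_member, bindings, role):
    """Sorted member strings under role that the rule member covers."""
    rule = PolicyMember.create_from(rule_member)
    return sorted(str(m) for m in bindings.get(role, set())
                  if rule.matches(str(m)))


def public_grants(bindings):
    """(role, member) pairs granted to allUsers or allAuthenticatedUsers."""
    return sorted((role, str(m)) for role, members in bindings.items()
                  for m in members if m.type in PUBLIC_TYPES)


# Constructed sample data: an organization policy and a project policy.
ORG_POLICY = {'bindings': [
    {'role': 'roles/viewer', 'members': ['user:carol@example.com']}]}
PROJECT_POLICY = {'bindings': [
    {'role': 'roles/viewer',
     'members': ['user:alice@example.com', 'group:devs@example.com',
                 'serviceAccount:ci@proj-1.iam.gserviceaccount.com']},
    {'role': 'roles/storage.objectViewer', 'members': ['allUsers']}]}

if __name__ == '__main__':
    effective = merge_bindings(ORG_POLICY, PROJECT_POLICY)
    print(members_matching('domain:example.com', effective, 'roles/viewer'))
    print(public_grants(effective))
```

Two design points carry over to any rule engine built on this model: members must be hashable (hence __hash__ alongside __eq__) so that merging across ancestors de-duplicates identities, and the domain match must be strict about the part after the @ so that a rule for example.com does not accidentally accept look-alike domains.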