Lint Policy

Lints a Cloud IAM policy object or its sub fields


Lints a Cloud IAM policy object or its sub fields. Currently supports google.iam.v1.Policy, google.iam.v1.Binding and google.iam.v1.Binding.condition.

Each lint operation consists of multiple lint validation units. Validation units have the following properties:

  • Each unit inspects the input object in regard to a particular linting aspect and issues a google.iam.admin.v1.LintResult disclosing the result.
  • Domain of discourse of each unit can be either google.iam.v1.Policy, google.iam.v1.Binding, or google.iam.v1.Binding.condition depending on the purpose of the validation.
  • A unit may require additional data (like the list of all possible enumerable values of a particular attribute used in the policy instance) which shall be provided by the caller. Refer to the comments of google.iam.admin.v1.LintPolicyRequest.context for more details.

The set of applicable validation units is determined by the Cloud IAM server and is not configurable.

Regardless of any lint issues or their severities, successful calls to lintPolicy return an HTTP 200 OK status code.

Authorization

To use this building block you will have to grant access to at least one of the following scopes:

  • View and manage your data across Google Cloud Platform services

Input

This building block consumes 30 input parameters

Parameter name / Format

context OBJECT

context contains additional permission-controlled data that any lint unit may depend on, in the form of {key: value} pairs. Currently, this field is non-operational and it will not be used during the lint operation

context.customKey.value ANY Required

context contains additional permission-controlled data that any lint unit may depend on, in the form of {key: value} pairs. Currently, this field is non-operational and it will not be used during the lint operation

condition OBJECT

Represents an expression text. Example:

title: "User account presence"
description: "Determines whether the request has a user account"
expression: "size(request.user) > 0"

condition.expression STRING

Textual representation of an expression in Common Expression Language syntax.

The application context of the containing message determines which well-known feature set of CEL is supported

condition.title STRING

An optional title for the expression, i.e. a short string describing its purpose. This can be used, for example, in UIs that allow the expression to be entered

condition.location STRING

An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file

condition.description STRING

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI

fullResourceName STRING

The full resource name of the policy this lint request is about.

The name follows the Google Cloud Platform (GCP) resource format. For example, a GCP project with ID my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

The resource name is not used to read the policy instance from the Cloud IAM database. The candidate policy for lint has to be provided in the same request object

binding OBJECT

Associates members with a role

binding.members[] STRING

binding.role STRING

Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner

binding.condition OBJECT

Represents an expression text. Example:

title: "User account presence"
description: "Determines whether the request has a user account"
expression: "size(request.user) > 0"

binding.condition.expression STRING

Textual representation of an expression in Common Expression Language syntax.

The application context of the containing message determines which well-known feature set of CEL is supported

binding.condition.title STRING

An optional title for the expression, i.e. a short string describing its purpose. This can be used, for example, in UIs that allow the expression to be entered

binding.condition.location STRING

An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file

binding.condition.description STRING

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI

policy OBJECT

Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.

A Policy consists of a list of bindings. A binding binds a list of members to a role, where the members can be user accounts, Google groups, Google domains, and service accounts. A role is a named list of permissions defined by IAM.

JSON Example

{
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:[email protected]",
        "group:[email protected]",
        "domain:google.com",
        "serviceAccount:[email protected]"
      ]
    },
    {
      "role": "roles/viewer",
      "members": ["user:[email protected]"]
    }
  ]
}

YAML Example

bindings:
- members:
  - user:[email protected]
  - group:[email protected]
  - domain:google.com
  - serviceAccount:[email protected]
  role: roles/owner
- members:
  - user:[email protected]
  role: roles/viewer

For a description of IAM and its features, see the IAM developer's guide

policy.etag BINARY

etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy.

If no etag is provided in the call to setIamPolicy, then the existing policy is overwritten blindly
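The read-modify-write cycle described above, as an added example that is not Google's client code: an in-memory stand-in for getIamPolicy/setIamPolicy (the etag is a constructed hash, not the opaque value the real service returns) shows a stale-etag write being rejected, a blind write without an etag silently dropping a concurrent change, and a retrying update helper.

```python
import copy
import hashlib
import json


class PolicyStore:
    """In-memory stand-in for the server side of getIamPolicy/setIamPolicy."""
    def __init__(self, policy):
        self._policy = copy.deepcopy(policy)

    @staticmethod
    def _etag(policy):
        # Constructed stand-in: the real etag is opaque bytes chosen by IAM.
        return hashlib.sha256(json.dumps(policy, sort_keys=True).encode()).hexdigest()[:16]

    def get_iam_policy(self):
        policy = copy.deepcopy(self._policy)
        policy["etag"] = self._etag(self._policy)
        return policy

    def set_iam_policy(self, policy):
        etag = policy.get("etag")
        if etag is not None and etag != self._etag(self._policy):
            raise RuntimeError("etag mismatch")  # policy changed since it was read
        # No etag supplied: the existing policy is overwritten blindly.
        self._policy = {k: copy.deepcopy(v) for k, v in policy.items() if k != "etag"}
        return self.get_iam_policy()


def add_member(store, role, member, retries=3):
    """Etag-guarded read-modify-write adding member to role; retries on conflict."""
    for _ in range(retries):
        policy = store.get_iam_policy()
        for binding in policy.setdefault("bindings", []):
            if binding["role"] == role:
                if member not in binding["members"]:
                    binding["members"].append(member)
                break
        else:
            policy["bindings"].append({"role": role, "members": [member]})
        try:
            return store.set_iam_policy(policy)
        except RuntimeError:
            continue  # another writer got in first; re-read and retry
    raise RuntimeError("gave up after repeated etag conflicts")
```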

policy.version INTEGER

Deprecated

policy.auditConfigs[] OBJECT

Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.

If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.

Example Policy with multiple AuditConfigs:

{
  "audit_configs": [
    {
      "service": "allServices",
      "audit_log_configs": [
        {
          "log_type": "DATA_READ",
          "exempted_members": [
            "user:[email protected]"
          ]
        },
        {
          "log_type": "DATA_WRITE"
        },
        {
          "log_type": "ADMIN_READ"
        }
      ]
    },
    {
      "service": "fooservice.googleapis.com",
      "audit_log_configs": [
        {
          "log_type": "DATA_READ"
        },
        {
          "log_type": "DATA_WRITE",
          "exempted_members": [
            "user:[email protected]"
          ]
        }
      ]
    }
  ]
}

For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts [email protected] from DATA_READ logging, and [email protected] from DATA_WRITE logging
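The union rule above, carried through in code as an added example (not Google's implementation): given a policy with both an allServices and a service-specific AuditConfig, compute which log types are in force for a service and who is exempted, plus a review helper that lists every exemption. The policy below is constructed in the shape of the example above, using the camelCase field names from the parameter list.

```python
import json

# Constructed sample policy mirroring the example above (camelCase field names).
SAMPLE_POLICY = json.loads("""
{"auditConfigs": [
  {"service": "allServices",
   "auditLogConfigs": [
     {"logType": "DATA_READ", "exemptedMembers": ["user:alice@example.com"]},
     {"logType": "DATA_WRITE"},
     {"logType": "ADMIN_READ"}]},
  {"service": "fooservice.googleapis.com",
   "auditLogConfigs": [
     {"logType": "DATA_READ"},
     {"logType": "DATA_WRITE", "exemptedMembers": ["user:bob@example.com"]}]}
]}
""")


def effective_audit_config(policy, service):
    """Return {logType: set(exemptedMembers)} in force for service.

    Union rule: a log type is enabled if the service's own AuditConfig or the
    allServices one enables it, and the exemptedMembers of every matching
    AuditLogConfig for that log type accumulate.
    """
    effective = {}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for alc in cfg.get("auditLogConfigs", []):
            exempt = effective.setdefault(alc["logType"], set())
            exempt.update(alc.get("exemptedMembers", []))
    return effective


def is_logged(policy, service, log_type, member):
    """True if member's log_type access to service produces an audit log entry."""
    effective = effective_audit_config(policy, service)
    return log_type in effective and member not in effective[log_type]


def exemption_report(policy):
    """(service, logType, member) for every exemption: each one is a gap in
    the audit trail, so they are worth reviewing explicitly."""
    return sorted((cfg.get("service"), alc["logType"], m)
                  for cfg in policy.get("auditConfigs", [])
                  for alc in cfg.get("auditLogConfigs", [])
                  for m in alc.get("exemptedMembers", []))
```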

policy.auditConfigs[].service STRING

Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services

policy.auditConfigs[].auditLogConfigs[] OBJECT

Provides the configuration for logging a type of permissions. Example:

{
  "audit_log_configs": [
    {
      "log_type": "DATA_READ",
      "exempted_members": [
        "user:[email protected]"
      ]
    },
    {
      "log_type": "DATA_WRITE"
    }
  ]
}

This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting [email protected] from DATA_READ logging

policy.bindings[] OBJECT

Associates members with a role

policy.bindings[].members[] STRING

policy.bindings[].role STRING

Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner

policy.bindings[].condition OBJECT

Represents an expression text. Example:

title: "User account presence"
description: "Determines whether the request has a user account"
expression: "size(request.user) > 0"

policy.bindings[].condition.expression STRING

Textual representation of an expression in Common Expression Language syntax.

The application context of the containing message determines which well-known feature set of CEL is supported

policy.bindings[].condition.title STRING

An optional title for the expression, i.e. a short string describing its purpose. This can be used, for example, in UIs that allow the expression to be entered

policy.bindings[].condition.location STRING

An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file

policy.bindings[].condition.description STRING

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI

Output

This building block provides 8 output parameters

Parameter name / Format

lintResults[] OBJECT

Structured response of a single validation unit

lintResults[].severity ENUMERATION

The validation unit severity

lintResults[].bindingOrdinal INTEGER

0-based index ordinality of the binding in the input object associated with this result. This field is populated only if the input object to lint is of type google.iam.v1.Policy, which can comprise more than one binding. It is set to -1 if the result is not associated with any particular binding and only targets the policy as a whole, such as results about policy size violations

lintResults[].validationUnitName STRING

The validation unit name, for instance “lintValidationUnits/ConditionComplexityCheck”

lintResults[].locationOffset INTEGER

0-based character position of problematic construct within the object identified by field_name. Currently, this is populated only for condition expression

lintResults[].debugMessage STRING

Human readable debug message associated with the issue

lintResults[].fieldName STRING

The name of the field for which this lint result is about.

For nested messages, field_name consists of names of the embedded fields separated by period character. The top-level qualifier is the input object to lint in the request. For instance, if the lint request is on a google.iam.v1.Policy and this lint result is about a condition expression of one of the input policy bindings, the field would be populated as policy.bindings.condition.expression.

This field does not identify the ordinality of the repetitive fields (for instance bindings in a policy)

lintResults[].level ENUMERATION

The validation unit level
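Interpreting a lintPolicy response, as an added example rather than Google's code: because fieldName carries no ordinality, bindingOrdinal is used to get back to the offending binding (-1 meaning the policy as a whole), locationOffset is marked inside the condition expression, and a severity gate is provided since the HTTP status is 200 regardless of findings. The policy and response are constructed; the severity ordering (ERROR above WARNING, NOTICE, INFO, DEPRECATED) and the unit name lintValidationUnits/ExampleUnit are assumptions, not values from this page.

```python
# Assumed ranking of the LintResult severity values (not listed on this page).
SEVERITY_RANK = {"ERROR": 5, "WARNING": 4, "NOTICE": 3, "INFO": 2, "DEPRECATED": 1}

# Constructed request policy and a constructed lintPolicy response for it.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": ["group:devs@example.com"],
     "condition": {"title": "Weekdays only",
                   "expression": "request.time.getDayOfWeek() < 5"}},
]}
SAMPLE_RESPONSE = {"lintResults": [
    {"severity": "WARNING", "bindingOrdinal": 1, "locationOffset": 13,
     "fieldName": "policy.bindings.condition.expression",
     "validationUnitName": "lintValidationUnits/ConditionComplexityCheck",
     "debugMessage": "constructed message about the expression"},
    {"severity": "NOTICE", "bindingOrdinal": -1, "fieldName": "policy",
     "validationUnitName": "lintValidationUnits/ExampleUnit",  # constructed name
     "debugMessage": "constructed message about the whole policy"},
]}


def annotate_results(policy, response):
    """Pair each LintResult with the binding it targets (None for policy-wide
    results) and mark locationOffset inside the condition expression."""
    annotated = []
    for result in response.get("lintResults", []):
        ordinal = result.get("bindingOrdinal", -1)
        binding = policy["bindings"][ordinal] if ordinal >= 0 else None
        marked = None
        if binding and result["fieldName"].endswith("condition.expression") \
                and "locationOffset" in result:
            expr = binding["condition"]["expression"]
            off = result["locationOffset"]
            marked = expr[:off] + "<<" + expr[off:]  # problem starts at the marker
        annotated.append({"severity": result["severity"],
                          "unit": result["validationUnitName"],
                          "role": binding["role"] if binding else None,
                          "marked_expression": marked,
                          "message": result.get("debugMessage", "")})
    return annotated


def exceeds(response, threshold="WARNING"):
    """True if any result is at or above threshold: a gate for policy-as-code
    pipelines, which cannot rely on the HTTP status to flag findings."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(r["severity"], 0) >= limit
               for r in response.get("lintResults", []))
```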