Types overview

Ancestor

Identifying information for a single ancestor of a project.
Fields
resourceId

object (ResourceId)

Resource id of the ancestor.

AuditConfig

Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.

Example Policy with multiple AuditConfigs:

    {
      "audit_configs": [
        {
          "service": "allServices",
          "audit_log_configs": [
            {
              "log_type": "DATA_READ",
              "exempted_members": [ "user:jose@example.com" ]
            },
            { "log_type": "DATA_WRITE" },
            { "log_type": "ADMIN_READ" }
          ]
        },
        {
          "service": "sampleservice.googleapis.com",
          "audit_log_configs": [
            { "log_type": "DATA_READ" },
            {
              "log_type": "DATA_WRITE",
              "exempted_members": [ "user:aliya@example.com" ]
            }
          ]
        }
      ]
    }

For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
Fields
auditLogConfigs[]

object (AuditLogConfig)

The configuration for logging of each type of permission.

service

string

Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.
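The union rule described for AuditConfig, worked through in Python as an added example (not code from the API or its documentation). The function names and the finding tuples are assumptions of this sketch; the sample policy is the one shown in the description above.

```python
# Added example: effective audit logging for one service under the union rule.
ALL_SERVICES = "allServices"
REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# The example policy from the AuditConfig description.
SAMPLE_POLICY = {
    "audit_configs": [
        {
            "service": "allServices",
            "audit_log_configs": [
                {"log_type": "DATA_READ",
                 "exempted_members": ["user:jose@example.com"]},
                {"log_type": "DATA_WRITE"},
                {"log_type": "ADMIN_READ"},
            ],
        },
        {
            "service": "sampleservice.googleapis.com",
            "audit_log_configs": [
                {"log_type": "DATA_READ"},
                {"log_type": "DATA_WRITE",
                 "exempted_members": ["user:aliya@example.com"]},
            ],
        },
    ]
}


def _field(obj, snake, camel, default=None):
    """Read a field spelled as in the JSON examples or as in the Fields lists."""
    return obj.get(snake, obj.get(camel, default))


def effective_audit_config(policy, service):
    """Return {log_type: set of exempted members} in effect for `service`.

    AuditConfigs for allServices and for the named service are combined:
    every log type listed in either one is enabled, and the exempted members
    of each AuditLogConfig are exempted for that log type.
    """
    effective = {}
    for cfg in _field(policy, "audit_configs", "auditConfigs", []):
        if cfg.get("service") not in (ALL_SERVICES, service):
            continue
        for alc in _field(cfg, "audit_log_configs", "auditLogConfigs", []):
            log_type = _field(alc, "log_type", "logType")
            exempted = effective.setdefault(log_type, set())
            exempted.update(_field(alc, "exempted_members", "exemptedMembers", []))
    return effective


def logging_gaps(policy, service, required=REQUIRED_LOG_TYPES):
    """List (log_type, finding, member) tuples worth reviewing for `service`.

    A required log type that is not enabled, and every identity exempted from
    an enabled log type, is a place where activity leaves no audit record.
    """
    effective = effective_audit_config(policy, service)
    findings = []
    for log_type in required:
        if log_type not in effective:
            findings.append((log_type, "not enabled", None))
        for member in sorted(effective.get(log_type, ())):
            findings.append((log_type, "exempted", member))
    return findings


if __name__ == "__main__":
    for finding in logging_gaps(SAMPLE_POLICY, "sampleservice.googleapis.com"):
        print(finding)
```
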

AuditLogConfig

Provides the configuration for logging a type of permissions.

Example:

    {
      "audit_log_configs": [
        {
          "log_type": "DATA_READ",
          "exempted_members": [ "user:jose@example.com" ]
        },
        { "log_type": "DATA_WRITE" }
      ]
    }

This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
Fields
exemptedMembers[]

string

Specifies the identities that do not cause logging for this type of permission. Follows the same format of Binding.members.

logType

enum

The log type that this config enables.

Enum type. Can be one of the following:
LOG_TYPE_UNSPECIFIED Default case. Should never be this.
ADMIN_READ Admin reads. Example: CloudIAM getIamPolicy
DATA_WRITE Data writes. Example: CloudSQL Users create
DATA_READ Data reads. Example: CloudSQL Users list

Binding

Associates members, or principals, with a role.
Fields
condition

object (Expr)

The condition that is associated with this binding. If the condition evaluates to true, then this binding applies to the current request. If the condition evaluates to false, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the IAM documentation.

members[]

string

Specifies the principals requesting access for a Cloud Platform resource. members can have the following values:
* allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
* allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
* user:{emailid}: An email address that represents a specific Google account. For example, alice@example.com.
* serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
* group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
* deleted:user:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a user that has been recently deleted. For example, alice@example.com?uid=123456789012345678901. If the user is recovered, this value reverts to user:{emailid} and the recovered user retains the role in the binding.
* deleted:serviceAccount:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901. If the service account is undeleted, this value reverts to serviceAccount:{emailid} and the undeleted service account retains the role in the binding.
* deleted:group:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, admins@example.com?uid=123456789012345678901. If the group is recovered, this value reverts to group:{emailid} and the recovered group retains the role in the binding.
* domain:{domain}: The G Suite domain (primary) that represents all the users of that domain. For example, google.com or example.com.

role

string

Role that is assigned to the list of members, or principals. For example, roles/viewer, roles/editor, or roles/owner.

BooleanPolicy

Used in policy_type to specify how boolean_policy will behave at this resource.
Fields
enforced

boolean

If true, then the Policy is enforced. If false, then any configuration is acceptable. Suppose you have a Constraint constraints/compute.disableSerialPortAccess with constraint_default set to ALLOW. A Policy for that Constraint exhibits the following behavior:
- If the Policy at this resource has enforced set to false, serial port connection attempts will be allowed.
- If the Policy at this resource has enforced set to true, serial port connection attempts will be refused.
- If the Policy at this resource is RestoreDefault, serial port connection attempts will be allowed.
- If no Policy is set at this resource or anywhere higher in the resource hierarchy, serial port connection attempts will be allowed.
- If no Policy is set at this resource, but one exists higher in the resource hierarchy, the behavior is as if the Policy were set at this resource.

The following examples demonstrate the different possible layerings:

Example 1 (nearest Constraint wins):
    organizations/foo has a Policy with: {enforced: false}
    projects/bar has no Policy set.
The constraint at projects/bar and organizations/foo will not be enforced.

Example 2 (enforcement gets replaced):
    organizations/foo has a Policy with: {enforced: false}
    projects/bar has a Policy with: {enforced: true}
The constraint at organizations/foo is not enforced. The constraint at projects/bar is enforced.

Example 3 (RestoreDefault):
    organizations/foo has a Policy with: {enforced: true}
    projects/bar has a Policy with: {RestoreDefault: {}}
The constraint at organizations/foo is enforced. The constraint at projects/bar is not enforced, because constraint_default for the Constraint is ALLOW.

ClearOrgPolicyRequest

The request sent to the ClearOrgPolicy method.
Fields
constraint

string

Name of the Constraint of the Policy to clear.

etag

string (bytes format)

The current version, for concurrency control. Not sending an etag will cause the Policy to be cleared blindly.

CloudresourcemanagerGoogleCloudResourcemanagerV2alpha1FolderOperation

Metadata describing a long-running folder operation.
Fields
destinationParent

string

The resource name of the folder or organization we are either creating the folder under or moving the folder to.

displayName

string

The display name of the folder.

operationType

enum

The type of this operation.

Enum type. Can be one of the following:
OPERATION_TYPE_UNSPECIFIED Operation type not specified.
CREATE A create folder operation.
MOVE A move folder operation.

sourceParent

string

The resource name of the folder's parent. Only applicable when the operation_type is MOVE.

CloudresourcemanagerGoogleCloudResourcemanagerV2beta1FolderOperation

Metadata describing a long-running folder operation.
Fields
destinationParent

string

The resource name of the folder or organization we are either creating the folder under or moving the folder to.

displayName

string

The display name of the folder.

operationType

enum

The type of this operation.

Enum type. Can be one of the following:
OPERATION_TYPE_UNSPECIFIED Operation type not specified.
CREATE A create folder operation.
MOVE A move folder operation.

sourceParent

string

The resource name of the folder's parent. Only applicable when the operation_type is MOVE.

Constraint

A Constraint describes a way in which a resource's configuration can be restricted. For example, it controls which cloud services can be activated across an organization, or whether a Compute Engine instance can have serial port connections established. Constraints can be configured by the organization's policy administrator to fit the needs of the organization by setting Policies for Constraints at different locations in the organization's resource hierarchy. Policies are inherited down the resource hierarchy from higher levels, but can also be overridden. For details about the inheritance rules, please read about Policies. Constraints have a default behavior determined by the constraint_default field, which is the enforcement behavior that is used in the absence of a Policy being defined or inherited for the resource in question.
Fields
booleanConstraint

object (BooleanConstraint)

Defines this constraint as being a BooleanConstraint.

constraintDefault

enum

The evaluation behavior of this constraint in the absence of 'Policy'.

Enum type. Can be one of the following:
CONSTRAINT_DEFAULT_UNSPECIFIED This is only used for distinguishing unset values and should never be used.
ALLOW Indicate that all values are allowed for list constraints. Indicate that enforcement is off for boolean constraints.
DENY Indicate that all values are denied for list constraints. Indicate that enforcement is on for boolean constraints.

description

string

Detailed description of what this Constraint controls as well as how and where it is enforced. Mutable.

displayName

string

The human readable name. Mutable.

listConstraint

object (ListConstraint)

Defines this constraint as being a ListConstraint.

name

string

Immutable value, required to globally be unique. For example, constraints/serviceuser.services

version

integer (int32 format)

Version of the Constraint. Default version is 0.

CreateFolderMetadata

Metadata pertaining to the Folder creation process.
Fields
displayName

string

The display name of the folder.

parent

string

The resource name of the folder or organization we are creating the folder under.

CreateProjectMetadata

A status object which is used as the metadata field for the Operation returned by CreateProject. It provides insight for when significant phases of Project creation have completed.
Fields
createTime

string (Timestamp format)

Creation time of the project creation workflow.

gettable

boolean

True if the project can be retrieved using GetProject. No other operations on the project are guaranteed to work until the project creation is complete.

ready

boolean

True if the project creation process is complete.

Expr

Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec.

Example (Comparison):

    title: "Summary size limit"
    description: "Determines if a summary is less than 100 chars"
    expression: "document.summary.size() < 100"

Example (Equality):

    title: "Requestor is owner"
    description: "Determines if requestor is the document owner"
    expression: "document.owner == request.auth.claims.email"

Example (Logic):

    title: "Public documents"
    description: "Determine whether the document should be publicly visible"
    expression: "document.type != 'private' && document.type != 'internal'"

Example (Data Manipulation):

    title: "Notification string"
    description: "Create a notification string with a timestamp."
    expression: "'New message received at ' + string(document.create_time)"

The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
Fields
description

string

Optional. Description of the expression. This is a longer text which describes the expression, e.g. shown when hovering over it in a UI.

expression

string

Textual representation of an expression in Common Expression Language syntax.

location

string

Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

title

string

Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow entering the expression.

FolderOperation

Metadata describing a long-running folder operation.
Fields
destinationParent

string

The resource name of the folder or organization we are either creating the folder under or moving the folder to.

displayName

string

The display name of the folder.

operationType

enum

The type of this operation.

Enum type. Can be one of the following:
OPERATION_TYPE_UNSPECIFIED Operation type not specified.
CREATE A create folder operation.
MOVE A move folder operation.

sourceParent

string

The resource name of the folder's parent. Only applicable when the operation_type is MOVE.

FolderOperationError

A classification of the Folder Operation error.
Fields
errorMessageId

enum

The type of operation error experienced.

Enum type. Can be one of the following:
ERROR_TYPE_UNSPECIFIED The error type was unrecognized or unspecified.
ACTIVE_FOLDER_HEIGHT_VIOLATION The attempted action would violate the max folder depth constraint.
MAX_CHILD_FOLDERS_VIOLATION The attempted action would violate the max child folders constraint.
FOLDER_NAME_UNIQUENESS_VIOLATION The attempted action would violate the locally-unique folder display_name constraint.
RESOURCE_DELETED_VIOLATION The resource being moved has been deleted.
PARENT_DELETED_VIOLATION The resource a folder was being added to has been deleted.
CYCLE_INTRODUCED_VIOLATION The attempted action would introduce cycle in resource path.
FOLDER_BEING_MOVED_VIOLATION The attempted action would move a folder that is already being moved.
FOLDER_TO_DELETE_NON_EMPTY_VIOLATION The folder the caller is trying to delete contains active resources.
DELETED_FOLDER_HEIGHT_VIOLATION The attempted action would violate the max deleted folder depth constraint.

GetAncestryResponse

Response from the projects.getAncestry method.
Fields
ancestor[]

object (Ancestor)

Ancestors are ordered from bottom to top of the resource hierarchy. The first ancestor is the project itself, followed by the project's parent, etc.

GetEffectiveOrgPolicyRequest

The request sent to the GetEffectiveOrgPolicy method.
Fields
constraint

string

The name of the Constraint to compute the effective Policy.

GetIamPolicyRequest

Request message for GetIamPolicy method.
Fields
options

object (GetPolicyOptions)

OPTIONAL: A GetPolicyOptions object for specifying options to GetIamPolicy.

GetOrgPolicyRequest

The request sent to the GetOrgPolicy method.
Fields
constraint

string

Name of the Constraint to get the Policy.

GetPolicyOptions

Encapsulates settings provided to GetIamPolicy.
Fields
requestedPolicyVersion

integer (int32 format)

Optional. The maximum policy version that will be used to format the policy. Valid values are 0, 1, and 3. Requests specifying an invalid value will be rejected. Requests for policies with any conditional role bindings must specify version 3. Policies with no conditional role bindings may specify any valid value or leave the field unset. The policy in the response might use the policy version that you specified, or it might use a lower policy version. For example, if you specify version 3, but the policy has no conditional role bindings, the response uses version 1. To learn which resources support conditions in their IAM policies, see the IAM documentation.

Lien

A Lien represents an encumbrance on the actions that can be performed on a resource.
Fields
createTime

string (Timestamp format)

The creation time of this Lien.

name

string

A system-generated unique identifier for this Lien. Example: liens/1234abcd

origin

string

A stable, user-visible/meaningful string identifying the origin of the Lien, intended to be inspected programmatically. Maximum length of 200 characters. Example: 'compute.googleapis.com'

parent

string

A reference to the resource this Lien is attached to. The server will validate the parent against those for which Liens are supported. Example: projects/1234

reason

string

Concise user-visible strings indicating why an action cannot be performed on a resource. Maximum length of 200 characters. Example: 'Holds production API key'

restrictions[]

string

The types of operations which should be blocked as a result of this Lien. Each value should correspond to an IAM permission. The server will validate the permissions against those for which Liens are supported. An empty list is meaningless and will be rejected. Example: ['resourcemanager.projects.delete']

ListAvailableOrgPolicyConstraintsRequest

The request sent to the ListAvailableOrgPolicyConstraints method on the project, folder, or organization.
Fields
pageSize

integer (int32 format)

Size of the pages to be returned. This is currently unsupported and will be ignored. The server may at any point start using this field to limit page size.

pageToken

string

Page token used to retrieve the next page. This is currently unsupported and will be ignored. The server may at any point start using this field.

ListAvailableOrgPolicyConstraintsResponse

The response returned from the ListAvailableOrgPolicyConstraints method. Returns all Constraints that could be set at this level of the hierarchy (contrast with the response from ListPolicies, which returns all policies which are set).
Fields
constraints[]

object (Constraint)

The collection of constraints that are settable on the request resource.

nextPageToken

string

Page token used to retrieve the next page. This is currently not used.

ListConstraint

A Constraint that allows or disallows a list of string values, which are configured by an Organization's policy administrator with a Policy.
Fields
suggestedValue

string

Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this Constraint.

supportsUnder

boolean

Indicates whether subtrees of Cloud Resource Manager resource hierarchy can be used in Policy.allowed_values and Policy.denied_values. For example, "under:folders/123" would match any resource under the 'folders/123' folder.

ListLiensResponse

The response message for Liens.ListLiens.
Fields
liens[]

object (Lien)

A list of Liens.

nextPageToken

string

Token to retrieve the next page of results, or empty if there are no more results in the list.

ListOrgPoliciesRequest

The request sent to the ListOrgPolicies method.
Fields
pageSize

integer (int32 format)

Size of the pages to be returned. This is currently unsupported and will be ignored. The server may at any point start using this field to limit page size.

pageToken

string

Page token used to retrieve the next page. This is currently unsupported and will be ignored. The server may at any point start using this field.

ListOrgPoliciesResponse

The response returned from the ListOrgPolicies method. It will be empty if no Policies are set on the resource.
Fields
nextPageToken

string

Page token used to retrieve the next page. This is currently not used, but the server may at any point start supplying a valid token.

policies[]

object (OrgPolicy)

The Policies that are set on the resource. It will be empty if no Policies are set.

ListPolicy

Used in policy_type to specify how list_policy behaves at this resource. ListPolicy can define specific values and subtrees of Cloud Resource Manager resource hierarchy (Organizations, Folders, Projects) that are allowed or denied by setting the allowed_values and denied_values fields. This is achieved by using the under: and optional is: prefixes. The under: prefix is used to denote resource subtree values. The is: prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with "is:" are treated the same as values with no prefix.

Ancestry subtrees must be in one of the following formats:
- "projects/", e.g. "projects/tokyo-rain-123"
- "folders/", e.g. "folders/1234"
- "organizations/", e.g. "organizations/1234"

The supports_under field of the associated Constraint defines whether ancestry prefixes can be used. You can set allowed_values and denied_values in the same Policy if all_values is ALL_VALUES_UNSPECIFIED. ALLOW or DENY are used to allow or deny all values. If all_values is set to either ALLOW or DENY, allowed_values and denied_values must be unset.
Fields
allValues

enum

The policy all_values state.

Enum type. Can be one of the following:
ALL_VALUES_UNSPECIFIED Indicates that allowed_values or denied_values must be set.
ALLOW A policy with this set allows all values.
DENY A policy with this set denies all values.

allowedValues[]

string

List of values allowed at this resource. Can only be set if all_values is set to ALL_VALUES_UNSPECIFIED.

deniedValues[]

string

List of values denied at this resource. Can only be set if all_values is set to ALL_VALUES_UNSPECIFIED.

inheritFromParent

boolean

Determines the inheritance behavior for this Policy. By default, a ListPolicy set at a resource supersedes any Policy set anywhere up the resource hierarchy. However, if inherit_from_parent is set to true, then the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy. Setting Policy hierarchies that inherit both allowed values and denied values isn't recommended in most circumstances to keep the configuration simple and understandable. However, it is possible to set a Policy with allowed_values set that inherits a Policy with denied_values set. In this case, the values that are allowed must be in allowed_values and not present in denied_values.

For example, suppose you have a Constraint constraints/serviceuser.services, which has a constraint_type of list_constraint, and with constraint_default set to ALLOW. Suppose that at the Organization level, a Policy is applied that restricts the allowed API activations to {E1, E2}. Then, if a Policy is applied to a project below the Organization that has inherit_from_parent set to false and field all_values set to DENY, then an attempt to activate any API will be denied.

The following examples demonstrate different possible layerings for projects/bar parented by organizations/foo:

Example 1 (no inherited values):
    organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values:"E2"}
    projects/bar has inherit_from_parent false and values: {allowed_values: "E3" allowed_values: "E4"}
The accepted values at organizations/foo are E1, E2. The accepted values at projects/bar are E3, and E4.

Example 2 (inherited values):
    organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values:"E2"}
    projects/bar has a Policy with values: {value: "E3" value: "E4" inherit_from_parent: true}
The accepted values at organizations/foo are E1, E2. The accepted values at projects/bar are E1, E2, E3, and E4.

Example 3 (inheriting both allowed and denied values):
    organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values: "E2"}
    projects/bar has a Policy with: {denied_values: "E1"}
The accepted values at organizations/foo are E1, E2. The value accepted at projects/bar is E2.

Example 4 (RestoreDefault):
    organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values:"E2"}
    projects/bar has a Policy with values: {RestoreDefault: {}}
The accepted values at organizations/foo are E1, E2. The accepted values at projects/bar are either all or none depending on the value of constraint_default (if ALLOW, all; if DENY, none).

Example 5 (no policy inherits parent policy):
    organizations/foo has no Policy set.
    projects/bar has no Policy set.
The accepted values at both levels are either all or none depending on the value of constraint_default (if ALLOW, all; if DENY, none).

Example 6 (ListConstraint allowing all):
    organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values: "E2"}
    projects/bar has a Policy with: {all: ALLOW}
The accepted values at organizations/foo are E1, E2. Any value is accepted at projects/bar.

Example 7 (ListConstraint allowing none):
    organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values: "E2"}
    projects/bar has a Policy with: {all: DENY}
The accepted values at organizations/foo are E1, E2. No value is accepted at projects/bar.

Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
Given the following resource hierarchy O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
    organizations/foo has a Policy with values: {allowed_values: "under:organizations/O1"}
    projects/bar has a Policy with: {allowed_values: "under:projects/P3"} {denied_values: "under:folders/F2"}
The accepted values at organizations/foo are organizations/O1, folders/F1, folders/F2, projects/P1, projects/P2, projects/P3. The accepted values at projects/bar are organizations/O1, folders/F1, projects/P1.

suggestedValue

string

Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this Policy. If suggested_value is not set, it will inherit the value specified higher in the hierarchy, unless inherit_from_parent is false.
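The ListPolicy layering in Examples 1 to 7 above, modelled in Python as an added example (not the service's implementation). The class and function names are assumptions of this sketch, Example 3 is modelled with inherit_from_parent set to true as its title implies, and "under:" subtree values (Example 10) are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ListPolicy:
    allowed_values: frozenset = frozenset()
    denied_values: frozenset = frozenset()
    all_values: str = "ALL_VALUES_UNSPECIFIED"  # or "ALLOW" / "DENY"
    inherit_from_parent: bool = False
    restore_default: bool = False  # stands in for OrgPolicy.restoreDefault

    def __post_init__(self):
        if self.restore_default:
            return
        has_values = bool(self.allowed_values or self.denied_values)
        if self.all_values in ("ALLOW", "DENY") and has_values:
            raise ValueError("allowed_values and denied_values must be unset "
                             "when all_values is ALLOW or DENY")
        if self.all_values == "ALL_VALUES_UNSPECIFIED" and not has_values:
            raise ValueError("ALL_VALUES_UNSPECIFIED requires allowed_values "
                             "or denied_values")


@dataclass(frozen=True)
class Effective:
    mode: str  # "ALL", "NONE" or "LIST"
    allowed: frozenset = frozenset()
    denied: frozenset = frozenset()

    def accepts(self, value):
        if self.mode != "LIST":
            return self.mode == "ALL"
        if value in self.denied:
            return False
        # Assumption: a list without allowed_values restricts by denied_values only.
        return not self.allowed or value in self.allowed


def _default(constraint_default):
    """Behaviour when no Policy applies: ALLOW accepts all, DENY accepts none."""
    return Effective("ALL" if constraint_default == "ALLOW" else "NONE")


def resolve(chain, constraint_default):
    """Effective policy at the last resource of `chain`.

    `chain` lists the Policy at each resource from the organization down to
    the target resource, with None where no Policy is set.
    """
    eff = _default(constraint_default)
    for policy in chain:
        if policy is None:
            continue  # nothing set here: the parent's effective policy applies
        if policy.restore_default:
            eff = _default(constraint_default)
        elif policy.all_values == "ALLOW":
            eff = Effective("ALL")
        elif policy.all_values == "DENY":
            eff = Effective("NONE")
        elif policy.inherit_from_parent:
            if eff.mode != "LIST":
                # The page's examples only merge with a parent that lists values.
                raise ValueError("merging with an allow-all or deny-all parent "
                                 "is not covered by this sketch")
            eff = Effective("LIST", eff.allowed | policy.allowed_values,
                            eff.denied | policy.denied_values)
        else:
            # Default behaviour: this Policy supersedes anything set higher up.
            eff = Effective("LIST", policy.allowed_values, policy.denied_values)
    return eff


UNIVERSE = ("E1", "E2", "E3", "E4")  # the values used in the examples


def vals(*values):
    return frozenset(values)


def accepted(chain, constraint_default, universe=UNIVERSE):
    """Values from `universe` accepted at the last resource of `chain`."""
    eff = resolve(chain, constraint_default)
    return [v for v in universe if eff.accepts(v)]


if __name__ == "__main__":
    org = ListPolicy(allowed_values=vals("E1", "E2"))
    project = ListPolicy(denied_values=vals("E1"), inherit_from_parent=True)
    print(accepted([org, project], "ALLOW"))  # Example 3
```
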

ListProjectsResponse

A page of the response received from the ListProjects method. A paginated response where more pages are available has next_page_token set. This token can be used in a subsequent request to retrieve the next request page.
Fields
nextPageToken

string

Pagination token. If the result set is too large to fit in a single response, this token is returned. It encodes the position of the current result cursor. Feeding this value into a new list request with the page_token parameter gives the next page of the results. When next_page_token is not filled in, there is no next page and the list returned is the last page in the result set. Pagination tokens have a limited lifetime.

projects[]

object (Project)

The list of Projects that matched the list filter. This list can be paginated.

MoveFolderMetadata

Metadata pertaining to the folder move process.
Fields
destinationParent

string

The resource name of the folder or organization to move the folder to.

displayName

string

The display name of the folder.

sourceParent

string

The resource name of the folder's parent.

Operation

This resource represents a long-running operation that is the result of a network API call.
Fields
done

boolean

If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.

error

object (Status)

The error result of the operation in case of failure or cancellation.

metadata

map (key: string, value: any)

Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any.

name

string

The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the name should be a resource name ending with operations/{unique_id}.

response

map (key: string, value: any)

The normal response of the operation in case of success. If the original method returns no data on success, such as Delete, the response is google.protobuf.Empty. If the original method is standard Get/Create/Update, the response should be the resource. For other methods, the response should have the type XxxResponse, where Xxx is the original method name. For example, if the original method name is TakeSnapshot(), the inferred response type is TakeSnapshotResponse.

OrgPolicy

Defines a Cloud Organization Policy which is used to specify Constraints for configurations of Cloud Platform resources.
Fields
booleanPolicy

object (BooleanPolicy)

For boolean Constraints, whether to enforce the Constraint or not.

constraint

string

The name of the Constraint the Policy is configuring, for example, constraints/serviceuser.services. A list of available constraints is available. Immutable after creation.

etag

string (bytes format)

An opaque tag indicating the current version of the Policy, used for concurrency control. When the Policy is returned from either a GetPolicy or a ListOrgPolicy request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset. When the Policy is used in a SetOrgPolicy method, use the etag value that was returned from a GetOrgPolicy request as part of a read-modify-write loop for concurrency control. Not setting the etag in a SetOrgPolicy request will result in an unconditional write of the Policy.

listPolicy

object (ListPolicy)

List of values either allowed or disallowed.

restoreDefault

object (RestoreDefault)

Restores the default behavior of the constraint; independent of Constraint type.

updateTime

string (Timestamp format)

The time stamp the Policy was previously updated. This is set by the server, not specified by the caller, and represents the last time a call to SetOrgPolicy was made for that Policy. Any value set by the client will be ignored.

version

integer (int32 format)

Version of the Policy. Default version is 0.

Organization

The root node in the resource hierarchy to which a particular entity's (e.g., company) resources belong.
Fields
creationTime

string (Timestamp format)

Timestamp when the Organization was created. Assigned by the server.

displayName

string

A human-readable string that refers to the Organization in the GCP Console UI. This string is set by the server and cannot be changed. The string will be set to the primary domain (for example, "google.com") of the G Suite customer that owns the organization.

lifecycleState

enum

The organization's current lifecycle state. Assigned by the server.

Enum type. Can be one of the following:
LIFECYCLE_STATE_UNSPECIFIED Unspecified state. This is only useful for distinguishing unset values.
ACTIVE The normal and active state.
DELETE_REQUESTED The organization has been marked for deletion by the user.

name

string

Output only. The resource name of the organization. This is the organization's relative path in the API. Its format is "organizations/[organization_id]". For example, "organizations/1234".

owner

object (OrganizationOwner)

The owner of this Organization. The owner should be specified on creation. Once set, it cannot be changed. This field is required.

OrganizationOwner

The entity that owns an Organization. The lifetime of the Organization and all of its descendants are bound to the OrganizationOwner. If the OrganizationOwner is deleted, the Organization and all its descendants will be deleted.
Fields
directoryCustomerId

string

The G Suite customer id used in the Directory API.

Policy

An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation.

JSON example:

    {
      "bindings": [
        {
          "role": "roles/resourcemanager.organizationAdmin",
          "members": [
            "user:mike@example.com",
            "group:admins@example.com",
            "domain:google.com",
            "serviceAccount:my-project-id@appspot.gserviceaccount.com"
          ]
        },
        {
          "role": "roles/resourcemanager.organizationViewer",
          "members": [ "user:eve@example.com" ],
          "condition": {
            "title": "expirable access",
            "description": "Does not grant access after Sep 2020",
            "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"
          }
        }
      ],
      "etag": "BwWWja0YfJA=",
      "version": 3
    }

YAML example:

    bindings:
    - members:
      - user:mike@example.com
      - group:admins@example.com
      - domain:google.com
      - serviceAccount:my-project-id@appspot.gserviceaccount.com
      role: roles/resourcemanager.organizationAdmin
    - members:
      - user:eve@example.com
      role: roles/resourcemanager.organizationViewer
      condition:
        title: expirable access
        description: Does not grant access after Sep 2020
        expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
    etag: BwWWja0YfJA=
    version: 3

For a description of IAM and its features, see the IAM documentation.
Fields
auditConfigs[]

object (AuditConfig)

Specifies cloud audit logging configuration for this policy.

bindings[]

object (Binding)

Associates a list of members, or principals, with a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one principal. The bindings in a Policy can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the bindings grant 50 different roles to user:alice@example.com, and not to any other principal, then you can add another 1,450 principals to the bindings in the Policy.

etag

string (bytes format)

etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy. Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.

version

integer (int32 format)

Specifies the format of the policy. Valid values are 0, 1, and 3. Requests that specify an invalid value are rejected.

Any operation that affects conditional role bindings must specify version 3. This requirement applies to the following operations:

* Getting a policy that includes a conditional role binding
* Adding a conditional role binding to a policy
* Changing a conditional role binding in a policy
* Removing any role binding, with or without a condition, from a policy that includes conditions

Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.

If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset. To learn which resources support conditions in their IAM policies, see the IAM documentation.
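The etag, version and bindings[] rules above can be checked on the client before a policy is written back. The following is an added example, not code from this API or its client libraries: the helper names add_binding and preflight are hypothetical, they work on plain policy dictionaries and call no API, and the sample policy is constructed from the values in the Policy example.

```python
import copy

MAX_PRINCIPALS = 1500  # per-policy limit from the bindings[] description
MAX_GROUPS = 250       # how many of those may be Google groups

def has_conditions(policy):
    return any("condition" in b for b in policy.get("bindings", []))

def add_binding(current, role, members, condition=None):
    """Modify step: copy the policy that was read, so its etag travels with the write."""
    updated = copy.deepcopy(current)
    binding = {"role": role, "members": list(members)}
    if condition is not None:
        binding["condition"] = condition
    updated.setdefault("bindings", []).append(binding)
    if has_conditions(updated):
        updated["version"] = 3  # conditional role bindings require version 3
    return updated

def preflight(current, proposed):
    """Return the reasons, if any, to refuse sending `proposed` to setIamPolicy."""
    problems = []
    if not proposed.get("etag"):
        problems.append("etag missing")
    elif proposed["etag"] != current.get("etag"):
        problems.append("etag is not the one returned by getIamPolicy")
    if proposed.get("version", 0) not in (0, 1, 3):
        problems.append("invalid version")
    if (has_conditions(current) or has_conditions(proposed)) and proposed.get("version") != 3:
        problems.append("conditions involved but version is not 3")
    bindings = proposed.get("bindings", [])
    if any(not b.get("members") for b in bindings):
        problems.append("binding without a principal")
    members = [m for b in bindings for m in b.get("members", [])]  # every occurrence counts
    if len(members) > MAX_PRINCIPALS:
        problems.append("more than 1,500 principals")
    if sum(m.startswith("group:") for m in members) > MAX_GROUPS:
        problems.append("more than 250 Google groups")
    return problems

# Constructed sample in the shape of a getIamPolicy response (values from the example above).
CURRENT = {
    "bindings": [{"role": "roles/resourcemanager.organizationViewer",
                  "members": ["user:eve@example.com"],
                  "condition": {"title": "expirable access",
                                "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"}}],
    "etag": "BwWWja0YfJA=",
    "version": 3,
}
```

A request body built from scratch as a version 1 policy with no etag is the case the Important note describes; preflight reports both problems for it, while a policy produced by add_binding passes.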

Project

A Project is a high-level Google Cloud Platform entity. It is a container for ACLs, APIs, App Engine Apps, VMs, and other Google Cloud Platform resources.
Fields
createTime

string (Timestamp format)

Creation time. Read-only.

labels

map (key: string, value: string)

The labels associated with this Project. Label keys must be between 1 and 63 characters long and must conform to the following regular expression: a-z{0,62}. Label values must be between 0 and 63 characters long and must conform to the regular expression [a-z0-9_-]{0,63}. A label value can be empty. No more than 256 labels can be associated with a given resource. Clients should store labels in a representation such as JSON that does not depend on specific characters being disallowed. Example: "environment" : "dev" Read-write.

lifecycleState

enum

The Project lifecycle state. Read-only.

Enum type. Can be one of the following:
LIFECYCLE_STATE_UNSPECIFIED Unspecified state. This is only used/useful for distinguishing unset values.
ACTIVE The normal and active state.
DELETE_REQUESTED The project has been marked for deletion by the user (by invoking DeleteProject) or by the system (Google Cloud Platform). This can generally be reversed by invoking UndeleteProject.
DELETE_IN_PROGRESS This lifecycle state is no longer used and not returned by the API.
name

string

The optional user-assigned display name of the Project. When present it must be between 4 and 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, single-quote, double-quote, space, and exclamation point. Example: My Project Read-write.

parent

object (ResourceId)

An optional reference to a parent Resource. Supported parent types include "organization" and "folder". Once set, the parent cannot be cleared. The parent can be set on creation or using the UpdateProject method; the end user must have the resourcemanager.projects.create permission on the parent.

projectId

string

The unique, user-assigned ID of the Project. It must be 6 to 30 lowercase letters, digits, or hyphens. It must start with a letter. Trailing hyphens are prohibited. Example: tokyo-rain-123 Read-only after creation.

projectNumber

string (int64 format)

The number uniquely identifying the project. Example: 415104041262 Read-only.

ProjectCreationStatus

A status object which is used as the metadata field for the Operation returned by CreateProject. It provides insight for when significant phases of Project creation have completed.
Fields
createTime

string (Timestamp format)

Creation time of the project creation workflow.

gettable

boolean

True if the project can be retrieved using GetProject. No other operations on the project are guaranteed to work until the project creation is complete.

ready

boolean

True if the project creation process is complete.

ResourceId

A container to reference an id for any resource type. A resource in Google Cloud Platform is a generic term for something you (a developer) may want to interact with through one of our APIs. Some examples are an App Engine app, a Compute Engine instance, a Cloud SQL database, and so on.
Fields
id

string

The type-specific id. This should correspond to the id used in the type-specific APIs.

type

string

The resource type this id is for. At present, the valid types are: "organization", "folder", and "project".

SearchOrganizationsRequest

The request sent to the SearchOrganizations method.
Fields
filter

string

An optional query string used to filter the Organizations to return in the response. Filter rules are case-insensitive. Organizations may be filtered by owner.directoryCustomerId or by domain, where the domain is a G Suite domain, for example:

* Filter owner.directorycustomerid:123456789 returns Organization resources with owner.directory_customer_id equal to 123456789.
* Filter domain:google.com returns Organization resources corresponding to the domain google.com.

This field is optional.

pageSize

integer (int32 format)

The maximum number of Organizations to return in the response. The server can return fewer organizations than requested. If unspecified, server picks an appropriate default.

pageToken

string

A pagination token returned from a previous call to SearchOrganizations that indicates from where listing should continue. This field is optional.

SearchOrganizationsResponse

The response returned from the SearchOrganizations method.
Fields
nextPageToken

string

A pagination token to be used to retrieve the next page of results. If the result is too large to fit within the page size specified in the request, this field will be set with a token that can be used to fetch the next page of results. If this field is empty, it indicates that this response contains the last page of results.

organizations[]

object (Organization)

The list of Organizations that matched the search query, possibly paginated.

SetIamPolicyRequest

Request message for SetIamPolicy method.
Fields
policy

object (Policy)

REQUIRED: The complete policy to be applied to the resource. The size of the policy is limited to a few 10s of KB. An empty policy is a valid policy but certain Cloud Platform services (such as Projects) might reject them.

updateMask

string (FieldMask format)

OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only the fields in the mask will be modified. If no mask is provided, the following default mask is used: paths: "bindings, etag"

SetOrgPolicyRequest

The request sent to the SetOrgPolicyRequest method.
Fields
policy

object (OrgPolicy)

Policy to set on the resource.

Status

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.
Fields
code

integer (int32 format)

The status code, which should be an enum value of google.rpc.Code.

details[]

object

A list of messages that carry the error details. There is a common set of message types for APIs to use.

message

string

A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.

TestIamPermissionsRequest

Request message for TestIamPermissions method.
Fields
permissions[]

string

The set of permissions to check for the resource. Permissions with wildcards (such as '*' or 'storage.*') are not allowed. For more information see IAM Overview.

TestIamPermissionsResponse

Response message for TestIamPermissions method.
Fields
permissions[]

string

A subset of TestPermissionsRequest.permissions that the caller is allowed.