class Google::Cloud::Kms::V1::IAMPolicy::Client

Client for the IAMPolicy service.

## API Overview

Manages Identity and Access Management (IAM) policies.

Any implementation of an API that offers access control features implements the google.iam.v1.IAMPolicy interface.

## Data model

Access control is applied when a principal (user or service account) takes some action on a resource exposed by a service. Resources, identified by URI-like names, are the unit of access control specification. Service implementations can choose the granularity of access control and the supported permissions for their resources. For example, one database service may allow access control to be specified only at the Table level, whereas another might allow access control to also be specified at the Column level.

## Policy Structure

See google.iam.v1.Policy

This is intentionally not a CRUD-style API because access control policies are created and deleted implicitly with the resources to which they are attached.

Attributes

iam_policy_stub[R]

@private

Public Class Methods

configure() { |configure| ... }

Configure the IAMPolicy Client class.

See {::Google::Cloud::Kms::V1::IAMPolicy::Client::Configuration} for a description of the configuration fields.

@example

# Modify the configuration for all IAMPolicy clients
::Google::Cloud::Kms::V1::IAMPolicy::Client.configure do |config|
  config.timeout = 10.0
end

@yield [config] Configure the IAMPolicy client.
@yieldparam config [Client::Configuration]

@return [Client::Configuration]

# File lib/google/cloud/kms/v1/iam_policy/client.rb, line 78
def self.configure
  @configure ||= begin
    namespace = ["Google", "Cloud", "Kms", "V1"]
    parent_config = while namespace.any?
                      parent_name = namespace.join "::"
                      parent_const = const_get parent_name
                      break parent_const.configure if parent_const.respond_to? :configure
                      namespace.pop
                    end
    default_config = Client::Configuration.new parent_config

    default_config
  end
  yield @configure if block_given?
  @configure
end
new() { |config| ... }

Create a new IAMPolicy client object.

@example

# Create a client using the default configuration
client = ::Google::Cloud::Kms::V1::IAMPolicy::Client.new

# Create a client using a custom configuration
client = ::Google::Cloud::Kms::V1::IAMPolicy::Client.new do |config|
  config.timeout = 10.0
end

@yield [config] Configure the IAMPolicy client.
@yieldparam config [Client::Configuration]

# File lib/google/cloud/kms/v1/iam_policy/client.rb, line 131
def initialize
  # These require statements are intentionally placed here to initialize
  # the gRPC module only when it's required.
  # See https://github.com/googleapis/toolkit/issues/446
  require "gapic/grpc"
  require "google/iam/v1/iam_policy_services_pb"

  # Create the configuration object
  @config = Configuration.new Client.configure

  # Yield the configuration if needed
  yield @config if block_given?

  # Create credentials
  credentials = @config.credentials
  # Use self-signed JWT if the endpoint is unchanged from default,
  # but only if the default endpoint does not have a region prefix.
  enable_self_signed_jwt = @config.endpoint == Client.configure.endpoint &&
                           !@config.endpoint.split(".").first.include?("-")
  credentials ||= Credentials.default scope: @config.scope,
                                      enable_self_signed_jwt: enable_self_signed_jwt
  if credentials.is_a?(::String) || credentials.is_a?(::Hash)
    credentials = Credentials.new credentials, scope: @config.scope
  end
  @quota_project_id = @config.quota_project
  @quota_project_id ||= credentials.quota_project_id if credentials.respond_to? :quota_project_id

  @iam_policy_stub = ::Gapic::ServiceStub.new(
    ::Google::Iam::V1::IAMPolicy::Stub,
    credentials:  credentials,
    endpoint:     @config.endpoint,
    channel_args: @config.channel_args,
    interceptors: @config.interceptors
  )
end

Public Instance Methods

configure() { |config| ... }

Configure the IAMPolicy Client instance.

The configuration is set to the derived mode, meaning that values can be changed, but structural changes (adding new fields, etc.) are not allowed. Structural changes should be made on {Client.configure}.

See {::Google::Cloud::Kms::V1::IAMPolicy::Client::Configuration} for a description of the configuration fields.

@yield [config] Configure the IAMPolicy client.
@yieldparam config [Client::Configuration]

@return [Client::Configuration]

# File lib/google/cloud/kms/v1/iam_policy/client.rb, line 110
def configure
  yield @config if block_given?
  @config
end
get_iam_policy(request, options = nil) { |response, operation| ... }

Gets the access control policy for a resource. Returns an empty policy if the resource exists and does not have a policy set.

@overload get_iam_policy(request, options = nil)

Pass arguments to `get_iam_policy` via a request object, either of type
{::Google::Iam::V1::GetIamPolicyRequest} or an equivalent Hash.

@param request [::Google::Iam::V1::GetIamPolicyRequest, ::Hash]
  A request object representing the call parameters. Required. To specify no
  parameters, or to keep all the default parameter values, pass an empty Hash.
@param options [::Gapic::CallOptions, ::Hash]
  Overrides the default settings for this call, e.g., timeout, retries, etc. Optional.

@overload get_iam_policy(resource: nil, options: nil)

Pass arguments to `get_iam_policy` via keyword arguments. Note that at
least one keyword argument is required. To specify no parameters, or to keep all
the default parameter values, pass an empty Hash as a request object (see above).

@param resource [::String]
  REQUIRED: The resource for which the policy is being requested.
  See the operation documentation for the appropriate value for this field.
@param options [::Google::Iam::V1::GetPolicyOptions, ::Hash]
  OPTIONAL: A `GetPolicyOptions` object for specifying options to
  `GetIamPolicy`. This field is only used by Cloud IAM.

@yield [response, operation] Access the result along with the RPC operation
@yieldparam response [::Google::Iam::V1::Policy]
@yieldparam operation [::GRPC::ActiveCall::Operation]

@return [::Google::Iam::V1::Policy]

@raise [::Google::Cloud::Error] if the RPC is aborted.

# File lib/google/cloud/kms/v1/iam_policy/client.rb, line 279
def get_iam_policy request, options = nil
  raise ::ArgumentError, "request must be provided" if request.nil?

  request = ::Gapic::Protobuf.coerce request, to: ::Google::Iam::V1::GetIamPolicyRequest

  # Converts hash and nil to an options object
  options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h

  # Customize the options with defaults
  metadata = @config.rpcs.get_iam_policy.metadata.to_h

  # Set x-goog-api-client and x-goog-user-project headers
  metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
    lib_name: @config.lib_name, lib_version: @config.lib_version,
    gapic_version: ::Google::Cloud::Kms::V1::VERSION
  metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id

  header_params = {
    "resource" => request.resource
  }
  request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
  metadata[:"x-goog-request-params"] ||= request_params_header

  options.apply_defaults timeout:      @config.rpcs.get_iam_policy.timeout,
                         metadata:     metadata,
                         retry_policy: @config.rpcs.get_iam_policy.retry_policy

  options.apply_defaults timeout:      @config.timeout,
                         metadata:     @config.metadata,
                         retry_policy: @config.retry_policy

  @iam_policy_stub.call_rpc :get_iam_policy, request, options: options do |response, operation|
    yield response, operation if block_given?
    return response
  end
rescue ::GRPC::BadStatus => e
  raise ::Google::Cloud::Error.from_error(e)
end
set_iam_policy(request, options = nil) { |response, operation| ... }

Sets the access control policy on the specified resource. Replaces any existing policy.

@overload set_iam_policy(request, options = nil)

Pass arguments to `set_iam_policy` via a request object, either of type
{::Google::Iam::V1::SetIamPolicyRequest} or an equivalent Hash.

@param request [::Google::Iam::V1::SetIamPolicyRequest, ::Hash]
  A request object representing the call parameters. Required. To specify no
  parameters, or to keep all the default parameter values, pass an empty Hash.
@param options [::Gapic::CallOptions, ::Hash]
  Overrides the default settings for this call, e.g., timeout, retries, etc. Optional.

@overload set_iam_policy(resource: nil, policy: nil)

Pass arguments to `set_iam_policy` via keyword arguments. Note that at
least one keyword argument is required. To specify no parameters, or to keep all
the default parameter values, pass an empty Hash as a request object (see above).

@param resource [::String]
  REQUIRED: The resource for which the policy is being specified.
  See the operation documentation for the appropriate value for this field.
@param policy [::Google::Iam::V1::Policy, ::Hash]
  REQUIRED: The complete policy to be applied to the `resource`. The size of
  the policy is limited to a few tens of KB. An empty policy is a
  valid policy, but certain Cloud Platform services (such as Projects)
  might reject it.

@yield [response, operation] Access the result along with the RPC operation
@yieldparam response [::Google::Iam::V1::Policy]
@yieldparam operation [::GRPC::ActiveCall::Operation]

@return [::Google::Iam::V1::Policy]

@raise [::Google::Cloud::Error] if the RPC is aborted.

# File lib/google/cloud/kms/v1/iam_policy/client.rb, line 205
def set_iam_policy request, options = nil
  raise ::ArgumentError, "request must be provided" if request.nil?

  request = ::Gapic::Protobuf.coerce request, to: ::Google::Iam::V1::SetIamPolicyRequest

  # Converts hash and nil to an options object
  options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h

  # Customize the options with defaults
  metadata = @config.rpcs.set_iam_policy.metadata.to_h

  # Set x-goog-api-client and x-goog-user-project headers
  metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
    lib_name: @config.lib_name, lib_version: @config.lib_version,
    gapic_version: ::Google::Cloud::Kms::V1::VERSION
  metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id

  header_params = {
    "resource" => request.resource
  }
  request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
  metadata[:"x-goog-request-params"] ||= request_params_header

  options.apply_defaults timeout:      @config.rpcs.set_iam_policy.timeout,
                         metadata:     metadata,
                         retry_policy: @config.rpcs.set_iam_policy.retry_policy

  options.apply_defaults timeout:      @config.timeout,
                         metadata:     @config.metadata,
                         retry_policy: @config.retry_policy

  @iam_policy_stub.call_rpc :set_iam_policy, request, options: options do |response, operation|
    yield response, operation if block_given?
    return response
  end
rescue ::GRPC::BadStatus => e
  raise ::Google::Cloud::Error.from_error(e)
end
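
Because `set_iam_policy` replaces any existing policy, adding a single grant safely means reading the current policy, editing it, and writing it back with the etag it was read at, so a concurrent change is rejected rather than silently overwritten. The following is an added example, not code from the library: `FakeBinding`, `FakePolicy`, `StaleEtag`, `FakeIamClient` and `grant` are hypothetical stand-ins that run offline, and only the `get_iam_policy`/`set_iam_policy` method names and their `resource:`/`policy:` keywords come from this page. `StaleEtag` stands in for the `::Google::Cloud::Error` the real client raises when the RPC is aborted.

```ruby
# Added example: read-modify-write around get_iam_policy / set_iam_policy.
# FakeBinding, FakePolicy, StaleEtag and FakeIamClient are constructed stand-ins
# (assumptions, not library classes) so the flow can run without the service.
FakeBinding = Struct.new(:role, :members)
FakePolicy  = Struct.new(:bindings, :etag)
class StaleEtag < StandardError; end

class FakeIamClient
  attr_reader :stored

  def initialize(policy)
    @stored, @race = policy, nil
  end

  # Register a one-shot change made by "another writer" just before our write lands.
  def race_once(&change)
    @race = change
  end

  def get_iam_policy(resource:)
    FakePolicy.new(@stored.bindings.map { |b| FakeBinding.new(b.role, b.members.dup) }, @stored.etag)
  end

  def set_iam_policy(resource:, policy:)
    if @race
      @race.call(@stored)
      @stored.etag = @stored.etag.succ
      @race = nil
    end
    raise StaleEtag, "policy changed since it was read" unless policy.etag == @stored.etag
    @stored = FakePolicy.new(policy.bindings, policy.etag.succ)
  end
end

# Add one member to one role without dropping bindings written by anyone else.
def grant(client, resource, role, member, attempts: 3)
  attempts.times do
    policy = client.get_iam_policy resource: resource
    entry  = policy.bindings.find { |b| b.role == role }
    return policy if entry && entry.members.include?(member) # already granted
    entry ? entry.members << member : policy.bindings << FakeBinding.new(role, [member])
    begin
      return client.set_iam_policy(resource: resource, policy: policy) # carries the etag we read
    rescue StaleEtag
      next # someone else wrote first: re-read and re-apply instead of overwriting
    end
  end
  raise "policy kept changing, gave up after #{attempts} attempts"
end
```
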
test_iam_permissions(request, options = nil) { |response, operation| ... }

Returns permissions that a caller has on the specified resource. If the resource does not exist, this will return an empty set of permissions, not a NOT_FOUND error.

Note: This operation is designed to be used for building permission-aware UIs and command-line tools, not for authorization checking. This operation may “fail open” without warning.

@overload test_iam_permissions(request, options = nil)

Pass arguments to `test_iam_permissions` via a request object, either of type
{::Google::Iam::V1::TestIamPermissionsRequest} or an equivalent Hash.

@param request [::Google::Iam::V1::TestIamPermissionsRequest, ::Hash]
  A request object representing the call parameters. Required. To specify no
  parameters, or to keep all the default parameter values, pass an empty Hash.
@param options [::Gapic::CallOptions, ::Hash]
  Overrides the default settings for this call, e.g., timeout, retries, etc. Optional.

@overload test_iam_permissions(resource: nil, permissions: nil)

Pass arguments to `test_iam_permissions` via keyword arguments. Note that at
least one keyword argument is required. To specify no parameters, or to keep all
the default parameter values, pass an empty Hash as a request object (see above).

@param resource [::String]
  REQUIRED: The resource for which the policy detail is being requested.
  See the operation documentation for the appropriate value for this field.
@param permissions [::Array<::String>]
  The set of permissions to check for the `resource`. Permissions with
  wildcards (such as '*' or 'storage.*') are not allowed. For more
  information see
  [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

@yield [response, operation] Access the result along with the RPC operation
@yieldparam response [::Google::Iam::V1::TestIamPermissionsResponse]
@yieldparam operation [::GRPC::ActiveCall::Operation]

@return [::Google::Iam::V1::TestIamPermissionsResponse]

@raise [::Google::Cloud::Error] if the RPC is aborted.

# File lib/google/cloud/kms/v1/iam_policy/client.rb, line 359
def test_iam_permissions request, options = nil
  raise ::ArgumentError, "request must be provided" if request.nil?

  request = ::Gapic::Protobuf.coerce request, to: ::Google::Iam::V1::TestIamPermissionsRequest

  # Converts hash and nil to an options object
  options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h

  # Customize the options with defaults
  metadata = @config.rpcs.test_iam_permissions.metadata.to_h

  # Set x-goog-api-client and x-goog-user-project headers
  metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
    lib_name: @config.lib_name, lib_version: @config.lib_version,
    gapic_version: ::Google::Cloud::Kms::V1::VERSION
  metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id

  header_params = {
    "resource" => request.resource
  }
  request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
  metadata[:"x-goog-request-params"] ||= request_params_header

  options.apply_defaults timeout:      @config.rpcs.test_iam_permissions.timeout,
                         metadata:     metadata,
                         retry_policy: @config.rpcs.test_iam_permissions.retry_policy

  options.apply_defaults timeout:      @config.timeout,
                         metadata:     @config.metadata,
                         retry_policy: @config.retry_policy

  @iam_policy_stub.call_rpc :test_iam_permissions, request, options: options do |response, operation|
    yield response, operation if block_given?
    return response
  end
rescue ::GRPC::BadStatus => e
  raise ::Google::Cloud::Error.from_error(e)
end