IAM
iam.iamPolicies.lintPolicy
valid {
input.Body.condition.description == STRING
input.Body.condition.expression == STRING
input.Body.condition.location == STRING
input.Body.condition.title == STRING
input.Body.fullResourceName == STRING
input.ProviderMetadata.Region == STRING
}
iam.iamPolicies.queryAuditableServices
valid {
input.Body.fullResourceName == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.create
valid {
input.Body.accessRestrictions.allowedServices[_].domain == STRING
input.Body.accessRestrictions.disableProgrammaticSignin == BOOLEAN
input.Body.description == STRING
input.Body.disabled == BOOLEAN
input.Body.displayName == STRING
input.Body.name == STRING
input.Body.parent == STRING
input.Body.sessionDuration == STRING
input.ReqMap.location == STRING
input.Qs.workforcePoolId == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.delete
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.getIamPolicy
valid {
input.Body.options.requestedPolicyVersion == INTEGER
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.list
valid {
input.ReqMap.location == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.Qs.parent == STRING
input.Qs.showDeleted == BOOLEAN
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.operations.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.patch
valid {
input.Body.accessRestrictions.allowedServices[_].domain == STRING
input.Body.accessRestrictions.disableProgrammaticSignin == BOOLEAN
input.Body.description == STRING
input.Body.disabled == BOOLEAN
input.Body.displayName == STRING
input.Body.name == STRING
input.Body.parent == STRING
input.Body.sessionDuration == STRING
input.ReqMap.name == STRING
input.Qs.updateMask == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.providers.create
enum_GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2ClientAttributesType := [ "ATTRIBUTES_TYPE_UNSPECIFIED", "AZURE_AD_GROUPS_MAIL", "AZURE_AD_GROUPS_ID" ]
enum_GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfigAssertionClaimsBehavior := [ "ASSERTION_CLAIMS_BEHAVIOR_UNSPECIFIED", "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS", "ONLY_ID_TOKEN_CLAIMS" ]
enum_GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfigResponseType := [ "RESPONSE_TYPE_UNSPECIFIED", "CODE", "ID_TOKEN" ]
valid {
input.Body.attributeCondition == STRING
input.Body.attributeMapping.STRING == STRING
input.Body.description == STRING
input.Body.detailedAuditLogging == BOOLEAN
input.Body.disabled == BOOLEAN
input.Body.displayName == STRING
input.Body.extraAttributesOauth2Client.attributesType == enum_GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2ClientAttributesType[_]
input.Body.extraAttributesOauth2Client.clientId == STRING
input.Body.extraAttributesOauth2Client.clientSecret.value.plainText == STRING
input.Body.extraAttributesOauth2Client.issuerUri == STRING
input.Body.extraAttributesOauth2Client.queryParameters.filter == STRING
input.Body.name == STRING
input.Body.oidc.clientId == STRING
input.Body.oidc.clientSecret.value.plainText == STRING
input.Body.oidc.issuerUri == STRING
input.Body.oidc.jwksJson == STRING
input.Body.oidc.webSsoConfig.additionalScopes[_] == STRING
input.Body.oidc.webSsoConfig.assertionClaimsBehavior == enum_GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfigAssertionClaimsBehavior[_]
input.Body.oidc.webSsoConfig.responseType == enum_GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfigResponseType[_]
input.Body.saml.idpMetadataXml == STRING
input.ReqMap.parent == STRING
input.Qs.workforcePoolProviderId == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.providers.delete
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.providers.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.providers.keys.create
enum_KeyDataKeySpec := [ "KEY_SPEC_UNSPECIFIED", "RSA_2048", "RSA_3072", "RSA_4096" ]
enum_WorkforcePoolProviderKeyUse := [ "KEY_USE_UNSPECIFIED", "ENCRYPTION" ]
valid {
input.Body.keyData.keySpec == enum_KeyDataKeySpec[_]
input.Body.name == STRING
input.Body.use == enum_WorkforcePoolProviderKeyUse[_]
input.ReqMap.parent == STRING
input.Qs.workforcePoolProviderKeyId == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.providers.keys.delete
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.providers.keys.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.providers.keys.list
valid {
input.ReqMap.parent == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.Qs.showDeleted == BOOLEAN
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.providers.keys.operations.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.providers.keys.undelete
valid {
input.Body.STRING == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.providers.list
valid {
input.ReqMap.parent == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.Qs.showDeleted == BOOLEAN
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.providers.operations.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.providers.patch
enum_GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2ClientAttributesType := [ "ATTRIBUTES_TYPE_UNSPECIFIED", "AZURE_AD_GROUPS_MAIL", "AZURE_AD_GROUPS_ID" ]
enum_GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfigAssertionClaimsBehavior := [ "ASSERTION_CLAIMS_BEHAVIOR_UNSPECIFIED", "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS", "ONLY_ID_TOKEN_CLAIMS" ]
enum_GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfigResponseType := [ "RESPONSE_TYPE_UNSPECIFIED", "CODE", "ID_TOKEN" ]
valid {
input.Body.attributeCondition == STRING
input.Body.attributeMapping.STRING == STRING
input.Body.description == STRING
input.Body.detailedAuditLogging == BOOLEAN
input.Body.disabled == BOOLEAN
input.Body.displayName == STRING
input.Body.extraAttributesOauth2Client.attributesType == enum_GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2ClientAttributesType[_]
input.Body.extraAttributesOauth2Client.clientId == STRING
input.Body.extraAttributesOauth2Client.clientSecret.value.plainText == STRING
input.Body.extraAttributesOauth2Client.issuerUri == STRING
input.Body.extraAttributesOauth2Client.queryParameters.filter == STRING
input.Body.name == STRING
input.Body.oidc.clientId == STRING
input.Body.oidc.clientSecret.value.plainText == STRING
input.Body.oidc.issuerUri == STRING
input.Body.oidc.jwksJson == STRING
input.Body.oidc.webSsoConfig.additionalScopes[_] == STRING
input.Body.oidc.webSsoConfig.assertionClaimsBehavior == enum_GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfigAssertionClaimsBehavior[_]
input.Body.oidc.webSsoConfig.responseType == enum_GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfigResponseType[_]
input.Body.saml.idpMetadataXml == STRING
input.ReqMap.name == STRING
input.Qs.updateMask == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.providers.undelete
valid {
input.Body.STRING == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.setIamPolicy
enum_AuditLogConfigLogType := [ "LOG_TYPE_UNSPECIFIED", "ADMIN_READ", "DATA_WRITE", "DATA_READ" ]
valid {
input.Body.policy.auditConfigs[_].auditLogConfigs[_].exemptedMembers[_] == STRING
input.Body.policy.auditConfigs[_].auditLogConfigs[_].logType == enum_AuditLogConfigLogType[_]
input.Body.policy.auditConfigs[_].service == STRING
input.Body.policy.bindings[_].condition.description == STRING
input.Body.policy.bindings[_].condition.expression == STRING
input.Body.policy.bindings[_].condition.location == STRING
input.Body.policy.bindings[_].condition.title == STRING
input.Body.policy.bindings[_].members[_] == STRING
input.Body.policy.bindings[_].role == STRING
input.Body.policy.etag == STRING
input.Body.policy.version == INTEGER
input.Body.updateMask == STRING
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.subjects.delete
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.subjects.operations.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.subjects.undelete
valid {
input.Body.STRING == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.testIamPermissions
valid {
input.Body.permissions[_] == STRING
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
iam.locations.workforcePools.undelete
valid {
input.Body.STRING == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.organizations.roles.create
enum_RoleStage := [ "ALPHA", "BETA", "GA", "DEPRECATED", "DISABLED", "EAP" ]
valid {
input.Body.role.deleted == BOOLEAN
input.Body.role.description == STRING
input.Body.role.etag == STRING
input.Body.role.includedPermissions[_] == STRING
input.Body.role.name == STRING
input.Body.role.stage == enum_RoleStage[_]
input.Body.role.title == STRING
input.Body.roleId == STRING
input.ReqMap.parent == STRING
input.ProviderMetadata.Region == STRING
}
iam.organizations.roles.delete
valid {
input.ReqMap.name == STRING
input.Qs.etag == STRING
input.ProviderMetadata.Region == STRING
}
iam.organizations.roles.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.organizations.roles.list
enum_ViewParameter := [ "BASIC", "FULL" ]
valid {
input.ReqMap.parent == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.Qs.showDeleted == BOOLEAN
input.Qs.view == enum_ViewParameter[_]
input.ProviderMetadata.Region == STRING
}
iam.organizations.roles.patch
enum_RoleStage := [ "ALPHA", "BETA", "GA", "DEPRECATED", "DISABLED", "EAP" ]
valid {
input.Body.deleted == BOOLEAN
input.Body.description == STRING
input.Body.etag == STRING
input.Body.includedPermissions[_] == STRING
input.Body.name == STRING
input.Body.stage == enum_RoleStage[_]
input.Body.title == STRING
input.ReqMap.name == STRING
input.Qs.updateMask == STRING
input.ProviderMetadata.Region == STRING
}
iam.organizations.roles.undelete
valid {
input.Body.etag == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.permissions.queryTestablePermissions
valid {
input.Body.fullResourceName == STRING
input.Body.pageSize == INTEGER
input.Body.pageToken == STRING
input.ProviderMetadata.Region == STRING
}
iam.policies.createPolicy
valid {
input.Body.annotations.STRING == STRING
input.Body.displayName == STRING
input.Body.etag == STRING
input.Body.name == STRING
input.Body.rules[_].denyRule.denialCondition.description == STRING
input.Body.rules[_].denyRule.denialCondition.expression == STRING
input.Body.rules[_].denyRule.denialCondition.location == STRING
input.Body.rules[_].denyRule.denialCondition.title == STRING
input.Body.rules[_].denyRule.deniedPermissions[_] == STRING
input.Body.rules[_].denyRule.deniedPrincipals[_] == STRING
input.Body.rules[_].denyRule.exceptionPermissions[_] == STRING
input.Body.rules[_].denyRule.exceptionPrincipals[_] == STRING
input.Body.rules[_].description == STRING
input.Body.uid == STRING
input.ReqMap.parent == STRING
input.Qs.policyId == STRING
input.ProviderMetadata.Region == STRING
}
iam.policies.delete
valid {
input.ReqMap.name == STRING
input.Qs.etag == STRING
input.ProviderMetadata.Region == STRING
}
iam.policies.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.policies.listPolicies
valid {
input.ReqMap.parent == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.ProviderMetadata.Region == STRING
}
iam.policies.operations.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.policies.update
valid {
input.Body.annotations.STRING == STRING
input.Body.displayName == STRING
input.Body.etag == STRING
input.Body.name == STRING
input.Body.rules[_].denyRule.denialCondition.description == STRING
input.Body.rules[_].denyRule.denialCondition.expression == STRING
input.Body.rules[_].denyRule.denialCondition.location == STRING
input.Body.rules[_].denyRule.denialCondition.title == STRING
input.Body.rules[_].denyRule.deniedPermissions[_] == STRING
input.Body.rules[_].denyRule.deniedPrincipals[_] == STRING
input.Body.rules[_].denyRule.exceptionPermissions[_] == STRING
input.Body.rules[_].denyRule.exceptionPrincipals[_] == STRING
input.Body.rules[_].description == STRING
input.Body.uid == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.oauthClients.create
enum_OauthClientAllowedGrantTypes := [ "GRANT_TYPE_UNSPECIFIED", "AUTHORIZATION_CODE_GRANT", "REFRESH_TOKEN_GRANT" ]
enum_OauthClientClientType := [ "CLIENT_TYPE_UNSPECIFIED", "PUBLIC_CLIENT", "CONFIDENTIAL_CLIENT" ]
valid {
input.Body.allowedGrantTypes[_] == enum_OauthClientAllowedGrantTypes[_]
input.Body.allowedRedirectUris[_] == STRING
input.Body.allowedScopes[_] == STRING
input.Body.clientType == enum_OauthClientClientType[_]
input.Body.description == STRING
input.Body.disabled == BOOLEAN
input.Body.displayName == STRING
input.Body.name == STRING
input.ReqMap.parent == STRING
input.Qs.oauthClientId == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.oauthClients.credentials.create
valid {
input.Body.disabled == BOOLEAN
input.Body.displayName == STRING
input.Body.name == STRING
input.ReqMap.parent == STRING
input.Qs.oauthClientCredentialId == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.oauthClients.credentials.delete
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.oauthClients.credentials.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.oauthClients.credentials.list
valid {
input.ReqMap.parent == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.oauthClients.credentials.patch
valid {
input.Body.disabled == BOOLEAN
input.Body.displayName == STRING
input.Body.name == STRING
input.ReqMap.name == STRING
input.Qs.updateMask == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.oauthClients.delete
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.oauthClients.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.oauthClients.list
valid {
input.ReqMap.parent == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.Qs.showDeleted == BOOLEAN
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.oauthClients.patch
enum_OauthClientAllowedGrantTypes := [ "GRANT_TYPE_UNSPECIFIED", "AUTHORIZATION_CODE_GRANT", "REFRESH_TOKEN_GRANT" ]
enum_OauthClientClientType := [ "CLIENT_TYPE_UNSPECIFIED", "PUBLIC_CLIENT", "CONFIDENTIAL_CLIENT" ]
valid {
input.Body.allowedGrantTypes[_] == enum_OauthClientAllowedGrantTypes[_]
input.Body.allowedRedirectUris[_] == STRING
input.Body.allowedScopes[_] == STRING
input.Body.clientType == enum_OauthClientClientType[_]
input.Body.description == STRING
input.Body.disabled == BOOLEAN
input.Body.displayName == STRING
input.Body.name == STRING
input.ReqMap.name == STRING
input.Qs.updateMask == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.oauthClients.undelete
valid {
input.Body.STRING == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.create
enum_InlineCertificateIssuanceConfigKeyAlgorithm := [ "KEY_ALGORITHM_UNSPECIFIED", "RSA_2048", "RSA_3072", "RSA_4096", "ECDSA_P256", "ECDSA_P384" ]
enum_WorkloadIdentityPoolMode := [ "MODE_UNSPECIFIED", "FEDERATION_ONLY", "TRUST_DOMAIN" ]
valid {
input.Body.description == STRING
input.Body.disabled == BOOLEAN
input.Body.displayName == STRING
input.Body.inlineCertificateIssuanceConfig.caPools.STRING == STRING
input.Body.inlineCertificateIssuanceConfig.keyAlgorithm == enum_InlineCertificateIssuanceConfigKeyAlgorithm[_]
input.Body.inlineCertificateIssuanceConfig.lifetime == STRING
input.Body.inlineCertificateIssuanceConfig.rotationWindowPercentage == INTEGER
input.Body.inlineTrustConfig.additionalTrustBundles.STRING.intermediateCas[_].pemCertificate == STRING
input.Body.inlineTrustConfig.additionalTrustBundles.STRING.trustAnchors[_].pemCertificate == STRING
input.Body.mode == enum_WorkloadIdentityPoolMode[_]
input.ReqMap.parent == STRING
input.Qs.workloadIdentityPoolId == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.delete
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.getIamPolicy
valid {
input.Body.options.requestedPolicyVersion == INTEGER
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.list
valid {
input.ReqMap.parent == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.Qs.showDeleted == BOOLEAN
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.create
valid {
input.Body.description == STRING
input.Body.disabled == BOOLEAN
input.ReqMap.parent == STRING
input.Qs.workloadIdentityPoolNamespaceId == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.delete
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.list
valid {
input.ReqMap.parent == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.Qs.showDeleted == BOOLEAN
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.addAttestationRule
valid {
input.Body.attestationRule.googleCloudResource == STRING
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.create
valid {
input.Body.description == STRING
input.Body.disabled == BOOLEAN
input.ReqMap.parent == STRING
input.Qs.workloadIdentityPoolManagedIdentityId == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.delete
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.list
valid {
input.ReqMap.parent == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.Qs.showDeleted == BOOLEAN
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.listAttestationRules
valid {
input.ReqMap.resource == STRING
input.Qs.filter == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.operations.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.patch
valid {
input.Body.description == STRING
input.Body.disabled == BOOLEAN
input.ReqMap.name == STRING
input.Qs.updateMask == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.removeAttestationRule
valid {
input.Body.attestationRule.googleCloudResource == STRING
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.setAttestationRules
valid {
input.Body.attestationRules[_].googleCloudResource == STRING
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.undelete
valid {
input.Body.STRING == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.workloadSources.operations.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.operations.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.patch
valid {
input.Body.description == STRING
input.Body.disabled == BOOLEAN
input.ReqMap.name == STRING
input.Qs.updateMask == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.namespaces.undelete
valid {
input.Body.STRING == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.operations.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.patch
enum_InlineCertificateIssuanceConfigKeyAlgorithm := [ "KEY_ALGORITHM_UNSPECIFIED", "RSA_2048", "RSA_3072", "RSA_4096", "ECDSA_P256", "ECDSA_P384" ]
enum_WorkloadIdentityPoolMode := [ "MODE_UNSPECIFIED", "FEDERATION_ONLY", "TRUST_DOMAIN" ]
valid {
input.Body.description == STRING
input.Body.disabled == BOOLEAN
input.Body.displayName == STRING
input.Body.inlineCertificateIssuanceConfig.caPools.STRING == STRING
input.Body.inlineCertificateIssuanceConfig.keyAlgorithm == enum_InlineCertificateIssuanceConfigKeyAlgorithm[_]
input.Body.inlineCertificateIssuanceConfig.lifetime == STRING
input.Body.inlineCertificateIssuanceConfig.rotationWindowPercentage == INTEGER
input.Body.inlineTrustConfig.additionalTrustBundles.STRING.intermediateCas[_].pemCertificate == STRING
input.Body.inlineTrustConfig.additionalTrustBundles.STRING.trustAnchors[_].pemCertificate == STRING
input.Body.mode == enum_WorkloadIdentityPoolMode[_]
input.ReqMap.name == STRING
input.Qs.updateMask == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.providers.create
valid {
input.Body.attributeCondition == STRING
input.Body.attributeMapping.STRING == STRING
input.Body.aws.accountId == STRING
input.Body.description == STRING
input.Body.disabled == BOOLEAN
input.Body.displayName == STRING
input.Body.oidc.allowedAudiences[_] == STRING
input.Body.oidc.issuerUri == STRING
input.Body.oidc.jwksJson == STRING
input.Body.saml.idpMetadataXml == STRING
input.Body.x509.trustStore.intermediateCas[_].pemCertificate == STRING
input.Body.x509.trustStore.trustAnchors[_].pemCertificate == STRING
input.ReqMap.parent == STRING
input.Qs.workloadIdentityPoolProviderId == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.providers.delete
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.providers.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.providers.keys.create
enum_KeyDataKeySpec := [ "KEY_SPEC_UNSPECIFIED", "RSA_2048", "RSA_3072", "RSA_4096" ]
enum_WorkloadIdentityPoolProviderKeyUse := [ "KEY_USE_UNSPECIFIED", "ENCRYPTION" ]
valid {
input.Body.keyData.keySpec == enum_KeyDataKeySpec[_]
input.Body.use == enum_WorkloadIdentityPoolProviderKeyUse[_]
input.ReqMap.parent == STRING
input.Qs.workloadIdentityPoolProviderKeyId == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.providers.keys.delete
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.providers.keys.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.providers.keys.list
valid {
input.ReqMap.parent == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.Qs.showDeleted == BOOLEAN
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.providers.keys.operations.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.providers.keys.undelete
valid {
input.Body.STRING == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.providers.list
valid {
input.ReqMap.parent == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.Qs.showDeleted == BOOLEAN
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.providers.operations.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.providers.patch
valid {
input.Body.attributeCondition == STRING
input.Body.attributeMapping.STRING == STRING
input.Body.aws.accountId == STRING
input.Body.description == STRING
input.Body.disabled == BOOLEAN
input.Body.displayName == STRING
input.Body.oidc.allowedAudiences[_] == STRING
input.Body.oidc.issuerUri == STRING
input.Body.oidc.jwksJson == STRING
input.Body.saml.idpMetadataXml == STRING
input.Body.x509.trustStore.intermediateCas[_].pemCertificate == STRING
input.Body.x509.trustStore.trustAnchors[_].pemCertificate == STRING
input.ReqMap.name == STRING
input.Qs.updateMask == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.providers.undelete
valid {
input.Body.STRING == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.setIamPolicy
enum_AuditLogConfigLogType := [ "LOG_TYPE_UNSPECIFIED", "ADMIN_READ", "DATA_WRITE", "DATA_READ" ]
valid {
input.Body.policy.auditConfigs[_].auditLogConfigs[_].exemptedMembers[_] == STRING
input.Body.policy.auditConfigs[_].auditLogConfigs[_].logType == enum_AuditLogConfigLogType[_]
input.Body.policy.auditConfigs[_].service == STRING
input.Body.policy.bindings[_].condition.description == STRING
input.Body.policy.bindings[_].condition.expression == STRING
input.Body.policy.bindings[_].condition.location == STRING
input.Body.policy.bindings[_].condition.title == STRING
input.Body.policy.bindings[_].members[_] == STRING
input.Body.policy.bindings[_].role == STRING
input.Body.policy.etag == STRING
input.Body.policy.version == INTEGER
input.Body.updateMask == STRING
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.testIamPermissions
valid {
input.Body.permissions[_] == STRING
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.locations.workloadIdentityPools.undelete
valid {
input.Body.STRING == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.roles.create
enum_RoleStage := [ "ALPHA", "BETA", "GA", "DEPRECATED", "DISABLED", "EAP" ]
valid {
input.Body.role.deleted == BOOLEAN
input.Body.role.description == STRING
input.Body.role.etag == STRING
input.Body.role.includedPermissions[_] == STRING
input.Body.role.name == STRING
input.Body.role.stage == enum_RoleStage[_]
input.Body.role.title == STRING
input.Body.roleId == STRING
input.ReqMap.parent == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.roles.delete
valid {
input.ReqMap.name == STRING
input.Qs.etag == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.roles.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.roles.list
enum_ViewParameter := [ "BASIC", "FULL" ]
valid {
input.ReqMap.parent == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.Qs.showDeleted == BOOLEAN
input.Qs.view == enum_ViewParameter[_]
input.ProviderMetadata.Region == STRING
}
iam.projects.roles.patch
enum_RoleStage := [ "ALPHA", "BETA", "GA", "DEPRECATED", "DISABLED", "EAP" ]
valid {
input.Body.deleted == BOOLEAN
input.Body.description == STRING
input.Body.etag == STRING
input.Body.includedPermissions[_] == STRING
input.Body.name == STRING
input.Body.stage == enum_RoleStage[_]
input.Body.title == STRING
input.ReqMap.name == STRING
input.Qs.updateMask == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.roles.undelete
valid {
input.Body.etag == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.create
valid {
input.Body.accountId == STRING
input.Body.serviceAccount.description == STRING
input.Body.serviceAccount.displayName == STRING
input.Body.serviceAccount.etag == STRING
input.Body.serviceAccount.name == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.delete
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.disable
valid {
input.Body.STRING == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.enable
valid {
input.Body.STRING == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.getIamPolicy
valid {
input.ReqMap.resource == STRING
input.Qs.options.requestedPolicyVersion == INTEGER
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.keys.create
enum_CreateServiceAccountKeyRequestKeyAlgorithm := [ "KEY_ALG_UNSPECIFIED", "KEY_ALG_RSA_1024", "KEY_ALG_RSA_2048" ]
enum_CreateServiceAccountKeyRequestPrivateKeyType := [ "TYPE_UNSPECIFIED", "TYPE_PKCS12_FILE", "TYPE_GOOGLE_CREDENTIALS_FILE" ]
valid {
input.Body.keyAlgorithm == enum_CreateServiceAccountKeyRequestKeyAlgorithm[_]
input.Body.privateKeyType == enum_CreateServiceAccountKeyRequestPrivateKeyType[_]
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.keys.delete
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.keys.disable
enum_DisableServiceAccountKeyRequestServiceAccountKeyDisableReason := [ "SERVICE_ACCOUNT_KEY_DISABLE_REASON_UNSPECIFIED", "SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED", "SERVICE_ACCOUNT_KEY_DISABLE_REASON_EXPOSED", "SERVICE_ACCOUNT_KEY_DISABLE_REASON_COMPROMISE_DETECTED" ]
valid {
input.Body.extendedStatusMessage == STRING
input.Body.serviceAccountKeyDisableReason == enum_DisableServiceAccountKeyRequestServiceAccountKeyDisableReason[_]
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.keys.enable
valid {
input.Body.STRING == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.keys.get
enum_PublicKeyTypeParameter := [ "TYPE_NONE", "TYPE_X509_PEM_FILE", "TYPE_RAW_PUBLIC_KEY" ]
valid {
input.ReqMap.name == STRING
input.Qs.publicKeyType == enum_PublicKeyTypeParameter[_]
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.keys.list
enum_KeyTypesParameter := [ "KEY_TYPE_UNSPECIFIED", "USER_MANAGED", "SYSTEM_MANAGED" ]
valid {
input.ReqMap.name == STRING
input.Qs.keyTypes == enum_KeyTypesParameter[_]
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.keys.upload
valid {
input.Body.publicKeyData == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.list
valid {
input.ReqMap.name == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.patch
valid {
input.Body.serviceAccount.description == STRING
input.Body.serviceAccount.displayName == STRING
input.Body.serviceAccount.etag == STRING
input.Body.serviceAccount.name == STRING
input.Body.updateMask == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.setIamPolicy
enum_AuditLogConfigLogType := [ "LOG_TYPE_UNSPECIFIED", "ADMIN_READ", "DATA_WRITE", "DATA_READ" ]
valid {
input.Body.policy.auditConfigs[_].auditLogConfigs[_].exemptedMembers[_] == STRING
input.Body.policy.auditConfigs[_].auditLogConfigs[_].logType == enum_AuditLogConfigLogType[_]
input.Body.policy.auditConfigs[_].service == STRING
input.Body.policy.bindings[_].condition.description == STRING
input.Body.policy.bindings[_].condition.expression == STRING
input.Body.policy.bindings[_].condition.location == STRING
input.Body.policy.bindings[_].condition.title == STRING
input.Body.policy.bindings[_].members[_] == STRING
input.Body.policy.bindings[_].role == STRING
input.Body.policy.etag == STRING
input.Body.policy.version == INTEGER
input.Body.updateMask == STRING
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.signBlob
valid {
input.Body.bytesToSign == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.signJwt
valid {
input.Body.payload == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.testIamPermissions
valid {
input.Body.permissions[_] == STRING
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.undelete
valid {
input.Body.STRING == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.projects.serviceAccounts.update
valid {
input.Body.description == STRING
input.Body.displayName == STRING
input.Body.etag == STRING
input.Body.name == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.roles.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
iam.roles.list
enum_ViewParameter := [ "BASIC", "FULL" ]
valid {
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.Qs.parent == STRING
input.Qs.showDeleted == BOOLEAN
input.Qs.view == enum_ViewParameter[_]
input.ProviderMetadata.Region == STRING
}
iam.roles.queryGrantableRoles
enum_QueryGrantableRolesRequestView := [ "BASIC", "FULL" ]
valid {
input.Body.fullResourceName == STRING
input.Body.pageSize == INTEGER
input.Body.pageToken == STRING
input.Body.view == enum_QueryGrantableRolesRequestView[_]
input.ProviderMetadata.Region == STRING
}