Controls access to cloud applications running on Google Cloud Platform.

Custom content configuration for access denied page. IAP allows customers to define a custom URI to use as the error page when access is denied to users. If IAP prevents access to this page, the default IAP error page will be displayed instead.

Access related settings for IAP protected apps.

Configuration for IAP allowed domains. Lets you to restrict access to an app and allow access to only the domains that you list.

Wrapper over application specific settings for IAP.

Configuration for propagating attributes to applications protected by IAP.

Associates members, or principals, with a role.

OAuth brand data. NOTE: Only contains a portion of the data that describes a brand.

Allows customers to configure HTTP request paths that'll allow HTTP OPTIONS call to bypass authentication and authorization.

Defines the root interface for all clients that generate credentials for calling Google APIs. All clients should implement this interface.

Configuration for RCToken generated for service mesh workloads protected by IAP. RCToken are IAP generated JWTs that can be verified at the application. The RCToken is primarily used for service mesh deployments, and can be scoped to a single mesh by configuring the audience field accordingly.

A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }

Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

Allows customers to configure tenant_id for GCIP instance per-app.

Request message for GetIamPolicy method.

Encapsulates settings provided to GetIamPolicy.

The IAP configurable settings.

Contains the data that describes an Identity Aware Proxy owned client.

Response message for ListBrands.

Response message for ListIdentityAwareProxyClients.

The response from ListTunnelDestGroups.

Configuration for OAuth login&consent flow behavior as well as for OAuth Credentials.

An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation. JSON example: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } YAML example: ``` bindings: - members:

• user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, see the IAM documentation.

PolicyDelegationConfig allows google-internal teams to use IAP for apps hosted in a tenant project. Using these settings, the app can delegate permission check to happen against the linked customer project. This is only ever supposed to be used by google internal teams, hence the restriction on the proto.

An internal name for an IAM policy, based on the resource to which the policy applies. Not to be confused with a resource's external full resource name. For more information on this distinction, see go/iam-full-resource-names.

Additional options for iap#projectsBrandsIdentityAwareProxyClientsList.

Additional options for iap#projectsIap_tunnelLocationsDestGroupsCreate.

Additional options for iap#projectsIap_tunnelLocationsDestGroupsList.

Additional options for iap#projectsIap_tunnelLocationsDestGroupsPatch.

Configuration for IAP reauthentication policies.

The request sent to ResetIdentityAwareProxyClientSecret.

Request message for SetIamPolicy method.

Request message for TestIamPermissions method.

Response message for TestIamPermissions method.

A TunnelDestGroup.

Additional options for iap#v1UpdateIapSettings.

Additional options for iap#v1ValidateAttributeExpression.

API requires a return message, but currently all response strings will fit in the status and public message. In the future, this response can hold AST validation info.