googleapis · sofisl · Jul 21, 2023 · Jul 18, 2023 · Jul 18, 2023
@@ -2,7 +2,7 @@
 [//]: # "To regenerate it, use `python -m synthtool`."
 <img src="https://avatars2.githubusercontent.com/u/2810941?v=3&s=96" alt="Google Cloud Platform logo" title="Google Cloud Platform" align="right" height="96" width="96"/>
 
-# [IAM Policy Troubleshooter API: Node.js Client](https://github.com/googleapis/google-cloud-node)
+# [IAM Policy Troubleshooter API: Node.js Client](https://github.com/googleapis/google-cloud-node/tree/main/packages/google-cloud-policytroubleshooter)
 
 [![release level](https://img.shields.io/badge/release%20level-stable-brightgreen.svg?style=flat)](https://cloud.google.com/terms/launch-stages)
 [![npm version](https://img.shields.io/npm/v/@google-cloud/policy-troubleshooter.svg)](https://www.npmjs.org/package/@google-cloud/policy-troubleshooter)
@@ -86,13 +86,12 @@ troubelshootPolicy();
 
 ## Samples
 
-Samples are in the [`samples/`](https://github.com/googleapis/google-cloud-node/tree/main/samples) directory. Each sample's `README.md` has instructions for running its sample.
+Samples are in the [`samples/`](https://github.com/googleapis/google-cloud-node/tree/main/packages/google-cloud-policytroubleshooter/samples) directory. Each sample's `README.md` has instructions for running its sample.
 
 | Sample                      | Source Code                       | Try it |
 | --------------------------- | --------------------------------- | ------ |
-| Iam_checker.troubleshoot_iam_policy | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-policytroubleshooter/samples/generated/v1/iam_checker.troubleshoot_iam_policy.js) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/google-cloud-node&page=editor&open_in_editor=packages/google-cloud-policytroubleshooter/samples/generated/v1/iam_checker.troubleshoot_iam_policy.js,samples/README.md) |
-| Quickstart | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-policytroubleshooter/samples/quickstart.js) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/google-cloud-node&page=editor&open_in_editor=packages/google-cloud-policytroubleshooter/samples/quickstart.js,samples/README.md) |
-| Quickstart | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-policytroubleshooter/samples/test/quickstart.js) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/google-cloud-node&page=editor&open_in_editor=packages/google-cloud-policytroubleshooter/samples/test/quickstart.js,samples/README.md) |
+| Iam_checker.troubleshoot_iam_policy | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-policytroubleshooter/samples/generated/v1/iam_checker.troubleshoot_iam_policy.js) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/google-cloud-node&page=editor&open_in_editor=packages/google-cloud-policytroubleshooter/samples/generated/v1/iam_checker.troubleshoot_iam_policy.js,packages/google-cloud-policytroubleshooter/samples/README.md) |
+| Quickstart | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-policytroubleshooter/samples/quickstart.js) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/google-cloud-node&page=editor&open_in_editor=packages/google-cloud-policytroubleshooter/samples/quickstart.js,packages/google-cloud-policytroubleshooter/samples/README.md) |
 
 
 

@@ -1,4 +1,4 @@
-// Copyright 2019 Google LLC.
+// Copyright 2023 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -11,15 +11,16 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-//
 
 syntax = "proto3";
 
 package google.cloud.policytroubleshooter.v1;
 
 import public "google/cloud/policytroubleshooter/v1/explanations.proto";
+
 import "google/api/annotations.proto";
 import "google/api/client.proto";
+import "google/rpc/status.proto";
 
 option cc_enable_arenas = true;
 option csharp_namespace = "Google.Cloud.PolicyTroubleshooter.V1";
@@ -35,34 +36,39 @@ option ruby_package = "Google::Cloud::PolicyTroubleshooter::V1";
 // This service helps you troubleshoot access issues for Google Cloud resources.
 service IamChecker {
   option (google.api.default_host) = "policytroubleshooter.googleapis.com";
-  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
+  option (google.api.oauth_scopes) =
+      "https://www.googleapis.com/auth/cloud-platform";
 
-  // Checks whether a member has a specific permission for a specific resource,
-  // and explains why the member does or does not have that permission.
-  rpc TroubleshootIamPolicy(TroubleshootIamPolicyRequest) returns (TroubleshootIamPolicyResponse) {
+  // Checks whether a principal has a specific permission for a specific
+  // resource, and explains why the principal does or does not have that
+  // permission.
+  rpc TroubleshootIamPolicy(TroubleshootIamPolicyRequest)
+      returns (TroubleshootIamPolicyResponse) {
     option (google.api.http) = {
       post: "/v1/iam:troubleshoot"
       body: "*"
     };
   }
 }
 
-// Request for [TroubleshootIamPolicy][google.cloud.policytroubleshooter.v1.IamChecker.TroubleshootIamPolicy].
+// Request for
+// [TroubleshootIamPolicy][google.cloud.policytroubleshooter.v1.IamChecker.TroubleshootIamPolicy].
 message TroubleshootIamPolicyRequest {
-  // The information to use for checking whether a member has a permission for a
-  // resource.
+  // The information to use for checking whether a principal has a permission
+  // for a resource.
   AccessTuple access_tuple = 1;
 }
 
-// Response for [TroubleshootIamPolicy][google.cloud.policytroubleshooter.v1.IamChecker.TroubleshootIamPolicy].
+// Response for
+// [TroubleshootIamPolicy][google.cloud.policytroubleshooter.v1.IamChecker.TroubleshootIamPolicy].
 message TroubleshootIamPolicyResponse {
-  // Indicates whether the member has the specified permission for the specified
-  // resource, based on evaluating all of the applicable IAM policies.
+  // Indicates whether the principal has the specified permission for the
+  // specified resource, based on evaluating all of the applicable IAM policies.
   AccessState access = 1;
 
-  // List of IAM policies that were evaluated to check the member's permissions,
-  // with annotations to indicate how each policy contributed to the final
-  // result.
+  // List of IAM policies that were evaluated to check the principal's
+  // permissions, with annotations to indicate how each policy contributed to
+  // the final result.
   //
   // The list of policies can include the policy for the resource itself. It can
   // also include policies that are inherited from higher levels of the resource
@@ -71,4 +77,7 @@ message TroubleshootIamPolicyResponse {
   // To learn more about the resource hierarchy, see
   // https://cloud.google.com/iam/help/resource-hierarchy.
   repeated ExplainedPolicy explained_policies = 2;
+
+  // The general errors contained in the troubleshooting response.
+  repeated google.rpc.Status errors = 3;
 }
@@ -1,4 +1,4 @@
-// Copyright 2019 Google LLC.
+// Copyright 2023 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -11,7 +11,6 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-//
 
 syntax = "proto3";
 
@@ -26,15 +25,15 @@ option go_package = "cloud.google.com/go/policytroubleshooter/apiv1/policytroubl
 option php_namespace = "Google\\Cloud\\PolicyTroubleshooter\\V1";
 option ruby_package = "Google::Cloud::PolicyTroubleshooter::V1";
 
-// Information about the member, resource, and permission to check.
+// Information about the principal, resource, and permission to check.
 message AccessTuple {
-  // Required. The member, or principal, whose access you want to check, in the form of
-  // the email address that represents that member. For example,
+  // Required. The principal whose access you want to check, in the form of
+  // the email address that represents that principal. For example,
   // `alice@example.com` or
   // `my-service-account@my-project.iam.gserviceaccount.com`.
   //
-  // The member must be a Google Account or a service account. Other types of
-  // members are not supported.
+  // The principal must be a Google Account or a service account. Other types of
+  // principals are not supported.
   string principal = 1 [(google.api.field_behavior) = REQUIRED];
 
   // Required. The full resource name that identifies the resource. For example,
@@ -44,7 +43,8 @@ message AccessTuple {
   // https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
   string full_resource_name = 2 [(google.api.field_behavior) = REQUIRED];
 
-  // Required. The IAM permission to check for the specified member and resource.
+  // Required. The IAM permission to check for the specified principal and
+  // resource.
   //
   // For a complete list of IAM permissions, see
   // https://cloud.google.com/iam/help/permissions/reference.
@@ -58,12 +58,12 @@ message AccessTuple {
 // to the access check.
 message ExplainedPolicy {
   // Indicates whether _this policy_ provides the specified permission to the
-  // specified member for the specified resource.
+  // specified principal for the specified resource.
   //
-  // This field does _not_ indicate whether the member actually has the
+  // This field does _not_ indicate whether the principal actually has the
   // permission for the resource. There might be another policy that overrides
-  // this policy. To determine whether the member actually has the permission,
-  // use the `access` field in the
+  // this policy. To determine whether the principal actually has the
+  // permission, use the `access` field in the
   // [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse].
   AccessState access = 1;
 
@@ -83,8 +83,8 @@ message ExplainedPolicy {
   // is empty.
   google.iam.v1.Policy policy = 3;
 
-  // Details about how each binding in the policy affects the member's ability,
-  // or inability, to use the permission for the resource.
+  // Details about how each binding in the policy affects the principal's
+  // ability, or inability, to use the permission for the resource.
   //
   // If the sender of the request does not have access to the policy, this field
   // is omitted.
@@ -98,22 +98,12 @@ message ExplainedPolicy {
   HeuristicRelevance relevance = 5;
 }
 
-// Details about how a binding in a policy affects a member's ability to use a
-// permission.
+// Details about how a binding in a policy affects a principal's ability to use
+// a permission.
 message BindingExplanation {
-  // Details about whether the binding includes the member.
-  message AnnotatedMembership {
-    // Indicates whether the binding includes the member.
-    Membership membership = 1;
-
-    // The relevance of the member's status to the overall determination for the
-    // binding.
-    HeuristicRelevance relevance = 2;
-  }
-
   // Whether a role includes a specific permission.
   enum RolePermission {
-    // Reserved for future use.
+    // Default value. This value is unused.
     ROLE_PERMISSION_UNSPECIFIED = 0;
 
     // The permission is included in the role.
@@ -126,37 +116,48 @@ message BindingExplanation {
     ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3;
   }
 
-  // Whether the binding includes the member.
+  // Whether the binding includes the principal.
   enum Membership {
-    // Reserved for future use.
+    // Default value. This value is unused.
     MEMBERSHIP_UNSPECIFIED = 0;
 
-    // The binding includes the member. The member can be included directly
-    // or indirectly. For example:
+    // The binding includes the principal. The principal can be included
+    // directly or indirectly. For example:
     //
-    // * A member is included directly if that member is listed in the binding.
-    // * A member is included indirectly if that member is in a Google group or
-    //   G Suite domain that is listed in the binding.
+    // * A principal is included directly if that principal is listed in the
+    //   binding.
+    // * A principal is included indirectly if that principal is in a Google
+    //   group or Google Workspace domain that is listed in the binding.
     MEMBERSHIP_INCLUDED = 1;
 
-    // The binding does not include the member.
+    // The binding does not include the principal.
     MEMBERSHIP_NOT_INCLUDED = 2;
 
     // The sender of the request is not allowed to access the binding.
     MEMBERSHIP_UNKNOWN_INFO_DENIED = 3;
 
-    // The member is an unsupported type. Only Google Accounts and service
+    // The principal is an unsupported type. Only Google Accounts and service
     // accounts are supported.
     MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4;
   }
 
-  // Required. Indicates whether _this binding_ provides the specified permission to the
-  // specified member for the specified resource.
+  // Details about whether the binding includes the principal.
+  message AnnotatedMembership {
+    // Indicates whether the binding includes the principal.
+    Membership membership = 1;
+
+    // The relevance of the principal's status to the overall determination for
+    // the binding.
+    HeuristicRelevance relevance = 2;
+  }
+
+  // Required. Indicates whether _this binding_ provides the specified
+  // permission to the specified principal for the specified resource.
   //
-  // This field does _not_ indicate whether the member actually has the
+  // This field does _not_ indicate whether the principal actually has the
   // permission for the resource. There might be another binding that overrides
-  // this binding. To determine whether the member actually has the permission,
-  // use the `access` field in the
+  // this binding. To determine whether the principal actually has the
+  // permission, use the `access` field in the
   // [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse].
   AccessState access = 1 [(google.api.field_behavior) = REQUIRED];
 
@@ -175,24 +176,24 @@ message BindingExplanation {
   // to the overall determination for the entire policy.
   HeuristicRelevance role_permission_relevance = 4;
 
-  // Indicates whether each member in the binding includes the member specified
-  // in the request, either directly or indirectly. Each key identifies a member
-  // in the binding, and each value indicates whether the member in the binding
-  // includes the member in the request.
+  // Indicates whether each principal in the binding includes the principal
+  // specified in the request, either directly or indirectly. Each key
+  // identifies a principal in the binding, and each value indicates whether the
+  // principal in the binding includes the principal in the request.
   //
-  // For example, suppose that a binding includes the following members:
+  // For example, suppose that a binding includes the following principals:
   //
   // * `user:alice@example.com`
   // * `group:product-eng@example.com`
   //
   // You want to troubleshoot access for `user:bob@example.com`. This user is a
-  // member of the group `group:product-eng@example.com`.
+  // principal of the group `group:product-eng@example.com`.
   //
-  // For the first member in the binding, the key is `user:alice@example.com`,
-  // and the `membership` field in the value is set to
+  // For the first principal in the binding, the key is
+  // `user:alice@example.com`, and the `membership` field in the value is set to
   // `MEMBERSHIP_NOT_INCLUDED`.
   //
-  // For the second member in the binding, the key is
+  // For the second principal in the binding, the key is
   // `group:product-eng@example.com`, and the `membership` field in the value is
   // set to `MEMBERSHIP_INCLUDED`.
   map<string, AnnotatedMembership> memberships = 5;
@@ -201,38 +202,39 @@ message BindingExplanation {
   // policy.
   HeuristicRelevance relevance = 6;
 
-  // A condition expression that prevents access unless the expression evaluates
-  // to `true`.
+  // A condition expression that prevents this binding from granting access
+  // unless the expression evaluates to `true`.
   //
   // To learn about IAM Conditions, see
-  // http://cloud.google.com/iam/help/conditions/overview.
+  // https://cloud.google.com/iam/help/conditions/overview.
   google.type.Expr condition = 7;
 }
 
-// Whether a member has a permission for a resource.
+// Whether a principal has a permission for a resource.
 enum AccessState {
-  // Reserved for future use.
+  // Default value. This value is unused.
   ACCESS_STATE_UNSPECIFIED = 0;
 
-  // The member has the permission.
+  // The principal has the permission.
   GRANTED = 1;
 
-  // The member does not have the permission.
+  // The principal does not have the permission.
   NOT_GRANTED = 2;
 
-  // The member has the permission only if a condition expression evaluates to
-  // `true`.
+  // The principal has the permission only if a condition expression evaluates
+  // to `true`.
   UNKNOWN_CONDITIONAL = 3;
 
   // The sender of the request does not have access to all of the policies that
   // Policy Troubleshooter needs to evaluate.
   UNKNOWN_INFO_DENIED = 4;
 }
 
-// The extent to which a single data point contributes to an overall
+// The extent to which a single data point, such as the existence of a binding
+// or whether a binding includes a specific principal, contributes to an overall
 // determination.
 enum HeuristicRelevance {
-  // Reserved for future use.
+  // Default value. This value is unused.
   HEURISTIC_RELEVANCE_UNSPECIFIED = 0;
 
   // The data point has a limited effect on the result. Changing the data point