Reference documentation and code samples for the Google Cloud Security Command Center V1 Client class Access.
Represents an access event.
Generated from protobuf message google.cloud.securitycenter.v1.Access
Methods
__construct
Constructor.
data
array
Optional. Data for populating the Message object.
↳ principal_email
string
Associated email, such as "foo@google.com". The email address of the authenticated user (or service account on behalf of third party principal) making the request. For third party identity callers, the principal_subject field is populated instead of this field. For privacy reasons, the principal email address is sometimes redacted. For more information, see Caller identities in audit logs.
↳ caller_ip
string
Caller's IP address, such as "1.1.1.1".
↳ caller_ip_geo
Google\Cloud\SecurityCenter\V1\Geolocation
The caller IP's geolocation, which identifies where the call came from.
↳ user_agent_family
string
What kind of user agent is associated, for example operating system shells, embedded or stand-alone applications, etc.
↳ service_name
string
This is the API service that the service account made a call to, e.g. "iam.googleapis.com"
↳ method_name
string
The method that the service account called, e.g. "SetIamPolicy".
↳ principal_subject
string
A string representing the principal_subject associated with the identity. As compared to principal_email, supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format will be principal://iam.googleapis.com/{identity pool name}/subjects/{subject} except for some GKE identities (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy format serviceAccount:{identity pool name}[{subject}]
↳ service_account_key_name
string
The name of the service account key used to create or exchange credentials for authenticating the service account making the request. This is a scheme-less URI full resource name. For example: "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"
↳ service_account_delegation_info
array<Google\Cloud\SecurityCenter\V1\ServiceAccountDelegationInfo>
Identity delegation history of an authenticated service account that makes the request. It contains information on the real authorities that try to access GCP resources by delegating on a service account. When multiple authorities are present, they are guaranteed to be sorted based on the original ordering of the identity delegation events.
↳ user_name
string
A string that represents the username of a user, user account, or other entity involved in the access event. What the entity is and what its role in the access event is depends on the finding that this field appears in. The entity is likely not an IAM principal, but could be a user that is logged into an operating system, if the finding is VM-related, or a user that is logged into some type of application that is involved in the access event.
getPrincipalEmail
Associated email, such as "foo@google.com".
The email address of the authenticated user (or service account on behalf of third party principal) making the request. For third party identity callers, the principal_subject field is populated instead of this field. For privacy reasons, the principal email address is sometimes redacted. For more information, see Caller identities in audit logs.
string
setPrincipalEmail
Associated email, such as "foo@google.com".
The email address of the authenticated user (or service account on behalf of third party principal) making the request. For third party identity callers, the principal_subject field is populated instead of this field. For privacy reasons, the principal email address is sometimes redacted. For more information, see Caller identities in audit logs.
var
string
$this
getCallerIp
Caller's IP address, such as "1.1.1.1".
string
setCallerIp
Caller's IP address, such as "1.1.1.1".
var
string
$this
getCallerIpGeo
The caller IP's geolocation, which identifies where the call came from.
hasCallerIpGeo
clearCallerIpGeo
setCallerIpGeo
The caller IP's geolocation, which identifies where the call came from.
$this
getUserAgentFamily
What kind of user agent is associated, for example operating system shells, embedded or stand-alone applications, etc.
string
setUserAgentFamily
What kind of user agent is associated, for example operating system shells, embedded or stand-alone applications, etc.
var
string
$this
getServiceName
This is the API service that the service account made a call to, e.g. "iam.googleapis.com"
string
setServiceName
This is the API service that the service account made a call to, e.g. "iam.googleapis.com"
var
string
$this
getMethodName
The method that the service account called, e.g. "SetIamPolicy".
string
setMethodName
The method that the service account called, e.g. "SetIamPolicy".
var
string
$this
getPrincipalSubject
A string representing the principal_subject associated with the identity. As compared to principal_email, supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format will be principal://iam.googleapis.com/{identity pool name}/subjects/{subject} except for some GKE identities (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy format serviceAccount:{identity pool name}[{subject}]
string
setPrincipalSubject
A string representing the principal_subject associated with the identity. As compared to principal_email, supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format will be principal://iam.googleapis.com/{identity pool name}/subjects/{subject} except for some GKE identities (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy format serviceAccount:{identity pool name}[{subject}]
var
string
$this
getServiceAccountKeyName
The name of the service account key used to create or exchange credentials for authenticating the service account making the request.
This is a scheme-less URI full resource name. For example: "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"
string
setServiceAccountKeyName
The name of the service account key used to create or exchange credentials for authenticating the service account making the request.
This is a scheme-less URI full resource name. For example: "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"
var
string
$this
getServiceAccountDelegationInfo
Identity delegation history of an authenticated service account that makes the request. It contains information on the real authorities that try to access GCP resources by delegating on a service account. When multiple authorities are present, they are guaranteed to be sorted based on the original ordering of the identity delegation events.
setServiceAccountDelegationInfo
Identity delegation history of an authenticated service account that makes the request. It contains information on the real authorities that try to access GCP resources by delegating on a service account. When multiple authorities are present, they are guaranteed to be sorted based on the original ordering of the identity delegation events.
$this
getUserName
A string that represents the username of a user, user account, or other entity involved in the access event. What the entity is and what its role in the access event is depends on the finding that this field appears in.
The entity is likely not an IAM principal, but could be a user that is logged into an operating system, if the finding is VM-related, or a user that is logged into some type of application that is involved in the access event.
string
setUserName
A string that represents the username of a user, user account, or other entity involved in the access event. What the entity is and what its role in the access event is depends on the finding that this field appears in.
The entity is likely not an IAM principal, but could be a user that is logged into an operating system, if the finding is VM-related, or a user that is logged into some type of application that is involved in the access event.
var
string
$this
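The identity fields above come in more than one shape, so a triage script usually normalises them before correlating findings. The following is an added example, not code from the Google Cloud documentation or the client library: it takes the plain strings returned by getPrincipalEmail(), getPrincipalSubject() and getServiceAccountKeyName() and parses the formats this page documents. The function names and sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example, not part of the client library. Function names are hypothetical;
// inputs are the strings returned by the Access getters; sample values are constructed.

/** Split principal_subject into pool and subject for either documented format. */
function parsePrincipalSubject(string $s): ?array
{
    // principal://iam.googleapis.com/{identity pool name}/subjects/{subject}
    if (preg_match('#^principal://iam\.googleapis\.com/(.+?)/subjects/(.+)$#', $s, $m)) {
        return ['format' => 'principal', 'pool' => $m[1], 'subject' => $m[2]];
    }
    // Legacy GKE form: serviceAccount:{identity pool name}[{subject}]
    if (preg_match('#^serviceAccount:([^\[\]]+)\[([^\[\]]+)\]$#', $s, $m)) {
        return ['format' => 'legacy', 'pool' => $m[1], 'subject' => $m[2]];
    }
    return null; // unrecognised: the caller keeps the raw string rather than guessing
}

/** Split the scheme-less key resource name into project, account and key. */
function parseServiceAccountKeyName(string $name): ?array
{
    $re = '#^//iam\.googleapis\.com/projects/([^/]+)/serviceAccounts/([^/]+)/keys/([^/]+)$#';
    return preg_match($re, $name, $m)
        ? ['project' => $m[1], 'account' => $m[2], 'key' => $m[3]]
        : null;
}

/** principal_email wins when present; otherwise fall back to principal_subject. */
function describeCaller(string $email, string $subject, string $keyName): array
{
    $parsed = $subject !== '' ? parsePrincipalSubject($subject) : null;
    return [
        'identity'   => $email !== '' ? $email : ($parsed['subject'] ?? $subject),
        'pool'       => $parsed['pool'] ?? null,
        'subjectFmt' => $parsed['format'] ?? null,
        'key'        => $keyName !== '' ? parseServiceAccountKeyName($keyName) : null,
    ];
}

// Constructed samples: [principal_email, principal_subject, service_account_key_name]
$samples = [
    ['', 'principal://iam.googleapis.com/example-pool/subjects/alice', ''],
    ['', 'serviceAccount:example-pool[ns/app]', ''],
    ['sa@example.com', '', '//iam.googleapis.com/projects/p1/serviceAccounts/sa@example.com/keys/k1'],
];
foreach ($samples as [$email, $subject, $key]) {
    echo json_encode(describeCaller($email, $subject, $key), JSON_UNESCAPED_SLASHES), PHP_EOL;
}
```

A non-null `key` entry means the request was authenticated with a service account key, which is the value to pivot on when checking whether that key should still exist.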