
tessl/pypi-grpc-google-iam-v1

gRPC client library for Google Cloud Identity and Access Management (IAM) services with protocol buffer definitions.


# IAM Policies

Core data structures for Google Cloud Identity and Access Management policies, including role bindings, audit configurations, and policy change tracking. These message types represent the fundamental building blocks of IAM access control.

## Capabilities

### Policy Structure

The main IAM policy message that contains role bindings, audit configurations, and metadata for access control on Google Cloud resources.

```python
from __future__ import annotations
from typing import List

# Message shapes from google.iam.v1.policy_pb2, shown as annotated stubs.
class Policy:
    """
    Defines an Identity and Access Management (IAM) policy.

    Attributes:
        version (int): Policy format version (1 or 3)
        bindings (List[Binding]): Role bindings that bind members to roles
        audit_configs (List[AuditConfig]): Audit configurations for services
        etag (bytes): Entity tag for optimistic concurrency control
    """
    version: int
    bindings: List[Binding]
    audit_configs: List[AuditConfig]
    etag: bytes
```

### Role Bindings

Associates a list of members (users, groups, service accounts) with a role, optionally with conditional logic.

```python
class Binding:
    """
    Associates members with a role.

    Attributes:
        role (str): Role name (e.g., "roles/viewer", "roles/editor")
        members (List[str]): List of principals in format "user:email", "group:email", "serviceAccount:email"
        condition (google.type.Expr): Optional conditional expression for access
    """
    role: str
    members: List[str]
    condition: google.type.Expr
```

Usage example:

```python
from google.iam.v1 import policy_pb2

# Create a binding for viewer role
binding = policy_pb2.Binding()
binding.role = "roles/viewer"
binding.members.extend([
    "user:alice@example.com",
    "group:admins@example.com",
    "serviceAccount:my-service@project.iam.gserviceaccount.com"
])

# Add to policy
policy = policy_pb2.Policy()
policy.bindings.append(binding)
```

### Audit Configuration

Configures audit logging for specific services and log types.

```python
class AuditConfig:
    """
    Specifies audit logging configurations for a service.

    Attributes:
        service (str): Service name (e.g., "storage.googleapis.com")
        audit_log_configs (List[AuditLogConfig]): Audit log configurations
    """
    service: str
    audit_log_configs: List[AuditLogConfig]

class AuditLogConfig:
    """
    Configuration for a specific audit log type.

    Attributes:
        log_type (LogType): Type of audit log to generate
        exempted_members (List[str]): Members exempt from this audit log
    """
    log_type: LogType
    exempted_members: List[str]
```

### Audit Log Types

```python
# Nested enum, addressed as policy_pb2.AuditLogConfig.LogType in the usage examples.
class LogType:
    """
    Types of audit logs that can be generated.
    """
    LOG_TYPE_UNSPECIFIED = 0
    ADMIN_READ = 1      # Admin activity logs
    DATA_WRITE = 2      # Data access write logs
    DATA_READ = 3       # Data access read logs
```

### Policy Changes

Represents changes to IAM policies for audit trails and incremental updates.

```python
class PolicyDelta:
    """
    Represents a set of changes to an IAM policy.

    Attributes:
        binding_deltas (List[BindingDelta]): Changes to role bindings
        audit_config_deltas (List[AuditConfigDelta]): Changes to audit configs
    """
    binding_deltas: List[BindingDelta]
    audit_config_deltas: List[AuditConfigDelta]

class BindingDelta:
    """
    Represents a change to a role binding.

    Attributes:
        action (Action): Whether to ADD or REMOVE the binding
        role (str): Role being modified
        member (str): Member being added or removed
        condition (google.type.Expr): Optional conditional logic
    """
    action: Action
    role: str
    member: str
    condition: google.type.Expr

class AuditConfigDelta:
    """
    Represents a change to audit configuration.

    Attributes:
        action (Action): Whether to ADD or REMOVE the configuration
        service (str): Service name
        exempted_member (str): Member to add or remove from exemption list
        log_type (str): Type of audit log being modified
    """
    action: Action
    service: str
    exempted_member: str
    log_type: str
```

### Change Actions

```python
# Nested enum, addressed as policy_pb2.BindingDelta.Action and
# policy_pb2.AuditConfigDelta.Action in the usage examples.
class Action:
    """
    Actions that can be performed on policy elements.
    """
    ACTION_UNSPECIFIED = 0
    ADD = 1      # Add the element
    REMOVE = 2   # Remove the element
```

## Usage Examples

### Creating a Complex Policy

```python
from google.iam.v1 import policy_pb2
from google.type import expr_pb2

# Create policy with multiple bindings
policy = policy_pb2.Policy()
policy.version = 3  # Required for conditional bindings

# Owner binding - unconditional
owner_binding = policy_pb2.Binding()
owner_binding.role = "roles/owner"
owner_binding.members.append("user:owner@example.com")
policy.bindings.append(owner_binding)

# Conditional viewer binding - only during business hours
viewer_binding = policy_pb2.Binding()
viewer_binding.role = "roles/viewer"
viewer_binding.members.extend([
    "user:alice@example.com",
    "user:bob@example.com"
])

# Add condition (business hours only)
condition = expr_pb2.Expr()
condition.title = "Business hours only"
condition.description = "Only allow access during business hours"
condition.expression = '''
    request.time.getHours() >= 9 &&
    request.time.getHours() <= 17 &&
    request.time.getDayOfWeek() >= 1 &&
    request.time.getDayOfWeek() <= 5
'''
viewer_binding.condition.CopyFrom(condition)
policy.bindings.append(viewer_binding)

# Add audit configuration
audit_config = policy_pb2.AuditConfig()
audit_config.service = "storage.googleapis.com"

# Admin read logs
admin_log_config = policy_pb2.AuditLogConfig()
admin_log_config.log_type = policy_pb2.AuditLogConfig.LogType.ADMIN_READ
audit_config.audit_log_configs.append(admin_log_config)

# Data write logs with exemptions
data_write_config = policy_pb2.AuditLogConfig()
data_write_config.log_type = policy_pb2.AuditLogConfig.LogType.DATA_WRITE
data_write_config.exempted_members.append("serviceAccount:backup@project.iam.gserviceaccount.com")
audit_config.audit_log_configs.append(data_write_config)

policy.audit_configs.append(audit_config)
```
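As an added example that is not part of this package, a review pass over a policy built like the one above, reading only the Policy, Binding, AuditConfig and AuditLogConfig attributes documented on this page; it accepts any object with those attributes, so the constructed SimpleNamespace sample stands in for a policy_pb2.Policy and a real one can be passed unchanged. The checks (basic roles, public principals, Data Access log coverage, exemptions) are this example's own choices.

```python
from types import SimpleNamespace
from typing import List

# LogType values as listed above (policy_pb2.AuditLogConfig.LogType).
ADMIN_READ, DATA_WRITE, DATA_READ = 1, 2, 3
LOG_TYPE_NAMES = {ADMIN_READ: "ADMIN_READ", DATA_WRITE: "DATA_WRITE", DATA_READ: "DATA_READ"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
BROAD_ROLES = {"roles/owner", "roles/editor"}


def review_policy(policy) -> List[str]:
    """Findings for any object with the policy_pb2.Policy attributes documented above."""
    findings = []
    for b in policy.bindings:
        # Conditional bindings require policy version 3 (as the example above sets).
        if b.condition.expression.strip() and policy.version < 3:
            findings.append(f"{b.role}: conditional binding but policy.version={policy.version} (needs 3)")
        if b.role in BROAD_ROLES:
            findings.append(f"{b.role}: basic role grants broad access to {len(b.members)} member(s)")
        for m in b.members:
            if m in PUBLIC_PRINCIPALS:
                findings.append(f"{b.role}: granted to public principal {m}")
    for ac in policy.audit_configs:
        # Data Access logs only exist where configured; exemptions carve members out of them.
        enabled = {lc.log_type for lc in ac.audit_log_configs}
        for lt in (DATA_READ, DATA_WRITE):
            if lt not in enabled:
                findings.append(f"{ac.service}: {LOG_TYPE_NAMES[lt]} audit logging not enabled")
        for lc in ac.audit_log_configs:
            for m in lc.exempted_members:
                findings.append(f"{ac.service}: {m} exempt from {LOG_TYPE_NAMES[lc.log_type]} logs")
    return findings


def make_binding(role, members, expression=""):
    # Constructed stand-in carrying the policy_pb2.Binding attributes read above.
    return SimpleNamespace(role=role, members=list(members),
                           condition=SimpleNamespace(expression=expression))


# Constructed sample: version 1 with a condition, a public viewer binding,
# no DATA_READ logging and a DATA_WRITE exemption (five findings expected).
SAMPLE_POLICY = SimpleNamespace(
    version=1,
    bindings=[make_binding("roles/owner", ["user:owner@example.com"]),
              make_binding("roles/viewer", ["allUsers", "user:alice@example.com"],
                           "request.time.getHours() >= 9")],
    audit_configs=[SimpleNamespace(service="storage.googleapis.com", audit_log_configs=[
        SimpleNamespace(log_type=ADMIN_READ, exempted_members=[]),
        SimpleNamespace(log_type=DATA_WRITE,
                        exempted_members=["serviceAccount:backup@project.iam.gserviceaccount.com"])])],
)
```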

### Policy Delta for Incremental Changes

```python
from google.iam.v1 import policy_pb2

# Create policy delta to add a new member
delta = policy_pb2.PolicyDelta()

# Add binding delta
binding_delta = policy_pb2.BindingDelta()
binding_delta.action = policy_pb2.BindingDelta.Action.ADD
binding_delta.role = "roles/viewer"
binding_delta.member = "user:newuser@example.com"
delta.binding_deltas.append(binding_delta)

# Add audit config delta
audit_delta = policy_pb2.AuditConfigDelta()
audit_delta.action = policy_pb2.AuditConfigDelta.Action.ADD
audit_delta.service = "pubsub.googleapis.com"
audit_delta.log_type = "DATA_READ"
audit_delta.exempted_member = "serviceAccount:reader@project.iam.gserviceaccount.com"
delta.audit_config_deltas.append(audit_delta)
```
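Computing the binding deltas a PolicyDelta carries, as an added example that is not part of this package: given a before and an after policy (any objects with the Binding attributes documented above; the SimpleNamespace samples are constructed stand-ins for policy_pb2 messages), it emits ADD/REMOVE records using the Action values from this page and picks out the grants an audit-trail rule would flag. BindingDelta here is a NamedTuple mirror of the message, not the protobuf class.

```python
from types import SimpleNamespace
from typing import List, NamedTuple, Set, Tuple

ADD, REMOVE = 1, 2  # BindingDelta.Action values listed above


class BindingDelta(NamedTuple):
    """Same fields as policy_pb2.BindingDelta; condition holds the CEL expression."""
    action: int
    role: str
    member: str
    condition: str


def flatten_bindings(policy) -> Set[Tuple[str, str, str]]:
    """One (role, member, condition) triple per membership; the condition is part of
    the identity, so dropping a member's condition shows up as REMOVE plus ADD."""
    return {(b.role, m, b.condition.expression.strip())
            for b in policy.bindings for m in b.members}


def binding_deltas(old, new) -> List[BindingDelta]:
    """Deltas that turn `old` into `new` (both shaped like policy_pb2.Policy),
    removals first and sorted, so the output is a stable audit trail."""
    before, after = flatten_bindings(old), flatten_bindings(new)
    return ([BindingDelta(REMOVE, *t) for t in sorted(before - after)]
            + [BindingDelta(ADD, *t) for t in sorted(after - before)])


def sensitive_grants(deltas, roles=("roles/owner", "roles/editor")) -> List[BindingDelta]:
    """ADD deltas for roles worth alerting on when they appear in an audit trail."""
    return [d for d in deltas if d.action == ADD and d.role in roles]


def make_binding(role, members, expression=""):
    # Constructed stand-in carrying the policy_pb2.Binding attributes read above.
    return SimpleNamespace(role=role, members=list(members),
                           condition=SimpleNamespace(expression=expression))


BUSINESS_HOURS = "request.time.getHours() >= 9 && request.time.getHours() <= 17"
# Constructed before/after policies: a new owner is added, and bob's viewer
# access loses its business-hours condition.
OLD_POLICY = SimpleNamespace(version=3, bindings=[
    make_binding("roles/owner", ["user:owner@example.com"]),
    make_binding("roles/viewer", ["user:alice@example.com", "user:bob@example.com"], BUSINESS_HOURS),
])
NEW_POLICY = SimpleNamespace(version=3, bindings=[
    make_binding("roles/owner", ["user:owner@example.com", "user:newadmin@example.com"]),
    make_binding("roles/viewer", ["user:alice@example.com"], BUSINESS_HOURS),
    make_binding("roles/viewer", ["user:bob@example.com"]),
])
```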
