I'm trying to test permissions with the TestIamPermissions API provided by GCP. My permissions are scoped by IAM conditions, but as I see in the GCP documentation, this API takes `resource` and `TestIamPermissionsRequest` as parameters.
This is how I use it for now in my code, without the IAM conditions:
```go
var response *cloudresourcemanager.TestIamPermissionsResponse
// Retry the call with backoff; the response only lists the permissions the caller holds.
if err = apiRetryBackoff(func() error {
	response, err = c.projectsService.TestIamPermissions(check.projectID, &cloudresourcemanager.TestIamPermissionsRequest{Permissions: check.requiredPermissions}).Do()
	return err
}); err != nil {
	return err
}
```
And this is the documentation from the GCP package code:
```go
// TestIamPermissions: Returns permissions that a caller has on the
// specified Project. For additional information about `resource` (e.g.
// my-project-id) structure and identification, see Resource Names
// (https://cloud.google.com/apis/design/resource_names). There are no
// permissions required for making this API call.
//
// - resource: REQUIRED: The resource for which the policy detail is
//   being requested. See the operation documentation for the
//   appropriate value for this field.
func (r *ProjectsService) TestIamPermissions(resource string, testiampermissionsrequest *TestIamPermissionsRequest) *ProjectsTestIamPermissionsCall {
	c := &ProjectsTestIamPermissionsCall{s: r.s, urlParams_: make(gensupport.URLParams)}
	c.resource = resource
	c.testiampermissionsrequest = testiampermissionsrequest
	return c
}

// TestIamPermissionsRequest: Request message for `TestIamPermissions`
// method.
type TestIamPermissionsRequest struct {
	// Permissions: The set of permissions to check for the `resource`.
	// Permissions with wildcards (such as '*' or 'storage.*') are not
	// allowed. For more information see IAM Overview
	// (https://cloud.google.com/iam/docs/overview#permissions).
	Permissions []string `json:"permissions,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Permissions") to
	// unconditionally include in API requests. By default, fields with
	// empty or default values are omitted from API requests. However, any
	// non-pointer, non-interface field appearing in ForceSendFields will be
	// sent to the server regardless of whether the field is empty or not.
	// This may be used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Permissions") to include
	// in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. However, any field with
	// an empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}
```
I would be happy to get more explanation about how GCP IAM conditions can be tested.

I tried to add the condition to the request with no success.
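The request type above has no field for a condition, and the response carries only the subset of the requested permissions the caller holds, so a caller-side check compares that subset against the required list. The following is an added example, not the poster's code or the Google client library: `CheckPermissions`, `FakeCall`, the `call` adapter and the `projects/example-*` resource names are assumptions, and it assumes that conditional bindings are evaluated server-side for the resource named in the call (so a condition scoped to a resource is exercised by testing against that resource).

```go
package main

import (
	"fmt"
	"strings"
)
// CheckPermissions calls TestIamPermissions for one resource (through call, so
// the logic runs offline) and returns the required permissions the caller lacks.
// The API returns only the granted subset, with conditional bindings evaluated
// server-side for that resource and request (assumption). With the question's
// client, call wraps projectsService.TestIamPermissions(res, &TestIamPermissionsRequest{Permissions: perms}).Do().
func CheckPermissions(call func(string, []string) ([]string, error), resource string, required []string) ([]string, error) {
	for _, p := range required { // the API rejects wildcards such as '*' or 'storage.*'
		if strings.Contains(p, "*") {
			return nil, fmt.Errorf("wildcard permission %q is not allowed", p)
		}
	}
	granted, err := call(resource, required)
	if err != nil {
		return nil, err
	}
	have := map[string]bool{}
	for _, p := range granted {
		have[p] = true
	}
	missing := []string{}
	for _, p := range required {
		if !have[p] {
			missing = append(missing, p)
		}
	}
	return missing, nil
}

// FakeCall stands in for the real service: it grants a permission only on the
// resource it is listed for (constructed sample data, not real project IDs).
func FakeCall(grants map[string][]string) func(string, []string) ([]string, error) {
	return func(resource string, perms []string) ([]string, error) {
		out := []string{}
		for _, p := range perms {
			for _, g := range grants[resource] {
				if g == p {
					out = append(out, p)
				}
			}
		}
		return out, nil
	}
}
```

Replacing `FakeCall` with an adapter around the real `ProjectsService` call keeps the comparison logic unchanged while the service evaluates the actual bindings.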