Private Preview. This feature is only available for approved services. This method provides admission control for services that are integrated with Service Infrastructure. It checks whether an operation should be allowed based on the service configuration and relevant policies. It must be called before the operation is executed. For more information, see Admission Control. NOTE: The admission control has an expected policy propagation delay of 60s. The caller must not depend on the most recent policy changes. NOTE: The admission control has a hard limit of 1 referenced resources per call. If an operation refers to more than 1 resources, the caller must call the Check method multiple times. This method requires the servicemanagement.services.check
permission on the specified service. For more information, see Service Control API Access Control.
Scopes
You will need authorization for at least one of the following scopes to make a valid call:
- https://www.googleapis.com/auth/cloud-platform
- https://www.googleapis.com/auth/servicecontrol
If unset, the scope for this method defaults to https://www.googleapis.com/auth/cloud-platform.
You can set the scope for this method like this: servicecontrol2 --scope <scope> services check ...
Required Scalar Argument
- <service-name> (string)
- The service name as specified in its service configuration. For example,
"pubsub.googleapis.com"
. See google.api.Service for the definition of a service name.
- The service name as specified in its service configuration. For example,
Required Request Value
The request value is a data-structure with various fields. Each field may be a simple scalar or another data-structure. In the latter case it is advised to set the field-cursor to the data-structure's field to specify values more concisely.
For example, a structure like this:
CheckRequest:
attributes:
api:
operation: string
protocol: string
service: string
version: string
destination:
ip: string
labels: { string: string }
port: string
principal: string
region-code: string
origin:
ip: string
labels: { string: string }
port: string
principal: string
region-code: string
request:
auth:
access-levels: [string]
audiences: [string]
presenter: string
principal: string
headers: { string: string }
host: string
id: string
method: string
path: string
protocol: string
query: string
reason: string
scheme: string
size: string
time: string
resource:
annotations: { string: string }
create-time: string
delete-time: string
display-name: string
etag: string
labels: { string: string }
location: string
name: string
service: string
type: string
uid: string
update-time: string
response:
backend-latency: string
code: string
headers: { string: string }
size: string
time: string
source:
ip: string
labels: { string: string }
port: string
principal: string
region-code: string
flags: string
service-config-id: string
can be set completely with the following arguments which are assumed to be executed in the given order. Note how the cursor position is adjusted to the respective structures, allowing simple field names to be used most of the time.
-r .attributes.api operation=et
- The API operation name. For gRPC requests, it is the fully qualified API method name, such as "google.pubsub.v1.Publisher.Publish". For OpenAPI requests, it is the
operationId
, such as "getPet".
- The API operation name. For gRPC requests, it is the fully qualified API method name, such as "google.pubsub.v1.Publisher.Publish". For OpenAPI requests, it is the
protocol=magna
- The API protocol used for sending the request, such as "http", "https", "grpc", or "internal".
service=no
- The API service name. It is a logical identifier for a networked API, such as "pubsub.googleapis.com". The naming syntax depends on the API management system being used for handling the request.
-
version=ipsum
- The API version associated with the API operation above, such as "v1" or "v1alpha1".
-
..destination ip=voluptua.
- The IP address of the peer.
labels=key=at
- The labels associated with the peer.
- the value will be associated with the given
key
port=sanctus
- The network port of the peer.
principal=sed
- The identity of this peer. Similar to
Request.auth.principal
, but relative to the peer instead of the request. For example, the identity associated with a load balancer that forwarded the request.
- The identity of this peer. Similar to
-
region-code=amet.
- The CLDR country/region code associated with the above IP address. If the IP address is private, the
region_code
should reflect the physical location where this peer is running.
- The CLDR country/region code associated with the above IP address. If the IP address is private, the
-
..origin ip=takimata
- The IP address of the peer.
labels=key=amet.
- The labels associated with the peer.
- the value will be associated with the given
key
port=duo
- The network port of the peer.
principal=ipsum
- The identity of this peer. Similar to
Request.auth.principal
, but relative to the peer instead of the request. For example, the identity associated with a load balancer that forwarded the request.
- The identity of this peer. Similar to
-
region-code=gubergren
- The CLDR country/region code associated with the above IP address. If the IP address is private, the
region_code
should reflect the physical location where this peer is running.
- The CLDR country/region code associated with the above IP address. If the IP address is private, the
-
..request.auth access-levels=lorem
- A list of access level resource names that allow resources to be accessed by authenticated requester. It is part of Secure GCP processing for the incoming request. An access level string has the format: "//{api_service_name}/accessPolicies/{policy_id}/accessLevels/{short_name}" Example: "//accesscontextmanager.googleapis.com/accessPolicies/MY_POLICY_ID/accessLevels/MY_LEVEL"
- Each invocation of this argument appends the given value to the array.
audiences=gubergren
- The intended audience(s) for this authentication information. Reflects the audience (
aud
) claim within a JWT. The audience value(s) depends on theissuer
, but typically include one or more of the following pieces of information: * The services intended to receive the credential. For example, ["https://pubsub.googleapis.com/", "https://storage.googleapis.com/"]. * A set of service-based scopes. For example, ["https://www.googleapis.com/auth/cloud-platform"]. * The client id of an app, such as the Firebase project id for JWTs from Firebase Auth. Consult the documentation for the credential issuer to determine the information provided. - Each invocation of this argument appends the given value to the array.
- The intended audience(s) for this authentication information. Reflects the audience (
presenter=eos
- The authorized presenter of the credential. Reflects the optional Authorized Presenter (
azp
) claim within a JWT or the OAuth client id. For example, a Google Cloud Platform client id looks as follows: "123456789012.apps.googleusercontent.com".
- The authorized presenter of the credential. Reflects the optional Authorized Presenter (
-
principal=dolor
- The authenticated principal. Reflects the issuer (
iss
) and subject (sub
) claims within a JWT. The issuer and subject should be/
delimited, with/
percent-encoded within the subject fragment. For Google accounts, the principal format is: "https://accounts.google.com/{id}"
- The authenticated principal. Reflects the issuer (
-
.. headers=key=ea
- The HTTP request headers. If multiple headers share the same key, they must be merged according to the HTTP spec. All header keys must be lowercased, because HTTP header keys are case-insensitive.
- the value will be associated with the given
key
host=ipsum
- The HTTP request
Host
header value.
- The HTTP request
id=invidunt
- The unique ID for a request, which can be propagated to downstream systems. The ID should have low probability of collision within a single day for a specific service.
method=amet
- The HTTP request method, such as
GET
,POST
.
- The HTTP request method, such as
path=duo
- The HTTP URL path, excluding the query parameters.
protocol=ipsum
- The network protocol used with the request, such as "http/1.1", "spdy/3", "h2", "h2c", "webrtc", "tcp", "udp", "quic". See https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids for details.
query=sed
- The HTTP URL query in the format of
name1=value1&name2=value2
, as it appears in the first line of the HTTP request. No decoding is performed.
- The HTTP URL query in the format of
reason=ut
- A special parameter for request reason. It is used by security systems to associate auditing information with a request.
scheme=gubergren
- The HTTP URL scheme, such as
http
andhttps
.
- The HTTP URL scheme, such as
size=rebum.
- The HTTP request size in bytes. If unknown, it must be -1.
-
time=est
- The timestamp when the
destination
service receives the last byte of the request.
- The timestamp when the
-
..resource annotations=key=ipsum
- Annotations is an unstructured key-value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- the value will be associated with the given
key
create-time=ipsum
- Output only. The timestamp when the resource was created. This may be either the time creation was initiated or when it was completed.
delete-time=est
- Output only. The timestamp when the resource was deleted. If the resource is not deleted, this must be empty.
display-name=gubergren
- Mutable. The display name set by clients. Must be <= 63 characters.
etag=ea
- Output only. An opaque value that uniquely identifies a version or generation of a resource. It can be used to confirm that the client and server agree on the ordering of a resource being written.
labels=key=dolor
- The labels or tags on the resource, such as AWS resource tags and Kubernetes resource labels.
- the value will be associated with the given
key
location=lorem
- Immutable. The location of the resource. The location encoding is specific to the service provider, and new encoding may be introduced as the service evolves. For Google Cloud products, the encoding is what is used by Google Cloud APIs, such as
us-east1
,aws-us-east-1
, andazure-eastus2
. The semantics oflocation
is identical to thecloud.googleapis.com/location
label used by some Google Cloud APIs.
- Immutable. The location of the resource. The location encoding is specific to the service provider, and new encoding may be introduced as the service evolves. For Google Cloud products, the encoding is what is used by Google Cloud APIs, such as
name=eos
- The stable identifier (name) of a resource on the
service
. A resource can be logically identified as "//{resource.service}/{resource.name}". The differences between a resource name and a URI are: * Resource name is a logical identifier, independent of network protocol and API version. For example,//pubsub.googleapis.com/projects/123/topics/news-feed
. * URI often includes protocol and version information, so it can be used directly by applications. For example,https://pubsub.googleapis.com/v1/projects/123/topics/news-feed
. See https://cloud.google.com/apis/design/resource_names for details.
- The stable identifier (name) of a resource on the
service=labore
- The name of the service that this resource belongs to, such as
pubsub.googleapis.com
. The service may be different from the DNS hostname that actually serves the request.
- The name of the service that this resource belongs to, such as
type=sed
- The type of the resource. The syntax is platform-specific because different platforms define their resources differently. For Google APIs, the type format must be "{service}/{kind}", such as "pubsub.googleapis.com/Topic".
uid=duo
- The unique identifier of the resource. UID is unique in the time and space for this resource within the scope of the service. It is typically generated by the server on successful creation of a resource and must not be changed. UID is used to uniquely identify resources with resource name reuses. This should be a UUID4.
-
update-time=sed
- Output only. The timestamp when the resource was last updated. Any change to the resource made by users must refresh this value. Changes to a resource made by the service should refresh this value.
-
..response backend-latency=no
- The amount of time it takes the backend service to fully respond to a request. Measured from when the destination service starts to send the request to the backend until when the destination service receives the complete response from the backend.
code=stet
- The HTTP response status code, such as
200
and404
.
- The HTTP response status code, such as
headers=key=kasd
- The HTTP response headers. If multiple headers share the same key, they must be merged according to HTTP spec. All header keys must be lowercased, because HTTP header keys are case-insensitive.
- the value will be associated with the given
key
size=et
- The HTTP response size in bytes. If unknown, it must be -1.
-
time=sed
- The timestamp when the
destination
service sends the last byte of the response.
- The timestamp when the
-
..source ip=et
- The IP address of the peer.
labels=key=et
- The labels associated with the peer.
- the value will be associated with the given
key
port=vero
- The network port of the peer.
principal=erat
- The identity of this peer. Similar to
Request.auth.principal
, but relative to the peer instead of the request. For example, the identity associated with a load balancer that forwarded the request.
- The identity of this peer. Similar to
-
region-code=sed
- The CLDR country/region code associated with the above IP address. If the IP address is private, the
region_code
should reflect the physical location where this peer is running.
- The CLDR country/region code associated with the above IP address. If the IP address is private, the
-
... flags=duo
- Optional. Contains a comma-separated list of flags.
service-config-id=dolore
- Specifies the version of the service configuration that should be used to process the request. Must not be empty. Set this field to 'latest' to specify using the latest configuration.
About Cursors
The cursor position is key to comfortably set complex nested structures. The following rules apply:
- The cursor position is always set relative to the current one, unless the field name starts with the
.
character. Fields can be nested such as in-r f.s.o
. - The cursor position is set relative to the top-level structure if it starts with
.
, e.g.-r .s.s
- You can also set nested fields without setting the cursor explicitly. For example, to set a value relative to the current cursor position, you would specify
-r struct.sub_struct=bar
. - You can move the cursor one level up by using
..
. Each additional.
moves it up one additional level. E.g....
would go three levels up.
Optional Output Flags
The method's return value a JSON encoded structure, which will be written to standard output by default.
- -o out
- out specifies the destination to which to write the server's result to.
It will be a JSON-encoded structure.
The destination may be
-
to indicate standard output, or a filepath that is to contain the received bytes. If unset, it defaults to standard output.
- out specifies the destination to which to write the server's result to.
It will be a JSON-encoded structure.
The destination may be
Optional General Properties
The following properties can configure any call, and are not specific to this method.
-
-p $-xgafv=string
- V1 error format.
-
-p access-token=string
- OAuth access token.
-
-p alt=string
- Data format for response.
-
-p callback=string
- JSONP
-
-p fields=string
- Selector specifying which fields to include in a partial response.
-
-p key=string
- API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
-
-p oauth-token=string
- OAuth 2.0 token for the current user.
-
-p pretty-print=boolean
- Returns response with indentations and line breaks.
-
-p quota-user=string
- Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
-
-p upload-type=string
- Legacy upload protocol for media (e.g. "media", "multipart").
-
-p upload-protocol=string
- Upload protocol for media (e.g. "raw", "multipart").