Method: services.check

Checks whether an operation on a service should be allowed to proceed based on the configuration of the service and related policies. It must be called before the operation is executed.

If feasible, the client should cache the check results and reuse them for 60 seconds. In case of any server errors, the client should rely on the cached results for much longer time to avoid outage. WARNING: There is general 60s delay for the configuration and policy propagation, therefore callers MUST NOT depend on the services.check method having the latest policy information.

NOTE: the CheckRequest has the size limit of 1MB.

This method requires the servicemanagement.services.check permission on the specified service. For more information, see Cloud IAM.

HTTP request

POST https://servicecontrol.googleapis.com/v1/services/{serviceName}:check

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
serviceName

string

The service name as specified in its service configuration. For example, "pubsub.googleapis.com".

See google.api.Service for the definition of a service name.

Authorization requires the following IAM permission on the specified resource serviceName:

  • servicemanagement.services.check

Request body

The request body contains data with the following structure:

JSON representation
{ "operation": { object (Operation) }, "serviceConfigId": string }
Fields
operation

object (Operation)

The operation to be checked.

serviceConfigId

string

Specifies which version of service configuration should be used to process the request.

If unspecified or no matching version can be found, the latest one will be used.

Response body

If successful, the response body contains data with the following structure:

Response message for the services.check method.

JSON representation
{ "operationId": string, "checkErrors": [ { object (CheckError) } ], "serviceConfigId": string, "serviceRolloutId": string, "checkInfo": { object (CheckInfo) } }
Fields
operationId

string

The same operationId value used in the CheckRequest. Used for logging and diagnostics purposes.

checkErrors[]

object (CheckError)

Indicate the decision of the check.

If no check errors are present, the service should process the operation. Otherwise the service should use the list of errors to determine the appropriate action.

serviceConfigId

string

The actual config id used to process the request.

serviceRolloutId

string

The current service rollout id used to process the request.

checkInfo

object (CheckInfo)

Feedback data returned from the server during processing a services.check request.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/servicecontrol
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CheckError

Defines the errors to be returned in google.api.servicecontrol.v1.CheckResponse.check_errors.

JSON representation
{ "code": enum (Code), "subject": string, "detail": string, "status": { object (Status) } }
Fields
code

enum (Code)

The error code.

subject

string

Subject to whom this error applies. See the specific code enum for more details on this field. For example:

  • "project:"
  • "folder:"
  • "organization:"
detail

string

Free-form text providing details on the error cause of the error.

status

object (Status)

Contains public information about the check error. If available, status.code will be non zero and client can propagate it out as public error.

Code

Error codes for services.check responses.

Enums
ERROR_CODE_UNSPECIFIED This is never used in CheckResponse.
NOT_FOUND The consumer's project id, network container, or resource container was not found. Same as google.rpc.Code.NOT_FOUND.
PERMISSION_DENIED The consumer doesn't have access to the specified resource. Same as google.rpc.Code.PERMISSION_DENIED.
RESOURCE_EXHAUSTED Quota check failed. Same as google.rpc.Code.RESOURCE_EXHAUSTED.
SERVICE_NOT_ACTIVATED The consumer hasn't activated the service.
BILLING_DISABLED The consumer cannot access the service because billing is disabled.
PROJECT_DELETED The consumer's project has been marked as deleted (soft deletion).
PROJECT_INVALID The consumer's project number or id does not represent a valid project.
CONSUMER_INVALID The input consumer info does not represent a valid consumer folder or organization.
IP_ADDRESS_BLOCKED The IP address of the consumer is invalid for the specific consumer project.
REFERER_BLOCKED The referer address of the consumer request is invalid for the specific consumer project.
CLIENT_APP_BLOCKED The client application of the consumer request is invalid for the specific consumer project.
API_TARGET_BLOCKED The API targeted by this request is invalid for the specified consumer project.
API_KEY_INVALID The consumer's API key is invalid.
API_KEY_EXPIRED The consumer's API Key has expired.
API_KEY_NOT_FOUND The consumer's API Key was not found in config record.
INVALID_CREDENTIAL The credential in the request can not be verified.
NAMESPACE_LOOKUP_UNAVAILABLE The backend server for looking up project id/number is unavailable.
SERVICE_STATUS_UNAVAILABLE The backend server for checking service status is unavailable.
BILLING_STATUS_UNAVAILABLE The backend server for checking billing status is unavailable.
CLOUD_RESOURCE_MANAGER_BACKEND_UNAVAILABLE Cloud Resource Manager backend server is unavailable.

CheckInfo

Contains additional information about the check operation.

JSON representation
{ "unusedArguments": [ string ], "consumerInfo": { object (ConsumerInfo) } }
Fields
unusedArguments[]

string

A list of fields and label keys that are ignored by the server. The client doesn't need to send them for following requests to improve performance and allow better aggregation.

consumerInfo

object (ConsumerInfo)

Consumer info of this check.

ConsumerInfo

ConsumerInfo provides information about the consumer.

JSON representation
{ "projectNumber": string, "type": enum (ConsumerType), "consumerNumber": string }
Fields
projectNumber

string (int64 format)

The Google cloud project number, e.g. 1234567890. A value of 0 indicates no project number is found.

NOTE: This field is deprecated after Chemist support flexible consumer id. New code should not depend on this field anymore.

type

enum (ConsumerType)

The type of the consumer which should have been defined in Google Resource Manager.

consumerNumber

string (int64 format)

The consumer identity number, can be Google cloud project number, folder number or organization number e.g. 1234567890. A value of 0 indicates no consumer number is found.

ConsumerType

The type of the consumer as defined in Google Resource Manager.

Enums
CONSUMER_TYPE_UNSPECIFIED This is never used.
PROJECT The consumer is a Google Cloud Project.
FOLDER The consumer is a Google Cloud Folder.
ORGANIZATION The consumer is a Google Cloud Organization.
SERVICE_SPECIFIC Service-specific resource container which is defined by the service producer to offer their users the ability to manage service control functionalities at a finer level of granularity than the PROJECT.