@ -1,4 +1,4 @@
/ / Copyright 2017 Google Inc .
/ / Copyright 2019 Google LLC .
/ /
/ / Licensed under the Apache License , Version 2.0 ( the "License" ) ;
/ / you may not use this file except in compliance with the License.
@ -17,6 +17,9 @@ syntax = "proto3";
package google . iam.admin.v1 ;
import "google/api/annotations.proto" ;
import "google/api/client.proto" ;
import "google/api/field_behavior.proto" ;
import "google/api/resource.proto" ;
import "google/iam/v1/iam_policy.proto" ;
import "google/iam/v1/policy.proto" ;
import "google/protobuf/empty.proto" ;
@ -41,17 +44,20 @@ option java_package = "com.google.iam.admin.v1";
/ / ` unique_id ` .
/ /
/ / All other methods can identify accounts using the format
/ / ` projects / { PROJECT_ID } / serviceAccounts / { SERVICE_ ACCOUNT_EMAIL } ` .
/ / Using ` - ` as a wildcard for the project will infer the project from
/ / the account. The ` account ` value can be the ` email ` address or the
/ / ` projects / { PROJECT_ID } / serviceAccounts / { ACCOUNT } ` .
/ / Using ` - ` as a wildcard for the ` PROJECT_ID ` will infer the project from
/ / the account. The ` ACCOUNT ` value can be the ` email ` address or the
/ / ` unique_id ` of the service account .
service IAM {
option ( google.api.default_host ) = "iam.googleapis.com" ;
option ( google.api.oauth_scopes ) = "https://www.googleapis.com/auth/cloud-platform" ;
/ / Lists [ ServiceAccounts ] [ google.iam.admin.v1.ServiceAccount ] for a project.
rpc ListServiceAccounts ( ListServiceAccountsRequest )
returns ( ListServiceAccountsResponse ) {
rpc ListServiceAccounts ( ListServiceAccountsRequest ) returns ( ListServiceAccountsResponse ) {
option ( google.api.http ) = {
get : "/v1/{name=projects/*}/serviceAccounts"
} ;
option ( google.api.method_signature ) = "name" ;
}
/ / Gets a [ ServiceAccount ] [ google.iam.admin.v1.ServiceAccount ] .
@ -59,23 +65,23 @@ service IAM {
option ( google.api.http ) = {
get : "/v1/{name=projects/*/serviceAccounts/*}"
} ;
option ( google.api.method_signature ) = "name" ;
}
/ / Creates a [ ServiceAccount ] [ google.iam.admin.v1.ServiceAccount ]
/ / and returns it.
rpc CreateServiceAccount ( CreateServiceAccountRequest )
returns ( ServiceAccount ) {
rpc CreateServiceAccount ( CreateServiceAccountRequest ) returns ( ServiceAccount ) {
option ( google.api.http ) = {
post : "/v1/{name=projects/*}/serviceAccounts"
body : "*"
} ;
option ( google.api.method_signature ) = "name,account_id,service_account" ;
}
/ / Updates a [ ServiceAccount ] [ google.iam.admin.v1.ServiceAccount ] .
/ /
/ / Currently , only the following fields are updatable :
/ / ` display_name ` .
/ / The ` etag ` is mandatory.
/ / ` display_name ` and ` description ` .
rpc UpdateServiceAccount ( ServiceAccount ) returns ( ServiceAccount ) {
option ( google.api.http ) = {
put : "/v1/{name=projects/*/serviceAccounts/*}"
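Review bot: Dropping "The `etag` is mandatory." from the UpdateServiceAccount comment removes the only documented concurrency guard on this PUT, and the same change's ServiceAccount hunk now describes `etag` as an inoperable legacy field, so an update appears to be last-writer-wins with no way for a caller to detect a lost update. The comment should say that explicitly rather than leaving callers to infer it, e.g. `// The \`etag\` field is ignored; two concurrent updates are not detected, so callers that need read-modify-write safety must serialize their own updates.` (hedged: whether the server still compares etags is not visible here). The same point applies to the `etag` comment in the ServiceAccount message hunk. The UpdateServiceAccount rpc body continues past the end of this hunk.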
@ -84,46 +90,46 @@ service IAM {
}
/ / Deletes a [ ServiceAccount ] [ google.iam.admin.v1.ServiceAccount ] .
rpc DeleteServiceAccount ( DeleteServiceAccountRequest )
returns ( google.protobuf.Empty ) {
rpc DeleteServiceAccount ( DeleteServiceAccountRequest ) returns ( google.protobuf.Empty ) {
option ( google.api.http ) = {
delete : "/v1/{name=projects/*/serviceAccounts/*}"
} ;
option ( google.api.method_signature ) = "name" ;
}
/ / Lists [ ServiceAccountKeys ] [ google.iam.admin.v1.ServiceAccountKey ] .
rpc ListServiceAccountKeys ( ListServiceAccountKeysRequest )
returns ( ListServiceAccountKeysResponse ) {
rpc ListServiceAccountKeys ( ListServiceAccountKeysRequest ) returns ( ListServiceAccountKeysResponse ) {
option ( google.api.http ) = {
get : "/v1/{name=projects/*/serviceAccounts/*}/keys"
} ;
option ( google.api.method_signature ) = "name,key_types" ;
}
/ / Gets the [ ServiceAccountKey ] [ google.iam.admin.v1.ServiceAccountKey ]
/ / by key id.
rpc GetServiceAccountKey ( GetServiceAccountKeyRequest )
returns ( ServiceAccountKey ) {
rpc GetServiceAccountKey ( GetServiceAccountKeyRequest ) returns ( ServiceAccountKey ) {
option ( google.api.http ) = {
get : "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
} ;
option ( google.api.method_signature ) = "name,public_key_type" ;
}
/ / Creates a [ ServiceAccountKey ] [ google.iam.admin.v1.ServiceAccountKey ]
/ / and returns it.
rpc CreateServiceAccountKey ( CreateServiceAccountKeyRequest )
returns ( ServiceAccountKey ) {
rpc CreateServiceAccountKey ( CreateServiceAccountKeyRequest ) returns ( ServiceAccountKey ) {
option ( google.api.http ) = {
post : "/v1/{name=projects/*/serviceAccounts/*}/keys"
body : "*"
} ;
option ( google.api.method_signature ) = "name,private_key_type,key_algorithm" ;
}
/ / Deletes a [ ServiceAccountKey ] [ google.iam.admin.v1.ServiceAccountKey ] .
rpc DeleteServiceAccountKey ( DeleteServiceAccountKeyRequest )
returns ( google.protobuf.Empty ) {
rpc DeleteServiceAccountKey ( DeleteServiceAccountKeyRequest ) returns ( google.protobuf.Empty ) {
option ( google.api.http ) = {
delete : "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
} ;
option ( google.api.method_signature ) = "name" ;
}
/ / Signs a blob using a service account ' s system - managed private key.
@ -132,6 +138,7 @@ service IAM {
post : "/v1/{name=projects/*/serviceAccounts/*}:signBlob"
body : "*"
} ;
option ( google.api.method_signature ) = "name,bytes_to_sign" ;
}
/ / Signs a JWT using a service account ' s system - managed private key.
@ -144,53 +151,86 @@ service IAM {
post : "/v1/{name=projects/*/serviceAccounts/*}:signJwt"
body : "*"
} ;
option ( google.api.method_signature ) = "name,payload" ;
}
/ / Returns the IAM access control policy for a
/ / Returns the Cloud IAM access control policy for a
/ / [ ServiceAccount ] [ google.iam.admin.v1.ServiceAccount ] .
rpc GetIamPolicy ( google.iam.v1.GetIamPolicyRequest )
returns ( google.iam.v1.Policy ) {
/ /
/ / Note : Service accounts are both
/ / [ resources and
/ / identities ] ( / iam / docs / service - accounts # service_account_permissions ) . This
/ / method treats the service account as a resource. It returns the Cloud IAM
/ / policy that reflects what members have access to the service account .
/ /
/ / This method does not return what resources the service account has access
/ / to . To see if a service account has access to a resource , call the
/ / ` getIamPolicy ` method on the target resource. For example , to view grants
/ / for a project , call the
/ / [ projects.getIamPolicy ] ( / resource - manager / reference / rest / v1 / projects / getIamPolicy )
/ / method.
rpc GetIamPolicy ( google.iam.v1.GetIamPolicyRequest ) returns ( google.iam.v1.Policy ) {
option ( google.api.http ) = {
post : "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy"
body : ""
} ;
option ( google.api.method_signature ) = "resource" ;
}
/ / Sets the IAM access control policy for a
/ / Sets the Cloud IAM access control policy for a
/ / [ ServiceAccount ] [ google.iam.admin.v1.ServiceAccount ] .
rpc SetIamPolicy ( google.iam.v1.SetIamPolicyRequest )
returns ( google.iam.v1.Policy ) {
/ /
/ / Note : Service accounts are both
/ / [ resources and
/ / identities ] ( / iam / docs / service - accounts # service_account_permissions ) . This
/ / method treats the service account as a resource. Use it to grant members
/ / access to the service account , such as when they need to impersonate it.
/ /
/ / This method does not grant the service account access to other resources ,
/ / such as projects. To grant a service account access to resources , include
/ / the service account in the Cloud IAM policy for the desired resource , then
/ / call the appropriate ` setIamPolicy ` method on the target resource. For
/ / example , to grant a service account access to a project , call the
/ / [ projects.setIamPolicy ] ( / resource - manager / reference / rest / v1 / projects / setIamPolicy )
/ / method.
rpc SetIamPolicy ( google.iam.v1.SetIamPolicyRequest ) returns ( google.iam.v1.Policy ) {
option ( google.api.http ) = {
post : "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy"
body : "*"
} ;
option ( google.api.method_signature ) = "resource,policy" ;
}
/ / Tests the specified permissions against the IAM access control policy
/ / for a [ ServiceAccount ] [ google.iam.admin.v1.ServiceAccount ] .
rpc TestIamPermissions ( google.iam.v1.TestIamPermissionsRequest )
returns ( google.iam.v1.TestIamPermissionsResponse ) {
rpc TestIamPermissions ( google.iam.v1.TestIamPermissionsRequest ) returns ( google.iam.v1.TestIamPermissionsResponse ) {
option ( google.api.http ) = {
post : "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions"
body : "*"
} ;
option ( google.api.method_signature ) = "resource,permissions" ;
}
/ / Queries roles that can be granted on a particular resource.
/ / A role is grantable if it can be used as the role in a binding for a policy
/ / for that resource.
rpc QueryGrantableRoles ( QueryGrantableRolesRequest )
returns ( QueryGrantableRolesResponse ) {
rpc QueryGrantableRoles ( QueryGrantableRolesRequest ) returns ( QueryGrantableRolesResponse ) {
option ( google.api.http ) = {
post : "/v1/roles:queryGrantableRoles"
body : "*"
} ;
option ( google.api.method_signature ) = "full_resource_name" ;
}
/ / Lists the Roles defined on a resource.
rpc ListRoles ( ListRolesRequest ) returns ( ListRolesResponse ) {
option ( google.api.http ) = {
get : "/v1/roles"
additional_bindings {
get : "/v1/{parent=organizations/*}/roles"
}
additional_bindings {
get : "/v1/{parent=projects/*}/roles"
}
} ;
}
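Review bot: The GetIamPolicy binding keeps `body : ""` while the sibling SetIamPolicy and TestIamPermissions bindings in this hunk use `body : "*"`, so any request field other than the path-bound `resource` (the imported google/iam/v1/iam_policy.proto carries a `GetPolicyOptions options` field, if this revision of it does) can only be sent as a query parameter on the REST surface, which is easy to miss for callers who need a specific policy version. If that is intentional a comment should say so; otherwise `body : "*"` makes the three IAM bindings consistent. The new Note paragraphs correctly distinguish the policy on the service account from what the account can access, which is the distinction reviewers most often get wrong when auditing grants. The IAM service definition continues beyond this hunk.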
@ -198,6 +238,12 @@ service IAM {
rpc GetRole ( GetRoleRequest ) returns ( Role ) {
option ( google.api.http ) = {
get : "/v1/{name=roles/*}"
additional_bindings {
get : "/v1/{name=organizations/*/roles/*}"
}
additional_bindings {
get : "/v1/{name=projects/*/roles/*}"
}
} ;
}
@ -206,6 +252,10 @@ service IAM {
option ( google.api.http ) = {
post : "/v1/{parent=organizations/*}/roles"
body : "*"
additional_bindings {
post : "/v1/{parent=projects/*}/roles"
body : "*"
}
} ;
}
@ -214,6 +264,10 @@ service IAM {
option ( google.api.http ) = {
patch : "/v1/{name=organizations/*/roles/*}"
body : "role"
additional_bindings {
patch : "/v1/{name=projects/*/roles/*}"
body : "role"
}
} ;
}
@ -227,6 +281,9 @@ service IAM {
rpc DeleteRole ( DeleteRoleRequest ) returns ( Role ) {
option ( google.api.http ) = {
delete : "/v1/{name=organizations/*/roles/*}"
additional_bindings {
delete : "/v1/{name=projects/*/roles/*}"
}
} ;
}
@ -235,13 +292,16 @@ service IAM {
option ( google.api.http ) = {
post : "/v1/{name=organizations/*/roles/*}:undelete"
body : "*"
additional_bindings {
post : "/v1/{name=projects/*/roles/*}:undelete"
body : "*"
}
} ;
}
/ / Lists the permissions testable on a resource.
/ / A permission is testable if it can be tested for an identity on a resource.
rpc QueryTestablePermissions ( QueryTestablePermissionsRequest )
returns ( QueryTestablePermissionsResponse ) {
rpc QueryTestablePermissions ( QueryTestablePermissionsRequest ) returns ( QueryTestablePermissionsResponse ) {
option ( google.api.http ) = {
post : "/v1/permissions:queryTestablePermissions"
body : "*"
@ -257,25 +317,29 @@ service IAM {
/ / ` unique_id ` .
/ /
/ / If the account already exists , the account ' s resource name is returned
/ / in util : : Status ' s ResourceInfo.resource_name in the format of
/ / projects / { PROJECT_ID } / serviceAccounts / { SERVICE_ACCOUNT_EMAIL } . The caller can
/ / use the name in other methods to access the account.
/ / in the format of projects / { PROJECT_ID } / serviceAccounts / { ACCOUNT } . The caller
/ / can use the name in other methods to access the account.
/ /
/ / All other methods can identify the service account using the format
/ / ` projects / { PROJECT_ID } / serviceAccounts / { SERVICE_ ACCOUNT_EMAIL } ` .
/ / Using ` - ` as a wildcard for the project will infer the project from
/ / the account. The ` account ` value can be the ` email ` address or the
/ / ` projects / { PROJECT_ID } / serviceAccounts / { ACCOUNT } ` .
/ / Using ` - ` as a wildcard for the ` PROJECT_ID ` will infer the project from
/ / the account. The ` ACCOUNT ` value can be the ` email ` address or the
/ / ` unique_id ` of the service account .
message ServiceAccount {
option ( google.api.resource ) = {
type : "iam.googleapis.com/ServiceAccount"
pattern : "projects/{project}/serviceAccounts/{service_account}"
} ;
/ / The resource name of the service account in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { SERVICE_ACCOUNT_EMAIL } ` .
/ / ` projects / { PROJECT_ID } / serviceAccounts / { ACCOUNT } ` .
/ /
/ / Requests using ` - ` as a wildcard for the project will infer the project
/ / from the ` account ` and the ` account ` value can be the ` email ` address or
/ / the ` unique_id ` of the service account .
/ / Requests using ` - ` as a wildcard for the ` PROJECT_ID ` will infer the
/ / project from the ` account ` and the ` ACCOUNT ` value can be the ` email `
/ / address or the ` unique_id ` of the service account .
/ /
/ / In responses the resource name will always be in the format
/ / ` projects / { PROJECT_ID } / serviceAccounts / { SERVICE_ ACCOUNT_EMAIL } ` .
/ / ` projects / { PROJECT_ID } / serviceAccounts / { ACCOUNT } ` .
string name = 1 ;
/ / @ OutputOnly The id of the project that owns the service account .
@ -287,11 +351,12 @@ message ServiceAccount {
/ / @ OutputOnly The email address of the service account .
string email = 5 ;
/ / Optional. A user - specified description of the service account . Must be
/ / fewer than 100 UTF - 8 bytes .
/ / Optional. A user - specified name for the service account .
/ / Must be less than or equal to 100 UTF - 8 bytes .
string display_name = 6 ;
/ / Used to perform a consistent read - modify - write.
/ / Optional. Note : ` etag ` is an inoperable legacy field that is only returned
/ / for backwards compatibility.
bytes etag = 7 ;
/ / @ OutputOnly. The OAuth2 client id for the service account .
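Review bot: The new `display_name` comment changes the documented limit from "fewer than 100 UTF-8 bytes" to "less than or equal to 100 UTF-8 bytes", which is a contract change in the wording alone; if server-side validation did not change in this commit, the old text should be kept, and if it did, the comment should say the limit is enforced on write so clients can validate before sending. Separately, this commit's UpdateServiceAccount and CreateServiceAccountRequest comments now name `description` as a user-assignable field, but no `description` field is visible in the ServiceAccount hunks here — if it is not added elsewhere in the change, those comments reference a field that does not exist. The ServiceAccount message starts and ends outside this hunk.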
@ -304,17 +369,22 @@ message ServiceAccount {
message CreateServiceAccountRequest {
/ / Required. The resource name of the project associated with the service
/ / accounts , such as ` projects / my - project - 123 ` .
string name = 1 ;
string name = 1 [
( google.api.field_behavior ) = REQUIRED ,
( google.api.resource_reference ) = {
type : "cloudresourcemanager.googleapis.com/Project"
}
] ;
/ / Required. The account id that is used to generate the service account
/ / email address and a stable unique id. It is unique within a project ,
/ / must be 6 - 30 characters long , and match the regular expression
/ / ` [ a - z ] ( [ - a - z0 - 9 ] * [ a - z0 - 9 ] ) ` to comply with RFC1035.
string account_id = 2 ;
string account_id = 2 [ ( google.api.field_behavior ) = REQUIRED ] ;
/ / The [ ServiceAccount ] [ google.iam.admin.v1.ServiceAccount ] resource to
/ / create. Currently , only the following values are user assignable :
/ / ` display_name ` .
/ / ` display_name ` and ` description ` .
ServiceAccount service_account = 3 ;
}
@ -322,7 +392,12 @@ message CreateServiceAccountRequest {
message ListServiceAccountsRequest {
/ / Required. The resource name of the project associated with the service
/ / accounts , such as ` projects / my - project - 123 ` .
string name = 1 ;
string name = 1 [
( google.api.field_behavior ) = REQUIRED ,
( google.api.resource_reference ) = {
type : "cloudresourcemanager.googleapis.com/Project"
}
] ;
/ / Optional limit on the number of service accounts to include in the
/ / response. Further accounts can subsequently be obtained by including the
@ -348,22 +423,32 @@ message ListServiceAccountsResponse {
/ / The service account get request.
message GetServiceAccountRequest {
/ / The resource name of the service account in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { SERVICE_ ACCOUNT_EMAIL } ` .
/ / Using ` - ` as a wildcard for the project will infer the project from
/ / the account. The ` account ` value can be the ` email ` address or the
/ / Required. The resource name of the service account in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { ACCOUNT } ` .
/ / Using ` - ` as a wildcard for the ` PROJECT_ID ` will infer the project from
/ / the account. The ` ACCOUNT ` value can be the ` email ` address or the
/ / ` unique_id ` of the service account .
string name = 1 ;
string name = 1 [
( google.api.field_behavior ) = REQUIRED ,
( google.api.resource_reference ) = {
type : "iam.googleapis.com/ServiceAccount"
}
] ;
}
/ / The service account delete request.
message DeleteServiceAccountRequest {
/ / The resource name of the service account in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { SERVICE_ ACCOUNT_EMAIL } ` .
/ / Using ` - ` as a wildcard for the project will infer the project from
/ / the account. The ` account ` value can be the ` email ` address or the
/ / Required. The resource name of the service account in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { ACCOUNT } ` .
/ / Using ` - ` as a wildcard for the ` PROJECT_ID ` will infer the project from
/ / the account. The ` ACCOUNT ` value can be the ` email ` address or the
/ / ` unique_id ` of the service account .
string name = 1 ;
string name = 1 [
( google.api.field_behavior ) = REQUIRED ,
( google.api.resource_reference ) = {
type : "iam.googleapis.com/ServiceAccount"
}
] ;
}
/ / The service account keys list request.
@ -382,13 +467,18 @@ message ListServiceAccountKeysRequest {
SYSTEM_MANAGED = 2 ;
}
/ / The resource name of the service account in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { SERVICE_ ACCOUNT_EMAIL } ` .
/ / Required. The resource name of the service account in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { ACCOUNT } ` .
/ /
/ / Using ` - ` as a wildcard for the project , will infer the project from
/ / the account. The ` account ` value can be the ` email ` address or the
/ / Using ` - ` as a wildcard for the ` PROJECT_ID ` , will infer the project from
/ / the account. The ` ACCOUNT ` value can be the ` email ` address or the
/ / ` unique_id ` of the service account .
string name = 1 ;
string name = 1 [
( google.api.field_behavior ) = REQUIRED ,
( google.api.resource_reference ) = {
type : "iam.googleapis.com/ServiceAccount"
}
] ;
/ / Filters the types of keys the user wants to include in the list
/ / response. Duplicate key types are not allowed. If no key type
@ -404,13 +494,18 @@ message ListServiceAccountKeysResponse {
/ / The service account key get by id request.
message GetServiceAccountKeyRequest {
/ / The resource name of the service account key in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { SERVICE_ ACCOUNT_EMAIL } / keys / { key } ` .
/ / Required. The resource name of the service account key in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { ACCOUNT } / keys / { key } ` .
/ /
/ / Using ` - ` as a wildcard for the project will infer the project from
/ / the account. The ` account ` value can be the ` email ` address or the
/ / Using ` - ` as a wildcard for the ` PROJECT_ID ` will infer the project from
/ / the account. The ` ACCOUNT ` value can be the ` email ` address or the
/ / ` unique_id ` of the service account .
string name = 1 ;
string name = 1 [
( google.api.field_behavior ) = REQUIRED ,
( google.api.resource_reference ) = {
type : "iam.googleapis.com/Key"
}
] ;
/ / The output format of the public key requested.
/ / X509_PEM is the default output format.
@ -427,15 +522,22 @@ message GetServiceAccountKeyRequest {
/ / their service accounts . Users retain the private key of these key - pairs ,
/ / and Google retains ONLY the public key.
/ /
/ / System - managed key - pairs are managed automatically by Google , and rotated
/ / daily without user intervention. The private key never leaves Google ' s
/ / servers to maximize security.
/ / System - managed keys are automatically rotated by Google , and are used for
/ / signing for a maximum of two weeks. The rotation process is probabilistic ,
/ / and usage of the new key will gradually ramp up and down over the key ' s
/ / lifetime. We recommend caching the public key set for a service account for
/ / no more than 24 hours to ensure you have access to the latest keys.
/ /
/ / Public keys for all service accounts are also published at the OAuth2
/ / Service Account API.
message ServiceAccountKey {
option ( google.api.resource ) = {
type : "iam.googleapis.com/Key"
pattern : "projects/{project}/serviceAccounts/{service_account}/keys/{key}"
} ;
/ / The resource name of the service account key in the following format
/ / ` projects / { PROJECT_ID } / serviceAccounts / { SERVICE_ACCOUNT_EMAIL } / keys / { key } ` .
/ / ` projects / { PROJECT_ID } / serviceAccounts / { ACCOUNT } / keys / { key } ` .
string name = 1 ;
/ / The output format for the private key.
@ -452,7 +554,7 @@ message ServiceAccountKey {
/ / The private key data. Only provided in ` CreateServiceAccountKey `
/ / responses. Make sure to keep the private key data secure because it
/ / allows for the assertion of the service account identity.
/ / When decoded , the private key data can be used to authenticate with
/ / When base64 decoded , the private key data can be used to authenticate with
/ / Google API client libraries and with
/ / < a href = "/sdk/gcloud/reference/auth/activate-service-account" > gcloud
/ / auth activate - service - account < / a > .
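Review bot: The `private_key_data` comment now explains how to use the decoded key but still does not tell the caller how to handle it as a credential, which matters because the surrounding text already states it is only returned in the CreateServiceAccountKey response and allows assertion of the service account identity. A short addition would make the retention expectation explicit: `// This value is a long-lived credential that is only delivered in the create response; persist it in a secret store and keep it out of logs and request traces.` The ServiceAccountKey message starts and ends outside this hunk.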
@ -465,20 +567,29 @@ message ServiceAccountKey {
google.protobuf.Timestamp valid_after_time = 4 ;
/ / The key can be used before this timestamp.
/ / For system - managed key pairs , this timestamp is the end time for the
/ / private key signing operation. The public key could still be used
/ / for verification for a few hours after this time.
google.protobuf.Timestamp valid_before_time = 5 ;
}
/ / The service account key create request.
message CreateServiceAccountKeyRequest {
/ / The resource name of the service account in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { SERVICE_ ACCOUNT_EMAIL } ` .
/ / Using ` - ` as a wildcard for the project will infer the project from
/ / the account. The ` account ` value can be the ` email ` address or the
/ / Required. The resource name of the service account in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { ACCOUNT } ` .
/ / Using ` - ` as a wildcard for the ` PROJECT_ID ` will infer the project from
/ / the account. The ` ACCOUNT ` value can be the ` email ` address or the
/ / ` unique_id ` of the service account .
string name = 1 ;
/ / The output format of the private key. ` GOOGLE_CREDENTIALS_FILE ` is the
/ / default output format.
string name = 1 [
( google.api.field_behavior ) = REQUIRED ,
( google.api.resource_reference ) = {
type : "iam.googleapis.com/ServiceAccount"
}
] ;
/ / The output format of the private key. The default value is
/ / ` TYPE_GOOGLE_CREDENTIALS_FILE ` , which is the Google Credentials File
/ / format.
ServiceAccountPrivateKeyType private_key_type = 2 ;
/ / Which type of key and algorithm to use for the key.
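Review bot: The rewritten `private_key_type` comment says the default value is `TYPE_GOOGLE_CREDENTIALS_FILE`, but in a proto3 file (the `syntax = "proto3"` line is visible in the second hunk header) the wire default of an enum field is its zero value, which for ServiceAccountPrivateKeyType is presumably an `*_UNSPECIFIED` value rather than the credentials-file one — the enum itself is not in this diff, so confirm. If that is the case the comment should say the server interprets an unset value that way, e.g. `// If unset (\`TYPE_UNSPECIFIED\`), the server uses \`TYPE_GOOGLE_CREDENTIALS_FILE\`.` so readers do not assume the generated code carries that default. The CreateServiceAccountKeyRequest message continues beyond this hunk.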
@ -489,25 +600,35 @@ message CreateServiceAccountKeyRequest {
/ / The service account key delete request.
message DeleteServiceAccountKeyRequest {
/ / The resource name of the service account key in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { SERVICE_ ACCOUNT_EMAIL } / keys / { key } ` .
/ / Using ` - ` as a wildcard for the project will infer the project from
/ / the account. The ` account ` value can be the ` email ` address or the
/ / Required. The resource name of the service account key in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { ACCOUNT } / keys / { key } ` .
/ / Using ` - ` as a wildcard for the ` PROJECT_ID ` will infer the project from
/ / the account. The ` ACCOUNT ` value can be the ` email ` address or the
/ / ` unique_id ` of the service account .
string name = 1 ;
string name = 1 [
( google.api.field_behavior ) = REQUIRED ,
( google.api.resource_reference ) = {
type : "iam.googleapis.com/Key"
}
] ;
}
/ / The service account sign blob request.
message SignBlobRequest {
/ / The resource name of the service account in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { SERVICE_ ACCOUNT_EMAIL } ` .
/ / Using ` - ` as a wildcard for the project will infer the project from
/ / the account. The ` account ` value can be the ` email ` address or the
/ / Required. The resource name of the service account in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { ACCOUNT } ` .
/ / Using ` - ` as a wildcard for the ` PROJECT_ID ` will infer the project from
/ / the account. The ` ACCOUNT ` value can be the ` email ` address or the
/ / ` unique_id ` of the service account .
string name = 1 ;
/ / The bytes to sign.
bytes bytes_to_sign = 2 ;
string name = 1 [
( google.api.field_behavior ) = REQUIRED ,
( google.api.resource_reference ) = {
type : "iam.googleapis.com/ServiceAccount"
}
] ;
/ / Required. The bytes to sign.
bytes bytes_to_sign = 2 [ ( google.api.field_behavior ) = REQUIRED ] ;
}
/ / The service account sign blob response.
@ -521,15 +642,20 @@ message SignBlobResponse {
/ / The service account sign JWT request.
message SignJwtRequest {
/ / The resource name of the service account in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { SERVICE_ ACCOUNT_EMAIL } ` .
/ / Using ` - ` as a wildcard for the project will infer the project from
/ / the account. The ` account ` value can be the ` email ` address or the
/ / Required. The resource name of the service account in the following format :
/ / ` projects / { PROJECT_ID } / serviceAccounts / { ACCOUNT } ` .
/ / Using ` - ` as a wildcard for the ` PROJECT_ID ` will infer the project from
/ / the account. The ` ACCOUNT ` value can be the ` email ` address or the
/ / ` unique_id ` of the service account .
string name = 1 ;
/ / The JWT payload to sign , a JSON JWT Claim set.
string payload = 2 ;
string name = 1 [
( google.api.field_behavior ) = REQUIRED ,
( google.api.resource_reference ) = {
type : "iam.googleapis.com/ServiceAccount"
}
] ;
/ / Required. The JWT payload to sign , a JSON JWT Claim set.
string payload = 2 [ ( google.api.field_behavior ) = REQUIRED ] ;
}
/ / The service account sign JWT response.
@ -545,10 +671,12 @@ message SignJwtResponse {
message Role {
/ / A stage representing a role ' s lifecycle phase.
enum RoleLaunchStage {
/ / The user has indicated this role is currently in an alpha phase.
/ / The user has indicated this role is currently in an Alpha phase. If this
/ / launch stage is selected , the ` stage ` field will not be included when
/ / requesting the definition for a given role.
ALPHA = 0 ;
/ / The user has indicated this role is currently in a b eta phase.
/ / The user has indicated this role is currently in a B eta phase.
BETA = 1 ;
/ / The user has indicated this role is generally available.
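Review bot: The new ALPHA comment documents the symptom ("the `stage` field will not be included") without the cause: `ALPHA = 0` is the proto3 zero value, and zero-valued scalars and enums are simply not serialized, so an absent `stage` in any response means ALPHA. Stating that directly is more useful to callers and to anyone reading the `stage` field comment later in this change: `// ALPHA is the zero value, so a role in this stage is returned with \`stage\` absent; treat a missing \`stage\` as ALPHA.` The enum values here are also unprefixed (`ALPHA`, `BETA`, ...), which is pre-existing but worth noting as a collision risk for any future enum in this message. The RoleLaunchStage enum continues beyond this hunk.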
@ -561,7 +689,7 @@ message Role {
/ / it is granted to in policies.
DISABLED = 5 ;
/ / The user has indicated this role is currently in an eap phase.
/ / The user has indicated this role is currently in an EAP phase.
EAP = 6 ;
}
@ -570,21 +698,23 @@ message Role {
/ / When Role is used in CreateRole , the role name must not be set.
/ /
/ / When Role is used in output and other input such as UpdateRole , the role
/ / name is the complete path , e.g. , roles / logging.viewer for curat ed roles
/ / name is the complete path , e.g. , roles / logging.viewer for predefin ed roles
/ / and organizations / { ORGANIZATION_ID } / roles / logging.viewer for custom roles.
string name = 1 ;
/ / Optional. A human - readable title for the role. Typically this
/ / Optional. A human - readable title for the role. Typically this
/ / is limited to 100 UTF - 8 bytes .
string title = 2 ;
/ / Optional. A human - readable description for the role.
/ / Optional. A human - readable description for the role.
string description = 3 ;
/ / The names of the permissions this role grants when bound in an IAM policy.
repeated string included_permissions = 7 ;
/ / The current launch stage of the role.
/ / The current launch stage of the role. If the ` ALPHA ` launch stage has been
/ / selected for a role , the ` stage ` field will not be included in the
/ / returned definition for the role.
RoleLaunchStage stage = 8 ;
/ / Used to perform a consistent read - modify - write.
@ -602,7 +732,7 @@ message QueryGrantableRolesRequest {
/ / The name follows the Google Cloud Platform resource format.
/ / For example , a Cloud Platform project with id ` my - project ` will be named
/ / ` / / cloudresourcemanager.googleapis.com / projects / my - project ` .
string full_resource_name = 1 ;
string full_resource_name = 1 [ ( google.api.field_behavior ) = REQUIRED ] ;
RoleView view = 2 ;
@ -626,11 +756,34 @@ message QueryGrantableRolesResponse {
/ / The request to get all roles defined under a resource.
message ListRolesRequest {
/ / The resource name of the parent resource in one of the following formats :
/ / ` ` ( empty string ) - - this refers to curated roles.
/ / ` organizations / { ORGANIZATION_ID } `
/ / ` projects / { PROJECT_ID } `
string parent = 1 ;
/ / The ` parent ` parameter ' s value depends on the target resource for the
/ / request , namely
/ / [ ` roles ` ] ( / iam / reference / rest / v1 / roles ) ,
/ / [ ` projects ` ] ( / iam / reference / rest / v1 / projects.roles ) , or
/ / [ ` organizations ` ] ( / iam / reference / rest / v1 / organizations.roles ) . Each
/ / resource type ' s ` parent ` value format is described below :
/ /
/ / * [ ` roles.list ( ) ` ] ( / iam / reference / rest / v1 / roles / list ) : An empty string .
/ / This method doesn ' t require a resource ; it simply returns all
/ / [ predefined roles ] ( / iam / docs / understanding - roles # predefined_roles ) in
/ / Cloud IAM. Example request URL :
/ / ` https : / / iam.googleapis.com / v1 / roles `
/ /
/ / * [ ` projects.roles.list ( ) ` ] ( / iam / reference / rest / v1 / projects.roles / list ) :
/ / ` projects / { PROJECT_ID } ` . This method lists all project - level
/ / [ custom roles ] ( / iam / docs / understanding - custom - roles ) .
/ / Example request URL :
/ / ` https : / / iam.googleapis.com / v1 / projects / { PROJECT_ID } / roles `
/ /
/ / * [ ` organizations.roles.list ( ) ` ] ( / iam / reference / rest / v1 / organizations.roles / list ) :
/ / ` organizations / { ORGANIZATION_ID } ` . This method lists all
/ / organization - level [ custom roles ] ( / iam / docs / understanding - custom - roles ) .
/ / Example request URL :
/ / ` https : / / iam.googleapis.com / v1 / organizations / { ORGANIZATION_ID } / roles `
/ /
/ / Note : Wildcard ( * ) values are invalid ; you must specify a complete project
/ / ID or organization ID.
string parent = 1 [ ( google.api.resource_reference ) . type = "*" ] ;
/ / Optional limit on the number of roles to include in the response.
int32 page_size = 2 ;
@ -638,7 +791,10 @@ message ListRolesRequest {
/ / Optional pagination token returned in an earlier ListRolesResponse.
string page_token = 3 ;
/ / Optional view for the returned Role objects.
/ / Optional view for the returned Role objects. When ` FULL ` is specified ,
/ / the ` includedPermissions ` field is returned , which includes a list of all
/ / permissions in the role. The default value is ` BASIC ` , which does not
/ / return the ` includedPermissions ` field.
RoleView view = 4 ;
/ / Include Roles that have been deleted.
@ -657,21 +813,61 @@ message ListRolesResponse {
/ / The request to get the definition of an existing role.
message GetRoleRequest {
/ / The resource name of the role in one of the following formats :
/ / ` roles / { ROLE_NAME } `
/ / ` organizations / { ORGANIZATION_ID } / roles / { ROLE_NAME } `
/ / ` projects / { PROJECT_ID } / roles / { ROLE_NAME } `
string name = 1 ;
/ / The ` name ` parameter ' s value depends on the target resource for the
/ / request , namely
/ / [ ` roles ` ] ( / iam / reference / rest / v1 / roles ) ,
/ / [ ` projects ` ] ( / iam / reference / rest / v1 / projects.roles ) , or
/ / [ ` organizations ` ] ( / iam / reference / rest / v1 / organizations.roles ) . Each
/ / resource type ' s ` name ` value format is described below :
/ /
/ / * [ ` roles.get ( ) ` ] ( / iam / reference / rest / v1 / roles / get ) : ` roles / { ROLE_NAME } ` .
/ / This method returns results from all
/ / [ predefined roles ] ( / iam / docs / understanding - roles # predefined_roles ) in
/ / Cloud IAM. Example request URL :
/ / ` https : / / iam.googleapis.com / v1 / roles / { ROLE_NAME } `
/ /
/ / * [ ` projects.roles.get ( ) ` ] ( / iam / reference / rest / v1 / projects.roles / get ) :
/ / ` projects / { PROJECT_ID } / roles / { CUSTOM_ROLE_ID } ` . This method returns only
/ / [ custom roles ] ( / iam / docs / understanding - custom - roles ) that have been
/ / created at the project level. Example request URL :
/ / ` https : / / iam.googleapis.com / v1 / projects / { PROJECT_ID } / roles / { CUSTOM_ROLE_ID } `
/ /
/ / * [ ` organizations.roles.get ( ) ` ] ( / iam / reference / rest / v1 / organizations.roles / get ) :
/ / ` organizations / { ORGANIZATION_ID } / roles / { CUSTOM_ROLE_ID } ` . This method
/ / returns only [ custom roles ] ( / iam / docs / understanding - custom - roles ) that
/ / have been created at the organization level. Example request URL :
/ / ` https : / / iam.googleapis.com / v1 / organizations / { ORGANIZATION_ID } / roles / { CUSTOM_ROLE_ID } `
/ /
/ / Note : Wildcard ( * ) values are invalid ; you must specify a complete project
/ / ID or organization ID.
string name = 1 [ ( google.api.resource_reference ) . type = "*" ] ;
}
/ / The request to create a new role.
message CreateRoleRequest {
/ / The resource name of the parent resource in one of the following formats :
/ / ` organizations / { ORGANIZATION_ID } `
/ / ` projects / { PROJECT_ID } `
string parent = 1 ;
/ / The ` parent ` parameter ' s value depends on the target resource for the
/ / request , namely
/ / [ ` projects ` ] ( / iam / reference / rest / v1 / projects.roles ) or
/ / [ ` organizations ` ] ( / iam / reference / rest / v1 / organizations.roles ) . Each
/ / resource type ' s ` parent ` value format is described below :
/ /
/ / * [ ` projects.roles.create ( ) ` ] ( / iam / reference / rest / v1 / projects.roles / create ) :
/ / ` projects / { PROJECT_ID } ` . This method creates project - level
/ / [ custom roles ] ( / iam / docs / understanding - custom - roles ) .
/ / Example request URL :
/ / ` https : / / iam.googleapis.com / v1 / projects / { PROJECT_ID } / roles `
/ /
/ / * [ ` organizations.roles.create ( ) ` ] ( / iam / reference / rest / v1 / organizations.roles / create ) :
/ / ` organizations / { ORGANIZATION_ID } ` . This method creates organization - level
/ / [ custom roles ] ( / iam / docs / understanding - custom - roles ) . Example request
/ / URL :
/ / ` https : / / iam.googleapis.com / v1 / organizations / { ORGANIZATION_ID } / roles `
/ /
/ / Note : Wildcard ( * ) values are invalid ; you must specify a complete project
/ / ID or organization ID.
string parent = 1 [ ( google.api.resource_reference ) . type = "*" ] ;
/ / The role id to use for this role.
/ / The role ID to use for this role.
string role_id = 2 ;
/ / The Role resource to create.
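Review bot: `name` in GetRoleRequest and `parent` in CreateRoleRequest gain a `google.api.resource_reference` annotation but no `google.api.field_behavior`, even though this commit adds the `field_behavior.proto` import and the new comments state that a complete project or organization ID is mandatory. Annotating them as `string name = 1 [(google.api.field_behavior) = REQUIRED, (google.api.resource_reference).type = "*"];` makes the requirement machine-readable for generated clients and request validation instead of leaving it to prose. The same omission applies to `name` in the UpdateRoleRequest, DeleteRoleRequest and UndeleteRoleRequest hunks below. Separately, `role_id` is a client-chosen identifier and its refreshed comment still states no accepted format; documenting the allowed pattern, or at least that the server validates it, would help callers build correct requests.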
@ -680,11 +876,27 @@ message CreateRoleRequest {
/ / The request to update a role.
message UpdateRoleRequest {
/ / The resource name of the role in one of the following formats :
/ / ` roles / { ROLE_NAME } `
/ / ` organizations / { ORGANIZATION_ID } / roles / { ROLE_NAME } `
/ / ` projects / { PROJECT_ID } / roles / { ROLE_NAME } `
string name = 1 ;
/ / The ` name ` parameter ' s value depends on the target resource for the
/ / request , namely
/ / [ ` projects ` ] ( / iam / reference / rest / v1 / projects.roles ) or
/ / [ ` organizations ` ] ( / iam / reference / rest / v1 / organizations.roles ) . Each
/ / resource type ' s ` name ` value format is described below :
/ /
/ / * [ ` projects.roles.patch ( ) ` ] ( / iam / reference / rest / v1 / projects.roles / patch ) :
/ / ` projects / { PROJECT_ID } / roles / { CUSTOM_ROLE_ID } ` . This method updates only
/ / [ custom roles ] ( / iam / docs / understanding - custom - roles ) that have been
/ / created at the project level. Example request URL :
/ / ` https : / / iam.googleapis.com / v1 / projects / { PROJECT_ID } / roles / { CUSTOM_ROLE_ID } `
/ /
/ / * [ ` organizations.roles.patch ( ) ` ] ( / iam / reference / rest / v1 / organizations.roles / patch ) :
/ / ` organizations / { ORGANIZATION_ID } / roles / { CUSTOM_ROLE_ID } ` . This method
/ / updates only [ custom roles ] ( / iam / docs / understanding - custom - roles ) that
/ / have been created at the organization level. Example request URL :
/ / ` https : / / iam.googleapis.com / v1 / organizations / { ORGANIZATION_ID } / roles / { CUSTOM_ROLE_ID } `
/ /
/ / Note : Wildcard ( * ) values are invalid ; you must specify a complete project
/ / ID or organization ID.
string name = 1 [ ( google.api.resource_reference ) . type = "*" ] ;
/ / The updated role.
Role role = 2 ;
@ -695,10 +907,27 @@ message UpdateRoleRequest {
/ / The request to delete an existing role.
message DeleteRoleRequest {
/ / The resource name of the role in one of the following formats :
/ / ` organizations / { ORGANIZATION_ID } / roles / { ROLE_NAME } `
/ / ` projects / { PROJECT_ID } / roles / { ROLE_NAME } `
string name = 1 ;
/ / The ` name ` parameter ' s value depends on the target resource for the
/ / request , namely
/ / [ ` projects ` ] ( / iam / reference / rest / v1 / projects.roles ) or
/ / [ ` organizations ` ] ( / iam / reference / rest / v1 / organizations.roles ) . Each
/ / resource type ' s ` name ` value format is described below :
/ /
/ / * [ ` projects.roles.delete ( ) ` ] ( / iam / reference / rest / v1 / projects.roles / delete ) :
/ / ` projects / { PROJECT_ID } / roles / { CUSTOM_ROLE_ID } ` . This method deletes only
/ / [ custom roles ] ( / iam / docs / understanding - custom - roles ) that have been
/ / created at the project level. Example request URL :
/ / ` https : / / iam.googleapis.com / v1 / projects / { PROJECT_ID } / roles / { CUSTOM_ROLE_ID } `
/ /
/ / * [ ` organizations.roles.delete ( ) ` ] ( / iam / reference / rest / v1 / organizations.roles / delete ) :
/ / ` organizations / { ORGANIZATION_ID } / roles / { CUSTOM_ROLE_ID } ` . This method
/ / deletes only [ custom roles ] ( / iam / docs / understanding - custom - roles ) that
/ / have been created at the organization level. Example request URL :
/ / ` https : / / iam.googleapis.com / v1 / organizations / { ORGANIZATION_ID } / roles / { CUSTOM_ROLE_ID } `
/ /
/ / Note : Wildcard ( * ) values are invalid ; you must specify a complete project
/ / ID or organization ID.
string name = 1 [ ( google.api.resource_reference ) . type = "*" ] ;
/ / Used to perform a consistent read - modify - write.
bytes etag = 2 ;
@ -706,10 +935,27 @@ message DeleteRoleRequest {
/ / The request to undelete an existing role.
message UndeleteRoleRequest {
/ / The resource name of the role in one of the following formats :
/ / ` organizations / { ORGANIZATION_ID } / roles / { ROLE_NAME } `
/ / ` projects / { PROJECT_ID } / roles / { ROLE_NAME } `
string name = 1 ;
/ / The ` name ` parameter ' s value depends on the target resource for the
/ / request , namely
/ / [ ` projects ` ] ( / iam / reference / rest / v1 / projects.roles ) or
/ / [ ` organizations ` ] ( / iam / reference / rest / v1 / organizations.roles ) . Each
/ / resource type ' s ` name ` value format is described below :
/ /
/ / * [ ` projects.roles.undelete ( ) ` ] ( / iam / reference / rest / v1 / projects.roles / undelete ) :
/ / ` projects / { PROJECT_ID } / roles / { CUSTOM_ROLE_ID } ` . This method undeletes
/ / only [ custom roles ] ( / iam / docs / understanding - custom - roles ) that have been
/ / created at the project level. Example request URL :
/ / ` https : / / iam.googleapis.com / v1 / projects / { PROJECT_ID } / roles / { CUSTOM_ROLE_ID } `
/ /
/ / * [ ` organizations.roles.undelete ( ) ` ] ( / iam / reference / rest / v1 / organizations.roles / undelete ) :
/ / ` organizations / { ORGANIZATION_ID } / roles / { CUSTOM_ROLE_ID } ` . This method
/ / undeletes only [ custom roles ] ( / iam / docs / understanding - custom - roles ) that
/ / have been created at the organization level. Example request URL :
/ / ` https : / / iam.googleapis.com / v1 / organizations / { ORGANIZATION_ID } / roles / { CUSTOM_ROLE_ID } `
/ /
/ / Note : Wildcard ( * ) values are invalid ; you must specify a complete project
/ / ID or organization ID.
string name = 1 [ ( google.api.resource_reference ) . type = "*" ] ;
/ / Used to perform a consistent read - modify - write.
bytes etag = 2 ;
@ -751,6 +997,7 @@ message Permission {
string title = 2 ;
/ / A brief description of what this Permission is used for.
/ / This permission can ONLY be used in predefined roles.
string description = 3 ;
/ / This permission can ONLY be used in predefined roles.