diff --git a/google/iam/admin/v1/BUILD.bazel b/google/iam/admin/v1/BUILD.bazel index 2fa8c6ae3..06781471f 100644 --- a/google/iam/admin/v1/BUILD.bazel +++ b/google/iam/admin/v1/BUILD.bazel @@ -16,6 +16,9 @@ proto_library( ], deps = [ "//google/api:annotations_proto", + "//google/api:client_proto", + "//google/api:field_behavior_proto", + "//google/api:resource_proto", "//google/iam/v1:iam_policy_proto", "//google/iam/v1:policy_proto", "@com_google_protobuf//:empty_proto", @@ -60,7 +63,7 @@ java_gapic_library( src = ":admin_proto_with_info", gapic_yaml = "iam_gapic.yaml", package = "google.iam.admin.v1", - service_yaml = "//google/iam:iam.yaml", + service_yaml = "iam.yaml", test_deps = [ ":admin_java_grpc", "//google/iam/v1:iam_java_grpc", @@ -118,7 +121,7 @@ go_gapic_library( gapic_yaml = "iam_gapic.yaml", importpath = "cloud.google.com/go/iam/admin/apiv1", package = "google.iam.admin.v1", - service_yaml = "//google/iam:iam.yaml", + service_yaml = "iam.yaml", deps = [ ":admin_go_proto", "//google/iam/v1:iam_go_proto", @@ -160,6 +163,9 @@ moved_proto_library( srcs = [":admin_proto"], deps = [ "//google/api:annotations_proto", + "//google/api:client_proto", + "//google/api:field_behavior_proto", + "//google/api:resource_proto", "//google/iam/v1:iam_policy_proto", "//google/iam/v1:policy_proto", "@com_google_protobuf//:empty_proto", @@ -185,7 +191,7 @@ py_gapic_library( src = ":admin_proto_with_info", gapic_yaml = "iam_gapic.yaml", package = "google.iam.admin.v1", - service_yaml = "//google/iam:iam.yaml", + service_yaml = "iam.yaml", deps = [ ":admin_py_grpc", ":admin_py_proto", @@ -229,7 +235,7 @@ php_gapic_library( src = ":admin_proto_with_info", gapic_yaml = "iam_gapic.yaml", package = "google.iam.admin.v1", - service_yaml = "//google/iam:iam.yaml", + service_yaml = "iam.yaml", deps = [ ":admin_php_grpc", ":admin_php_proto", 
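Review bot: The `service_yaml = "iam.yaml"` relabel in the java_gapic_library hunk (and likewise the go, py and php hunks on this line and the nodejs, ruby and csharp hunks that follow) now points at a label inside the `google/iam/admin/v1` package, but this diff neither adds nor moves a `google/iam/admin/v1/iam.yaml`. If that file is not already present in the package, every `*_gapic_library` target stops resolving, so the file should land in the same change or its prior presence be confirmed before merging. The three deps added in the first and the moved_proto_library hunks (`client_proto`, `field_behavior_proto`, `resource_proto`) match the three new imports in iam.proto, so that part is consistent.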
@@ -260,7 +266,7 @@ nodejs_gapic_library( src = ":admin_proto_with_info", gapic_yaml = "iam_gapic.yaml", package = "google.iam.admin.v1", - service_yaml = "//google/iam:iam.yaml", + service_yaml = "iam.yaml", deps = [], ) @@ -299,7 +305,7 @@ ruby_gapic_library( src = ":admin_proto_with_info", gapic_yaml = "iam_gapic.yaml", package = "google.iam.admin.v1", - service_yaml = "//google/iam:iam.yaml", + service_yaml = "iam.yaml", deps = [ ":admin_ruby_grpc", ":admin_ruby_proto", @@ -343,7 +349,7 @@ csharp_gapic_library( src = ":admin_proto_with_info", gapic_yaml = "iam_gapic.yaml", package = "google.iam.admin.v1", - service_yaml = "//google/iam:iam.yaml", + service_yaml = "iam.yaml", deps = [ ":admin_csharp_grpc", ":admin_csharp_proto", diff --git a/google/iam/admin/v1/iam.proto b/google/iam/admin/v1/iam.proto index 174e79bd4..804162a41 100644 --- a/google/iam/admin/v1/iam.proto +++ b/google/iam/admin/v1/iam.proto @@ -1,4 +1,4 @@ -// Copyright 2017 Google Inc. +// Copyright 2019 Google LLC. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -17,6 +17,9 @@ syntax = "proto3"; package google.iam.admin.v1; import "google/api/annotations.proto"; +import "google/api/client.proto"; +import "google/api/field_behavior.proto"; +import "google/api/resource.proto"; import "google/iam/v1/iam_policy.proto"; import "google/iam/v1/policy.proto"; import "google/protobuf/empty.proto"; 
@@ -41,17 +44,20 @@ option java_package = "com.google.iam.admin.v1"; // `unique_id`. // // All other methods can identify accounts using the format -// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. -// Using `-` as a wildcard for the project will infer the project from -// the account. The `account` value can be the `email` address or the +// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. +// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from +// the account. The `ACCOUNT` value can be the `email` address or the // `unique_id` of the service account. service IAM { + option (google.api.default_host) = "iam.googleapis.com"; + option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform"; + // Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project. - rpc ListServiceAccounts(ListServiceAccountsRequest) - returns (ListServiceAccountsResponse) { + rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) { option (google.api.http) = { get: "/v1/{name=projects/*}/serviceAccounts" }; + option (google.api.method_signature) = "name"; } // Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. 
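Review bot: The rpc declaration the hunk collapses onto one line, `rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) {`, now runs well past 80 columns, and the same joining happens in the later hunks for the key, IAM-policy and QueryTestablePermissions rpcs. If the repository follows the protobuf style guide's 80-column limit, keep the original two-line form `rpc ListServiceAccounts(ListServiceAccountsRequest)` / `returns (ListServiceAccountsResponse) {` and add the new `method_signature` option below the http option unchanged. The `default_host` and `oauth_scopes` service options themselves look fine; the `service IAM` block continues past the end of this hunk.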
@@ -59,23 +65,23 @@ service IAM { option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*}" }; + option (google.api.method_signature) = "name"; } // Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount] // and returns it. - rpc CreateServiceAccount(CreateServiceAccountRequest) - returns (ServiceAccount) { + rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) { option (google.api.http) = { post: "/v1/{name=projects/*}/serviceAccounts" body: "*" }; + option (google.api.method_signature) = "name,account_id,service_account"; } // Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. // // Currently, only the following fields are updatable: - // `display_name` . - // The `etag` is mandatory. + // `display_name` and `description`. rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) { option (google.api.http) = { put: "/v1/{name=projects/*/serviceAccounts/*}" 
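Review bot: The rewritten UpdateServiceAccount comment `// \`display_name\` and \`description\`.` lists `description` as updatable, but no `description` field appears in the ServiceAccount message anywhere in this diff (its hunks show `display_name = 6`, `etag = 7` and the oauth2 client id), and the same claim is repeated on `CreateServiceAccountRequest.service_account` later in the diff. If the field exists outside the shown hunks this is fine; otherwise the comment documents a field clients cannot set and should name only `display_name` until the field is added. The hunk also drops `The \`etag\` is mandatory.` without saying what replaces it; since the rpc still takes the whole ServiceAccount via `put:`, a line such as `// Updates are applied unconditionally; \`etag\` is not used for concurrency control.` would make the new contract explicit, assuming that is the behavior the later "inoperable legacy field" etag comment implies. UpdateServiceAccount's body continues past the end of the hunk.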
@@ -84,46 +90,46 @@ service IAM { } // Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. - rpc DeleteServiceAccount(DeleteServiceAccountRequest) - returns (google.protobuf.Empty) { + rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/v1/{name=projects/*/serviceAccounts/*}" }; + option (google.api.method_signature) = "name"; } // Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey]. - rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) - returns (ListServiceAccountKeysResponse) { + rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) { option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*}/keys" }; + option (google.api.method_signature) = "name,key_types"; } // Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] // by key id. - rpc GetServiceAccountKey(GetServiceAccountKeyRequest) - returns (ServiceAccountKey) { + rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) { option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" }; + option (google.api.method_signature) = "name,public_key_type"; } // Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] // and returns it. - rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) - returns (ServiceAccountKey) { + rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) { option (google.api.http) = { post: "/v1/{name=projects/*/serviceAccounts/*}/keys" body: "*" }; + option (google.api.method_signature) = "name,private_key_type,key_algorithm"; } // Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. 
- rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) - returns (google.protobuf.Empty) { + rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" }; + option (google.api.method_signature) = "name"; } // Signs a blob using a service account's system-managed private key. @@ -132,6 +138,7 @@ service IAM { post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob" body: "*" }; + option (google.api.method_signature) = "name,bytes_to_sign"; } // Signs a JWT using a service account's system-managed private key. 
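Review bot: CreateServiceAccountKey gains the flattened signature `name,private_key_type,key_algorithm`, but the rpc comment `// Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]` / `// and returns it.` still does not say that the returned message carries the private key, which the `private_key_data` comment later in this diff says is provided only in this response. Adding `// The response is the only place the private key material is returned; store it securely.` on the rpc puts the handling requirement where generated client docs are built from. SignBlob's signature `name,bytes_to_sign` in the second hunk on this line matches the request message. The `service IAM` block starts and ends outside these hunks.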
@@ -144,53 +151,86 @@ service IAM { post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt" body: "*" }; + option (google.api.method_signature) = "name,payload"; } - // Returns the IAM access control policy for a + // Returns the Cloud IAM access control policy for a // [ServiceAccount][google.iam.admin.v1.ServiceAccount]. - rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) - returns (google.iam.v1.Policy) { + // + // Note: Service accounts are both + // [resources and + // identities](/iam/docs/service-accounts#service_account_permissions). This + // method treats the service account as a resource. It returns the Cloud IAM + // policy that reflects what members have access to the service account. + // + // This method does not return what resources the service account has access + // to. To see if a service account has access to a resource, call the + // `getIamPolicy` method on the target resource. For example, to view grants + // for a project, call the + // [projects.getIamPolicy](/resource-manager/reference/rest/v1/projects/getIamPolicy) + // method. + rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) { option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy" - body: "" }; + option (google.api.method_signature) = "resource"; } - // Sets the IAM access control policy for a + // Sets the Cloud IAM access control policy for a // [ServiceAccount][google.iam.admin.v1.ServiceAccount]. - rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) - returns (google.iam.v1.Policy) { + // + // Note: Service accounts are both + // [resources and + // identities](/iam/docs/service-accounts#service_account_permissions). This + // method treats the service account as a resource. Use it to grant members + // access to the service account, such as when they need to impersonate it. + // + // This method does not grant the service account access to other resources, + // such as projects. 
To grant a service account access to resources, include + // the service account in the Cloud IAM policy for the desired resource, then + // call the appropriate `setIamPolicy` method on the target resource. For + // example, to grant a service account access to a project, call the + // [projects.setIamPolicy](/resource-manager/reference/rest/v1/projects/setIamPolicy) + // method. + rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) { option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy" body: "*" }; + option (google.api.method_signature) = "resource,policy"; } // Tests the specified permissions against the IAM access control policy // for a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. - rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) - returns (google.iam.v1.TestIamPermissionsResponse) { + rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) { option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions" body: "*" }; + option (google.api.method_signature) = "resource,permissions"; } // Queries roles that can be granted on a particular resource. // A role is grantable if it can be used as the role in a binding for a policy // for that resource. - rpc QueryGrantableRoles(QueryGrantableRolesRequest) - returns (QueryGrantableRolesResponse) { + rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) { option (google.api.http) = { post: "/v1/roles:queryGrantableRoles" body: "*" }; + option (google.api.method_signature) = "full_resource_name"; } // Lists the Roles defined on a resource. rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) { option (google.api.http) = { get: "/v1/roles" + additional_bindings { + get: "/v1/{parent=organizations/*}/roles" + } + additional_bindings { + get: "/v1/{parent=projects/*}/roles" + } }; } 
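Review bot: The new SetIamPolicy comment says the method grants members access to the service account `such as when they need to impersonate it`, but it stops short of the consequence: a member who can impersonate the service account can exercise every permission the account itself holds on other resources. Appending `// Members granted access to the service account can act with all of its permissions; grant such access narrowly.` after that sentence gives integrators the defensive framing at the point where they read it. Separately, the links in these comments (`/iam/docs/service-accounts#service_account_permissions`, `/resource-manager/reference/rest/v1/projects/getIamPolicy`, and the `/iam/reference/rest/v1/...` links in the ListRolesRequest and GetRoleRequest hunks later) are root-relative and will not resolve from generated client reference docs; absolute `https://cloud.google.com/...` URLs are safer. The `service IAM` block continues outside this hunk.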
@@ -198,6 +238,12 @@ service IAM { rpc GetRole(GetRoleRequest) returns (Role) { option (google.api.http) = { get: "/v1/{name=roles/*}" + additional_bindings { + get: "/v1/{name=organizations/*/roles/*}" + } + additional_bindings { + get: "/v1/{name=projects/*/roles/*}" + } }; } @@ -206,6 +252,10 @@ service IAM { option (google.api.http) = { post: "/v1/{parent=organizations/*}/roles" body: "*" + additional_bindings { + post: "/v1/{parent=projects/*}/roles" + body: "*" + } }; } @@ -214,6 +264,10 @@ service IAM { option (google.api.http) = { patch: "/v1/{name=organizations/*/roles/*}" body: "role" + additional_bindings { + patch: "/v1/{name=projects/*/roles/*}" + body: "role" + } }; } @@ -227,6 +281,9 @@ service IAM { rpc DeleteRole(DeleteRoleRequest) returns (Role) { option (google.api.http) = { delete: "/v1/{name=organizations/*/roles/*}" + additional_bindings { + delete: "/v1/{name=projects/*/roles/*}" + } }; } @@ -235,13 +292,16 @@ service IAM { option (google.api.http) = { post: "/v1/{name=organizations/*/roles/*}:undelete" body: "*" + additional_bindings { + post: "/v1/{name=projects/*/roles/*}:undelete" + body: "*" + } }; } // Lists the permissions testable on a resource. // A permission is testable if it can be tested for an identity on a resource. - rpc QueryTestablePermissions(QueryTestablePermissionsRequest) - returns (QueryTestablePermissionsResponse) { + rpc QueryTestablePermissions(QueryTestablePermissionsRequest) returns (QueryTestablePermissionsResponse) { option (google.api.http) = { post: "/v1/permissions:queryTestablePermissions" body: "*" 
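Review bot: The project-level `additional_bindings` added for GetRole, CreateRole, UpdateRole, DeleteRole and UndeleteRole in these hunks are not reflected in any request-message comment within this diff: ListRolesRequest and GetRoleRequest receive the new three-format description later, but CreateRoleRequest, UpdateRoleRequest, DeleteRoleRequest and UndeleteRoleRequest do not appear, so their `parent`/`name` comments may still document only the `organizations/{ORGANIZATION_ID}/...` form. Unlike every service-account rpc in this change, none of the role rpcs gain a `method_signature`; if that is deliberate it is worth a line in the commit, otherwise at least `option (google.api.method_signature) = "name";` on GetRole would be consistent with the rest. The enclosing `service IAM` block starts and ends outside these hunks.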
@@ -257,25 +317,29 @@ service IAM { // `unique_id`. // // If the account already exists, the account's resource name is returned -// in util::Status's ResourceInfo.resource_name in the format of -// projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}. The caller can -// use the name in other methods to access the account. +// in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller +// can use the name in other methods to access the account. // // All other methods can identify the service account using the format -// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. -// Using `-` as a wildcard for the project will infer the project from -// the account. The `account` value can be the `email` address or the +// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. +// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from +// the account. The `ACCOUNT` value can be the `email` address or the // `unique_id` of the service account. message ServiceAccount { + option (google.api.resource) = { + type: "iam.googleapis.com/ServiceAccount" + pattern: "projects/{project}/serviceAccounts/{service_account}" + }; + // The resource name of the service account in the following format: - // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. // - // Requests using `-` as a wildcard for the project will infer the project - // from the `account` and the `account` value can be the `email` address or - // the `unique_id` of the service account. + // Requests using `-` as a wildcard for the `PROJECT_ID` will infer the + // project from the `account` and the `ACCOUNT` value can be the `email` + // address or the `unique_id` of the service account. // // In responses the resource name will always be in the format - // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. 
string name = 1; // @OutputOnly The id of the project that owns the service account. @@ -287,11 +351,12 @@ message ServiceAccount { // @OutputOnly The email address of the service account. string email = 5; - // Optional. A user-specified description of the service account. Must be - // fewer than 100 UTF-8 bytes. + // Optional. A user-specified name for the service account. + // Must be less than or equal to 100 UTF-8 bytes. string display_name = 6; - // Used to perform a consistent read-modify-write. + // Optional. Note: `etag` is an inoperable legacy field that is only returned + // for backwards compatibility. bytes etag = 7; // @OutputOnly. The OAuth2 client id for the service account. @@ -304,17 +369,22 @@ message ServiceAccount { message CreateServiceAccountRequest { // Required. The resource name of the project associated with the service // accounts, such as `projects/my-project-123`. - string name = 1; + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudresourcemanager.googleapis.com/Project" + } + ]; // Required. The account id that is used to generate the service account // email address and a stable unique id. It is unique within a project, // must be 6-30 characters long, and match the regular expression // `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035. - string account_id = 2; + string account_id = 2 [(google.api.field_behavior) = REQUIRED]; // The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to // create. Currently, only the following values are user assignable: - // `display_name` . + // `display_name` and `description`. ServiceAccount service_account = 3; } 
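Review bot: The etag comment now reads `// Optional. Note: \`etag\` is an inoperable legacy field that is only returned` / `// for backwards compatibility.`, which removes the optimistic-concurrency contract (`Used to perform a consistent read-modify-write.`) that UpdateServiceAccount callers may have relied on for `display_name`; concurrent updates would then be last-write-wins. Say so explicitly, e.g. `// Clients must not rely on it for concurrency control.`, after confirming that is the service's behavior. In the first hunk the rewritten sentence `// in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller` no longer says where the existing account's name is returned (the removed text named the error status's ResourceInfo); stating whether it arrives in an error detail or a success response would remove the ambiguity. ServiceAccount continues outside the first hunk; the CreateServiceAccountRequest hunk is complete.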
@@ -322,7 +392,12 @@ message CreateServiceAccountRequest { message ListServiceAccountsRequest { // Required. The resource name of the project associated with the service // accounts, such as `projects/my-project-123`. - string name = 1; + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudresourcemanager.googleapis.com/Project" + } + ]; // Optional limit on the number of service accounts to include in the // response. Further accounts can subsequently be obtained by including the 
@@ -348,22 +423,32 @@ message ListServiceAccountsResponse { // The service account get request. message GetServiceAccountRequest { - // The resource name of the service account in the following format: - // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. - // Using `-` as a wildcard for the project will infer the project from - // the account. The `account` value can be the `email` address or the + // Required. The resource name of the service account in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. + // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the // `unique_id` of the service account. - string name = 1; + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/ServiceAccount" + } + ]; } // The service account delete request. message DeleteServiceAccountRequest { - // The resource name of the service account in the following format: - // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. - // Using `-` as a wildcard for the project will infer the project from - // the account. The `account` value can be the `email` address or the + // Required. The resource name of the service account in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. + // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the // `unique_id` of the service account. - string name = 1; + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/ServiceAccount" + } + ]; } // The service account keys list request. 
@@ -382,13 +467,18 @@ message ListServiceAccountKeysRequest { SYSTEM_MANAGED = 2; } - // The resource name of the service account in the following format: - // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. + // Required. The resource name of the service account in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. // - // Using `-` as a wildcard for the project, will infer the project from - // the account. The `account` value can be the `email` address or the + // Using `-` as a wildcard for the `PROJECT_ID`, will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the // `unique_id` of the service account. - string name = 1; + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/ServiceAccount" + } + ]; // Filters the types of keys the user wants to include in the list // response. Duplicate key types are not allowed. If no key type 
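Review bot: The rewritten line `// Using \`-\` as a wildcard for the \`PROJECT_ID\`, will infer the project from` keeps a stray comma that the sibling request messages (GetServiceAccountRequest, DeleteServiceAccountRequest, GetServiceAccountKeyRequest) rewritten in this change do not have; drop it: `// Using \`-\` as a wildcard for the \`PROJECT_ID\` will infer the project from`. The REQUIRED annotation and `iam.googleapis.com/ServiceAccount` reference match the other name fields. ListServiceAccountKeysRequest starts and ends outside the hunk.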
@@ -404,13 +494,18 @@ message ListServiceAccountKeysResponse { // The service account key get by id request. message GetServiceAccountKeyRequest { - // The resource name of the service account key in the following format: - // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`. + // Required. The resource name of the service account key in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. // - // Using `-` as a wildcard for the project will infer the project from - // the account. The `account` value can be the `email` address or the + // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the // `unique_id` of the service account. - string name = 1; + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/Key" + } + ]; // The output format of the public key requested. // X509_PEM is the default output format. 
@@ -427,15 +522,22 @@ message GetServiceAccountKeyRequest { // their service accounts. Users retain the private key of these key-pairs, // and Google retains ONLY the public key. // -// System-managed key-pairs are managed automatically by Google, and rotated -// daily without user intervention. The private key never leaves Google's -// servers to maximize security. +// System-managed keys are automatically rotated by Google, and are used for +// signing for a maximum of two weeks. The rotation process is probabilistic, +// and usage of the new key will gradually ramp up and down over the key's +// lifetime. We recommend caching the public key set for a service account for +// no more than 24 hours to ensure you have access to the latest keys. // // Public keys for all service accounts are also published at the OAuth2 // Service Account API. message ServiceAccountKey { + option (google.api.resource) = { + type: "iam.googleapis.com/Key" + pattern: "projects/{project}/serviceAccounts/{service_account}/keys/{key}" + }; + // The resource name of the service account key in the following format - // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`. + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. string name = 1; // The output format for the private key. @@ -452,7 +554,7 @@ message ServiceAccountKey { // The private key data. Only provided in `CreateServiceAccountKey` // responses. Make sure to keep the private key data secure because it // allows for the assertion of the service account identity. - // When decoded, the private key data can be used to authenticate with + // When base64 decoded, the private key data can be used to authenticate with // Google API client libraries and with // gcloud // auth activate-service-account. 
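Review bot: The rewritten line `// When base64 decoded, the private key data can be used to authenticate with` is only accurate for the REST/JSON representation, where proto3 `bytes` fields are base64-encoded; gRPC/protobuf clients receive the raw bytes in `private_key_data` and must not decode them again. Suggest `// When base64 decoded (JSON transport only; protobuf clients receive the raw bytes),` followed by the existing text. The first hunk's new rotation text and the `iam.googleapis.com/Key` resource option read consistently with the `valid_before_time` comment added in the next hunk. ServiceAccountKey continues outside both hunks.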
@@ -465,20 +567,29 @@ message ServiceAccountKey { google.protobuf.Timestamp valid_after_time = 4; // The key can be used before this timestamp. + // For system-managed key pairs, this timestamp is the end time for the + // private key signing operation. The public key could still be used + // for verification for a few hours after this time. google.protobuf.Timestamp valid_before_time = 5; } // The service account key create request. message CreateServiceAccountKeyRequest { - // The resource name of the service account in the following format: - // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. - // Using `-` as a wildcard for the project will infer the project from - // the account. The `account` value can be the `email` address or the + // Required. The resource name of the service account in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. + // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the // `unique_id` of the service account. - string name = 1; - - // The output format of the private key. `GOOGLE_CREDENTIALS_FILE` is the - // default output format. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/ServiceAccount" + } + ]; + + // The output format of the private key. The default value is + // `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File + // format. ServiceAccountPrivateKeyType private_key_type = 2; // Which type of key and algorithm to use for the key. 
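Review bot: The new comment `// The output format of the private key. The default value is` / `// \`TYPE_GOOGLE_CREDENTIALS_FILE\`, which is the Google Credentials File` / `// format.` describes a server-side default, but for a proto3 enum the wire default is the enum's zero value, which is not shown here and is presumably an unspecified sentinel. Say explicitly that leaving the field unset is interpreted by the service as `TYPE_GOOGLE_CREDENTIALS_FILE` (confirm against the enum and the service) so generated docs do not imply the enum's zero value changed. The `name` annotation and the `valid_before_time` addition are consistent with the rest of the change. CreateServiceAccountKeyRequest continues outside the hunk.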
@@ -489,25 +600,35 @@ message CreateServiceAccountKeyRequest { // The service account key delete request. message DeleteServiceAccountKeyRequest { - // The resource name of the service account key in the following format: - // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`. - // Using `-` as a wildcard for the project will infer the project from - // the account. The `account` value can be the `email` address or the + // Required. The resource name of the service account key in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. + // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the // `unique_id` of the service account. - string name = 1; + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/Key" + } + ]; } // The service account sign blob request. message SignBlobRequest { - // The resource name of the service account in the following format: - // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. - // Using `-` as a wildcard for the project will infer the project from - // the account. The `account` value can be the `email` address or the + // Required. The resource name of the service account in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. + // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the // `unique_id` of the service account. - string name = 1; - - // The bytes to sign. - bytes bytes_to_sign = 2; + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/ServiceAccount" + } + ]; + + // Required. The bytes to sign. 
+ bytes bytes_to_sign = 2 [(google.api.field_behavior) = REQUIRED]; } // The service account sign blob response. @@ -521,15 +642,20 @@ message SignBlobResponse { // The service account sign JWT request. message SignJwtRequest { - // The resource name of the service account in the following format: - // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. - // Using `-` as a wildcard for the project will infer the project from - // the account. The `account` value can be the `email` address or the + // Required. The resource name of the service account in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. + // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the // `unique_id` of the service account. - string name = 1; - - // The JWT payload to sign, a JSON JWT Claim set. - string payload = 2; + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/ServiceAccount" + } + ]; + + // Required. The JWT payload to sign, a JSON JWT Claim set. + string payload = 2 [(google.api.field_behavior) = REQUIRED]; } // The service account sign JWT response. @@ -545,10 +671,12 @@ message SignJwtResponse { message Role { // A stage representing a role's lifecycle phase. enum RoleLaunchStage { - // The user has indicated this role is currently in an alpha phase. + // The user has indicated this role is currently in an Alpha phase. If this + // launch stage is selected, the `stage` field will not be included when + // requesting the definition for a given role. ALPHA = 0; - // The user has indicated this role is currently in a beta phase. + // The user has indicated this role is currently in a Beta phase. BETA = 1; // The user has indicated this role is generally available. 
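Review bot: The ALPHA enum comment in the third hunk now states `If this launch stage is selected, the \`stage\` field will not be included when requesting the definition for a given role.`, and the next hunk in the diff repeats the same rule on the `stage` field itself; keeping the behavior in one place (the field comment) and having the enum value say `// See \`Role.stage\` for how this stage affects responses.` avoids the two drifting apart. The `Required.` prefixes and REQUIRED annotations on SignBlobRequest and SignJwtRequest in the first two hunks are consistent with the other request messages. The Role message continues outside the last hunk.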
@@ -561,7 +689,7 @@ message Role { // it is granted to in policies. DISABLED = 5; - // The user has indicated this role is currently in an eap phase. + // The user has indicated this role is currently in an EAP phase. EAP = 6; } @@ -570,21 +698,23 @@ message Role { // When Role is used in CreateRole, the role name must not be set. // // When Role is used in output and other input such as UpdateRole, the role - // name is the complete path, e.g., roles/logging.viewer for curated roles + // name is the complete path, e.g., roles/logging.viewer for predefined roles // and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles. string name = 1; - // Optional. A human-readable title for the role. Typically this + // Optional. A human-readable title for the role. Typically this // is limited to 100 UTF-8 bytes. string title = 2; - // Optional. A human-readable description for the role. + // Optional. A human-readable description for the role. string description = 3; // The names of the permissions this role grants when bound in an IAM policy. repeated string included_permissions = 7; - // The current launch stage of the role. + // The current launch stage of the role. If the `ALPHA` launch stage has been + // selected for a role, the `stage` field will not be included in the + // returned definition for the role. RoleLaunchStage stage = 8; // Used to perform a consistent read-modify-write. @@ -602,7 +732,7 @@ message QueryGrantableRolesRequest { // The name follows the Google Cloud Platform resource format. // For example, a Cloud Platform project with id `my-project` will be named // `//cloudresourcemanager.googleapis.com/projects/my-project`. - string full_resource_name = 1; + string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED]; RoleView view = 2; 
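Review bot: `string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED];` in the QueryGrantableRolesRequest hunk gains the annotation, but the visible comment lines above it do not start with `Required.` as every other REQUIRED field in this change does; if the comment's first line (outside the hunk) lacks it too, add the prefix. The `RoleView view = 2;` context line directly below has no comment at all, unlike `ListRolesRequest.view` which this diff documents at length; a short `// Optional view for the returned Role objects.` would close the gap. QueryGrantableRolesRequest starts and ends outside the hunk.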
@@ -626,11 +756,34 @@ message QueryGrantableRolesResponse { // The request to get all roles defined under a resource. message ListRolesRequest { - // The resource name of the parent resource in one of the following formats: - // `` (empty string) -- this refers to curated roles. - // `organizations/{ORGANIZATION_ID}` - // `projects/{PROJECT_ID}` - string parent = 1; + // The `parent` parameter's value depends on the target resource for the + // request, namely + // [`roles`](/iam/reference/rest/v1/roles), + // [`projects`](/iam/reference/rest/v1/projects.roles), or + // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each + // resource type's `parent` value format is described below: + // + // * [`roles.list()`](/iam/reference/rest/v1/roles/list): An empty string. + // This method doesn't require a resource; it simply returns all + // [predefined roles](/iam/docs/understanding-roles#predefined_roles) in + // Cloud IAM. Example request URL: + // `https://iam.googleapis.com/v1/roles` + // + // * [`projects.roles.list()`](/iam/reference/rest/v1/projects.roles/list): + // `projects/{PROJECT_ID}`. This method lists all project-level + // [custom roles](/iam/docs/understanding-custom-roles). + // Example request URL: + // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` + // + // * [`organizations.roles.list()`](/iam/reference/rest/v1/organizations.roles/list): + // `organizations/{ORGANIZATION_ID}`. This method lists all + // organization-level [custom roles](/iam/docs/understanding-custom-roles). + // Example request URL: + // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles` + // + // Note: Wildcard (*) values are invalid; you must specify a complete project + // ID or organization ID. + string parent = 1 [(google.api.resource_reference).type = "*"]; // Optional limit on the number of roles to include in the response. int32 page_size = 2; 
@@ -638,7 +791,10 @@ message ListRolesRequest { // Optional pagination token returned in an earlier ListRolesResponse. string page_token = 3; - // Optional view for the returned Role objects. + // Optional view for the returned Role objects. When `FULL` is specified, + // the `includedPermissions` field is returned, which includes a list of all + // permissions in the role. The default value is `BASIC`, which does not + // return the `includedPermissions` field. RoleView view = 4; // Include Roles that have been deleted. 
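Review bot: The new comment on `view` refers to the field as `includedPermissions`, the JSON/REST spelling, whereas the field declared in the Role hunk is `included_permissions` and the surrounding comments use proto names (`stage`, `page_token`); for readers of the .proto it is clearer to write `included_permissions` (or give both spellings once). The statement that the default is `BASIC` holds only if `BASIC` is the zero value of `RoleView`, which is declared outside this hunk — worth confirming before documenting it as the default.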
@@ -657,21 +813,61 @@ message ListRolesResponse { // The request to get the definition of an existing role. message GetRoleRequest { - // The resource name of the role in one of the following formats: - // `roles/{ROLE_NAME}` - // `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}` - // `projects/{PROJECT_ID}/roles/{ROLE_NAME}` - string name = 1; + // The `name` parameter's value depends on the target resource for the + // request, namely + // [`roles`](/iam/reference/rest/v1/roles), + // [`projects`](/iam/reference/rest/v1/projects.roles), or + // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each + // resource type's `name` value format is described below: + // + // * [`roles.get()`](/iam/reference/rest/v1/roles/get): `roles/{ROLE_NAME}`. + // This method returns results from all + // [predefined roles](/iam/docs/understanding-roles#predefined_roles) in + // Cloud IAM. Example request URL: + // `https://iam.googleapis.com/v1/roles/{ROLE_NAME}` + // + // * [`projects.roles.get()`](/iam/reference/rest/v1/projects.roles/get): + // `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only + // [custom roles](/iam/docs/understanding-custom-roles) that have been + // created at the project level. Example request URL: + // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` + // + // * [`organizations.roles.get()`](/iam/reference/rest/v1/organizations.roles/get): + // `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method + // returns only [custom roles](/iam/docs/understanding-custom-roles) that + // have been created at the organization level. Example request URL: + // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` + // + // Note: Wildcard (*) values are invalid; you must specify a complete project + // ID or organization ID. + string name = 1 [(google.api.resource_reference).type = "*"]; } // The request to create a new role. 
message CreateRoleRequest { - // The resource name of the parent resource in one of the following formats: - // `organizations/{ORGANIZATION_ID}` - // `projects/{PROJECT_ID}` - string parent = 1; + // The `parent` parameter's value depends on the target resource for the + // request, namely + // [`projects`](/iam/reference/rest/v1/projects.roles) or + // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each + // resource type's `parent` value format is described below: + // + // * [`projects.roles.create()`](/iam/reference/rest/v1/projects.roles/create): + // `projects/{PROJECT_ID}`. This method creates project-level + // [custom roles](/iam/docs/understanding-custom-roles). + // Example request URL: + // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` + // + // * [`organizations.roles.create()`](/iam/reference/rest/v1/organizations.roles/create): + // `organizations/{ORGANIZATION_ID}`. This method creates organization-level + // [custom roles](/iam/docs/understanding-custom-roles). Example request + // URL: + // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles` + // + // Note: Wildcard (*) values are invalid; you must specify a complete project + // ID or organization ID. + string parent = 1 [(google.api.resource_reference).type = "*"]; - // The role id to use for this role. + // The role ID to use for this role. string role_id = 2; // The Role resource to create. 
@@ -680,11 +876,27 @@ message CreateRoleRequest { // The request to update a role. message UpdateRoleRequest { - // The resource name of the role in one of the following formats: - // `roles/{ROLE_NAME}` - // `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}` - // `projects/{PROJECT_ID}/roles/{ROLE_NAME}` - string name = 1; + // The `name` parameter's value depends on the target resource for the + // request, namely + // [`projects`](/iam/reference/rest/v1/projects.roles) or + // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each + // resource type's `name` value format is described below: + // + // * [`projects.roles.patch()`](/iam/reference/rest/v1/projects.roles/patch): + // `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only + // [custom roles](/iam/docs/understanding-custom-roles) that have been + // created at the project level. Example request URL: + // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` + // + // * [`organizations.roles.patch()`](/iam/reference/rest/v1/organizations.roles/patch): + // `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method + // updates only [custom roles](/iam/docs/understanding-custom-roles) that + // have been created at the organization level. Example request URL: + // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` + // + // Note: Wildcard (*) values are invalid; you must specify a complete project + // ID or organization ID. + string name = 1 [(google.api.resource_reference).type = "*"]; // The updated role. Role role = 2; 
@@ -695,10 +907,27 @@ message UpdateRoleRequest { // The request to delete an existing role. message DeleteRoleRequest { - // The resource name of the role in one of the following formats: - // `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}` - // `projects/{PROJECT_ID}/roles/{ROLE_NAME}` - string name = 1; + // The `name` parameter's value depends on the target resource for the + // request, namely + // [`projects`](/iam/reference/rest/v1/projects.roles) or + // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each + // resource type's `name` value format is described below: + // + // * [`projects.roles.delete()`](/iam/reference/rest/v1/projects.roles/delete): + // `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only + // [custom roles](/iam/docs/understanding-custom-roles) that have been + // created at the project level. Example request URL: + // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` + // + // * [`organizations.roles.delete()`](/iam/reference/rest/v1/organizations.roles/delete): + // `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method + // deletes only [custom roles](/iam/docs/understanding-custom-roles) that + // have been created at the organization level. Example request URL: + // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` + // + // Note: Wildcard (*) values are invalid; you must specify a complete project + // ID or organization ID. + string name = 1 [(google.api.resource_reference).type = "*"]; // Used to perform a consistent read-modify-write. bytes etag = 2; 
@@ -706,10 +935,27 @@ message DeleteRoleRequest { // The request to undelete an existing role. message UndeleteRoleRequest { - // The resource name of the role in one of the following formats: - // `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}` - // `projects/{PROJECT_ID}/roles/{ROLE_NAME}` - string name = 1; + // The `name` parameter's value depends on the target resource for the + // request, namely + // [`projects`](/iam/reference/rest/v1/projects.roles) or + // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each + // resource type's `name` value format is described below: + // + // * [`projects.roles.undelete()`](/iam/reference/rest/v1/projects.roles/undelete): + // `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes + // only [custom roles](/iam/docs/understanding-custom-roles) that have been + // created at the project level. Example request URL: + // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` + // + // * [`organizations.roles.undelete()`](/iam/reference/rest/v1/organizations.roles/undelete): + // `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method + // undeletes only [custom roles](/iam/docs/understanding-custom-roles) that + // have been created at the organization level. Example request URL: + // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` + // + // Note: Wildcard (*) values are invalid; you must specify a complete project + // ID or organization ID. + string name = 1 [(google.api.resource_reference).type = "*"]; // Used to perform a consistent read-modify-write. bytes etag = 2; @@ -751,6 +997,7 @@ message Permission { string title = 2; // A brief description of what this Permission is used for. + // This permission can ONLY be used in predefined roles. string description = 3; // This permission can ONLY be used in predefined roles. 
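Review bot: In the Permission hunk, the added line `// This permission can ONLY be used in predefined roles.` is appended to the comment of `description` (field 3), so the description field now documents itself as usable only in predefined roles; the identical sentence already heads the comment of the following field, whose declaration sits just past the hunk, so this looks like a copy-paste slip. Drop the added line, or if the intent was to extend the documentation of `description`, word it so it is not a duplicate of the next field's comment.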
diff --git a/google/iam/admin/v1/iam.yaml b/google/iam/admin/v1/iam.yaml new file mode 100644 index 000000000..df0851e3f --- /dev/null +++ b/google/iam/admin/v1/iam.yaml @@ -0,0 +1,20 @@ +type: google.api.Service +config_version: 2 +name: iam.googleapis.com +title: Identity and Access Management (IAM) API + +apis: +- name: google.iam.admin.v1.IAM + +documentation: + summary: |- + Manages identity and access control for Google Cloud Platform resources, + including the creation of service accounts, which you can use to + authenticate to Google and make API calls. + +authentication: + rules: + - selector: 'google.iam.admin.v1.IAM.*' + oauth: + canonical_scopes: |- + https://www.googleapis.com/auth/cloud-platform diff --git a/google/iam/admin/v1/iam_gapic.legacy.yaml b/google/iam/admin/v1/iam_gapic.legacy.yaml new file mode 100644 index 000000000..4c568c2f9 --- /dev/null +++ b/google/iam/admin/v1/iam_gapic.legacy.yaml 
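Review bot: The new `authentication.rules` entry lists only `https://www.googleapis.com/auth/cloud-platform` under `canonical_scopes`, whereas the deleted `google/iam/iam.yaml` (last hunk of this diff) also listed `https://www.googleapis.com/auth/iam`. If that was not deliberate, the narrower IAM scope should be kept: generated clients take their default scopes from this list, so dropping it means every client asks for the broad cloud-platform scope, and depending on how the service enforces canonical_scopes, tokens issued with only the `auth/iam` scope may stop being accepted. Suggest `canonical_scopes: |-` followed by both scope URLs on separate lines, or a sentence in the commit message recording why the scope was removed. The selector also narrows from `'*'` to `'google.iam.admin.v1.IAM.*'`, which is fine as long as `google.iam.admin.v1.IAM` remains the only entry under `apis`.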
@@ -0,0 +1,249 @@ +type: com.google.api.codegen.ConfigProto +config_schema_version: 1.0.0 +language_settings: + java: + package_name: com.google.cloud.iam.admin.v1 + python: + package_name: google.cloud.iam_admin_v1.gapic + go: + package_name: cloud.google.com/go/iam/admin/apiv1 + csharp: + package_name: Google.Iam.Admin.V1 + ruby: + package_name: Google::Cloud::Iam::Admin::V1 + php: + package_name: Google\Cloud\Iam\Admin\V1 + nodejs: + package_name: iam.v1 + domain_layer_location: google-cloud +interfaces: +- name: google.iam.admin.v1.IAM + collections: + - name_pattern: projects/{project} + entity_name: project + language_overrides: + - language: csharp + common_resource_name: Google.Api.Gax.ResourceNames.ProjectName + - name_pattern: projects/{project}/serviceAccounts/{service_account} + entity_name: service_account + - name_pattern: projects/{project}/serviceAccounts/{service_account}/keys/{key} + entity_name: key + retry_codes_def: + - name: idempotent + retry_codes: + - UNAVAILABLE + - DEADLINE_EXCEEDED + - name: non_idempotent + retry_codes: [] + retry_params_def: + - name: default + initial_retry_delay_millis: 100 + retry_delay_multiplier: 1.3 + max_retry_delay_millis: 60000 + initial_rpc_timeout_millis: 20000 + rpc_timeout_multiplier: 1 + max_rpc_timeout_millis: 20000 + total_timeout_millis: 600000 + methods: + - name: ListServiceAccounts + flattening: + groups: + - parameters: + - name + required_fields: + - name + page_streaming: + request: + page_size_field: page_size + token_field: page_token + response: + token_field: next_page_token + resources_field: accounts + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: project + timeout_millis: 60000 + - name: GetServiceAccount + flattening: + groups: + - parameters: + - name + required_fields: + - name + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: service_account + timeout_millis: 60000 + - name: CreateServiceAccount + 
flattening: + groups: + - parameters: + - name + - account_id + - service_account + required_fields: + - name + - account_id + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + name: project + timeout_millis: 60000 + - name: UpdateServiceAccount + required_fields: + - etag + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: service_account + timeout_millis: 60000 + - name: DeleteServiceAccount + flattening: + groups: + - parameters: + - name + required_fields: + - name + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: service_account + timeout_millis: 60000 + - name: ListServiceAccountKeys + flattening: + groups: + - parameters: + - name + - key_types + required_fields: + - name + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: service_account + timeout_millis: 60000 + - name: GetServiceAccountKey + flattening: + groups: + - parameters: + - name + - public_key_type + required_fields: + - name + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: key + timeout_millis: 60000 + - name: CreateServiceAccountKey + flattening: + groups: + - parameters: + - name + - private_key_type + - key_algorithm + required_fields: + - name + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + name: service_account + timeout_millis: 60000 + - name: DeleteServiceAccountKey + flattening: + groups: + - parameters: + - name + required_fields: + - name + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: key + timeout_millis: 60000 + - name: SignBlob + flattening: + groups: + - parameters: + - name + - bytes_to_sign + required_fields: + - name + - bytes_to_sign + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + name: service_account + timeout_millis: 60000 + - name: GetIamPolicy + 
flattening: + groups: + - parameters: + - resource + required_fields: + - resource + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + resource: service_account + timeout_millis: 60000 + surface_treatments: + - include_languages: + - go + visibility: PRIVATE + - name: SetIamPolicy + flattening: + groups: + - parameters: + - resource + - policy + required_fields: + - resource + - policy + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + resource: service_account + timeout_millis: 60000 + surface_treatments: + - include_languages: + - go + visibility: PRIVATE + - name: TestIamPermissions + flattening: + groups: + - parameters: + - resource + - permissions + required_fields: + - resource + - permissions + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + resource: service_account + timeout_millis: 60000 + - name: QueryGrantableRoles + flattening: + groups: + - parameters: + - full_resource_name + required_fields: + - full_resource_name + retry_codes_name: non_idempotent + retry_params_name: default + timeout_millis: 60000 + - name: SignJwt + flattening: + groups: + - parameters: + - name + - payload + required_fields: + - name + - payload + retry_codes_name: non_idempotent + retry_params_name: default + timeout_millis: 60000 diff --git a/google/iam/admin/v1/iam_gapic.yaml b/google/iam/admin/v1/iam_gapic.yaml index cf122127a..5f63acb7b 100644 --- a/google/iam/admin/v1/iam_gapic.yaml +++ b/google/iam/admin/v1/iam_gapic.yaml @@ -1,5 +1,5 @@ type: com.google.api.codegen.ConfigProto -config_schema_version: 1.0.0 +config_schema_version: 2.0.0 language_settings: java: package_name: com.google.cloud.iam.admin.v1 
@@ -16,234 +16,3 @@ language_settings: nodejs: package_name: iam.v1 domain_layer_location: google-cloud -interfaces: -- name: google.iam.admin.v1.IAM - collections: - - name_pattern: projects/{project} - entity_name: project - language_overrides: - - language: csharp - common_resource_name: Google.Api.Gax.ResourceNames.ProjectName - - name_pattern: projects/{project}/serviceAccounts/{service_account} - entity_name: service_account - - name_pattern: projects/{project}/serviceAccounts/{service_account}/keys/{key} - entity_name: key - retry_codes_def: - - name: idempotent - retry_codes: - - UNAVAILABLE - - DEADLINE_EXCEEDED - - name: non_idempotent - retry_codes: [] - retry_params_def: - - name: default - initial_retry_delay_millis: 100 - retry_delay_multiplier: 1.3 - max_retry_delay_millis: 60000 - initial_rpc_timeout_millis: 20000 - rpc_timeout_multiplier: 1 - max_rpc_timeout_millis: 20000 - total_timeout_millis: 600000 - methods: - - name: ListServiceAccounts - flattening: - groups: - - parameters: - - name - required_fields: - - name - page_streaming: - request: - page_size_field: page_size - token_field: page_token - response: - token_field: next_page_token - resources_field: accounts - retry_codes_name: idempotent - retry_params_name: default - field_name_patterns: - name: project - timeout_millis: 60000 - - name: GetServiceAccount - flattening: - groups: - - parameters: - - name - required_fields: - - name - retry_codes_name: idempotent - retry_params_name: default - field_name_patterns: - name: service_account - timeout_millis: 60000 - - name: CreateServiceAccount - flattening: - groups: - - parameters: - - name - - account_id - - service_account - required_fields: - - name - - account_id - retry_codes_name: non_idempotent - retry_params_name: default - field_name_patterns: - name: project - timeout_millis: 60000 - - name: UpdateServiceAccount - required_fields: - - etag - retry_codes_name: idempotent - retry_params_name: default - field_name_patterns: - name: 
service_account - timeout_millis: 60000 - - name: DeleteServiceAccount - flattening: - groups: - - parameters: - - name - required_fields: - - name - retry_codes_name: idempotent - retry_params_name: default - field_name_patterns: - name: service_account - timeout_millis: 60000 - - name: ListServiceAccountKeys - flattening: - groups: - - parameters: - - name - - key_types - required_fields: - - name - retry_codes_name: idempotent - retry_params_name: default - field_name_patterns: - name: service_account - timeout_millis: 60000 - - name: GetServiceAccountKey - flattening: - groups: - - parameters: - - name - - public_key_type - required_fields: - - name - retry_codes_name: idempotent - retry_params_name: default - field_name_patterns: - name: key - timeout_millis: 60000 - - name: CreateServiceAccountKey - flattening: - groups: - - parameters: - - name - - private_key_type - - key_algorithm - required_fields: - - name - retry_codes_name: non_idempotent - retry_params_name: default - field_name_patterns: - name: service_account - timeout_millis: 60000 - - name: DeleteServiceAccountKey - flattening: - groups: - - parameters: - - name - required_fields: - - name - retry_codes_name: idempotent - retry_params_name: default - field_name_patterns: - name: key - timeout_millis: 60000 - - name: SignBlob - flattening: - groups: - - parameters: - - name - - bytes_to_sign - required_fields: - - name - - bytes_to_sign - retry_codes_name: non_idempotent - retry_params_name: default - field_name_patterns: - name: service_account - timeout_millis: 60000 - - name: GetIamPolicy - flattening: - groups: - - parameters: - - resource - required_fields: - - resource - retry_codes_name: non_idempotent - retry_params_name: default - field_name_patterns: - resource: service_account - timeout_millis: 60000 - surface_treatments: - - include_languages: - - go - visibility: PRIVATE - - name: SetIamPolicy - flattening: - groups: - - parameters: - - resource - - policy - required_fields: - - 
resource - - policy - retry_codes_name: non_idempotent - retry_params_name: default - field_name_patterns: - resource: service_account - timeout_millis: 60000 - surface_treatments: - - include_languages: - - go - visibility: PRIVATE - - name: TestIamPermissions - flattening: - groups: - - parameters: - - resource - - permissions - required_fields: - - resource - - permissions - retry_codes_name: non_idempotent - retry_params_name: default - field_name_patterns: - resource: service_account - timeout_millis: 60000 - - name: QueryGrantableRoles - flattening: - groups: - - parameters: - - full_resource_name - required_fields: - - full_resource_name - retry_codes_name: non_idempotent - retry_params_name: default - timeout_millis: 60000 - - name: SignJwt - flattening: - groups: - - parameters: - - name - - payload - required_fields: - - name - - payload - retry_codes_name: non_idempotent - retry_params_name: default - timeout_millis: 60000 diff --git a/google/iam/artman_iam_admin.yaml b/google/iam/artman_iam_admin.yaml index a973d6c6a..fea9d9d06 100644 --- a/google/iam/artman_iam_admin.yaml +++ b/google/iam/artman_iam_admin.yaml @@ -2,8 +2,9 @@ common: api_name: iam-admin api_version: v1 organization_name: google - service_yaml: iam.yaml + service_yaml: admin/v1/iam.yaml gapic_yaml: admin/v1/iam_gapic.yaml + proto_package: google.iam.admin.v1 src_proto_paths: - admin/v1 proto_deps: diff --git a/google/iam/iam.yaml b/google/iam/iam.yaml deleted file mode 100644 index ccff586b8..000000000 --- a/google/iam/iam.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -# The IAM API Definition. - -type: google.api.Service -config_version: 2 -name: iam.googleapis.com - -title: Google Identity and Access Management (IAM) API - -documentation: - summary: - Manages identity and access control for Google Cloud Platform resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls. - -apis: -- name: google.iam.admin.v1.IAM - -authentication: - rules: - - selector: '*' - oauth: - canonical_scopes: https://www.googleapis.com/auth/iam, - https://www.googleapis.com/auth/cloud-platform