Migrate IAM Admin v1 to GAPIC v2.

Committer: @lukesneeringer
PiperOrigin-RevId: 289411084
pull/594/head
Google APIs 5 years ago committed by Copybara-Service
parent 1017173e9a
commit 0480cf40be
  1. 20
      google/iam/admin/v1/BUILD.bazel
  2. 531
      google/iam/admin/v1/iam.proto
  3. 20
      google/iam/admin/v1/iam.yaml
  4. 249
      google/iam/admin/v1/iam_gapic.legacy.yaml
  5. 233
      google/iam/admin/v1/iam_gapic.yaml
  6. 3
      google/iam/artman_iam_admin.yaml
  7. 21
      google/iam/iam.yaml

@ -16,6 +16,9 @@ proto_library(
], ],
deps = [ deps = [
"//google/api:annotations_proto", "//google/api:annotations_proto",
"//google/api:client_proto",
"//google/api:field_behavior_proto",
"//google/api:resource_proto",
"//google/iam/v1:iam_policy_proto", "//google/iam/v1:iam_policy_proto",
"//google/iam/v1:policy_proto", "//google/iam/v1:policy_proto",
"@com_google_protobuf//:empty_proto", "@com_google_protobuf//:empty_proto",
@ -60,7 +63,7 @@ java_gapic_library(
src = ":admin_proto_with_info", src = ":admin_proto_with_info",
gapic_yaml = "iam_gapic.yaml", gapic_yaml = "iam_gapic.yaml",
package = "google.iam.admin.v1", package = "google.iam.admin.v1",
service_yaml = "//google/iam:iam.yaml", service_yaml = "iam.yaml",
test_deps = [ test_deps = [
":admin_java_grpc", ":admin_java_grpc",
"//google/iam/v1:iam_java_grpc", "//google/iam/v1:iam_java_grpc",
@ -118,7 +121,7 @@ go_gapic_library(
gapic_yaml = "iam_gapic.yaml", gapic_yaml = "iam_gapic.yaml",
importpath = "cloud.google.com/go/iam/admin/apiv1", importpath = "cloud.google.com/go/iam/admin/apiv1",
package = "google.iam.admin.v1", package = "google.iam.admin.v1",
service_yaml = "//google/iam:iam.yaml", service_yaml = "iam.yaml",
deps = [ deps = [
":admin_go_proto", ":admin_go_proto",
"//google/iam/v1:iam_go_proto", "//google/iam/v1:iam_go_proto",
@ -160,6 +163,9 @@ moved_proto_library(
srcs = [":admin_proto"], srcs = [":admin_proto"],
deps = [ deps = [
"//google/api:annotations_proto", "//google/api:annotations_proto",
"//google/api:client_proto",
"//google/api:field_behavior_proto",
"//google/api:resource_proto",
"//google/iam/v1:iam_policy_proto", "//google/iam/v1:iam_policy_proto",
"//google/iam/v1:policy_proto", "//google/iam/v1:policy_proto",
"@com_google_protobuf//:empty_proto", "@com_google_protobuf//:empty_proto",
@ -185,7 +191,7 @@ py_gapic_library(
src = ":admin_proto_with_info", src = ":admin_proto_with_info",
gapic_yaml = "iam_gapic.yaml", gapic_yaml = "iam_gapic.yaml",
package = "google.iam.admin.v1", package = "google.iam.admin.v1",
service_yaml = "//google/iam:iam.yaml", service_yaml = "iam.yaml",
deps = [ deps = [
":admin_py_grpc", ":admin_py_grpc",
":admin_py_proto", ":admin_py_proto",
@ -229,7 +235,7 @@ php_gapic_library(
src = ":admin_proto_with_info", src = ":admin_proto_with_info",
gapic_yaml = "iam_gapic.yaml", gapic_yaml = "iam_gapic.yaml",
package = "google.iam.admin.v1", package = "google.iam.admin.v1",
service_yaml = "//google/iam:iam.yaml", service_yaml = "iam.yaml",
deps = [ deps = [
":admin_php_grpc", ":admin_php_grpc",
":admin_php_proto", ":admin_php_proto",
@ -260,7 +266,7 @@ nodejs_gapic_library(
src = ":admin_proto_with_info", src = ":admin_proto_with_info",
gapic_yaml = "iam_gapic.yaml", gapic_yaml = "iam_gapic.yaml",
package = "google.iam.admin.v1", package = "google.iam.admin.v1",
service_yaml = "//google/iam:iam.yaml", service_yaml = "iam.yaml",
deps = [], deps = [],
) )
@ -299,7 +305,7 @@ ruby_gapic_library(
src = ":admin_proto_with_info", src = ":admin_proto_with_info",
gapic_yaml = "iam_gapic.yaml", gapic_yaml = "iam_gapic.yaml",
package = "google.iam.admin.v1", package = "google.iam.admin.v1",
service_yaml = "//google/iam:iam.yaml", service_yaml = "iam.yaml",
deps = [ deps = [
":admin_ruby_grpc", ":admin_ruby_grpc",
":admin_ruby_proto", ":admin_ruby_proto",
@ -343,7 +349,7 @@ csharp_gapic_library(
src = ":admin_proto_with_info", src = ":admin_proto_with_info",
gapic_yaml = "iam_gapic.yaml", gapic_yaml = "iam_gapic.yaml",
package = "google.iam.admin.v1", package = "google.iam.admin.v1",
service_yaml = "//google/iam:iam.yaml", service_yaml = "iam.yaml",
deps = [ deps = [
":admin_csharp_grpc", ":admin_csharp_grpc",
":admin_csharp_proto", ":admin_csharp_proto",
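Review bot: Every `*_gapic_library` target (the `java_gapic_library` hunk at old line 63 and the go, py, php, nodejs, ruby and csharp ones that follow) now takes `service_yaml = "iam.yaml"` from the package directory instead of the shared `//google/iam:iam.yaml`, and the diffstat shows the new local file is 20 lines. The service config is where the generated clients take their `authentication.rules` (per-method OAuth scopes) from, so please confirm the new `iam.yaml` carries those rules for every `google.iam.admin.v1.IAM` method and not only the name/title stanza; I cannot see either YAML file here, so this is a check to run rather than a defect I can point to. Because both service configs now exist side by side, a short comment above the first `service_yaml` line, `# local service config; keep authentication rules in sync with //google/iam:iam.yaml`, would make the duplication visible to the next editor.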

@ -1,4 +1,4 @@
// Copyright 2017 Google Inc. // Copyright 2019 Google LLC.
// //
// Licensed under the Apache License, Version 2.0 (the "License"); // Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License. // you may not use this file except in compliance with the License.
@ -17,6 +17,9 @@ syntax = "proto3";
package google.iam.admin.v1; package google.iam.admin.v1;
import "google/api/annotations.proto"; import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/iam/v1/iam_policy.proto"; import "google/iam/v1/iam_policy.proto";
import "google/iam/v1/policy.proto"; import "google/iam/v1/policy.proto";
import "google/protobuf/empty.proto"; import "google/protobuf/empty.proto";
@ -41,17 +44,20 @@ option java_package = "com.google.iam.admin.v1";
// `unique_id`. // `unique_id`.
// //
// All other methods can identify accounts using the format // All other methods can identify accounts using the format
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
// Using `-` as a wildcard for the project will infer the project from // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
// the account. The `account` value can be the `email` address or the // the account. The `ACCOUNT` value can be the `email` address or the
// `unique_id` of the service account. // `unique_id` of the service account.
service IAM { service IAM {
option (google.api.default_host) = "iam.googleapis.com";
option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
// Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project. // Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project.
rpc ListServiceAccounts(ListServiceAccountsRequest) rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) {
returns (ListServiceAccountsResponse) {
option (google.api.http) = { option (google.api.http) = {
get: "/v1/{name=projects/*}/serviceAccounts" get: "/v1/{name=projects/*}/serviceAccounts"
}; };
option (google.api.method_signature) = "name";
} }
// Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. // Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
@ -59,23 +65,23 @@ service IAM {
option (google.api.http) = { option (google.api.http) = {
get: "/v1/{name=projects/*/serviceAccounts/*}" get: "/v1/{name=projects/*/serviceAccounts/*}"
}; };
option (google.api.method_signature) = "name";
} }
// Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount] // Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]
// and returns it. // and returns it.
rpc CreateServiceAccount(CreateServiceAccountRequest) rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) {
returns (ServiceAccount) {
option (google.api.http) = { option (google.api.http) = {
post: "/v1/{name=projects/*}/serviceAccounts" post: "/v1/{name=projects/*}/serviceAccounts"
body: "*" body: "*"
}; };
option (google.api.method_signature) = "name,account_id,service_account";
} }
// Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. // Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
// //
// Currently, only the following fields are updatable: // Currently, only the following fields are updatable:
// `display_name` . // `display_name` and `description`.
// The `etag` is mandatory.
rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) { rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) {
option (google.api.http) = { option (google.api.http) = {
put: "/v1/{name=projects/*/serviceAccounts/*}" put: "/v1/{name=projects/*/serviceAccounts/*}"
@ -84,46 +90,46 @@ service IAM {
} }
// Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. // Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
rpc DeleteServiceAccount(DeleteServiceAccountRequest) rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) {
returns (google.protobuf.Empty) {
option (google.api.http) = { option (google.api.http) = {
delete: "/v1/{name=projects/*/serviceAccounts/*}" delete: "/v1/{name=projects/*/serviceAccounts/*}"
}; };
option (google.api.method_signature) = "name";
} }
// Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey]. // Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey].
rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) {
returns (ListServiceAccountKeysResponse) {
option (google.api.http) = { option (google.api.http) = {
get: "/v1/{name=projects/*/serviceAccounts/*}/keys" get: "/v1/{name=projects/*/serviceAccounts/*}/keys"
}; };
option (google.api.method_signature) = "name,key_types";
} }
// Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] // Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
// by key id. // by key id.
rpc GetServiceAccountKey(GetServiceAccountKeyRequest) rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) {
returns (ServiceAccountKey) {
option (google.api.http) = { option (google.api.http) = {
get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
}; };
option (google.api.method_signature) = "name,public_key_type";
} }
// Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] // Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
// and returns it. // and returns it.
rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) {
returns (ServiceAccountKey) {
option (google.api.http) = { option (google.api.http) = {
post: "/v1/{name=projects/*/serviceAccounts/*}/keys" post: "/v1/{name=projects/*/serviceAccounts/*}/keys"
body: "*" body: "*"
}; };
option (google.api.method_signature) = "name,private_key_type,key_algorithm";
} }
// Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. // Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) {
returns (google.protobuf.Empty) {
option (google.api.http) = { option (google.api.http) = {
delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
}; };
option (google.api.method_signature) = "name";
} }
// Signs a blob using a service account's system-managed private key. // Signs a blob using a service account's system-managed private key.
@ -132,6 +138,7 @@ service IAM {
post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob" post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob"
body: "*" body: "*"
}; };
option (google.api.method_signature) = "name,bytes_to_sign";
} }
// Signs a JWT using a service account's system-managed private key. // Signs a JWT using a service account's system-managed private key.
@ -144,53 +151,86 @@ service IAM {
post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt" post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt"
body: "*" body: "*"
}; };
option (google.api.method_signature) = "name,payload";
} }
// Returns the IAM access control policy for a // Returns the Cloud IAM access control policy for a
// [ServiceAccount][google.iam.admin.v1.ServiceAccount]. // [ServiceAccount][google.iam.admin.v1.ServiceAccount].
rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) //
returns (google.iam.v1.Policy) { // Note: Service accounts are both
// [resources and
// identities](/iam/docs/service-accounts#service_account_permissions). This
// method treats the service account as a resource. It returns the Cloud IAM
// policy that reflects what members have access to the service account.
//
// This method does not return what resources the service account has access
// to. To see if a service account has access to a resource, call the
// `getIamPolicy` method on the target resource. For example, to view grants
// for a project, call the
// [projects.getIamPolicy](/resource-manager/reference/rest/v1/projects/getIamPolicy)
// method.
rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
option (google.api.http) = { option (google.api.http) = {
post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy" post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy"
body: ""
}; };
option (google.api.method_signature) = "resource";
} }
// Sets the IAM access control policy for a // Sets the Cloud IAM access control policy for a
// [ServiceAccount][google.iam.admin.v1.ServiceAccount]. // [ServiceAccount][google.iam.admin.v1.ServiceAccount].
rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) //
returns (google.iam.v1.Policy) { // Note: Service accounts are both
// [resources and
// identities](/iam/docs/service-accounts#service_account_permissions). This
// method treats the service account as a resource. Use it to grant members
// access to the service account, such as when they need to impersonate it.
//
// This method does not grant the service account access to other resources,
// such as projects. To grant a service account access to resources, include
// the service account in the Cloud IAM policy for the desired resource, then
// call the appropriate `setIamPolicy` method on the target resource. For
// example, to grant a service account access to a project, call the
// [projects.setIamPolicy](/resource-manager/reference/rest/v1/projects/setIamPolicy)
// method.
rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
option (google.api.http) = { option (google.api.http) = {
post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy" post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy"
body: "*" body: "*"
}; };
option (google.api.method_signature) = "resource,policy";
} }
// Tests the specified permissions against the IAM access control policy // Tests the specified permissions against the IAM access control policy
// for a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. // for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
returns (google.iam.v1.TestIamPermissionsResponse) {
option (google.api.http) = { option (google.api.http) = {
post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions" post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions"
body: "*" body: "*"
}; };
option (google.api.method_signature) = "resource,permissions";
} }
// Queries roles that can be granted on a particular resource. // Queries roles that can be granted on a particular resource.
// A role is grantable if it can be used as the role in a binding for a policy // A role is grantable if it can be used as the role in a binding for a policy
// for that resource. // for that resource.
rpc QueryGrantableRoles(QueryGrantableRolesRequest) rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) {
returns (QueryGrantableRolesResponse) {
option (google.api.http) = { option (google.api.http) = {
post: "/v1/roles:queryGrantableRoles" post: "/v1/roles:queryGrantableRoles"
body: "*" body: "*"
}; };
option (google.api.method_signature) = "full_resource_name";
} }
// Lists the Roles defined on a resource. // Lists the Roles defined on a resource.
rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) { rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) {
option (google.api.http) = { option (google.api.http) = {
get: "/v1/roles" get: "/v1/roles"
additional_bindings {
get: "/v1/{parent=organizations/*}/roles"
}
additional_bindings {
get: "/v1/{parent=projects/*}/roles"
}
}; };
} }
@ -198,6 +238,12 @@ service IAM {
rpc GetRole(GetRoleRequest) returns (Role) { rpc GetRole(GetRoleRequest) returns (Role) {
option (google.api.http) = { option (google.api.http) = {
get: "/v1/{name=roles/*}" get: "/v1/{name=roles/*}"
additional_bindings {
get: "/v1/{name=organizations/*/roles/*}"
}
additional_bindings {
get: "/v1/{name=projects/*/roles/*}"
}
}; };
} }
@ -206,6 +252,10 @@ service IAM {
option (google.api.http) = { option (google.api.http) = {
post: "/v1/{parent=organizations/*}/roles" post: "/v1/{parent=organizations/*}/roles"
body: "*" body: "*"
additional_bindings {
post: "/v1/{parent=projects/*}/roles"
body: "*"
}
}; };
} }
@ -214,6 +264,10 @@ service IAM {
option (google.api.http) = { option (google.api.http) = {
patch: "/v1/{name=organizations/*/roles/*}" patch: "/v1/{name=organizations/*/roles/*}"
body: "role" body: "role"
additional_bindings {
patch: "/v1/{name=projects/*/roles/*}"
body: "role"
}
}; };
} }
@ -227,6 +281,9 @@ service IAM {
rpc DeleteRole(DeleteRoleRequest) returns (Role) { rpc DeleteRole(DeleteRoleRequest) returns (Role) {
option (google.api.http) = { option (google.api.http) = {
delete: "/v1/{name=organizations/*/roles/*}" delete: "/v1/{name=organizations/*/roles/*}"
additional_bindings {
delete: "/v1/{name=projects/*/roles/*}"
}
}; };
} }
@ -235,13 +292,16 @@ service IAM {
option (google.api.http) = { option (google.api.http) = {
post: "/v1/{name=organizations/*/roles/*}:undelete" post: "/v1/{name=organizations/*/roles/*}:undelete"
body: "*" body: "*"
additional_bindings {
post: "/v1/{name=projects/*/roles/*}:undelete"
body: "*"
}
}; };
} }
// Lists the permissions testable on a resource. // Lists the permissions testable on a resource.
// A permission is testable if it can be tested for an identity on a resource. // A permission is testable if it can be tested for an identity on a resource.
rpc QueryTestablePermissions(QueryTestablePermissionsRequest) rpc QueryTestablePermissions(QueryTestablePermissionsRequest) returns (QueryTestablePermissionsResponse) {
returns (QueryTestablePermissionsResponse) {
option (google.api.http) = { option (google.api.http) = {
post: "/v1/permissions:queryTestablePermissions" post: "/v1/permissions:queryTestablePermissions"
body: "*" body: "*"
@ -257,25 +317,29 @@ service IAM {
// `unique_id`. // `unique_id`.
// //
// If the account already exists, the account's resource name is returned // If the account already exists, the account's resource name is returned
// in util::Status's ResourceInfo.resource_name in the format of // in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
// projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}. The caller can // can use the name in other methods to access the account.
// use the name in other methods to access the account.
// //
// All other methods can identify the service account using the format // All other methods can identify the service account using the format
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
// Using `-` as a wildcard for the project will infer the project from // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
// the account. The `account` value can be the `email` address or the // the account. The `ACCOUNT` value can be the `email` address or the
// `unique_id` of the service account. // `unique_id` of the service account.
message ServiceAccount { message ServiceAccount {
option (google.api.resource) = {
type: "iam.googleapis.com/ServiceAccount"
pattern: "projects/{project}/serviceAccounts/{service_account}"
};
// The resource name of the service account in the following format: // The resource name of the service account in the following format:
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
// //
// Requests using `-` as a wildcard for the project will infer the project // Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
// from the `account` and the `account` value can be the `email` address or // project from the `account` and the `ACCOUNT` value can be the `email`
// the `unique_id` of the service account. // address or the `unique_id` of the service account.
// //
// In responses the resource name will always be in the format // In responses the resource name will always be in the format
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
string name = 1; string name = 1;
// @OutputOnly The id of the project that owns the service account. // @OutputOnly The id of the project that owns the service account.
@ -287,11 +351,12 @@ message ServiceAccount {
// @OutputOnly The email address of the service account. // @OutputOnly The email address of the service account.
string email = 5; string email = 5;
// Optional. A user-specified description of the service account. Must be // Optional. A user-specified name for the service account.
// fewer than 100 UTF-8 bytes. // Must be less than or equal to 100 UTF-8 bytes.
string display_name = 6; string display_name = 6;
// Used to perform a consistent read-modify-write. // Optional. Note: `etag` is an inoperable legacy field that is only returned
// for backwards compatibility.
bytes etag = 7; bytes etag = 7;
// @OutputOnly. The OAuth2 client id for the service account. // @OutputOnly. The OAuth2 client id for the service account.
@ -304,17 +369,22 @@ message ServiceAccount {
message CreateServiceAccountRequest { message CreateServiceAccountRequest {
// Required. The resource name of the project associated with the service // Required. The resource name of the project associated with the service
// accounts, such as `projects/my-project-123`. // accounts, such as `projects/my-project-123`.
string name = 1; string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudresourcemanager.googleapis.com/Project"
}
];
// Required. The account id that is used to generate the service account // Required. The account id that is used to generate the service account
// email address and a stable unique id. It is unique within a project, // email address and a stable unique id. It is unique within a project,
// must be 6-30 characters long, and match the regular expression // must be 6-30 characters long, and match the regular expression
// `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035. // `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
string account_id = 2; string account_id = 2 [(google.api.field_behavior) = REQUIRED];
// The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to // The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to
// create. Currently, only the following values are user assignable: // create. Currently, only the following values are user assignable:
// `display_name` . // `display_name` and `description`.
ServiceAccount service_account = 3; ServiceAccount service_account = 3;
} }
@ -322,7 +392,12 @@ message CreateServiceAccountRequest {
message ListServiceAccountsRequest { message ListServiceAccountsRequest {
// Required. The resource name of the project associated with the service // Required. The resource name of the project associated with the service
// accounts, such as `projects/my-project-123`. // accounts, such as `projects/my-project-123`.
string name = 1; string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudresourcemanager.googleapis.com/Project"
}
];
// Optional limit on the number of service accounts to include in the // Optional limit on the number of service accounts to include in the
// response. Further accounts can subsequently be obtained by including the // response. Further accounts can subsequently be obtained by including the
@ -348,22 +423,32 @@ message ListServiceAccountsResponse {
// The service account get request. // The service account get request.
message GetServiceAccountRequest { message GetServiceAccountRequest {
// The resource name of the service account in the following format: // Required. The resource name of the service account in the following format:
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
// Using `-` as a wildcard for the project will infer the project from // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
// the account. The `account` value can be the `email` address or the // the account. The `ACCOUNT` value can be the `email` address or the
// `unique_id` of the service account. // `unique_id` of the service account.
string name = 1; string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/ServiceAccount"
}
];
} }
// The service account delete request. // The service account delete request.
message DeleteServiceAccountRequest { message DeleteServiceAccountRequest {
// The resource name of the service account in the following format: // Required. The resource name of the service account in the following format:
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
// Using `-` as a wildcard for the project will infer the project from // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
// the account. The `account` value can be the `email` address or the // the account. The `ACCOUNT` value can be the `email` address or the
// `unique_id` of the service account. // `unique_id` of the service account.
string name = 1; string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/ServiceAccount"
}
];
} }
// The service account keys list request. // The service account keys list request.
@ -382,13 +467,18 @@ message ListServiceAccountKeysRequest {
SYSTEM_MANAGED = 2; SYSTEM_MANAGED = 2;
} }
// The resource name of the service account in the following format: // Required. The resource name of the service account in the following format:
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
// //
// Using `-` as a wildcard for the project, will infer the project from // Using `-` as a wildcard for the `PROJECT_ID`, will infer the project from
// the account. The `account` value can be the `email` address or the // the account. The `ACCOUNT` value can be the `email` address or the
// `unique_id` of the service account. // `unique_id` of the service account.
string name = 1; string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/ServiceAccount"
}
];
// Filters the types of keys the user wants to include in the list // Filters the types of keys the user wants to include in the list
// response. Duplicate key types are not allowed. If no key type // response. Duplicate key types are not allowed. If no key type
@ -404,13 +494,18 @@ message ListServiceAccountKeysResponse {
// The service account key get by id request. // The service account key get by id request.
message GetServiceAccountKeyRequest { message GetServiceAccountKeyRequest {
// The resource name of the service account key in the following format: // Required. The resource name of the service account key in the following format:
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`. // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
// //
// Using `-` as a wildcard for the project will infer the project from // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
// the account. The `account` value can be the `email` address or the // the account. The `ACCOUNT` value can be the `email` address or the
// `unique_id` of the service account. // `unique_id` of the service account.
string name = 1; string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/Key"
}
];
// The output format of the public key requested. // The output format of the public key requested.
// X509_PEM is the default output format. // X509_PEM is the default output format.
@ -427,15 +522,22 @@ message GetServiceAccountKeyRequest {
// their service accounts. Users retain the private key of these key-pairs, // their service accounts. Users retain the private key of these key-pairs,
// and Google retains ONLY the public key. // and Google retains ONLY the public key.
// //
// System-managed key-pairs are managed automatically by Google, and rotated // System-managed keys are automatically rotated by Google, and are used for
// daily without user intervention. The private key never leaves Google's // signing for a maximum of two weeks. The rotation process is probabilistic,
// servers to maximize security. // and usage of the new key will gradually ramp up and down over the key's
// lifetime. We recommend caching the public key set for a service account for
// no more than 24 hours to ensure you have access to the latest keys.
// //
// Public keys for all service accounts are also published at the OAuth2 // Public keys for all service accounts are also published at the OAuth2
// Service Account API. // Service Account API.
message ServiceAccountKey { message ServiceAccountKey {
option (google.api.resource) = {
type: "iam.googleapis.com/Key"
pattern: "projects/{project}/serviceAccounts/{service_account}/keys/{key}"
};
// The resource name of the service account key in the following format // The resource name of the service account key in the following format
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`. // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
string name = 1; string name = 1;
// The output format for the private key. // The output format for the private key.
@ -452,7 +554,7 @@ message ServiceAccountKey {
// The private key data. Only provided in `CreateServiceAccountKey` // The private key data. Only provided in `CreateServiceAccountKey`
// responses. Make sure to keep the private key data secure because it // responses. Make sure to keep the private key data secure because it
// allows for the assertion of the service account identity. // allows for the assertion of the service account identity.
// When decoded, the private key data can be used to authenticate with // When base64 decoded, the private key data can be used to authenticate with
// Google API client libraries and with // Google API client libraries and with
// <a href="/sdk/gcloud/reference/auth/activate-service-account">gcloud // <a href="/sdk/gcloud/reference/auth/activate-service-account">gcloud
// auth activate-service-account</a>. // auth activate-service-account</a>.
@ -465,20 +567,29 @@ message ServiceAccountKey {
google.protobuf.Timestamp valid_after_time = 4; google.protobuf.Timestamp valid_after_time = 4;
// The key can be used before this timestamp. // The key can be used before this timestamp.
// For system-managed key pairs, this timestamp is the end time for the
// private key signing operation. The public key could still be used
// for verification for a few hours after this time.
google.protobuf.Timestamp valid_before_time = 5; google.protobuf.Timestamp valid_before_time = 5;
} }
// The service account key create request. // The service account key create request.
message CreateServiceAccountKeyRequest { message CreateServiceAccountKeyRequest {
// The resource name of the service account in the following format: // Required. The resource name of the service account in the following format:
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
// Using `-` as a wildcard for the project will infer the project from // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
// the account. The `account` value can be the `email` address or the // the account. The `ACCOUNT` value can be the `email` address or the
// `unique_id` of the service account. // `unique_id` of the service account.
string name = 1; string name = 1 [
(google.api.field_behavior) = REQUIRED,
// The output format of the private key. `GOOGLE_CREDENTIALS_FILE` is the (google.api.resource_reference) = {
// default output format. type: "iam.googleapis.com/ServiceAccount"
}
];
// The output format of the private key. The default value is
// `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File
// format.
ServiceAccountPrivateKeyType private_key_type = 2; ServiceAccountPrivateKeyType private_key_type = 2;
// Which type of key and algorithm to use for the key. // Which type of key and algorithm to use for the key.
@ -489,25 +600,35 @@ message CreateServiceAccountKeyRequest {
// The service account key delete request. // The service account key delete request.
message DeleteServiceAccountKeyRequest { message DeleteServiceAccountKeyRequest {
// The resource name of the service account key in the following format: // Required. The resource name of the service account key in the following format:
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`. // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
// Using `-` as a wildcard for the project will infer the project from // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
// the account. The `account` value can be the `email` address or the // the account. The `ACCOUNT` value can be the `email` address or the
// `unique_id` of the service account. // `unique_id` of the service account.
string name = 1; string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/Key"
}
];
} }
// The service account sign blob request. // The service account sign blob request.
message SignBlobRequest { message SignBlobRequest {
// The resource name of the service account in the following format: // Required. The resource name of the service account in the following format:
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
// Using `-` as a wildcard for the project will infer the project from // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
// the account. The `account` value can be the `email` address or the // the account. The `ACCOUNT` value can be the `email` address or the
// `unique_id` of the service account. // `unique_id` of the service account.
string name = 1; string name = 1 [
(google.api.field_behavior) = REQUIRED,
// The bytes to sign. (google.api.resource_reference) = {
bytes bytes_to_sign = 2; type: "iam.googleapis.com/ServiceAccount"
}
];
// Required. The bytes to sign.
bytes bytes_to_sign = 2 [(google.api.field_behavior) = REQUIRED];
} }
// The service account sign blob response. // The service account sign blob response.
@ -521,15 +642,20 @@ message SignBlobResponse {
// The service account sign JWT request. // The service account sign JWT request.
message SignJwtRequest { message SignJwtRequest {
// The resource name of the service account in the following format: // Required. The resource name of the service account in the following format:
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
// Using `-` as a wildcard for the project will infer the project from // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
// the account. The `account` value can be the `email` address or the // the account. The `ACCOUNT` value can be the `email` address or the
// `unique_id` of the service account. // `unique_id` of the service account.
string name = 1; string name = 1 [
(google.api.field_behavior) = REQUIRED,
// The JWT payload to sign, a JSON JWT Claim set. (google.api.resource_reference) = {
string payload = 2; type: "iam.googleapis.com/ServiceAccount"
}
];
// Required. The JWT payload to sign, a JSON JWT Claim set.
string payload = 2 [(google.api.field_behavior) = REQUIRED];
} }
// The service account sign JWT response. // The service account sign JWT response.
@ -545,10 +671,12 @@ message SignJwtResponse {
message Role { message Role {
// A stage representing a role's lifecycle phase. // A stage representing a role's lifecycle phase.
enum RoleLaunchStage { enum RoleLaunchStage {
// The user has indicated this role is currently in an alpha phase. // The user has indicated this role is currently in an Alpha phase. If this
// launch stage is selected, the `stage` field will not be included when
// requesting the definition for a given role.
ALPHA = 0; ALPHA = 0;
// The user has indicated this role is currently in a beta phase. // The user has indicated this role is currently in a Beta phase.
BETA = 1; BETA = 1;
// The user has indicated this role is generally available. // The user has indicated this role is generally available.
@ -561,7 +689,7 @@ message Role {
// it is granted to in policies. // it is granted to in policies.
DISABLED = 5; DISABLED = 5;
// The user has indicated this role is currently in an eap phase. // The user has indicated this role is currently in an EAP phase.
EAP = 6; EAP = 6;
} }
@ -570,21 +698,23 @@ message Role {
// When Role is used in CreateRole, the role name must not be set. // When Role is used in CreateRole, the role name must not be set.
// //
// When Role is used in output and other input such as UpdateRole, the role // When Role is used in output and other input such as UpdateRole, the role
// name is the complete path, e.g., roles/logging.viewer for curated roles // name is the complete path, e.g., roles/logging.viewer for predefined roles
// and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles. // and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles.
string name = 1; string name = 1;
// Optional. A human-readable title for the role. Typically this // Optional. A human-readable title for the role. Typically this
// is limited to 100 UTF-8 bytes. // is limited to 100 UTF-8 bytes.
string title = 2; string title = 2;
// Optional. A human-readable description for the role. // Optional. A human-readable description for the role.
string description = 3; string description = 3;
// The names of the permissions this role grants when bound in an IAM policy. // The names of the permissions this role grants when bound in an IAM policy.
repeated string included_permissions = 7; repeated string included_permissions = 7;
// The current launch stage of the role. // The current launch stage of the role. If the `ALPHA` launch stage has been
// selected for a role, the `stage` field will not be included in the
// returned definition for the role.
RoleLaunchStage stage = 8; RoleLaunchStage stage = 8;
// Used to perform a consistent read-modify-write. // Used to perform a consistent read-modify-write.
@ -602,7 +732,7 @@ message QueryGrantableRolesRequest {
// The name follows the Google Cloud Platform resource format. // The name follows the Google Cloud Platform resource format.
// For example, a Cloud Platform project with id `my-project` will be named // For example, a Cloud Platform project with id `my-project` will be named
// `//cloudresourcemanager.googleapis.com/projects/my-project`. // `//cloudresourcemanager.googleapis.com/projects/my-project`.
string full_resource_name = 1; string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED];
RoleView view = 2; RoleView view = 2;
@ -626,11 +756,34 @@ message QueryGrantableRolesResponse {
// The request to get all roles defined under a resource. // The request to get all roles defined under a resource.
message ListRolesRequest { message ListRolesRequest {
// The resource name of the parent resource in one of the following formats: // The `parent` parameter's value depends on the target resource for the
// `` (empty string) -- this refers to curated roles. // request, namely
// `organizations/{ORGANIZATION_ID}` // [`roles`](/iam/reference/rest/v1/roles),
// `projects/{PROJECT_ID}` // [`projects`](/iam/reference/rest/v1/projects.roles), or
string parent = 1; // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
// resource type's `parent` value format is described below:
//
// * [`roles.list()`](/iam/reference/rest/v1/roles/list): An empty string.
// This method doesn't require a resource; it simply returns all
// [predefined roles](/iam/docs/understanding-roles#predefined_roles) in
// Cloud IAM. Example request URL:
// `https://iam.googleapis.com/v1/roles`
//
// * [`projects.roles.list()`](/iam/reference/rest/v1/projects.roles/list):
// `projects/{PROJECT_ID}`. This method lists all project-level
// [custom roles](/iam/docs/understanding-custom-roles).
// Example request URL:
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
//
// * [`organizations.roles.list()`](/iam/reference/rest/v1/organizations.roles/list):
// `organizations/{ORGANIZATION_ID}`. This method lists all
// organization-level [custom roles](/iam/docs/understanding-custom-roles).
// Example request URL:
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
//
// Note: Wildcard (*) values are invalid; you must specify a complete project
// ID or organization ID.
string parent = 1 [(google.api.resource_reference).type = "*"];
// Optional limit on the number of roles to include in the response. // Optional limit on the number of roles to include in the response.
int32 page_size = 2; int32 page_size = 2;
@ -638,7 +791,10 @@ message ListRolesRequest {
// Optional pagination token returned in an earlier ListRolesResponse. // Optional pagination token returned in an earlier ListRolesResponse.
string page_token = 3; string page_token = 3;
// Optional view for the returned Role objects. // Optional view for the returned Role objects. When `FULL` is specified,
// the `includedPermissions` field is returned, which includes a list of all
// permissions in the role. The default value is `BASIC`, which does not
// return the `includedPermissions` field.
RoleView view = 4; RoleView view = 4;
// Include Roles that have been deleted. // Include Roles that have been deleted.
@ -657,21 +813,61 @@ message ListRolesResponse {
// The request to get the definition of an existing role. // The request to get the definition of an existing role.
message GetRoleRequest { message GetRoleRequest {
// The resource name of the role in one of the following formats: // The `name` parameter's value depends on the target resource for the
// `roles/{ROLE_NAME}` // request, namely
// `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}` // [`roles`](/iam/reference/rest/v1/roles),
// `projects/{PROJECT_ID}/roles/{ROLE_NAME}` // [`projects`](/iam/reference/rest/v1/projects.roles), or
string name = 1; // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
// resource type's `name` value format is described below:
//
// * [`roles.get()`](/iam/reference/rest/v1/roles/get): `roles/{ROLE_NAME}`.
// This method returns results from all
// [predefined roles](/iam/docs/understanding-roles#predefined_roles) in
// Cloud IAM. Example request URL:
// `https://iam.googleapis.com/v1/roles/{ROLE_NAME}`
//
// * [`projects.roles.get()`](/iam/reference/rest/v1/projects.roles/get):
// `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only
// [custom roles](/iam/docs/understanding-custom-roles) that have been
// created at the project level. Example request URL:
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
//
// * [`organizations.roles.get()`](/iam/reference/rest/v1/organizations.roles/get):
// `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
// returns only [custom roles](/iam/docs/understanding-custom-roles) that
// have been created at the organization level. Example request URL:
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
//
// Note: Wildcard (*) values are invalid; you must specify a complete project
// ID or organization ID.
string name = 1 [(google.api.resource_reference).type = "*"];
} }
// The request to create a new role. // The request to create a new role.
message CreateRoleRequest { message CreateRoleRequest {
// The resource name of the parent resource in one of the following formats: // The `parent` parameter's value depends on the target resource for the
// `organizations/{ORGANIZATION_ID}` // request, namely
// `projects/{PROJECT_ID}` // [`projects`](/iam/reference/rest/v1/projects.roles) or
string parent = 1; // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
// resource type's `parent` value format is described below:
//
// * [`projects.roles.create()`](/iam/reference/rest/v1/projects.roles/create):
// `projects/{PROJECT_ID}`. This method creates project-level
// [custom roles](/iam/docs/understanding-custom-roles).
// Example request URL:
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
//
// * [`organizations.roles.create()`](/iam/reference/rest/v1/organizations.roles/create):
// `organizations/{ORGANIZATION_ID}`. This method creates organization-level
// [custom roles](/iam/docs/understanding-custom-roles). Example request
// URL:
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
//
// Note: Wildcard (*) values are invalid; you must specify a complete project
// ID or organization ID.
string parent = 1 [(google.api.resource_reference).type = "*"];
// The role id to use for this role. // The role ID to use for this role.
string role_id = 2; string role_id = 2;
// The Role resource to create. // The Role resource to create.
@ -680,11 +876,27 @@ message CreateRoleRequest {
// The request to update a role. // The request to update a role.
message UpdateRoleRequest { message UpdateRoleRequest {
// The resource name of the role in one of the following formats: // The `name` parameter's value depends on the target resource for the
// `roles/{ROLE_NAME}` // request, namely
// `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}` // [`projects`](/iam/reference/rest/v1/projects.roles) or
// `projects/{PROJECT_ID}/roles/{ROLE_NAME}` // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
string name = 1; // resource type's `name` value format is described below:
//
// * [`projects.roles.patch()`](/iam/reference/rest/v1/projects.roles/patch):
// `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only
// [custom roles](/iam/docs/understanding-custom-roles) that have been
// created at the project level. Example request URL:
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
//
// * [`organizations.roles.patch()`](/iam/reference/rest/v1/organizations.roles/patch):
// `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
// updates only [custom roles](/iam/docs/understanding-custom-roles) that
// have been created at the organization level. Example request URL:
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
//
// Note: Wildcard (*) values are invalid; you must specify a complete project
// ID or organization ID.
string name = 1 [(google.api.resource_reference).type = "*"];
// The updated role. // The updated role.
Role role = 2; Role role = 2;
@ -695,10 +907,27 @@ message UpdateRoleRequest {
// The request to delete an existing role. // The request to delete an existing role.
message DeleteRoleRequest { message DeleteRoleRequest {
// The resource name of the role in one of the following formats: // The `name` parameter's value depends on the target resource for the
// `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}` // request, namely
// `projects/{PROJECT_ID}/roles/{ROLE_NAME}` // [`projects`](/iam/reference/rest/v1/projects.roles) or
string name = 1; // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
// resource type's `name` value format is described below:
//
// * [`projects.roles.delete()`](/iam/reference/rest/v1/projects.roles/delete):
// `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only
// [custom roles](/iam/docs/understanding-custom-roles) that have been
// created at the project level. Example request URL:
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
//
// * [`organizations.roles.delete()`](/iam/reference/rest/v1/organizations.roles/delete):
// `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
// deletes only [custom roles](/iam/docs/understanding-custom-roles) that
// have been created at the organization level. Example request URL:
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
//
// Note: Wildcard (*) values are invalid; you must specify a complete project
// ID or organization ID.
string name = 1 [(google.api.resource_reference).type = "*"];
// Used to perform a consistent read-modify-write. // Used to perform a consistent read-modify-write.
bytes etag = 2; bytes etag = 2;
@ -706,10 +935,27 @@ message DeleteRoleRequest {
// The request to undelete an existing role. // The request to undelete an existing role.
message UndeleteRoleRequest { message UndeleteRoleRequest {
// The resource name of the role in one of the following formats: // The `name` parameter's value depends on the target resource for the
// `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}` // request, namely
// `projects/{PROJECT_ID}/roles/{ROLE_NAME}` // [`projects`](/iam/reference/rest/v1/projects.roles) or
string name = 1; // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
// resource type's `name` value format is described below:
//
// * [`projects.roles.undelete()`](/iam/reference/rest/v1/projects.roles/undelete):
// `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes
// only [custom roles](/iam/docs/understanding-custom-roles) that have been
// created at the project level. Example request URL:
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
//
// * [`organizations.roles.undelete()`](/iam/reference/rest/v1/organizations.roles/undelete):
// `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
// undeletes only [custom roles](/iam/docs/understanding-custom-roles) that
// have been created at the organization level. Example request URL:
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
//
// Note: Wildcard (*) values are invalid; you must specify a complete project
// ID or organization ID.
string name = 1 [(google.api.resource_reference).type = "*"];
// Used to perform a consistent read-modify-write. // Used to perform a consistent read-modify-write.
bytes etag = 2; bytes etag = 2;
@ -751,6 +997,7 @@ message Permission {
string title = 2; string title = 2;
// A brief description of what this Permission is used for. // A brief description of what this Permission is used for.
// This permission can ONLY be used in predefined roles.
string description = 3; string description = 3;
// This permission can ONLY be used in predefined roles. // This permission can ONLY be used in predefined roles.

@ -0,0 +1,20 @@
type: google.api.Service
config_version: 2
name: iam.googleapis.com
title: Identity and Access Management (IAM) API
apis:
- name: google.iam.admin.v1.IAM
documentation:
summary: |-
Manages identity and access control for Google Cloud Platform resources,
including the creation of service accounts, which you can use to
authenticate to Google and make API calls.
authentication:
rules:
- selector: 'google.iam.admin.v1.IAM.*'
oauth:
canonical_scopes: |-
https://www.googleapis.com/auth/cloud-platform
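Review bot: The authentication rule closing this new service config lists only `https://www.googleapis.com/auth/cloud-platform` under `canonical_scopes`, whereas the service config deleted further down in this same commit declared both `https://www.googleapis.com/auth/iam` and `https://www.googleapis.com/auth/cloud-platform`. Generated clients take their default OAuth scopes from `canonical_scopes`, so this quietly drops the narrower IAM-only scope and leaves the broad `cloud-platform` scope as the sole default, which is the wrong direction for least privilege in a client whose only job is managing service accounts and keys. If the narrowing is deliberate, the commit description should say so; otherwise keep both scopes, e.g. `canonical_scopes: |-` followed by `https://www.googleapis.com/auth/iam,` and `https://www.googleapis.com/auth/cloud-platform`. Note also that the selector was tightened from `'*'` to `'google.iam.admin.v1.IAM.*'`, which is fine for this file since `apis` lists only that interface, but any future interface added to `apis` will have no authentication rule unless it is added here too; a one-line comment above `rules:` saying that would save the next editor a surprise.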

@ -0,0 +1,249 @@
type: com.google.api.codegen.ConfigProto
config_schema_version: 1.0.0
language_settings:
java:
package_name: com.google.cloud.iam.admin.v1
python:
package_name: google.cloud.iam_admin_v1.gapic
go:
package_name: cloud.google.com/go/iam/admin/apiv1
csharp:
package_name: Google.Iam.Admin.V1
ruby:
package_name: Google::Cloud::Iam::Admin::V1
php:
package_name: Google\Cloud\Iam\Admin\V1
nodejs:
package_name: iam.v1
domain_layer_location: google-cloud
interfaces:
- name: google.iam.admin.v1.IAM
collections:
- name_pattern: projects/{project}
entity_name: project
language_overrides:
- language: csharp
common_resource_name: Google.Api.Gax.ResourceNames.ProjectName
- name_pattern: projects/{project}/serviceAccounts/{service_account}
entity_name: service_account
- name_pattern: projects/{project}/serviceAccounts/{service_account}/keys/{key}
entity_name: key
retry_codes_def:
- name: idempotent
retry_codes:
- UNAVAILABLE
- DEADLINE_EXCEEDED
- name: non_idempotent
retry_codes: []
retry_params_def:
- name: default
initial_retry_delay_millis: 100
retry_delay_multiplier: 1.3
max_retry_delay_millis: 60000
initial_rpc_timeout_millis: 20000
rpc_timeout_multiplier: 1
max_rpc_timeout_millis: 20000
total_timeout_millis: 600000
methods:
- name: ListServiceAccounts
flattening:
groups:
- parameters:
- name
required_fields:
- name
page_streaming:
request:
page_size_field: page_size
token_field: page_token
response:
token_field: next_page_token
resources_field: accounts
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: project
timeout_millis: 60000
- name: GetServiceAccount
flattening:
groups:
- parameters:
- name
required_fields:
- name
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: CreateServiceAccount
flattening:
groups:
- parameters:
- name
- account_id
- service_account
required_fields:
- name
- account_id
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
name: project
timeout_millis: 60000
- name: UpdateServiceAccount
required_fields:
- etag
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: DeleteServiceAccount
flattening:
groups:
- parameters:
- name
required_fields:
- name
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: ListServiceAccountKeys
flattening:
groups:
- parameters:
- name
- key_types
required_fields:
- name
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: GetServiceAccountKey
flattening:
groups:
- parameters:
- name
- public_key_type
required_fields:
- name
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: key
timeout_millis: 60000
- name: CreateServiceAccountKey
flattening:
groups:
- parameters:
- name
- private_key_type
- key_algorithm
required_fields:
- name
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: DeleteServiceAccountKey
flattening:
groups:
- parameters:
- name
required_fields:
- name
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: key
timeout_millis: 60000
- name: SignBlob
flattening:
groups:
- parameters:
- name
- bytes_to_sign
required_fields:
- name
- bytes_to_sign
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: GetIamPolicy
flattening:
groups:
- parameters:
- resource
required_fields:
- resource
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
resource: service_account
timeout_millis: 60000
surface_treatments:
- include_languages:
- go
visibility: PRIVATE
- name: SetIamPolicy
flattening:
groups:
- parameters:
- resource
- policy
required_fields:
- resource
- policy
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
resource: service_account
timeout_millis: 60000
surface_treatments:
- include_languages:
- go
visibility: PRIVATE
- name: TestIamPermissions
flattening:
groups:
- parameters:
- resource
- permissions
required_fields:
- resource
- permissions
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
resource: service_account
timeout_millis: 60000
- name: QueryGrantableRoles
flattening:
groups:
- parameters:
- full_resource_name
required_fields:
- full_resource_name
retry_codes_name: non_idempotent
retry_params_name: default
timeout_millis: 60000
- name: SignJwt
flattening:
groups:
- parameters:
- name
- payload
required_fields:
- name
- payload
retry_codes_name: non_idempotent
retry_params_name: default
timeout_millis: 60000
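Review bot: This new file has no header comment explaining why a second, schema-1.0.0 GAPIC config now lives next to `iam_gapic.yaml`, and nothing in it says which generators are expected to consume it or whether its method settings are still authoritative. Its `interfaces` block appears to be a verbatim copy of the block removed from `iam_gapic.yaml` in this same commit, so presumably it is a frozen copy kept for toolchains that have not moved to the 2.0.0 schema; that intent should be written down at the top of the file, e.g. `# Legacy GAPIC config (config_schema_version 1.0.0), kept only for generators that have not migrated to the v2 schema. Retry, timeout and required-field settings here are not read by v2 generators; keep in sync with iam_gapic.yaml until this file is removed.` Without that note a future edit to one file but not the other will silently diverge the retry classification of key-minting calls such as `CreateServiceAccountKey`.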

@ -1,5 +1,5 @@
type: com.google.api.codegen.ConfigProto type: com.google.api.codegen.ConfigProto
config_schema_version: 1.0.0 config_schema_version: 2.0.0
language_settings: language_settings:
java: java:
package_name: com.google.cloud.iam.admin.v1 package_name: com.google.cloud.iam.admin.v1
@ -16,234 +16,3 @@ language_settings:
nodejs: nodejs:
package_name: iam.v1 package_name: iam.v1
domain_layer_location: google-cloud domain_layer_location: google-cloud
interfaces:
- name: google.iam.admin.v1.IAM
collections:
- name_pattern: projects/{project}
entity_name: project
language_overrides:
- language: csharp
common_resource_name: Google.Api.Gax.ResourceNames.ProjectName
- name_pattern: projects/{project}/serviceAccounts/{service_account}
entity_name: service_account
- name_pattern: projects/{project}/serviceAccounts/{service_account}/keys/{key}
entity_name: key
retry_codes_def:
- name: idempotent
retry_codes:
- UNAVAILABLE
- DEADLINE_EXCEEDED
- name: non_idempotent
retry_codes: []
retry_params_def:
- name: default
initial_retry_delay_millis: 100
retry_delay_multiplier: 1.3
max_retry_delay_millis: 60000
initial_rpc_timeout_millis: 20000
rpc_timeout_multiplier: 1
max_rpc_timeout_millis: 20000
total_timeout_millis: 600000
methods:
- name: ListServiceAccounts
flattening:
groups:
- parameters:
- name
required_fields:
- name
page_streaming:
request:
page_size_field: page_size
token_field: page_token
response:
token_field: next_page_token
resources_field: accounts
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: project
timeout_millis: 60000
- name: GetServiceAccount
flattening:
groups:
- parameters:
- name
required_fields:
- name
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: CreateServiceAccount
flattening:
groups:
- parameters:
- name
- account_id
- service_account
required_fields:
- name
- account_id
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
name: project
timeout_millis: 60000
- name: UpdateServiceAccount
required_fields:
- etag
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: DeleteServiceAccount
flattening:
groups:
- parameters:
- name
required_fields:
- name
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: ListServiceAccountKeys
flattening:
groups:
- parameters:
- name
- key_types
required_fields:
- name
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: GetServiceAccountKey
flattening:
groups:
- parameters:
- name
- public_key_type
required_fields:
- name
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: key
timeout_millis: 60000
- name: CreateServiceAccountKey
flattening:
groups:
- parameters:
- name
- private_key_type
- key_algorithm
required_fields:
- name
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: DeleteServiceAccountKey
flattening:
groups:
- parameters:
- name
required_fields:
- name
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: key
timeout_millis: 60000
- name: SignBlob
flattening:
groups:
- parameters:
- name
- bytes_to_sign
required_fields:
- name
- bytes_to_sign
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: GetIamPolicy
flattening:
groups:
- parameters:
- resource
required_fields:
- resource
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
resource: service_account
timeout_millis: 60000
surface_treatments:
- include_languages:
- go
visibility: PRIVATE
- name: SetIamPolicy
flattening:
groups:
- parameters:
- resource
- policy
required_fields:
- resource
- policy
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
resource: service_account
timeout_millis: 60000
surface_treatments:
- include_languages:
- go
visibility: PRIVATE
- name: TestIamPermissions
flattening:
groups:
- parameters:
- resource
- permissions
required_fields:
- resource
- permissions
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
resource: service_account
timeout_millis: 60000
- name: QueryGrantableRoles
flattening:
groups:
- parameters:
- full_resource_name
required_fields:
- full_resource_name
retry_codes_name: non_idempotent
retry_params_name: default
timeout_millis: 60000
- name: SignJwt
flattening:
groups:
- parameters:
- name
- payload
required_fields:
- name
- payload
retry_codes_name: non_idempotent
retry_params_name: default
timeout_millis: 60000
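Review bot: Removing the entire `interfaces` block drops the per-method retry classification and the Go `visibility: PRIVATE` surface treatment, and nothing else in this commit adds a replacement: the proto hunks add `field_behavior` and `resource_reference` annotations, which cover `required_fields` and resource patterns, but carry no retry, timeout or surface-visibility policy. The methods that were explicitly `non_idempotent` with an empty retry list (`CreateServiceAccountKey`, `SignBlob`, `SignJwt`, `SetIamPolicy`, `CreateServiceAccount`) are exactly the ones where a blind retry is dangerous — a `CreateServiceAccountKey` call that times out after the server has already minted the key and is retried produces a second, never-surfaced private key, and a retried `SetIamPolicy` can overwrite a concurrent policy change. If the v2 generators fall back to a default policy that retries on `UNAVAILABLE`/`DEADLINE_EXCEEDED`, that is a behavior change for every regenerated client; a gRPC service config carrying the old idempotent/non-idempotent split should land with this commit, or the commit description should state where the retry policy now lives. Likewise, unless handled elsewhere, the Go `GetIamPolicy`/`SetIamPolicy` methods that were marked private would now be emitted as public API, which is worth confirming before regeneration.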

@ -2,8 +2,9 @@ common:
api_name: iam-admin api_name: iam-admin
api_version: v1 api_version: v1
organization_name: google organization_name: google
service_yaml: iam.yaml service_yaml: admin/v1/iam.yaml
gapic_yaml: admin/v1/iam_gapic.yaml gapic_yaml: admin/v1/iam_gapic.yaml
proto_package: google.iam.admin.v1
src_proto_paths: src_proto_paths:
- admin/v1 - admin/v1
proto_deps: proto_deps:

@ -1,21 +0,0 @@
# The IAM API Definition.
type: google.api.Service
config_version: 2
name: iam.googleapis.com
title: Google Identity and Access Management (IAM) API
documentation:
summary:
Manages identity and access control for Google Cloud Platform resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls.
apis:
- name: google.iam.admin.v1.IAM
authentication:
rules:
- selector: '*'
oauth:
canonical_scopes: https://www.googleapis.com/auth/iam,
https://www.googleapis.com/auth/cloud-platform