Open sourcing iam admin api. (#151)

* Open sourcing iam admin api.

* Hand edits to the gapic yaml

* Fixed name, src path, and updateServiceAccount method.

* Package names and output paths fix.

* Python package name, iam mixin dependency.
Ernest Landrito 9 years ago committed by GitHub
parent b57a5367ca
commit 65eaa0ef19
  1. 27
      gapic/api/artman_iam.yaml
  2. 468
      google/iam/admin/v1/iam.proto
  3. 238
      google/iam/admin/v1/iam_gapic.yaml
  4. 27
      google/iam/iam.yaml

@ -0,0 +1,27 @@
common:
api_name: google-iam-admin-v1
proto_gen_pkg_deps:
- google-iam-v1
import_proto_path:
- ${REPOROOT}/googleapis
src_proto_path:
- ${REPOROOT}/googleapis/google/iam/admin/v1
service_yaml:
- ${REPOROOT}/googleapis/google/iam/iam.yaml
gapic_api_yaml:
- ${REPOROOT}/googleapis/google/iam/admin/v1/iam_gapic.yaml
output_dir: ${REPOROOT}/artman/output
java:
final_repo_dir: ${REPOROOT}/google-cloud-java/google-cloud-iam
python:
final_repo_dir: ${REPOROOT}/artman/output/gcloud-python-iam
go:
final_repo_dir: ${REPOROOT}/gapi-iam-go
csharp:
final_repo_dir: ${REPOROOT}/artman/output/gcloud-csharp-iam
php:
final_repo_dir: ${REPOROOT}/artman/output/gcloud-php-iam
ruby:
final_repo_dir: ${REPOROOT}/google-cloud-ruby/google-cloud-iam
nodejs:
final_repo_dir: ${REPOROOT}/google-cloud-node/packages/iam

@ -0,0 +1,468 @@
// Copyright 2016 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package google.iam.admin.v1;
import "google/api/annotations.proto";
import "google/iam/v1/iam_policy.proto";
import "google/iam/v1/policy.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";
option cc_enable_arenas = true;
option java_multiple_files = true;
option java_outer_classname = "IamProto";
option java_package = "com.google.iam.admin.v1";
// Creates and manages service account objects.
//
// Service account is an account that belongs to your project instead
// of to an individual end user. It is used to authenticate calls
// to a Google API.
//
// To create a service account, specify the `project_id` and `account_id`
// for the account. The `account_id` is unique within the project, and used
// to generate the service account email address and a stable
// `unique_id`.
//
// All other methods can identify accounts using the format
// `projects/{project}/serviceAccounts/{account}`.
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
service IAM {
// Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project.
rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) {
option (google.api.http) = { get: "/v1/{name=projects/*}/serviceAccounts" };
}
// Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount) {
option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*}" };
}
// Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]
// and returns it.
rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) {
option (google.api.http) = { post: "/v1/{name=projects/*}/serviceAccounts" body: "*" };
}
// Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
//
// Currently, only the following fields are updatable:
// `display_name` .
// The `etag` is mandatory.
rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) {
option (google.api.http) = { put: "/v1/{name=projects/*/serviceAccounts/*}" body: "*" };
}
// Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) {
option (google.api.http) = { delete: "/v1/{name=projects/*/serviceAccounts/*}" };
}
// Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey].
rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) {
option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*}/keys" };
}
// Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
// by key id.
rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) {
option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" };
}
// Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
// and returns it.
rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) {
option (google.api.http) = { post: "/v1/{name=projects/*/serviceAccounts/*}/keys" body: "*" };
}
// Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) {
option (google.api.http) = { delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" };
}
// Signs a blob using a service account's system-managed private key.
rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) {
option (google.api.http) = { post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob" body: "*" };
}
// Returns the IAM access control policy for a
// [ServiceAccount][google.iam.admin.v1.ServiceAccount].
rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy" body: "" };
}
// Sets the IAM access control policy for a
// [ServiceAccount][google.iam.admin.v1.ServiceAccount].
rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy" body: "*" };
}
// Tests the specified permissions against the IAM access control policy
// for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions" body: "*" };
}
// Queries roles that can be granted on a particular resource.
// A role is grantable if it can be used as the role in a binding for a policy
// for that resource.
rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) {
option (google.api.http) = { post: "/v1/roles:queryGrantableRoles" body: "*" };
}
}
// A service account in the Identity and Access Management API.
//
// To create a service account, specify the `project_id` and the `account_id`
// for the account. The `account_id` is unique within the project, and is used
// to generate the service account email address and a stable
// `unique_id`.
//
// If the account already exists, the account's resource name is returned
// in util::Status's ResourceInfo.resource_name in the format of
// projects/{project}/serviceAccounts/{email}. The caller can use the name in
// other methods to access the account.
//
// All other methods can identify the service account using the format
// `projects/{project}/serviceAccounts/{account}`.
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
message ServiceAccount {
// The resource name of the service account in the following format:
// `projects/{project}/serviceAccounts/{account}`.
//
// Requests using `-` as a wildcard for the project will infer the project
// from the `account` and the `account` value can be the `email` address or
// the `unique_id` of the service account.
//
// In responses the resource name will always be in the format
// `projects/{project}/serviceAccounts/{email}`.
string name = 1;
// @OutputOnly The id of the project that owns the service account.
string project_id = 2;
// @OutputOnly The unique and stable id of the service account.
string unique_id = 4;
// @OutputOnly The email address of the service account.
string email = 5;
// Optional. A user-specified description of the service account. Must be
// fewer than 100 UTF-8 bytes.
string display_name = 6;
// Used to perform a consistent read-modify-write.
bytes etag = 7;
// @OutputOnly. The OAuth2 client id for the service account.
// This is used in conjunction with the OAuth2 clientconfig API to make
// three legged OAuth2 (3LO) flows to access the data of Google users.
string oauth2_client_id = 9;
}
// The service account create request.
message CreateServiceAccountRequest {
// Required. The resource name of the project associated with the service
// accounts, such as `projects/my-project-123`.
string name = 1;
// Required. The account id that is used to generate the service account
// email address and a stable unique id. It is unique within a project,
// must be 6-30 characters long, and match the regular expression
// `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
string account_id = 2;
// The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to create.
// Currently, only the following values are user assignable:
// `display_name` .
ServiceAccount service_account = 3;
}
// The service account list request.
message ListServiceAccountsRequest {
// Required. The resource name of the project associated with the service
// accounts, such as `projects/my-project-123`.
string name = 1;
// Optional limit on the number of service accounts to include in the
// response. Further accounts can subsequently be obtained by including the
// [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token]
// in a subsequent request.
int32 page_size = 2;
// Optional pagination token returned in an earlier
// [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token].
string page_token = 3;
}
// The service account list response.
message ListServiceAccountsResponse {
// The list of matching service accounts.
repeated ServiceAccount accounts = 1;
// To retrieve the next page of results, set
// [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token]
// to this value.
string next_page_token = 2;
}
// The service account get request.
message GetServiceAccountRequest {
// The resource name of the service account in the following format:
// `projects/{project}/serviceAccounts/{account}`.
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
string name = 1;
}
// The service account delete request.
message DeleteServiceAccountRequest {
// The resource name of the service account in the following format:
// `projects/{project}/serviceAccounts/{account}`.
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
string name = 1;
}
// The service account keys list request.
message ListServiceAccountKeysRequest {
// `KeyType` filters to selectively retrieve certain varieties
// of keys.
enum KeyType {
// Unspecified key type. The presence of this in the
// message will immediately result in an error.
KEY_TYPE_UNSPECIFIED = 0;
// User-managed keys (managed and rotated by the user).
USER_MANAGED = 1;
// System-managed keys (managed and rotated by Google).
SYSTEM_MANAGED = 2;
}
// The resource name of the service account in the following format:
// `projects/{project}/serviceAccounts/{account}`.
//
// Using `-` as a wildcard for the project, will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
string name = 1;
// Filters the types of keys the user wants to include in the list
// response. Duplicate key types are not allowed. If no key type
// is provided, all keys are returned.
repeated KeyType key_types = 2;
}
// The service account keys list response.
message ListServiceAccountKeysResponse {
// The public keys for the service account.
repeated ServiceAccountKey keys = 1;
}
// The service account key get by id request.
message GetServiceAccountKeyRequest {
// The resource name of the service account key in the following format:
// `projects/{project}/serviceAccounts/{account}/keys/{key}`.
//
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
string name = 1;
// The output format of the public key requested.
// X509_PEM is the default output format.
ServiceAccountPublicKeyType public_key_type = 2;
}
// Represents a service account key.
//
// A service account has two sets of key-pairs: user-managed, and
// system-managed.
//
// User-managed key-pairs can be created and deleted by users. Users are
// responsible for rotating these keys periodically to ensure security of
// their service accounts. Users retain the private key of these key-pairs,
// and Google retains ONLY the public key.
//
// System-managed key-pairs are managed automatically by Google, and rotated
// daily without user intervention. The private key never leaves Google's
// servers to maximize security.
//
// Public keys for all service accounts are also published at the OAuth2
// Service Account API.
message ServiceAccountKey {
// The resource name of the service account key in the following format
// `projects/{project}/serviceAccounts/{account}/keys/{key}`.
string name = 1;
// The output format for the private key.
// Only provided in `CreateServiceAccountKey` responses, not
// in `GetServiceAccountKey` or `ListServiceAccountKey` responses.
//
// Google never exposes system-managed private keys, and never retains
// user-managed private keys.
ServiceAccountPrivateKeyType private_key_type = 2;
// Specifies the algorithm (and possibly key size) for the key.
ServiceAccountKeyAlgorithm key_algorithm = 8;
// The private key data. Only provided in `CreateServiceAccountKey`
// responses.
bytes private_key_data = 3;
// The public key data. Only provided in `GetServiceAccountKey` responses.
bytes public_key_data = 7;
// The key can be used after this timestamp.
google.protobuf.Timestamp valid_after_time = 4;
// The key can be used before this timestamp.
google.protobuf.Timestamp valid_before_time = 5;
}
// The service account key create request.
message CreateServiceAccountKeyRequest {
// The resource name of the service account in the following format:
// `projects/{project}/serviceAccounts/{account}`.
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
string name = 1;
// The output format of the private key. `GOOGLE_CREDENTIALS_FILE` is the
// default output format.
ServiceAccountPrivateKeyType private_key_type = 2;
// Which type of key and algorithm to use for the key.
// The default is currently a 4K RSA key. However this may change in the
// future.
ServiceAccountKeyAlgorithm key_algorithm = 3;
}
// The service account key delete request.
message DeleteServiceAccountKeyRequest {
// The resource name of the service account key in the following format:
// `projects/{project}/serviceAccounts/{account}/keys/{key}`.
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
string name = 1;
}
// The service account sign blob request.
message SignBlobRequest {
// The resource name of the service account in the following format:
// `projects/{project}/serviceAccounts/{account}`.
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
string name = 1;
// The bytes to sign.
bytes bytes_to_sign = 2;
}
// The service account sign blob response.
message SignBlobResponse {
// The id of the key used to sign the blob.
string key_id = 1;
// The signed blob.
bytes signature = 2;
}
// A role in the Identity and Access Management API.
message Role {
// The name of the role.
//
// When Role is used in CreateRole, the role name must not be set.
//
// When Role is used in output and other input such as UpdateRole, the role
// name is the complete path, e.g., roles/logging.viewer for curated roles
// and organizations/{organization-id}/roles/logging.viewer for custom roles.
string name = 1;
// Optional. A human-readable title for the role. Typically this
// is limited to 100 UTF-8 bytes.
string title = 2;
// Optional. A human-readable description for the role.
string description = 3;
}
// The grantable role query request.
message QueryGrantableRolesRequest {
// Required. The full resource name to query from the list of grantable roles.
//
// The name follows the Google Cloud Platform resource format.
// For example, a Cloud Platform project with id `my-project` will be named
// `//cloudresourcemanager.googleapis.com/projects/my-project`.
string full_resource_name = 1;
}
// The grantable role query response.
message QueryGrantableRolesResponse {
// The list of matching roles.
repeated Role roles = 1;
}
// Supported key algorithms.
enum ServiceAccountKeyAlgorithm {
// An unspecified key algorithm.
KEY_ALG_UNSPECIFIED = 0;
// 1k RSA Key.
KEY_ALG_RSA_1024 = 1;
// 2k RSA Key.
KEY_ALG_RSA_2048 = 2;
}
// Supported private key output formats.
enum ServiceAccountPrivateKeyType {
// Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`.
TYPE_UNSPECIFIED = 0;
// PKCS12 format.
// The password for the PKCS12 file is `notasecret`.
// For more information, see https://tools.ietf.org/html/rfc7292.
TYPE_PKCS12_FILE = 1;
// Google Credentials File format.
TYPE_GOOGLE_CREDENTIALS_FILE = 2;
}
// Supported public key output formats.
enum ServiceAccountPublicKeyType {
// Unspecified. Returns nothing here.
TYPE_NONE = 0;
// X509 PEM format.
TYPE_X509_PEM_FILE = 1;
// Raw public key.
TYPE_RAW_PUBLIC_KEY = 2;
}
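Review bot: The comment on `key_algorithm` in `CreateServiceAccountKeyRequest` says the default is currently a 4K RSA key, but `ServiceAccountKeyAlgorithm` only defines `KEY_ALG_RSA_1024` and `KEY_ALG_RSA_2048`, so no enum value matches the documented default and a caller cannot request it explicitly. Either add the value the service actually defaults to or reword the field comment to `// The default is chosen by the service and may change; see ServiceAccountKeyAlgorithm for the values a caller can request explicitly.` Separately, `KEY_ALG_RSA_1024` is below current key-size guidance and its comment should steer callers away from it, e.g. `// 1k RSA Key. Legacy; prefer KEY_ALG_RSA_2048 for new keys.` A smaller style point: `UpdateServiceAccount` takes `ServiceAccount` itself as the request and both delete RPCs return `google.protobuf.Empty`, so neither signature can grow request or response fields later without a breaking change.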

@ -0,0 +1,238 @@
type: com.google.api.codegen.ConfigProto
language_settings:
java:
package_name: com.google.cloud.iam.admin.spi.v1
python:
package_name: google.cloud.gapic.iam_admin.v1
go:
package_name: cloud.google.com/go/iam/admin/apiv1
csharp:
package_name: Google.Iam.Admin.V1
ruby:
package_name: Google::Cloud::Iam::Admin::V1
php:
package_name: Google\Cloud\Iam\Admin\V1
nodejs:
package_name: '@google-cloud/iam'
interfaces:
- name: google.iam.admin.v1.IAM
collections:
- name_pattern: projects/{project}
entity_name: project
- name_pattern: projects/{project}/serviceAccounts/{service_account}
entity_name: service_account
- name_pattern: projects/{project}/serviceAccounts/{service_account}/keys/{key}
entity_name: key
retry_codes_def:
- name: idempotent
retry_codes:
- UNAVAILABLE
- DEADLINE_EXCEEDED
- name: non_idempotent
retry_codes: []
retry_params_def:
- name: default
initial_retry_delay_millis: 100
retry_delay_multiplier: 1.3
max_retry_delay_millis: 60000
initial_rpc_timeout_millis: 20000
rpc_timeout_multiplier: 1
max_rpc_timeout_millis: 20000
total_timeout_millis: 600000
methods:
- name: ListServiceAccounts
flattening:
groups:
- parameters:
- name
required_fields:
- name
request_object_method: true
page_streaming:
request:
page_size_field: page_size
token_field: page_token
response:
token_field: next_page_token
resources_field: accounts
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: project
timeout_millis: 60000
- name: GetServiceAccount
flattening:
groups:
- parameters:
- name
required_fields:
- name
request_object_method: false
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: CreateServiceAccount
flattening:
groups:
- parameters:
- name
- account_id
- service_account
required_fields:
- name
- account_id
request_object_method: true
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
name: project
timeout_millis: 60000
- name: UpdateServiceAccount
required_fields:
- etag
request_object_method: true
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: DeleteServiceAccount
flattening:
groups:
- parameters:
- name
required_fields:
- name
request_object_method: false
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: ListServiceAccountKeys
flattening:
groups:
- parameters:
- name
- key_types
required_fields:
- name
request_object_method: true
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: GetServiceAccountKey
flattening:
groups:
- parameters:
- name
- public_key_type
required_fields:
- name
request_object_method: true
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: key
timeout_millis: 60000
- name: CreateServiceAccountKey
flattening:
groups:
- parameters:
- name
- private_key_type
- key_algorithm
required_fields:
- name
request_object_method: true
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: DeleteServiceAccountKey
flattening:
groups:
- parameters:
- name
required_fields:
- name
request_object_method: false
retry_codes_name: idempotent
retry_params_name: default
field_name_patterns:
name: key
timeout_millis: 60000
- name: SignBlob
flattening:
groups:
- parameters:
- name
- bytes_to_sign
required_fields:
- name
- bytes_to_sign
request_object_method: true
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
name: service_account
timeout_millis: 60000
- name: GetIamPolicy
flattening:
groups:
- parameters:
- resource
required_fields:
- resource
request_object_method: false
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
resource: service_account
timeout_millis: 60000
- name: SetIamPolicy
flattening:
groups:
- parameters:
- resource
- policy
required_fields:
- resource
- policy
request_object_method: true
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
resource: service_account
timeout_millis: 60000
- name: TestIamPermissions
flattening:
groups:
- parameters:
- resource
- permissions
required_fields:
- resource
- permissions
request_object_method: true
retry_codes_name: non_idempotent
retry_params_name: default
field_name_patterns:
resource: service_account
timeout_millis: 60000
- name: QueryGrantableRoles
flattening:
groups:
- parameters:
- full_resource_name
required_fields:
- full_resource_name
request_object_method: false
retry_codes_name: non_idempotent
retry_params_name: default
timeout_millis: 60000
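Review bot: `UpdateServiceAccount` lists only `etag` under `required_fields`, yet the HTTP binding for that RPC in iam.proto routes on `{name=projects/*/serviceAccounts/*}`, so a request without `name` cannot be dispatched at all; the entry should read `required_fields:` / `- name` / `- etag`. `GetIamPolicy` and `QueryGrantableRoles` are read-only lookups but carry `retry_codes_name: non_idempotent`, while `GetServiceAccount` and the list methods use `idempotent`; if the no-retry choice is deliberate because these are POST bindings, a one-line comment on those entries would stop the next reader from "fixing" it. Indentation is flattened in this rendering, so the nesting of `field_name_patterns` and `page_streaming` under each method is inferred rather than verified.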

@ -0,0 +1,27 @@
# The IAM API Definition.
type: google.api.Service
config_version: 2
name: iam.googleapis.com
title: Google Identity and Access Management (IAM) API
documentation:
summary:
Manages identity and access control for Google Cloud Platform resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls.
apis:
- name: google.iam.admin.v1.IAM
authentication:
rules:
- selector: '*'
oauth:
canonical_scopes: https://www.googleapis.com/auth/iam,
https://www.googleapis.com/auth/cloud-platform
context:
rules:
- selector: '*'
requested:
- google.rpc.context.OriginContext