From 65eaa0ef1983ed106f60eaefcd9a72fbc35d74a7 Mon Sep 17 00:00:00 2001 From: Ernest Landrito Date: Fri, 23 Sep 2016 10:45:27 -0700 Subject: [PATCH] Open sourcing iam admin api. (#151) * Open sourcing iam admin api. * Hand edits to the gapic yaml * Fixed name, src path, and updateServiceAccount method. * Package names and output paths fix. * Python package name, iam mixin dependency. --- gapic/api/artman_iam.yaml | 27 ++ google/iam/admin/v1/iam.proto | 468 +++++++++++++++++++++++++++++ google/iam/admin/v1/iam_gapic.yaml | 238 +++++++++++++++ google/iam/iam.yaml | 27 ++ 4 files changed, 760 insertions(+) create mode 100644 gapic/api/artman_iam.yaml create mode 100644 google/iam/admin/v1/iam.proto create mode 100644 google/iam/admin/v1/iam_gapic.yaml create mode 100644 google/iam/iam.yaml diff --git a/gapic/api/artman_iam.yaml b/gapic/api/artman_iam.yaml new file mode 100644 index 000000000..d39a0891d --- /dev/null +++ b/gapic/api/artman_iam.yaml @@ -0,0 +1,27 @@ +common: + api_name: google-iam-admin-v1 + proto_gen_pkg_deps: + - google-iam-v1 + import_proto_path: + - ${REPOROOT}/googleapis + src_proto_path: + - ${REPOROOT}/googleapis/google/iam/admin/v1 + service_yaml: + - ${REPOROOT}/googleapis/google/iam/iam.yaml + gapic_api_yaml: + - ${REPOROOT}/googleapis/google/iam/admin/v1/iam_gapic.yaml + output_dir: ${REPOROOT}/artman/output +java: + final_repo_dir: ${REPOROOT}/google-cloud-java/google-cloud-iam +python: + final_repo_dir: ${REPOROOT}/artman/output/gcloud-python-iam +go: + final_repo_dir: ${REPOROOT}/gapi-iam-go +csharp: + final_repo_dir: ${REPOROOT}/artman/output/gcloud-csharp-iam +php: + final_repo_dir: ${REPOROOT}/artman/output/gcloud-php-iam +ruby: + final_repo_dir: ${REPOROOT}/google-cloud-ruby/google-cloud-iam +nodejs: + final_repo_dir: ${REPOROOT}/google-cloud-node/packages/iam diff --git a/google/iam/admin/v1/iam.proto b/google/iam/admin/v1/iam.proto new file mode 100644 index 000000000..fd2a8e6e4 --- /dev/null +++ b/google/iam/admin/v1/iam.proto @@ -0,0 +1,468 @@ +// Copyright 2016 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.iam.admin.v1; + +import "google/api/annotations.proto"; +import "google/iam/v1/iam_policy.proto"; +import "google/iam/v1/policy.proto"; +import "google/protobuf/empty.proto"; +import "google/protobuf/field_mask.proto"; +import "google/protobuf/timestamp.proto"; + +option cc_enable_arenas = true; +option java_multiple_files = true; +option java_outer_classname = "IamProto"; +option java_package = "com.google.iam.admin.v1"; + + +// Creates and manages service account objects. +// +// Service account is an account that belongs to your project instead +// of to an individual end user. It is used to authenticate calls +// to a Google API. +// +// To create a service account, specify the `project_id` and `account_id` +// for the account. The `account_id` is unique within the project, and used +// to generate the service account email address and a stable +// `unique_id`. +// +// All other methods can identify accounts using the format +// `projects/{project}/serviceAccounts/{account}`. +// Using `-` as a wildcard for the project will infer the project from +// the account. The `account` value can be the `email` address or the +// `unique_id` of the service account. +service IAM { + // Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project. + rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) { + option (google.api.http) = { get: "/v1/{name=projects/*}/serviceAccounts" }; + } + + // Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount) { + option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*}" }; + } + + // Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount] + // and returns it. + rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) { + option (google.api.http) = { post: "/v1/{name=projects/*}/serviceAccounts" body: "*" }; + } + + // Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + // + // Currently, only the following fields are updatable: + // `display_name` . + // The `etag` is mandatory. + rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) { + option (google.api.http) = { put: "/v1/{name=projects/*/serviceAccounts/*}" body: "*" }; + } + + // Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) { + option (google.api.http) = { delete: "/v1/{name=projects/*/serviceAccounts/*}" }; + } + + // Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey]. + rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) { + option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*}/keys" }; + } + + // Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] + // by key id. + rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) { + option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" }; + } + + // Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] + // and returns it. + rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) { + option (google.api.http) = { post: "/v1/{name=projects/*/serviceAccounts/*}/keys" body: "*" }; + } + + // Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. + rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) { + option (google.api.http) = { delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" }; + } + + // Signs a blob using a service account's system-managed private key. + rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) { + option (google.api.http) = { post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob" body: "*" }; + } + + // Returns the IAM access control policy for a + // [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy" body: "" }; + } + + // Sets the IAM access control policy for a + // [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy" body: "*" }; + } + + // Tests the specified permissions against the IAM access control policy + // for a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) { + option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions" body: "*" }; + } + + // Queries roles that can be granted on a particular resource. + // A role is grantable if it can be used as the role in a binding for a policy + // for that resource. + rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) { + option (google.api.http) = { post: "/v1/roles:queryGrantableRoles" body: "*" }; + } +} + +// A service account in the Identity and Access Management API. +// +// To create a service account, specify the `project_id` and the `account_id` +// for the account. The `account_id` is unique within the project, and is used +// to generate the service account email address and a stable +// `unique_id`. +// +// If the account already exists, the account's resource name is returned +// in util::Status's ResourceInfo.resource_name in the format of +// projects/{project}/serviceAccounts/{email}. The caller can use the name in +// other methods to access the account. +// +// All other methods can identify the service account using the format +// `projects/{project}/serviceAccounts/{account}`. +// Using `-` as a wildcard for the project will infer the project from +// the account. The `account` value can be the `email` address or the +// `unique_id` of the service account. +message ServiceAccount { + // The resource name of the service account in the following format: + // `projects/{project}/serviceAccounts/{account}`. + // + // Requests using `-` as a wildcard for the project will infer the project + // from the `account` and the `account` value can be the `email` address or + // the `unique_id` of the service account. + // + // In responses the resource name will always be in the format + // `projects/{project}/serviceAccounts/{email}`. + string name = 1; + + // @OutputOnly The id of the project that owns the service account. + string project_id = 2; + + // @OutputOnly The unique and stable id of the service account. + string unique_id = 4; + + // @OutputOnly The email address of the service account. + string email = 5; + + // Optional. A user-specified description of the service account. Must be + // fewer than 100 UTF-8 bytes. + string display_name = 6; + + // Used to perform a consistent read-modify-write. + bytes etag = 7; + + // @OutputOnly. The OAuth2 client id for the service account. + // This is used in conjunction with the OAuth2 clientconfig API to make + // three legged OAuth2 (3LO) flows to access the data of Google users. + string oauth2_client_id = 9; +} + +// The service account create request. +message CreateServiceAccountRequest { + // Required. The resource name of the project associated with the service + // accounts, such as `projects/my-project-123`. + string name = 1; + + // Required. The account id that is used to generate the service account + // email address and a stable unique id. It is unique within a project, + // must be 6-30 characters long, and match the regular expression + // `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035. + string account_id = 2; + + // The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to create. + // Currently, only the following values are user assignable: + // `display_name` . + ServiceAccount service_account = 3; +} + +// The service account list request. +message ListServiceAccountsRequest { + // Required. The resource name of the project associated with the service + // accounts, such as `projects/my-project-123`. + string name = 1; + + // Optional limit on the number of service accounts to include in the + // response. Further accounts can subsequently be obtained by including the + // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token] + // in a subsequent request. + int32 page_size = 2; + + // Optional pagination token returned in an earlier + // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token]. + string page_token = 3; +} + +// The service account list response. +message ListServiceAccountsResponse { + // The list of matching service accounts. + repeated ServiceAccount accounts = 1; + + // To retrieve the next page of results, set + // [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token] + // to this value. + string next_page_token = 2; +} + +// The service account get request. +message GetServiceAccountRequest { + // The resource name of the service account in the following format: + // `projects/{project}/serviceAccounts/{account}`. + // Using `-` as a wildcard for the project will infer the project from + // the account. The `account` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1; +} + +// The service account delete request. +message DeleteServiceAccountRequest { + // The resource name of the service account in the following format: + // `projects/{project}/serviceAccounts/{account}`. + // Using `-` as a wildcard for the project will infer the project from + // the account. The `account` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1; +} + +// The service account keys list request. +message ListServiceAccountKeysRequest { + // `KeyType` filters to selectively retrieve certain varieties + // of keys. + enum KeyType { + // Unspecified key type. The presence of this in the + // message will immediately result in an error. + KEY_TYPE_UNSPECIFIED = 0; + + // User-managed keys (managed and rotated by the user). + USER_MANAGED = 1; + + // System-managed keys (managed and rotated by Google). + SYSTEM_MANAGED = 2; + } + + // The resource name of the service account in the following format: + // `projects/{project}/serviceAccounts/{account}`. + // + // Using `-` as a wildcard for the project, will infer the project from + // the account. The `account` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1; + + // Filters the types of keys the user wants to include in the list + // response. Duplicate key types are not allowed. If no key type + // is provided, all keys are returned. + repeated KeyType key_types = 2; +} + +// The service account keys list response. +message ListServiceAccountKeysResponse { + // The public keys for the service account. + repeated ServiceAccountKey keys = 1; +} + +// The service account key get by id request. +message GetServiceAccountKeyRequest { + // The resource name of the service account key in the following format: + // `projects/{project}/serviceAccounts/{account}/keys/{key}`. + // + // Using `-` as a wildcard for the project will infer the project from + // the account. The `account` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1; + + // The output format of the public key requested. + // X509_PEM is the default output format. + ServiceAccountPublicKeyType public_key_type = 2; +} + +// Represents a service account key. +// +// A service account has two sets of key-pairs: user-managed, and +// system-managed. +// +// User-managed key-pairs can be created and deleted by users. Users are +// responsible for rotating these keys periodically to ensure security of +// their service accounts. Users retain the private key of these key-pairs, +// and Google retains ONLY the public key. +// +// System-managed key-pairs are managed automatically by Google, and rotated +// daily without user intervention. The private key never leaves Google's +// servers to maximize security. +// +// Public keys for all service accounts are also published at the OAuth2 +// Service Account API. +message ServiceAccountKey { + // The resource name of the service account key in the following format + // `projects/{project}/serviceAccounts/{account}/keys/{key}`. + string name = 1; + + // The output format for the private key. + // Only provided in `CreateServiceAccountKey` responses, not + // in `GetServiceAccountKey` or `ListServiceAccountKey` responses. + // + // Google never exposes system-managed private keys, and never retains + // user-managed private keys. + ServiceAccountPrivateKeyType private_key_type = 2; + + // Specifies the algorithm (and possibly key size) for the key. + ServiceAccountKeyAlgorithm key_algorithm = 8; + + // The private key data. Only provided in `CreateServiceAccountKey` + // responses. + bytes private_key_data = 3; + + // The public key data. Only provided in `GetServiceAccountKey` responses. + bytes public_key_data = 7; + + // The key can be used after this timestamp. + google.protobuf.Timestamp valid_after_time = 4; + + // The key can be used before this timestamp. + google.protobuf.Timestamp valid_before_time = 5; +} + +// The service account key create request. +message CreateServiceAccountKeyRequest { + // The resource name of the service account in the following format: + // `projects/{project}/serviceAccounts/{account}`. + // Using `-` as a wildcard for the project will infer the project from + // the account. The `account` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1; + + // The output format of the private key. `GOOGLE_CREDENTIALS_FILE` is the + // default output format. + ServiceAccountPrivateKeyType private_key_type = 2; + + // Which type of key and algorithm to use for the key. + // The default is currently a 4K RSA key. However this may change in the + // future. + ServiceAccountKeyAlgorithm key_algorithm = 3; +} + +// The service account key delete request. +message DeleteServiceAccountKeyRequest { + // The resource name of the service account key in the following format: + // `projects/{project}/serviceAccounts/{account}/keys/{key}`. + // Using `-` as a wildcard for the project will infer the project from + // the account. The `account` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1; +} + +// The service account sign blob request. +message SignBlobRequest { + // The resource name of the service account in the following format: + // `projects/{project}/serviceAccounts/{account}`. + // Using `-` as a wildcard for the project will infer the project from + // the account. The `account` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1; + + // The bytes to sign. + bytes bytes_to_sign = 2; +} + +// The service account sign blob response. +message SignBlobResponse { + // The id of the key used to sign the blob. + string key_id = 1; + + // The signed blob. + bytes signature = 2; +} + +// A role in the Identity and Access Management API. +message Role { + // The name of the role. + // + // When Role is used in CreateRole, the role name must not be set. + // + // When Role is used in output and other input such as UpdateRole, the role + // name is the complete path, e.g., roles/logging.viewer for curated roles + // and organizations/{organization-id}/roles/logging.viewer for custom roles. + string name = 1; + + // Optional. A human-readable title for the role. Typically this + // is limited to 100 UTF-8 bytes. + string title = 2; + + // Optional. A human-readable description for the role. + string description = 3; +} + +// The grantable role query request. +message QueryGrantableRolesRequest { + // Required. The full resource name to query from the list of grantable roles. + // + // The name follows the Google Cloud Platform resource format. + // For example, a Cloud Platform project with id `my-project` will be named + // `//cloudresourcemanager.googleapis.com/projects/my-project`. + string full_resource_name = 1; +} + +// The grantable role query response. +message QueryGrantableRolesResponse { + // The list of matching roles. + repeated Role roles = 1; +} + +// Supported key algorithms. +enum ServiceAccountKeyAlgorithm { + // An unspecified key algorithm. + KEY_ALG_UNSPECIFIED = 0; + + // 1k RSA Key. + KEY_ALG_RSA_1024 = 1; + + // 2k RSA Key. + KEY_ALG_RSA_2048 = 2; +} + +// Supported private key output formats. +enum ServiceAccountPrivateKeyType { + // Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`. + TYPE_UNSPECIFIED = 0; + + // PKCS12 format. + // The password for the PKCS12 file is `notasecret`. + // For more information, see https://tools.ietf.org/html/rfc7292. + TYPE_PKCS12_FILE = 1; + + // Google Credentials File format. + TYPE_GOOGLE_CREDENTIALS_FILE = 2; +} + +// Supported public key output formats. +enum ServiceAccountPublicKeyType { + // Unspecified. Returns nothing here. + TYPE_NONE = 0; + + // X509 PEM format. + TYPE_X509_PEM_FILE = 1; + + // Raw public key. + TYPE_RAW_PUBLIC_KEY = 2; +} diff --git a/google/iam/admin/v1/iam_gapic.yaml b/google/iam/admin/v1/iam_gapic.yaml new file mode 100644 index 000000000..0c559f987 --- /dev/null +++ b/google/iam/admin/v1/iam_gapic.yaml @@ -0,0 +1,238 @@ +type: com.google.api.codegen.ConfigProto +language_settings: + java: + package_name: com.google.cloud.iam.admin.spi.v1 + python: + package_name: google.cloud.gapic.iam_admin.v1 + go: + package_name: cloud.google.com/go/iam/admin/apiv1 + csharp: + package_name: Google.Iam.Admin.V1 + ruby: + package_name: Google::Cloud::Iam::Admin::V1 + php: + package_name: Google\Cloud\Iam\Admin\V1 + nodejs: + package_name: '@google-cloud/iam' +interfaces: +- name: google.iam.admin.v1.IAM + collections: + - name_pattern: projects/{project} + entity_name: project + - name_pattern: projects/{project}/serviceAccounts/{service_account} + entity_name: service_account + - name_pattern: projects/{project}/serviceAccounts/{service_account}/keys/{key} + entity_name: key + retry_codes_def: + - name: idempotent + retry_codes: + - UNAVAILABLE + - DEADLINE_EXCEEDED + - name: non_idempotent + retry_codes: [] + retry_params_def: + - name: default + initial_retry_delay_millis: 100 + retry_delay_multiplier: 1.3 + max_retry_delay_millis: 60000 + initial_rpc_timeout_millis: 20000 + rpc_timeout_multiplier: 1 + max_rpc_timeout_millis: 20000 + total_timeout_millis: 600000 + methods: + - name: ListServiceAccounts + flattening: + groups: + - parameters: + - name + required_fields: + - name + request_object_method: true + page_streaming: + request: + page_size_field: page_size + token_field: page_token + response: + token_field: next_page_token + resources_field: accounts + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: project + timeout_millis: 60000 + - name: GetServiceAccount + flattening: + groups: + - parameters: + - name + required_fields: + - name + request_object_method: false + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: service_account + timeout_millis: 60000 + - name: CreateServiceAccount + flattening: + groups: + - parameters: + - name + - account_id + - service_account + required_fields: + - name + - account_id + request_object_method: true + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + name: project + timeout_millis: 60000 + - name: UpdateServiceAccount + required_fields: + - etag + request_object_method: true + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: service_account + timeout_millis: 60000 + - name: DeleteServiceAccount + flattening: + groups: + - parameters: + - name + required_fields: + - name + request_object_method: false + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: service_account + timeout_millis: 60000 + - name: ListServiceAccountKeys + flattening: + groups: + - parameters: + - name + - key_types + required_fields: + - name + request_object_method: true + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: service_account + timeout_millis: 60000 + - name: GetServiceAccountKey + flattening: + groups: + - parameters: + - name + - public_key_type + required_fields: + - name + request_object_method: true + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: key + timeout_millis: 60000 + - name: CreateServiceAccountKey + flattening: + groups: + - parameters: + - name + - private_key_type + - key_algorithm + required_fields: + - name + request_object_method: true + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + name: service_account + timeout_millis: 60000 + - name: DeleteServiceAccountKey + flattening: + groups: + - parameters: + - name + required_fields: + - name + request_object_method: false + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: key + timeout_millis: 60000 + - name: SignBlob + flattening: + groups: + - parameters: + - name + - bytes_to_sign + required_fields: + - name + - bytes_to_sign + request_object_method: true + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + name: service_account + timeout_millis: 60000 + - name: GetIamPolicy + flattening: + groups: + - parameters: + - resource + required_fields: + - resource + request_object_method: false + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + resource: service_account + timeout_millis: 60000 + - name: SetIamPolicy + flattening: + groups: + - parameters: + - resource + - policy + required_fields: + - resource + - policy + request_object_method: true + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + resource: service_account + timeout_millis: 60000 + - name: TestIamPermissions + flattening: + groups: + - parameters: + - resource + - permissions + required_fields: + - resource + - permissions + request_object_method: true + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + resource: service_account + timeout_millis: 60000 + - name: QueryGrantableRoles + flattening: + groups: + - parameters: + - full_resource_name + required_fields: + - full_resource_name + request_object_method: false + retry_codes_name: non_idempotent + retry_params_name: default + timeout_millis: 60000 diff --git a/google/iam/iam.yaml b/google/iam/iam.yaml new file mode 100644 index 000000000..b9714e7b7 --- /dev/null +++ b/google/iam/iam.yaml @@ -0,0 +1,27 @@ +# The IAM API Definition. + +type: google.api.Service +config_version: 2 +name: iam.googleapis.com + +title: Google Identity and Access Management (IAM) API + +documentation: + summary: + Manages identity and access control for Google Cloud Platform resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls. + +apis: +- name: google.iam.admin.v1.IAM + +authentication: + rules: + - selector: '*' + oauth: + canonical_scopes: https://www.googleapis.com/auth/iam, + https://www.googleapis.com/auth/cloud-platform + +context: + rules: + - selector: '*' + requested: + - google.rpc.context.OriginContext