Open sourcing iam admin api. (#151)

* Open sourcing iam admin api.

* Hand edits to the gapic yaml

* Fixed name, src path, and updateServiceAccount method.

* Package names and output paths fix.

* Python package name, iam mixin dependency.

gapic/api/artman_iam.yaml

@@ -0,0 +1,27 @@
+common:
+  api_name: google-iam-admin-v1
+  proto_gen_pkg_deps:
+    - google-iam-v1
+  import_proto_path:
+    - ${REPOROOT}/googleapis
+  src_proto_path:
+    - ${REPOROOT}/googleapis/google/iam/admin/v1
+  service_yaml:
+    - ${REPOROOT}/googleapis/google/iam/iam.yaml
+  gapic_api_yaml:
+    - ${REPOROOT}/googleapis/google/iam/admin/v1/iam_gapic.yaml
+  output_dir: ${REPOROOT}/artman/output
+java:
+  final_repo_dir: ${REPOROOT}/google-cloud-java/google-cloud-iam
+python:
+  final_repo_dir: ${REPOROOT}/artman/output/gcloud-python-iam
+go:
+  final_repo_dir: ${REPOROOT}/gapi-iam-go
+csharp:
+  final_repo_dir: ${REPOROOT}/artman/output/gcloud-csharp-iam
+php:
+  final_repo_dir: ${REPOROOT}/artman/output/gcloud-php-iam
+ruby:
+  final_repo_dir: ${REPOROOT}/google-cloud-ruby/google-cloud-iam
+nodejs:
+  final_repo_dir: ${REPOROOT}/google-cloud-node/packages/iam

google/iam/admin/v1/iam.proto

@@ -0,0 +1,468 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.iam.admin.v1;
+
+import "google/api/annotations.proto";
+import "google/iam/v1/iam_policy.proto";
+import "google/iam/v1/policy.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+
+option cc_enable_arenas = true;
+option java_multiple_files = true;
+option java_outer_classname = "IamProto";
+option java_package = "com.google.iam.admin.v1";
+
+
+// Creates and manages service account objects.
+//
+// Service account is an account that belongs to your project instead
+// of to an individual end user. It is used to authenticate calls
+// to a Google API.
+//
+// To create a service account, specify the `project_id` and `account_id`
+// for the account.  The `account_id` is unique within the project, and used
+// to generate the service account email address and a stable
+// `unique_id`.
+//
+// All other methods can identify accounts using the format
+// `projects/{project}/serviceAccounts/{account}`.
+// Using `-` as a wildcard for the project will infer the project from
+// the account. The `account` value can be the `email` address or the
+// `unique_id` of the service account.
+service IAM {
+  // Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project.
+  rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) {
+    option (google.api.http) = { get: "/v1/{name=projects/*}/serviceAccounts" };
+  }
+
+  // Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+  rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount) {
+    option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*}" };
+  }
+
+  // Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]
+  // and returns it.
+  rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) {
+    option (google.api.http) = { post: "/v1/{name=projects/*}/serviceAccounts" body: "*" };
+  }
+
+  // Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+  //
+  // Currently, only the following fields are updatable:
+  // `display_name` .
+  // The `etag` is mandatory.
+  rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) {
+    option (google.api.http) = { put: "/v1/{name=projects/*/serviceAccounts/*}" body: "*" };
+  }
+
+  // Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+  rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) {
+    option (google.api.http) = { delete: "/v1/{name=projects/*/serviceAccounts/*}" };
+  }
+
+  // Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey].
+  rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) {
+    option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*}/keys" };
+  }
+
+  // Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
+  // by key id.
+  rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) {
+    option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" };
+  }
+
+  // Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
+  // and returns it.
+  rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) {
+    option (google.api.http) = { post: "/v1/{name=projects/*/serviceAccounts/*}/keys" body: "*" };
+  }
+
+  // Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
+  rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) {
+    option (google.api.http) = { delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" };
+  }
+
+  // Signs a blob using a service account's system-managed private key.
+  rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) {
+    option (google.api.http) = { post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob" body: "*" };
+  }
+
+  // Returns the IAM access control policy for a
+  // [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
+    option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy" body: "" };
+  }
+
+  // Sets the IAM access control policy for a
+  // [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
+    option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy" body: "*" };
+  }
+
+  // Tests the specified permissions against the IAM access control policy
+  // for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
+    option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions" body: "*" };
+  }
+
+  // Queries roles that can be granted on a particular resource.
+  // A role is grantable if it can be used as the role in a binding for a policy
+  // for that resource.
+  rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) {
+    option (google.api.http) = { post: "/v1/roles:queryGrantableRoles" body: "*" };
+  }
+}
+
+// A service account in the Identity and Access Management API.
+//
+// To create a service account, specify the `project_id` and the `account_id`
+// for the account.  The `account_id` is unique within the project, and is used
+// to generate the service account email address and a stable
+// `unique_id`.
+//
+// If the account already exists, the account's resource name is returned
+// in util::Status's ResourceInfo.resource_name in the format of
+// projects/{project}/serviceAccounts/{email}. The caller can use the name in
+// other methods to access the account.
+//
+// All other methods can identify the service account using the format
+// `projects/{project}/serviceAccounts/{account}`.
+// Using `-` as a wildcard for the project will infer the project from
+// the account. The `account` value can be the `email` address or the
+// `unique_id` of the service account.
+message ServiceAccount {
+  // The resource name of the service account in the following format:
+  // `projects/{project}/serviceAccounts/{account}`.
+  //
+  // Requests using `-` as a wildcard for the project will infer the project
+  // from the `account` and the `account` value can be the `email` address or
+  // the `unique_id` of the service account.
+  //
+  // In responses the resource name will always be in the format
+  // `projects/{project}/serviceAccounts/{email}`.
+  string name = 1;
+
+  // @OutputOnly The id of the project that owns the service account.
+  string project_id = 2;
+
+  // @OutputOnly The unique and stable id of the service account.
+  string unique_id = 4;
+
+  // @OutputOnly The email address of the service account.
+  string email = 5;
+
+  // Optional. A user-specified description of the service account.  Must be
+  // fewer than 100 UTF-8 bytes.
+  string display_name = 6;
+
+  // Used to perform a consistent read-modify-write.
+  bytes etag = 7;
+
+  // @OutputOnly. The OAuth2 client id for the service account.
+  // This is used in conjunction with the OAuth2 clientconfig API to make
+  // three legged OAuth2 (3LO) flows to access the data of Google users.
+  string oauth2_client_id = 9;
+}
+
+// The service account create request.
+message CreateServiceAccountRequest {
+  // Required. The resource name of the project associated with the service
+  // accounts, such as `projects/my-project-123`.
+  string name = 1;
+
+  // Required. The account id that is used to generate the service account
+  // email address and a stable unique id. It is unique within a project,
+  // must be 6-30 characters long, and match the regular expression
+  // `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
+  string account_id = 2;
+
+  // The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to create.
+  // Currently, only the following values are user assignable:
+  // `display_name` .
+  ServiceAccount service_account = 3;
+}
+
+// The service account list request.
+message ListServiceAccountsRequest {
+  // Required. The resource name of the project associated with the service
+  // accounts, such as `projects/my-project-123`.
+  string name = 1;
+
+  // Optional limit on the number of service accounts to include in the
+  // response. Further accounts can subsequently be obtained by including the
+  // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token]
+  // in a subsequent request.
+  int32 page_size = 2;
+
+  // Optional pagination token returned in an earlier
+  // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token].
+  string page_token = 3;
+}
+
+// The service account list response.
+message ListServiceAccountsResponse {
+  // The list of matching service accounts.
+  repeated ServiceAccount accounts = 1;
+
+  // To retrieve the next page of results, set
+  // [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token]
+  // to this value.
+  string next_page_token = 2;
+}
+
+// The service account get request.
+message GetServiceAccountRequest {
+  // The resource name of the service account in the following format:
+  // `projects/{project}/serviceAccounts/{account}`.
+  // Using `-` as a wildcard for the project will infer the project from
+  // the account. The `account` value can be the `email` address or the
+  // `unique_id` of the service account.
+  string name = 1;
+}
+
+// The service account delete request.
+message DeleteServiceAccountRequest {
+  // The resource name of the service account in the following format:
+  // `projects/{project}/serviceAccounts/{account}`.
+  // Using `-` as a wildcard for the project will infer the project from
+  // the account. The `account` value can be the `email` address or the
+  // `unique_id` of the service account.
+  string name = 1;
+}
+
+// The service account keys list request.
+message ListServiceAccountKeysRequest {
+  // `KeyType` filters to selectively retrieve certain varieties
+  // of keys.
+  enum KeyType {
+    // Unspecified key type. The presence of this in the
+    // message will immediately result in an error.
+    KEY_TYPE_UNSPECIFIED = 0;
+
+    // User-managed keys (managed and rotated by the user).
+    USER_MANAGED = 1;
+
+    // System-managed keys (managed and rotated by Google).
+    SYSTEM_MANAGED = 2;
+  }
+
+  // The resource name of the service account in the following format:
+  // `projects/{project}/serviceAccounts/{account}`.
+  //
+  // Using `-` as a wildcard for the project, will infer the project from
+  // the account. The `account` value can be the `email` address or the
+  // `unique_id` of the service account.
+  string name = 1;
+
+  // Filters the types of keys the user wants to include in the list
+  // response. Duplicate key types are not allowed. If no key type
+  // is provided, all keys are returned.
+  repeated KeyType key_types = 2;
+}
+
+// The service account keys list response.
+message ListServiceAccountKeysResponse {
+  // The public keys for the service account.
+  repeated ServiceAccountKey keys = 1;
+}
+
+// The service account key get by id request.
+message GetServiceAccountKeyRequest {
+  // The resource name of the service account key in the following format:
+  // `projects/{project}/serviceAccounts/{account}/keys/{key}`.
+  //
+  // Using `-` as a wildcard for the project will infer the project from
+  // the account. The `account` value can be the `email` address or the
+  // `unique_id` of the service account.
+  string name = 1;
+
+  // The output format of the public key requested.
+  // X509_PEM is the default output format.
+  ServiceAccountPublicKeyType public_key_type = 2;
+}
+
+// Represents a service account key.
+//
+// A service account has two sets of key-pairs: user-managed, and
+// system-managed.
+//
+// User-managed key-pairs can be created and deleted by users.  Users are
+// responsible for rotating these keys periodically to ensure security of
+// their service accounts.  Users retain the private key of these key-pairs,
+// and Google retains ONLY the public key.
+//
+// System-managed key-pairs are managed automatically by Google, and rotated
+// daily without user intervention.  The private key never leaves Google's
+// servers to maximize security.
+//
+// Public keys for all service accounts are also published at the OAuth2
+// Service Account API.
+message ServiceAccountKey {
+  // The resource name of the service account key in the following format
+  // `projects/{project}/serviceAccounts/{account}/keys/{key}`.
+  string name = 1;
+
+  // The output format for the private key.
+  // Only provided in `CreateServiceAccountKey` responses, not
+  // in `GetServiceAccountKey` or `ListServiceAccountKey` responses.
+  //
+  // Google never exposes system-managed private keys, and never retains
+  // user-managed private keys.
+  ServiceAccountPrivateKeyType private_key_type = 2;
+
+  // Specifies the algorithm (and possibly key size) for the key.
+  ServiceAccountKeyAlgorithm key_algorithm = 8;
+
+  // The private key data. Only provided in `CreateServiceAccountKey`
+  // responses.
+  bytes private_key_data = 3;
+
+  // The public key data. Only provided in `GetServiceAccountKey` responses.
+  bytes public_key_data = 7;
+
+  // The key can be used after this timestamp.
+  google.protobuf.Timestamp valid_after_time = 4;
+
+  // The key can be used before this timestamp.
+  google.protobuf.Timestamp valid_before_time = 5;
+}
+
+// The service account key create request.
+message CreateServiceAccountKeyRequest {
+  // The resource name of the service account in the following format:
+  // `projects/{project}/serviceAccounts/{account}`.
+  // Using `-` as a wildcard for the project will infer the project from
+  // the account. The `account` value can be the `email` address or the
+  // `unique_id` of the service account.
+  string name = 1;
+
+  // The output format of the private key. `GOOGLE_CREDENTIALS_FILE` is the
+  // default output format.
+  ServiceAccountPrivateKeyType private_key_type = 2;
+
+  // Which type of key and algorithm to use for the key.
+  // The default is currently a 4K RSA key.  However this may change in the
+  // future.
+  ServiceAccountKeyAlgorithm key_algorithm = 3;
+}
+
+// The service account key delete request.
+message DeleteServiceAccountKeyRequest {
+  // The resource name of the service account key in the following format:
+  // `projects/{project}/serviceAccounts/{account}/keys/{key}`.
+  // Using `-` as a wildcard for the project will infer the project from
+  // the account. The `account` value can be the `email` address or the
+  // `unique_id` of the service account.
+  string name = 1;
+}
+
+// The service account sign blob request.
+message SignBlobRequest {
+  // The resource name of the service account in the following format:
+  // `projects/{project}/serviceAccounts/{account}`.
+  // Using `-` as a wildcard for the project will infer the project from
+  // the account. The `account` value can be the `email` address or the
+  // `unique_id` of the service account.
+  string name = 1;
+
+  // The bytes to sign.
+  bytes bytes_to_sign = 2;
+}
+
+// The service account sign blob response.
+message SignBlobResponse {
+  // The id of the key used to sign the blob.
+  string key_id = 1;
+
+  // The signed blob.
+  bytes signature = 2;
+}
+
+// A role in the Identity and Access Management API.
+message Role {
+  // The name of the role.
+  //
+  // When Role is used in CreateRole, the role name must not be set.
+  //
+  // When Role is used in output and other input such as UpdateRole, the role
+  // name is the complete path, e.g., roles/logging.viewer for curated roles
+  // and organizations/{organization-id}/roles/logging.viewer for custom roles.
+  string name = 1;
+
+  // Optional.  A human-readable title for the role.  Typically this
+  // is limited to 100 UTF-8 bytes.
+  string title = 2;
+
+  // Optional.  A human-readable description for the role.
+  string description = 3;
+}
+
+// The grantable role query request.
+message QueryGrantableRolesRequest {
+  // Required. The full resource name to query from the list of grantable roles.
+  //
+  // The name follows the Google Cloud Platform resource format.
+  // For example, a Cloud Platform project with id `my-project` will be named
+  // `//cloudresourcemanager.googleapis.com/projects/my-project`.
+  string full_resource_name = 1;
+}
+
+// The grantable role query response.
+message QueryGrantableRolesResponse {
+  // The list of matching roles.
+  repeated Role roles = 1;
+}
+
+// Supported key algorithms.
+enum ServiceAccountKeyAlgorithm {
+  // An unspecified key algorithm.
+  KEY_ALG_UNSPECIFIED = 0;
+
+  // 1k RSA Key.
+  KEY_ALG_RSA_1024 = 1;
+
+  // 2k RSA Key.
+  KEY_ALG_RSA_2048 = 2;
+}
+
+// Supported private key output formats.
+enum ServiceAccountPrivateKeyType {
+  // Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`.
+  TYPE_UNSPECIFIED = 0;
+
+  // PKCS12 format.
+  // The password for the PKCS12 file is `notasecret`.
+  // For more information, see https://tools.ietf.org/html/rfc7292.
+  TYPE_PKCS12_FILE = 1;
+
+  // Google Credentials File format.
+  TYPE_GOOGLE_CREDENTIALS_FILE = 2;
+}
+
+// Supported public key output formats.
+enum ServiceAccountPublicKeyType {
+  // Unspecified. Returns nothing here.
+  TYPE_NONE = 0;
+
+  // X509 PEM format.
+  TYPE_X509_PEM_FILE = 1;
+
+  // Raw public key.
+  TYPE_RAW_PUBLIC_KEY = 2;
+}

google/iam/admin/v1/iam_gapic.yaml

@@ -0,0 +1,238 @@
+type: com.google.api.codegen.ConfigProto
+language_settings:
+  java:
+    package_name: com.google.cloud.iam.admin.spi.v1
+  python:
+    package_name: google.cloud.gapic.iam_admin.v1
+  go:
+    package_name: cloud.google.com/go/iam/admin/apiv1
+  csharp:
+    package_name: Google.Iam.Admin.V1
+  ruby:
+    package_name: Google::Cloud::Iam::Admin::V1
+  php:
+    package_name: Google\Cloud\Iam\Admin\V1
+  nodejs:
+    package_name: '@google-cloud/iam'
+interfaces:
+- name: google.iam.admin.v1.IAM
+  collections:
+  - name_pattern: projects/{project}
+    entity_name: project
+  - name_pattern: projects/{project}/serviceAccounts/{service_account}
+    entity_name: service_account
+  - name_pattern: projects/{project}/serviceAccounts/{service_account}/keys/{key}
+    entity_name: key
+  retry_codes_def:
+  - name: idempotent
+    retry_codes:
+    - UNAVAILABLE
+    - DEADLINE_EXCEEDED
+  - name: non_idempotent
+    retry_codes: []
+  retry_params_def:
+  - name: default
+    initial_retry_delay_millis: 100
+    retry_delay_multiplier: 1.3
+    max_retry_delay_millis: 60000
+    initial_rpc_timeout_millis: 20000
+    rpc_timeout_multiplier: 1
+    max_rpc_timeout_millis: 20000
+    total_timeout_millis: 600000
+  methods:
+  - name: ListServiceAccounts
+    flattening:
+      groups:
+      - parameters:
+        - name
+    required_fields:
+    - name
+    request_object_method: true
+    page_streaming:
+      request:
+        page_size_field: page_size
+        token_field: page_token
+      response:
+        token_field: next_page_token
+        resources_field: accounts
+    retry_codes_name: idempotent
+    retry_params_name: default
+    field_name_patterns:
+      name: project
+    timeout_millis: 60000
+  - name: GetServiceAccount
+    flattening:
+      groups:
+      - parameters:
+        - name
+    required_fields:
+    - name
+    request_object_method: false
+    retry_codes_name: idempotent
+    retry_params_name: default
+    field_name_patterns:
+      name: service_account
+    timeout_millis: 60000
+  - name: CreateServiceAccount
+    flattening:
+      groups:
+      - parameters:
+        - name
+        - account_id
+        - service_account
+    required_fields:
+    - name
+    - account_id
+    request_object_method: true
+    retry_codes_name: non_idempotent
+    retry_params_name: default
+    field_name_patterns:
+      name: project
+    timeout_millis: 60000
+  - name: UpdateServiceAccount
+    required_fields:
+      - etag
+    request_object_method: true
+    retry_codes_name: idempotent
+    retry_params_name: default
+    field_name_patterns:
+      name: service_account
+    timeout_millis: 60000
+  - name: DeleteServiceAccount
+    flattening:
+      groups:
+      - parameters:
+        - name
+    required_fields:
+    - name
+    request_object_method: false
+    retry_codes_name: idempotent
+    retry_params_name: default
+    field_name_patterns:
+      name: service_account
+    timeout_millis: 60000
+  - name: ListServiceAccountKeys
+    flattening:
+      groups:
+      - parameters:
+        - name
+        - key_types
+    required_fields:
+    - name
+    request_object_method: true
+    retry_codes_name: idempotent
+    retry_params_name: default
+    field_name_patterns:
+      name: service_account
+    timeout_millis: 60000
+  - name: GetServiceAccountKey
+    flattening:
+      groups:
+      - parameters:
+        - name
+        - public_key_type
+    required_fields:
+    - name
+    request_object_method: true
+    retry_codes_name: idempotent
+    retry_params_name: default
+    field_name_patterns:
+      name: key
+    timeout_millis: 60000
+  - name: CreateServiceAccountKey
+    flattening:
+      groups:
+      - parameters:
+        - name
+        - private_key_type
+        - key_algorithm
+    required_fields:
+    - name
+    request_object_method: true
+    retry_codes_name: non_idempotent
+    retry_params_name: default
+    field_name_patterns:
+      name: service_account
+    timeout_millis: 60000
+  - name: DeleteServiceAccountKey
+    flattening:
+      groups:
+      - parameters:
+        - name
+    required_fields:
+    - name
+    request_object_method: false
+    retry_codes_name: idempotent
+    retry_params_name: default
+    field_name_patterns:
+      name: key
+    timeout_millis: 60000
+  - name: SignBlob
+    flattening:
+      groups:
+      - parameters:
+        - name
+        - bytes_to_sign
+    required_fields:
+    - name
+    - bytes_to_sign
+    request_object_method: true
+    retry_codes_name: non_idempotent
+    retry_params_name: default
+    field_name_patterns:
+      name: service_account
+    timeout_millis: 60000
+  - name: GetIamPolicy
+    flattening:
+      groups:
+      - parameters:
+        - resource
+    required_fields:
+    - resource
+    request_object_method: false
+    retry_codes_name: non_idempotent
+    retry_params_name: default
+    field_name_patterns:
+      resource: service_account
+    timeout_millis: 60000
+  - name: SetIamPolicy
+    flattening:
+      groups:
+      - parameters:
+        - resource
+        - policy
+    required_fields:
+    - resource
+    - policy
+    request_object_method: true
+    retry_codes_name: non_idempotent
+    retry_params_name: default
+    field_name_patterns:
+      resource: service_account
+    timeout_millis: 60000
+  - name: TestIamPermissions
+    flattening:
+      groups:
+      - parameters:
+        - resource
+        - permissions
+    required_fields:
+    - resource
+    - permissions
+    request_object_method: true
+    retry_codes_name: non_idempotent
+    retry_params_name: default
+    field_name_patterns:
+      resource: service_account
+    timeout_millis: 60000
+  - name: QueryGrantableRoles
+    flattening:
+      groups:
+      - parameters:
+        - full_resource_name
+    required_fields:
+    - full_resource_name
+    request_object_method: false
+    retry_codes_name: non_idempotent
+    retry_params_name: default
+    timeout_millis: 60000

google/iam/iam.yaml

@@ -0,0 +1,27 @@
+# The IAM API Definition.
+
+type: google.api.Service
+config_version: 2
+name: iam.googleapis.com
+
+title: Google Identity and Access Management (IAM) API
+
+documentation:
+  summary:
+   Manages identity and access control for Google Cloud Platform resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls.
+
+apis:
+- name: google.iam.admin.v1.IAM
+
+authentication:
+  rules:
+    - selector: '*'
+      oauth:
+        canonical_scopes: https://www.googleapis.com/auth/iam,
+                          https://www.googleapis.com/auth/cloud-platform
+
+context:
+  rules:
+  - selector: '*'
+    requested:
+    - google.rpc.context.OriginContext