Chiebot-Mirror
/
googleapis
8
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: Publish v1beta.WorkloadIdentityPools API.

Browse Source 
PiperOrigin-RevId: 329778334
pull/618/head
Google APIs 5 years ago committed by Copybara-Service
parent 88d4f10bbe
commit b513a71293
5 changed files with 1158 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 378
      google/iam/v1beta/BUILD.bazel
  2. 23
      google/iam/v1beta/iam_gapic.yaml
  3. 67
      google/iam/v1beta/iam_grpc_service_config.json
  4. 50
      google/iam/v1beta/iam_v1beta.yaml
  5. 640
      google/iam/v1beta/workload_identity_pool.proto

378
google/iam/v1beta/BUILD.bazel
Unescape View File

@ -0,0 +1,378 @@
# This file was automatically generated by BuildFileGenerator
# https://github.com/googleapis/gapic-generator/tree/master/rules_gapic/bazel
# Most of the manual changes to this file will be overwritten.
# It's **only** allowed to change the following rule attribute values:
# - names of *_gapic_assembly_* rules
# - certain parameters of *_gapic_library rules, including but not limited to:
# * extra_protoc_parameters
# * extra_protoc_file_parameters
# The complete list of preserved parameters can be found in the source code.
# This is an API workspace, having public visibility by default makes perfect sense.
package(default_visibility = ["//visibility:public"])
##############################################################################
# Common
##############################################################################
load("@rules_proto//proto:defs.bzl", "proto_library")
load("@com_google_googleapis_imports//:imports.bzl", "proto_library_with_info")
proto_library(
name = "iam_proto",
srcs = [
"workload_identity_pool.proto",
],
deps = [
"//google/api:annotations_proto",
"//google/api:client_proto",
"//google/api:field_behavior_proto",
"//google/api:resource_proto",
"//google/longrunning:operations_proto",
"@com_google_protobuf//:field_mask_proto",
],
)
proto_library_with_info(
name = "iam_proto_with_info",
deps = [
":iam_proto",
"//google/cloud:common_resources_proto",
],
)
##############################################################################
# Java
##############################################################################
load(
"@com_google_googleapis_imports//:imports.bzl",
"java_gapic_assembly_gradle_pkg",
"java_gapic_library",
"java_gapic_test",
"java_grpc_library",
"java_proto_library",
)
java_proto_library(
name = "iam_java_proto",
deps = [":iam_proto"],
)
java_grpc_library(
name = "iam_java_grpc",
srcs = [":iam_proto"],
deps = [":iam_java_proto"],
)
java_gapic_library(
name = "iam_java_gapic",
src = ":iam_proto_with_info",
gapic_yaml = "iam_gapic.yaml",
grpc_service_config = "iam_grpc_service_config.json",
package = "google.iam.v1beta",
service_yaml = "iam_v1beta.yaml",
test_deps = [
":iam_java_grpc",
],
deps = [
":iam_java_proto",
],
)
java_gapic_test(
name = "iam_java_gapic_test_suite",
test_classes = [
"com.google.cloud.iam.v1beta.WorkloadIdentityPoolsClientTest",
],
runtime_deps = [":iam_java_gapic_test"],
)
# Open Source Packages
java_gapic_assembly_gradle_pkg(
name = "google-iam-v1beta-java",
deps = [
":iam_java_gapic",
":iam_java_grpc",
":iam_java_proto",
":iam_proto",
],
)
##############################################################################
# Go
##############################################################################
load(
"@com_google_googleapis_imports//:imports.bzl",
"go_gapic_assembly_pkg",
"go_gapic_library",
"go_proto_library",
"go_test",
)
go_proto_library(
name = "iam_go_proto",
compilers = ["@io_bazel_rules_go//proto:go_grpc"],
importpath = "google.golang.org/genproto/googleapis/iam/v1beta",
protos = [":iam_proto"],
deps = [
"//google/api:annotations_go_proto",
"//google/longrunning:longrunning_go_proto",
],
)
go_gapic_library(
name = "iam_go_gapic",
srcs = [":iam_proto_with_info"],
grpc_service_config = "iam_grpc_service_config.json",
importpath = "cloud.google.com/go/iam/apiv1beta;iam",
service_yaml = "iam_v1beta.yaml",
deps = [
":iam_go_proto",
"//google/longrunning:longrunning_go_gapic",
"//google/longrunning:longrunning_go_proto",
"@com_google_cloud_go//longrunning:go_default_library",
],
)
go_test(
name = "iam_go_gapic_test",
srcs = [":iam_go_gapic_srcjar_test"],
embed = [":iam_go_gapic"],
importpath = "cloud.google.com/go/iam/apiv1beta",
)
# Open Source Packages
go_gapic_assembly_pkg(
name = "gapi-cloud-iam-v1beta-go",
deps = [
":iam_go_gapic",
":iam_go_gapic_srcjar-test.srcjar",
":iam_go_proto",
],
)
##############################################################################
# Python
##############################################################################
load(
"@com_google_googleapis_imports//:imports.bzl",
"moved_proto_library",
"py_gapic_assembly_pkg",
"py_gapic_library",
"py_grpc_library",
"py_proto_library",
)
moved_proto_library(
name = "iam_moved_proto",
srcs = [":iam_proto"],
deps = [
"//google/api:annotations_proto",
"//google/api:client_proto",
"//google/api:field_behavior_proto",
"//google/api:resource_proto",
"//google/longrunning:operations_proto",
"@com_google_protobuf//:field_mask_proto",
],
)
py_proto_library(
name = "iam_py_proto",
plugin = "@protoc_docs_plugin//:docs_plugin",
deps = [":iam_moved_proto"],
)
py_grpc_library(
name = "iam_py_grpc",
srcs = [":iam_moved_proto"],
deps = [":iam_py_proto"],
)
py_gapic_library(
name = "iam_py_gapic",
src = ":iam_proto_with_info",
gapic_yaml = "iam_gapic.yaml",
grpc_service_config = "iam_grpc_service_config.json",
package = "google.iam.v1beta",
service_yaml = "iam_v1beta.yaml",
deps = [
":iam_py_grpc",
":iam_py_proto",
],
)
# Open Source Packages
py_gapic_assembly_pkg(
name = "iam-v1beta-py",
deps = [
":iam_py_gapic",
":iam_py_grpc",
":iam_py_proto",
],
)
##############################################################################
# PHP
##############################################################################
load(
"@com_google_googleapis_imports//:imports.bzl",
"php_gapic_assembly_pkg",
"php_gapic_library",
"php_grpc_library",
"php_proto_library",
)
php_proto_library(
name = "iam_php_proto",
deps = [":iam_proto"],
)
php_grpc_library(
name = "iam_php_grpc",
srcs = [":iam_proto"],
deps = [":iam_php_proto"],
)
php_gapic_library(
name = "iam_php_gapic",
src = ":iam_proto_with_info",
gapic_yaml = "iam_gapic.yaml",
grpc_service_config = "iam_grpc_service_config.json",
package = "google.iam.v1beta",
service_yaml = "iam_v1beta.yaml",
deps = [
":iam_php_grpc",
":iam_php_proto",
],
)
# Open Source Packages
php_gapic_assembly_pkg(
name = "google-iam-v1beta-php",
deps = [
":iam_php_gapic",
":iam_php_grpc",
":iam_php_proto",
],
)
##############################################################################
# Node.js
##############################################################################
load(
"@com_google_googleapis_imports//:imports.bzl",
"nodejs_gapic_assembly_pkg",
"nodejs_gapic_library",
)
nodejs_gapic_library(
name = "iam_nodejs_gapic",
src = ":iam_proto_with_info",
grpc_service_config = "iam_grpc_service_config.json",
package = "google.iam.v1beta",
service_yaml = "iam_v1beta.yaml",
deps = [],
)
nodejs_gapic_assembly_pkg(
name = "iam-v1beta-nodejs",
deps = [
":iam_nodejs_gapic",
":iam_proto",
],
)
##############################################################################
# Ruby
##############################################################################
load(
"@com_google_googleapis_imports//:imports.bzl",
"ruby_gapic_assembly_pkg",
"ruby_gapic_library",
"ruby_grpc_library",
"ruby_proto_library",
)
ruby_proto_library(
name = "iam_ruby_proto",
deps = [":iam_proto"],
)
ruby_grpc_library(
name = "iam_ruby_grpc",
srcs = [":iam_proto"],
deps = [":iam_ruby_proto"],
)
ruby_gapic_library(
name = "iam_ruby_gapic",
src = ":iam_proto_with_info",
gapic_yaml = "iam_gapic.yaml",
grpc_service_config = "iam_grpc_service_config.json",
package = "google.iam.v1beta",
service_yaml = "iam_v1beta.yaml",
deps = [
":iam_ruby_grpc",
":iam_ruby_proto",
],
)
# Open Source Packages
ruby_gapic_assembly_pkg(
name = "google-iam-v1beta-ruby",
deps = [
":iam_ruby_gapic",
":iam_ruby_grpc",
":iam_ruby_proto",
],
)
##############################################################################
# C#
##############################################################################
load(
"@com_google_googleapis_imports//:imports.bzl",
"csharp_gapic_assembly_pkg",
"csharp_gapic_library",
"csharp_grpc_library",
"csharp_proto_library",
)
csharp_proto_library(
name = "iam_csharp_proto",
deps = [":iam_proto"],
)
csharp_grpc_library(
name = "iam_csharp_grpc",
srcs = [":iam_proto"],
deps = [":iam_csharp_proto"],
)
csharp_gapic_library(
name = "iam_csharp_gapic",
src = ":iam_proto_with_info",
gapic_yaml = "iam_gapic.yaml",
grpc_service_config = "iam_grpc_service_config.json",
package = "google.iam.v1beta",
service_yaml = "iam_v1beta.yaml",
deps = [
":iam_csharp_grpc",
":iam_csharp_proto",
],
)
# Open Source Packages
csharp_gapic_assembly_pkg(
name = "google-iam-v1beta-csharp",
deps = [
":iam_csharp_gapic",
":iam_csharp_grpc",
":iam_csharp_proto",
],
)
##############################################################################
# C++
##############################################################################
# Put your C++ rules here

23
google/iam/v1beta/iam_gapic.yaml
Unescape View File

@ -0,0 +1,23 @@
type: com.google.api.codegen.ConfigProto
config_schema_version: 2.0.0
# The settings of generated code in a specific language.
language_settings:
java:
package_name: com.google.cloud.iam.v1beta
python:
package_name: google.cloud.iam_v1beta.gapic
go:
package_name: cloud.google.com/go/iam/apiv1beta
csharp:
package_name: Google.Iam.V1Beta
ruby:
package_name: Google::Cloud::Iam::V1Beta
php:
package_name: Google\Cloud\Iam\V1Beta
nodejs:
package_name: iam.core.v1beta
domain_layer_location: google-cloud
# A list of API interface configurations.
interfaces:
# The fully qualified name of the API interface.
- name: google.iam.v1beta.WorkloadIdentityPools

67
google/iam/v1beta/iam_grpc_service_config.json
Unescape View File

@ -0,0 +1,67 @@
{
"methodConfig": [
{
"name": [
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "ListWorkloadIdentityPools"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "GetWorkloadIdentityPool"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "CreateWorkloadIdentityPool"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "UpdateWorkloadIdentityPool"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "DeleteWorkloadIdentityPool"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "UndeleteWorkloadIdentityPool"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "ListWorkloadIdentityPoolProviders"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "GetWorkloadIdentityPoolProvider"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "CreateWorkloadIdentityPoolProvider"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "UpdateWorkloadIdentityPoolProvider"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "DeleteWorkloadIdentityPoolProvider"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "UndeleteWorkloadIdentityPoolProvider"
}
],
"timeout": "60s",
"retryPolicy": {
"maxAttempts": 5,
"initialBackoff": "1s",
"maxBackoff": "10s",
"backoffMultiplier": 1.3,
"retryableStatusCodes": [
"UNAVAILABLE",
"DEADLINE_EXCEEDED"
]
}
}
]
}

50
google/iam/v1beta/iam_v1beta.yaml
Unescape View File

@ -0,0 +1,50 @@
type: google.api.Service
config_version: 2
name: iam.googleapis.com
title: Identity and Access Management (IAM) API
apis:
- name: google.iam.v1beta.WorkloadIdentityPools
documentation:
summary: |-
<p>Manages identity and access control for Google Cloud Platform resources,
including the creation of service accounts, which you can use to
authenticate to Google and make API calls.</p> <aside
class="note"><b>Note:</b> This API is tied to the <a
href="/iam/docs/reference/credentials/rest">IAM service account
credentials API</a> (<code>iamcredentials.googleapis.com</code>). Enabling
or disabling this API will also enable or disable the IAM service account
credentials API.</aside>
http:
rules:
- selector: google.longrunning.Operations.CancelOperation
post: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/operations/*}:cancel'
body: '*'
additional_bindings:
- post: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*/operations/*}:cancel'
body: '*'
- selector: google.longrunning.Operations.DeleteOperation
delete: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/operations/*}'
additional_bindings:
- delete: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*/operations/*}'
- selector: google.longrunning.Operations.GetOperation
get: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/operations/*}'
additional_bindings:
- get: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*/operations/*}'
- selector: google.longrunning.Operations.ListOperations
get: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*}/operations'
additional_bindings:
- get: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*}/operations'
authentication:
rules:
- selector: 'google.iam.v1beta.WorkloadIdentityPools.*'
oauth:
canonical_scopes: |-
https://www.googleapis.com/auth/cloud-platform
- selector: 'google.longrunning.Operations.*'
oauth:
canonical_scopes: |-
https://www.googleapis.com/auth/cloud-platform

640
google/iam/v1beta/workload_identity_pool.proto
Unescape View File

@ -0,0 +1,640 @@
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package google.iam.v1beta;
import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/field_mask.proto";
option go_package = "google.golang.org/genproto/googleapis/iam/v1beta;iam";
option java_multiple_files = true;
option java_outer_classname = "WorkloadIdentityPoolProto";
option java_package = "com.google.iam.v1beta";
// Manages WorkloadIdentityPools.
service WorkloadIdentityPools {
option (google.api.default_host) = "iam.googleapis.com";
option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
// Lists all non-deleted
// [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool]s in a
// project. If `show_deleted` is set to `true`, then deleted pools are also
// listed.
rpc ListWorkloadIdentityPools(ListWorkloadIdentityPoolsRequest) returns (ListWorkloadIdentityPoolsResponse) {
option (google.api.http) = {
get: "/v1beta/{parent=projects/*/locations/*}/workloadIdentityPools"
};
option (google.api.method_signature) = "parent";
}
// Gets an individual
// [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
rpc GetWorkloadIdentityPool(GetWorkloadIdentityPoolRequest) returns (WorkloadIdentityPool) {
option (google.api.http) = {
get: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*}"
};
option (google.api.method_signature) = "name";
}
// Creates a new
// [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
//
// You cannot reuse the name of a deleted pool until 30 days after deletion.
rpc CreateWorkloadIdentityPool(CreateWorkloadIdentityPoolRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
post: "/v1beta/{parent=projects/*/locations/*}/workloadIdentityPools"
body: "workload_identity_pool"
};
option (google.api.method_signature) = "parent,workload_identity_pool,workload_identity_pool_id";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPool"
metadata_type: "WorkloadIdentityPoolOperationMetadata"
};
}
// Updates an existing
// [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
rpc UpdateWorkloadIdentityPool(UpdateWorkloadIdentityPoolRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
patch: "/v1beta/{workload_identity_pool.name=projects/*/locations/*/workloadIdentityPools/*}"
body: "workload_identity_pool"
};
option (google.api.method_signature) = "workload_identity_pool,update_mask";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPool"
metadata_type: "WorkloadIdentityPoolOperationMetadata"
};
}
// Deletes a
// [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
//
// You cannot use a deleted pool to exchange external
// credentials for Google Cloud credentials. However, deletion does
// not revoke credentials that have already been issued.
// Credentials issued for a deleted pool do not grant access to resources.
// If the pool is undeleted, and the credentials are not expired, they
// grant access again.
// You can undelete a pool for 30 days. After 30 days, deletion is
// permanent.
// You cannot update deleted pools. However, you can view and list them.
rpc DeleteWorkloadIdentityPool(DeleteWorkloadIdentityPoolRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
delete: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*}"
};
option (google.api.method_signature) = "name";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPool"
metadata_type: "WorkloadIdentityPoolOperationMetadata"
};
}
// Undeletes a [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool],
// as long as it was deleted fewer than 30 days ago.
rpc UndeleteWorkloadIdentityPool(UndeleteWorkloadIdentityPoolRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
post: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*}:undelete"
body: "*"
};
option (google.api.method_signature) = "name";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPool"
metadata_type: "WorkloadIdentityPoolOperationMetadata"
};
}
// Lists all non-deleted
// [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPoolProvider]s
// in a [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
// If `show_deleted` is set to `true`, then deleted providers are also listed.
rpc ListWorkloadIdentityPoolProviders(ListWorkloadIdentityPoolProvidersRequest) returns (ListWorkloadIdentityPoolProvidersResponse) {
option (google.api.http) = {
get: "/v1beta/{parent=projects/*/locations/*/workloadIdentityPools/*}/providers"
};
option (google.api.method_signature) = "parent";
}
// Gets an individual
// [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPoolProvider].
rpc GetWorkloadIdentityPoolProvider(GetWorkloadIdentityPoolProviderRequest) returns (WorkloadIdentityPoolProvider) {
option (google.api.http) = {
get: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*}"
};
option (google.api.method_signature) = "name";
}
// Creates a new
// [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityProvider]
// in a [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
//
// You cannot reuse the name of a deleted provider until 30 days after
// deletion.
rpc CreateWorkloadIdentityPoolProvider(CreateWorkloadIdentityPoolProviderRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
post: "/v1beta/{parent=projects/*/locations/*/workloadIdentityPools/*}/providers"
body: "workload_identity_pool_provider"
};
option (google.api.method_signature) = "parent,workload_identity_pool_provider,workload_identity_pool_provider_id";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPoolProvider"
metadata_type: "WorkloadIdentityPoolProviderOperationMetadata"
};
}
// Updates an existing
// [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityProvider].
rpc UpdateWorkloadIdentityPoolProvider(UpdateWorkloadIdentityPoolProviderRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
patch: "/v1beta/{workload_identity_pool_provider.name=projects/*/locations/*/workloadIdentityPools/*/providers/*}"
body: "workload_identity_pool_provider"
};
option (google.api.method_signature) = "workload_identity_pool_provider,update_mask";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPoolProvider"
metadata_type: "WorkloadIdentityPoolProviderOperationMetadata"
};
}
// Deletes a
// [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityProvider].
// Deleting a provider does not revoke credentials that have already been
// issued; they continue to grant access.
// You can undelete a provider for 30 days. After 30 days, deletion is
// permanent.
// You cannot update deleted providers. However, you can view and list them.
rpc DeleteWorkloadIdentityPoolProvider(DeleteWorkloadIdentityPoolProviderRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
delete: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*}"
};
option (google.api.method_signature) = "name";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPoolProvider"
metadata_type: "WorkloadIdentityPoolProviderOperationMetadata"
};
}
// Undeletes a
// [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityProvider],
// as long as it was deleted fewer than 30 days ago.
rpc UndeleteWorkloadIdentityPoolProvider(UndeleteWorkloadIdentityPoolProviderRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
post: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*}:undelete"
body: "*"
};
option (google.api.method_signature) = "name";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPoolProvider"
metadata_type: "WorkloadIdentityPoolProviderOperationMetadata"
};
}
}
// Represents a collection of external workload identities. You can define IAM
// policies to grant these identities access to Google Cloud resources.
message WorkloadIdentityPool {
option (google.api.resource) = {
type: "iam.googleapis.com/WorkloadIdentityPool"
pattern: "projects/{project}/locations/{location}/workloadIdentityPools/{workload_identity_pool}"
};
// The current state of the pool.
enum State {
// State unspecified.
STATE_UNSPECIFIED = 0;
// The pool is active, and may be used in Google Cloud policies.
ACTIVE = 1;
// The pool is soft-deleted. Soft-deleted pools are permanently deleted
// after approximately 30 days. You can restore a soft-deleted pool using
// [UndeleteWorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPools.UndeleteWorkloadIdentityPool].
//
// You cannot reuse the ID of a soft-deleted pool until it is permanently
// deleted.
//
// While a pool is deleted, you cannot use it to exchange tokens, or use
// existing tokens to access resources. If the pool is undeleted, existing
// tokens grant access again.
DELETED = 2;
}
// Output only. The resource name of the pool.
string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
// A display name for the pool. Cannot exceed 32 characters.
string display_name = 2;
// A description of the pool. Cannot exceed 256 characters.
string description = 3;
// Output only. The state of the pool.
State state = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
// Whether the pool is disabled. You cannot use a disabled pool to exchange
// tokens, or use existing tokens to access resources. If
// the pool is re-enabled, existing tokens grant access again.
bool disabled = 5;
}
// A configuration for an external identity provider.
message WorkloadIdentityPoolProvider {
option (google.api.resource) = {
type: "iam.googleapis.com/WorkloadIdentityPoolProvider"
pattern: "projects/{project}/locations/{location}/workloadIdentityPools/{workload_identity_pool}/providers/{workload_identity_pool_provider}"
};
// Represents an Amazon Web Services identity provider.
message Aws {
// Required. The AWS account ID.
string account_id = 1 [(google.api.field_behavior) = REQUIRED];
}
// Represents an OpenId Connect 1.0 identity provider.
message Oidc {
// Required. The OIDC issuer URL.
string issuer_uri = 1 [(google.api.field_behavior) = REQUIRED];
// Acceptable values for the `aud` field (audience) in the OIDC token. Token
// exchange requests are rejected if the token audience does not match one
// of the configured values. Each audience may be at most 256 characters. A
// maximum of 10 audiences may be configured.
//
// If this list is empty, the OIDC token audience must be equal to
// the full canonical resource name of the WorkloadIdentityPoolProvider,
// with or without the HTTPS prefix. For example:
//
// ```
// //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
// https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
// ```
repeated string allowed_audiences = 2;
}
// The current state of the provider.
enum State {
// State unspecified.
STATE_UNSPECIFIED = 0;
// The provider is active, and may be used to validate authentication
// credentials.
ACTIVE = 1;
// The provider is soft-deleted. Soft-deleted providers are permanently
// deleted after approximately 30 days. You can restore a soft-deleted
// provider using
// [UndeleteWorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPools.UndeleteWorkloadIdentityPoolProvider].
//
// You cannot reuse the ID of a soft-deleted provider until it is
// permanently deleted.
DELETED = 2;
}
// Output only. The resource name of the provider.
string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
// A display name for the provider. Cannot exceed 32 characters.
string display_name = 2;
// A description for the provider. Cannot exceed 256 characters.
string description = 3;
// Output only. The state of the provider.
State state = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
// Whether the provider is disabled. You cannot use a disabled provider to
// exchange tokens. However, existing tokens still grant access.
bool disabled = 5;
// Maps attributes from authentication credentials issued by an external
// identity provider to Google Cloud attributes, such as `subject` and
// `segment`.
//
// Each key must be a string specifying the Google Cloud IAM attribute to
// map to.
//
// The following keys are supported:
//
// * `google.subject`: The principal IAM is authenticating. You can reference
// this value in IAM bindings. This is also the
// subject that appears in Cloud Logging logs.
// Cannot exceed 100 characters.
//
// * `google.groups`: Groups the external identity belongs to. You can grant
// groups access to resources using an IAM `principalSet`
// binding; access applies to all members of the group.
//
// You can also provide custom attributes by specifying
// `attribute.{custom_attribute}`, where `{custom_attribute}` is the name of
// the custom attribute to be mapped. You can define a maximum of 50 custom
// attributes. The maximum length of a mapped attribute key is
// 100 characters, and the key may only contain the characters [a-z0-9-].
//
// You can reference these attributes in IAM policies to define fine-grained
// access for a workload to Google Cloud resources. For example:
//
// * `google.subject`:
// `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`
//
// * `google.groups`:
// `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`
//
// * `attribute.{custom_attribute}`:
// `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`
//
// Each value must be a [Common Expression Language]
// (https://opensource.google/projects/cel) function that maps an
// identity provider credential to the normalized attribute specified by the
// corresponding map key.
//
// You can use the `assertion` keyword in the expression to access a JSON
// representation of the authentication credential issued by the provider.
//
// The maximum length of an attribute mapping expression is 2048 characters.
// When evaluated, the total size of all mapped attributes must not exceed
// 8KB.
//
// For AWS providers, the following rules apply:
//
// - If no attribute mapping is defined, the following default mapping
// applies:
//
// ```
// {
// "google.subject":"assertion.arn",
// "attribute.aws_role":
// "assertion.arn.contains('assumed-role')"
// " ? assertion.arn.extract('{account_arn}assumed-role/')"
// " + 'assumed-role/'"
// " + assertion.arn.extract('assumed-role/{role_name}/')"
// " : assertion.arn",
// }
// ```
//
// - If any custom attribute mappings are defined, they must include a mapping
// to the `google.subject` attribute.
//
//
// For OIDC providers, the following rules apply:
//
// - Custom attribute mappings must be defined, and must include a mapping to
// the `google.subject` attribute. For example, the following maps the
// `sub` claim of the incoming credential to the `subject` attribute on
// a Google token.
//
// ```
// {"google.subject": "assertion.sub"}
// ```
map<string, string> attribute_mapping = 6;
// [A Common Expression Language](https://opensource.google/projects/cel)
// expression, in plain text, to restrict what otherwise valid authentication
// credentials issued by the provider should not be accepted.
//
// The expression must output a boolean representing whether to allow the
// federation.
//
// The following keywords may be referenced in the expressions:
//
// * `assertion`: JSON representing the authentication credential issued by
// the provider.
// * `google`: The Google attributes mapped from the assertion in the
// `attribute_mappings`.
// * `attribute`: The custom attributes mapped from the assertion in the
// `attribute_mappings`.
//
// The maximum length of the attribute condition expression is 4096
// characters. If unspecified, all valid authentication credential are
// accepted.
//
// The following example shows how to only allow credentials with a mapped
// `google.groups` value of `admins`:
//
// ```
// "'admins' in google.groups"
// ```
string attribute_condition = 7;
// Identity provider configuration types.
oneof provider_config {
// An Amazon Web Services identity provider.
Aws aws = 8;
// An OpenId Connect 1.0 identity provider.
Oidc oidc = 9;
}
}
// Request message for ListWorkloadIdentityPools.
message ListWorkloadIdentityPoolsRequest {
// Required. The parent resource to list pools for.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudresourcemanager.googleapis.com/Project"
}
];
// The maximum number of pools to return.
// If unspecified, at most 50 pools are returned.
// The maximum value is 1000; values above are 1000 truncated to 1000.
int32 page_size = 2;
// A page token, received from a previous `ListWorkloadIdentityPools`
// call. Provide this to retrieve the subsequent page.
string page_token = 3;
// Whether to return soft-deleted pools.
bool show_deleted = 4;
}
// Response message for ListWorkloadIdentityPools.
message ListWorkloadIdentityPoolsResponse {
// A list of pools.
repeated WorkloadIdentityPool workload_identity_pools = 1;
// A token, which can be sent as `page_token` to retrieve the next page.
// If this field is omitted, there are no subsequent pages.
string next_page_token = 2;
}
// Request message for GetWorkloadIdentityPool.
message GetWorkloadIdentityPoolRequest {
// Required. The name of the pool to retrieve.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPool"
}
];
}
// Request message for CreateWorkloadIdentityPool.
message CreateWorkloadIdentityPoolRequest {
// Required. The parent resource to create the pool in. The only supported
// location is `global`.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudresourcemanager.googleapis.com/Project"
}
];
// Required. The pool to create.
WorkloadIdentityPool workload_identity_pool = 2 [(google.api.field_behavior) = REQUIRED];
// Required. The ID to use for the pool, which becomes the
// final component of the resource name. This value should be 4-32 characters,
// and may contain the characters [a-z0-9-]. The prefix `gcp-` is
// reserved for use by Google, and may not be specified.
string workload_identity_pool_id = 3 [(google.api.field_behavior) = REQUIRED];
}
// Request message for UpdateWorkloadIdentityPool.
message UpdateWorkloadIdentityPoolRequest {
// Required. The pool to update. The `name` field is used to identify the pool.
WorkloadIdentityPool workload_identity_pool = 1 [(google.api.field_behavior) = REQUIRED];
// Required. The list of fields update.
google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}
// Request message for DeleteWorkloadIdentityPool.
message DeleteWorkloadIdentityPoolRequest {
// Required. The name of the pool to delete.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPool"
}
];
}
// Request message for UndeleteWorkloadIdentityPool.
message UndeleteWorkloadIdentityPoolRequest {
// Required. The name of the pool to undelete.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPool"
}
];
}
// Request message for ListWorkloadIdentityPoolProviders.
message ListWorkloadIdentityPoolProvidersRequest {
// Required. The pool to list providers for.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPool"
}
];
// The maximum number of providers to return.
// If unspecified, at most 50 providers are returned.
// The maximum value is 100; values above 100 are truncated to 100.
int32 page_size = 2;
// A page token, received from a previous
// `ListWorkloadIdentityPoolProviders` call. Provide this to retrieve the
// subsequent page.
string page_token = 3;
// Whether to return soft-deleted providers.
bool show_deleted = 4;
}
// Response message for ListWorkloadIdentityPoolProviders.
message ListWorkloadIdentityPoolProvidersResponse {
// A list of providers.
repeated WorkloadIdentityPoolProvider workload_identity_pool_providers = 1;
// A token, which can be sent as `page_token` to retrieve the next page.
// If this field is omitted, there are no subsequent pages.
string next_page_token = 2;
}
// Request message for GetWorkloadIdentityPoolProvider.
message GetWorkloadIdentityPoolProviderRequest {
// Required. The name of the provider to retrieve.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPoolProvider"
}
];
}
// Request message for CreateWorkloadIdentityPoolProvider.
message CreateWorkloadIdentityPoolProviderRequest {
// Required. The pool to create this provider in.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPool"
}
];
// Required. The provider to create.
WorkloadIdentityPoolProvider workload_identity_pool_provider = 2 [(google.api.field_behavior) = REQUIRED];
// Required. The ID for the provider, which becomes the
// final component of the resource name. This value must be 4-32 characters,
// and may contain the characters [a-z0-9-]. The prefix `gcp-` is
// reserved for use by Google, and may not be specified.
string workload_identity_pool_provider_id = 3 [(google.api.field_behavior) = REQUIRED];
}
// Request message for UpdateWorkloadIdentityPoolProvider.
message UpdateWorkloadIdentityPoolProviderRequest {
// Required. The provider to update.
WorkloadIdentityPoolProvider workload_identity_pool_provider = 1 [(google.api.field_behavior) = REQUIRED];
// Required. The list of fields to update.
google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}
// Request message for DeleteWorkloadIdentityPoolProvider.
message DeleteWorkloadIdentityPoolProviderRequest {
// Required. The name of the provider to delete.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPoolProvider"
}
];
}
// Request message for UndeleteWorkloadIdentityPoolProvider.
message UndeleteWorkloadIdentityPoolProviderRequest {
// Required. The name of the provider to undelete.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPoolProvider"
}
];
}
// Metadata for long-running WorkloadIdentityPool operations.
message WorkloadIdentityPoolOperationMetadata {}
// Metadata for long-running WorkloadIdentityPoolProvider operations.
message WorkloadIdentityPoolProviderOperationMetadata {}
Write Preview
Loading…
Cancel
Save