// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.iam.credentials.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";

// Code-generation settings for each target language. The package/namespace
// values are part of the published API surface: changing one is
// source-breaking for every client in that language, even though the wire
// format is unaffected.
option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Iam.Credentials.V1";
option go_package = "cloud.google.com/go/iam/credentials/apiv1/credentialspb;credentialspb";
option java_multiple_files = true;
option java_outer_classname = "IAMCredentialsCommonProto";
option java_package = "com.google.cloud.iam.credentials.v1";
option php_namespace = "Google\\Cloud\\Iam\\Credentials\\V1";
// Declares the `iam.googleapis.com/ServiceAccount` resource type that the
// `name` fields in this file point at through `(google.api.resource_reference)`.
// The pattern is the canonical resource name; the request messages below
// document a `projects/-` wildcard form rather than a concrete project ID.
option (google.api.resource_definition) = {
  type: "iam.googleapis.com/ServiceAccount"
  pattern: "projects/{project}/serviceAccounts/{service_account}"
};

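// Request for `GenerateAccessToken`: mints a short-lived OAuth 2.0 access
// token for a service account, optionally through a chain of delegates.
message GenerateAccessTokenRequest {
  // Field numbers 3, 5 and 6 are not assigned in this message. They are
  // reserved so that no future field can be added under a number that earlier
  // revisions of this API may already have used with a different meaning.
  reserved 3, 5, 6;

  // Required. The resource name of the service account for which the
  // credentials are requested, in the following format:
  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
  // character is required; replacing it with a project ID is invalid.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];

  // The sequence of service accounts in a delegation chain. Each service
  // account must be granted the `roles/iam.serviceAccountTokenCreator` role
  // on its next service account in the chain. The last service account in the
  // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
  // on the service account that is specified in the `name` field of the
  // request.
  //
  // The delegates must have the following format:
  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
  // character is required; replacing it with a project ID is invalid.
  //
  // Every entry in the chain widens the set of principals whose role grants
  // the request depends on; keep the chain as short as the use case allows.
  repeated string delegates = 2;

  // Required. Code to identify the scopes to be included in the OAuth 2.0
  // access token.
  // See https://developers.google.com/identity/protocols/googlescopes for more
  // information.
  // At least one value is required.
  //
  // The field is named `scope` (singular) although it is repeated; the name is
  // part of the published JSON and generated-code contract and must not be
  // renamed to `scopes`.
  repeated string scope = 4 [(google.api.field_behavior) = REQUIRED];

  // The desired lifetime duration of the access token in seconds.
  // Must be set to a value less than or equal to 3600 (1 hour). If a value is
  // not specified, the token's lifetime will be set to a default value of one
  // hour. Request the shortest lifetime the caller actually needs: it bounds
  // how long the issued token remains usable if it leaks.
  google.protobuf.Duration lifetime = 7;
}
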
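// Response for `GenerateAccessToken`.
message GenerateAccessTokenResponse {
  // Field number 2 is not assigned in this message. It is reserved so that no
  // future field can be added under a number that earlier revisions of this
  // API may already have used with a different meaning.
  reserved 2;

  // The OAuth 2.0 access token. Treat it as a secret: it is a bearer
  // credential, so anyone holding it can act with the granted scopes until
  // `expire_time`.
  string access_token = 1;

  // Token expiration time.
  // The expiration time is always set.
  google.protobuf.Timestamp expire_time = 3;
}
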
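// Request for `SignBlob`: signs arbitrary bytes on behalf of a service
// account, optionally through a chain of delegates.
message SignBlobRequest {
  // Field numbers 2 and 4 are not assigned in this message. They are reserved
  // so that no future field can be added under a number that earlier
  // revisions of this API may already have used with a different meaning.
  reserved 2, 4;

  // Required. The resource name of the service account for which the
  // credentials are requested, in the following format:
  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
  // character is required; replacing it with a project ID is invalid.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];

  // The sequence of service accounts in a delegation chain. Each service
  // account must be granted the `roles/iam.serviceAccountTokenCreator` role
  // on its next service account in the chain. The last service account in the
  // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
  // on the service account that is specified in the `name` field of the
  // request.
  //
  // The delegates must have the following format:
  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
  // character is required; replacing it with a project ID is invalid.
  repeated string delegates = 3;

  // Required. The bytes to sign. Arbitrary binary data; unlike
  // `SignJwtRequest.payload` it does not have to be valid UTF-8. The resulting
  // signature is attributable to the service account in `name`, so callers
  // should only sign data they have validated.
  bytes payload = 5 [(google.api.field_behavior) = REQUIRED];
}
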
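// Response for `SignBlob`.
message SignBlobResponse {
  // Field numbers 2 and 3 are not assigned in this message. They are reserved
  // so that no future field can be added under a number that earlier
  // revisions of this API may already have used with a different meaning.
  reserved 2, 3;

  // The ID of the key used to sign the blob, so that a verifier can look up
  // the corresponding public key for `signed_blob`.
  string key_id = 1;

  // The signed blob: the raw signature bytes over `SignBlobRequest.payload`.
  bytes signed_blob = 4;
}
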
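// Request for `SignJwt`: signs a JWT claims set on behalf of a service
// account, optionally through a chain of delegates.
message SignJwtRequest {
  // Field numbers 2 and 4 are not assigned in this message. They are reserved
  // so that no future field can be added under a number that earlier
  // revisions of this API may already have used with a different meaning.
  reserved 2, 4;

  // Required. The resource name of the service account for which the
  // credentials are requested, in the following format:
  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
  // character is required; replacing it with a project ID is invalid.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];

  // The sequence of service accounts in a delegation chain. Each service
  // account must be granted the `roles/iam.serviceAccountTokenCreator` role
  // on its next service account in the chain. The last service account in the
  // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
  // on the service account that is specified in the `name` field of the
  // request.
  //
  // The delegates must have the following format:
  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
  // character is required; replacing it with a project ID is invalid.
  repeated string delegates = 3;

  // Required. The JWT payload to sign: a JSON object that contains a JWT
  // Claims Set. Unlike `SignBlobRequest.payload` (`bytes`), this field is a
  // `string` and must therefore be valid UTF-8. The claims are signed as given,
  // so the caller is responsible for the audience and expiry values it puts in
  // them.
  string payload = 5 [(google.api.field_behavior) = REQUIRED];
}
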
// Response for `SignJwt`.
message SignJwtResponse {
  // Identifier of the key that produced `signed_jwt`; lets a verifier select
  // the matching public key.
  string key_id = 1;

  // The signed JWT, i.e. the compact serialization of the claims set from
  // `SignJwtRequest.payload` together with its signature.
  string signed_jwt = 2;
}

// Request for `GenerateIdToken`: mints an OpenID Connect ID token for a
// service account, optionally through a chain of delegates.
message GenerateIdTokenRequest {
  // Required. Resource name of the service account the token is minted for,
  // in the form `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
  // The `-` wildcard is mandatory; substituting a project ID is invalid.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference).type = "iam.googleapis.com/ServiceAccount"
  ];

  // Ordered delegation chain. Each service account listed needs the
  // `roles/iam.serviceAccountTokenCreator` role on the next one in the chain,
  // and the final entry needs that role on the service account in `name`.
  //
  // Every delegate uses the same `projects/-/serviceAccounts/{...}` form as
  // `name`; the `-` wildcard is mandatory and a project ID is invalid here.
  repeated string delegates = 2;

  // Required. Audience of the token — the API or account it grants access
  // to. The relying party is expected to reject tokens whose audience does
  // not match, so set it to exactly the value that party checks.
  string audience = 3 [(google.api.field_behavior) = REQUIRED];

  // When `true`, the token carries `email` and `email_verified` claims, i.e.
  // the service account's email is disclosed to whoever receives the token.
  // Leave unset unless the audience actually needs those claims.
  bool include_email = 4;
}

// Response for `GenerateIdToken`.
message GenerateIdTokenResponse {
  // The OpenID Connect ID token that was minted. It is a bearer credential
  // for the requested audience, so handle it as a secret.
  string token = 1;
}