// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.iam.v1beta;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/field_mask.proto";

option go_package = "cloud.google.com/go/iam/apiv1beta/iampb;iampb";
option java_multiple_files = true;
option java_outer_classname = "WorkloadIdentityPoolProto";
option java_package = "com.google.iam.v1beta";

// Manages WorkloadIdentityPools and the WorkloadIdentityPoolProviders
// configured within them.
service WorkloadIdentityPools {
  option (google.api.default_host) = "iam.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Lists all non-deleted
  // [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool]s in a
  // project. If `show_deleted` is set to `true`, then deleted pools are also
  // listed.
  rpc ListWorkloadIdentityPools(ListWorkloadIdentityPoolsRequest) returns (ListWorkloadIdentityPoolsResponse) {
    option (google.api.http) = {
      get: "/v1beta/{parent=projects/*/locations/*}/workloadIdentityPools"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets an individual
  // [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
  rpc GetWorkloadIdentityPool(GetWorkloadIdentityPoolRequest) returns (WorkloadIdentityPool) {
    option (google.api.http) = {
      get: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a new
  // [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
  //
  // You cannot reuse the name of a deleted pool until 30 days after deletion.
  rpc CreateWorkloadIdentityPool(CreateWorkloadIdentityPoolRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1beta/{parent=projects/*/locations/*}/workloadIdentityPools"
      body: "workload_identity_pool"
    };
    option (google.api.method_signature) = "parent,workload_identity_pool,workload_identity_pool_id";
    option (google.longrunning.operation_info) = {
      response_type: "WorkloadIdentityPool"
      metadata_type: "WorkloadIdentityPoolOperationMetadata"
    };
  }

  // Updates an existing
  // [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
  rpc UpdateWorkloadIdentityPool(UpdateWorkloadIdentityPoolRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1beta/{workload_identity_pool.name=projects/*/locations/*/workloadIdentityPools/*}"
      body: "workload_identity_pool"
    };
    option (google.api.method_signature) = "workload_identity_pool,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "WorkloadIdentityPool"
      metadata_type: "WorkloadIdentityPoolOperationMetadata"
    };
  }

  // Deletes a
  // [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
  //
  // You cannot use a deleted pool to exchange external
  // credentials for Google Cloud credentials. However, deletion does
  // not revoke credentials that have already been issued.
  // Credentials issued for a deleted pool do not grant access to resources.
  // If the pool is undeleted, and the credentials are not expired, they
  // grant access again.
  // You can undelete a pool for 30 days. After 30 days, deletion is
  // permanent.
  // You cannot update deleted pools. However, you can view and list them.
  rpc DeleteWorkloadIdentityPool(DeleteWorkloadIdentityPoolRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "WorkloadIdentityPool"
      metadata_type: "WorkloadIdentityPoolOperationMetadata"
    };
  }

  // Undeletes a [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool],
  // as long as it was deleted fewer than 30 days ago.
  rpc UndeleteWorkloadIdentityPool(UndeleteWorkloadIdentityPoolRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*}:undelete"
      body: "*"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "WorkloadIdentityPool"
      metadata_type: "WorkloadIdentityPoolOperationMetadata"
    };
  }

  // Lists all non-deleted
  // [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPoolProvider]s
  // in a [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
  // If `show_deleted` is set to `true`, then deleted providers are also listed.
  rpc ListWorkloadIdentityPoolProviders(ListWorkloadIdentityPoolProvidersRequest) returns (ListWorkloadIdentityPoolProvidersResponse) {
    option (google.api.http) = {
      get: "/v1beta/{parent=projects/*/locations/*/workloadIdentityPools/*}/providers"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets an individual
  // [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPoolProvider].
  rpc GetWorkloadIdentityPoolProvider(GetWorkloadIdentityPoolProviderRequest) returns (WorkloadIdentityPoolProvider) {
    option (google.api.http) = {
      get: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a new
  // [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPoolProvider]
  // in a [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
  //
  // You cannot reuse the name of a deleted provider until 30 days after
  // deletion.
  rpc CreateWorkloadIdentityPoolProvider(CreateWorkloadIdentityPoolProviderRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1beta/{parent=projects/*/locations/*/workloadIdentityPools/*}/providers"
      body: "workload_identity_pool_provider"
    };
    option (google.api.method_signature) = "parent,workload_identity_pool_provider,workload_identity_pool_provider_id";
    option (google.longrunning.operation_info) = {
      response_type: "WorkloadIdentityPoolProvider"
      metadata_type: "WorkloadIdentityPoolProviderOperationMetadata"
    };
  }

  // Updates an existing
  // [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPoolProvider].
  rpc UpdateWorkloadIdentityPoolProvider(UpdateWorkloadIdentityPoolProviderRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1beta/{workload_identity_pool_provider.name=projects/*/locations/*/workloadIdentityPools/*/providers/*}"
      body: "workload_identity_pool_provider"
    };
    option (google.api.method_signature) = "workload_identity_pool_provider,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "WorkloadIdentityPoolProvider"
      metadata_type: "WorkloadIdentityPoolProviderOperationMetadata"
    };
  }

  // Deletes a
  // [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPoolProvider].
  // Deleting a provider does not revoke credentials that have already been
  // issued; they continue to grant access. To block the use of already-issued
  // tokens, disable or delete the parent pool (see
  // `WorkloadIdentityPool.disabled` and
  // [DeleteWorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPools.DeleteWorkloadIdentityPool]).
  // You can undelete a provider for 30 days. After 30 days, deletion is
  // permanent.
  // You cannot update deleted providers. However, you can view and list them.
  rpc DeleteWorkloadIdentityPoolProvider(DeleteWorkloadIdentityPoolProviderRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "WorkloadIdentityPoolProvider"
      metadata_type: "WorkloadIdentityPoolProviderOperationMetadata"
    };
  }

  // Undeletes a
  // [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPoolProvider],
  // as long as it was deleted fewer than 30 days ago.
  rpc UndeleteWorkloadIdentityPoolProvider(UndeleteWorkloadIdentityPoolProviderRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*}:undelete"
      body: "*"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "WorkloadIdentityPoolProvider"
      metadata_type: "WorkloadIdentityPoolProviderOperationMetadata"
    };
  }
}

// Represents a collection of external workload identities. You can define IAM
// policies to grant these identities access to Google Cloud resources.
message WorkloadIdentityPool {
  option (google.api.resource) = {
    type: "iam.googleapis.com/WorkloadIdentityPool"
    pattern: "projects/{project}/locations/{location}/workloadIdentityPools/{workload_identity_pool}"
  };

  // The current state of the pool.
  enum State {
    // State unspecified.
    STATE_UNSPECIFIED = 0;

    // The pool is active, and may be used in Google Cloud policies.
    ACTIVE = 1;

    // The pool is soft-deleted. Soft-deleted pools are permanently deleted
    // after approximately 30 days. You can restore a soft-deleted pool using
    // [UndeleteWorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPools.UndeleteWorkloadIdentityPool].
    //
    // You cannot reuse the ID of a soft-deleted pool until it is permanently
    // deleted.
    //
    // While a pool is deleted, you cannot use it to exchange tokens, or use
    // existing tokens to access resources. If the pool is undeleted, existing
    // tokens grant access again.
    DELETED = 2;
  }

  // Output only. The resource name of the pool.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // A display name for the pool. Cannot exceed 32 characters.
  string display_name = 2;

  // A description of the pool. Cannot exceed 256 characters.
  string description = 3;

  // Output only. The state of the pool.
  State state = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Whether the pool is disabled. You cannot use a disabled pool to exchange
  // tokens, or use existing tokens to access resources. If
  // the pool is re-enabled, existing tokens grant access again.
  //
  // Disabling the pool is the pool-level switch that also stops
  // already-issued tokens from being used; disabling or deleting an
  // individual provider does not (see `WorkloadIdentityPoolProvider.disabled`).
  bool disabled = 5;
}

// A configuration for an external identity provider.
message WorkloadIdentityPoolProvider {
  option (google.api.resource) = {
    type: "iam.googleapis.com/WorkloadIdentityPoolProvider"
    pattern: "projects/{project}/locations/{location}/workloadIdentityPools/{workload_identity_pool}/providers/{workload_identity_pool_provider}"
  };

  // Represents an Amazon Web Services identity provider.
  message Aws {
    // Required. The AWS account ID.
    string account_id = 1 [(google.api.field_behavior) = REQUIRED];
  }

  // Represents an OpenID Connect 1.0 identity provider.
  message Oidc {
    // Required. The OIDC issuer URL.
    string issuer_uri = 1 [(google.api.field_behavior) = REQUIRED];

    // Acceptable values for the `aud` field (audience) in the OIDC token. Token
    // exchange requests are rejected if the token audience does not match one
    // of the configured values. Each audience may be at most 256 characters. A
    // maximum of 10 audiences may be configured.
    //
    // If this list is empty, the OIDC token audience must be equal to
    // the full canonical resource name of the WorkloadIdentityPoolProvider,
    // with or without the HTTPS prefix. An empty list therefore binds
    // accepted tokens to this specific provider's resource name. For example:
    //
    // ```
    // //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
    // https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
    // ```
    repeated string allowed_audiences = 2;
  }

  // The current state of the provider.
  enum State {
    // State unspecified.
    STATE_UNSPECIFIED = 0;

    // The provider is active, and may be used to validate authentication
    // credentials.
    ACTIVE = 1;

    // The provider is soft-deleted. Soft-deleted providers are permanently
    // deleted after approximately 30 days. You can restore a soft-deleted
    // provider using
    // [UndeleteWorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPools.UndeleteWorkloadIdentityPoolProvider].
    //
    // You cannot reuse the ID of a soft-deleted provider until it is
    // permanently deleted.
    DELETED = 2;
  }

  // Output only. The resource name of the provider.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // A display name for the provider. Cannot exceed 32 characters.
  string display_name = 2;

  // A description for the provider. Cannot exceed 256 characters.
  string description = 3;

  // Output only. The state of the provider.
  State state = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Whether the provider is disabled. You cannot use a disabled provider to
  // exchange tokens. However, existing tokens still grant access. To block
  // already-issued tokens as well, disable the parent pool
  // (`WorkloadIdentityPool.disabled`).
  bool disabled = 5;

  // Maps attributes from authentication credentials issued by an external
  // identity provider to Google Cloud attributes, such as `subject` and
  // `segment`.
  //
  // Each key must be a string specifying the Google Cloud IAM attribute to
  // map to.
  //
  // The following keys are supported:
  //
  // * `google.subject`: The principal IAM is authenticating. You can reference
  //                     this value in IAM bindings. This is also the
  //                     subject that appears in Cloud Logging logs.
  //                     Cannot exceed 127 characters.
  //
  // * `google.groups`: Groups the external identity belongs to. You can grant
  //                    groups access to resources using an IAM `principalSet`
  //                    binding; access applies to all members of the group.
  //
  // You can also provide custom attributes by specifying
  // `attribute.{custom_attribute}`, where `{custom_attribute}` is the name of
  // the custom attribute to be mapped. You can define a maximum of 50 custom
  // attributes. The maximum length of a mapped attribute key is
  // 100 characters, and the key may only contain the characters [a-z0-9_].
  //
  // You can reference these attributes in IAM policies to define fine-grained
  // access for a workload to Google Cloud resources. For example:
  //
  // * `google.subject`:
  //   `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`
  //
  // * `google.groups`:
  //   `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`
  //
  // * `attribute.{custom_attribute}`:
  //   `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`
  //
  // Each value must be a [Common Expression Language]
  // (https://opensource.google/projects/cel) function that maps an
  // identity provider credential to the normalized attribute specified by the
  // corresponding map key.
  //
  // You can use the `assertion` keyword in the expression to access a JSON
  // representation of the authentication credential issued by the provider.
  //
  // Because the mapped `google.subject` and `google.groups` values are what
  // IAM bindings match against, the mapping decides which external identities
  // a binding ultimately grants access to; review it together with
  // `attribute_condition`.
  //
  // The maximum length of an attribute mapping expression is 2048 characters.
  // When evaluated, the total size of all mapped attributes must not exceed
  // 8KB.
  //
  // For AWS providers, the following rules apply:
  //
  // - If no attribute mapping is defined, the following default mapping
  //   applies:
  //
  //   ```
  //   {
  //     "google.subject":"assertion.arn",
  //     "attribute.aws_role":
  //         "assertion.arn.contains('assumed-role')"
  //         " ? assertion.arn.extract('{account_arn}assumed-role/')"
  //         "   + 'assumed-role/'"
  //         "   + assertion.arn.extract('assumed-role/{role_name}/')"
  //         " : assertion.arn",
  //   }
  //   ```
  //
  // - If any custom attribute mappings are defined, they must include a mapping
  //   to the `google.subject` attribute.
  //
  //
  // For OIDC providers, the following rules apply:
  //
  // - Custom attribute mappings must be defined, and must include a mapping to
  //   the `google.subject` attribute. For example, the following maps the
  //   `sub` claim of the incoming credential to the `subject` attribute on
  //   a Google token.
  //
  //   ```
  //   {"google.subject": "assertion.sub"}
  //   ```
  map<string, string> attribute_mapping = 6;

  // [A Common Expression Language](https://opensource.google/projects/cel)
  // expression, in plain text, that restricts which otherwise valid
  // authentication credentials issued by the provider are accepted.
  //
  // The expression must output a boolean representing whether to allow the
  // federation.
  //
  // The following keywords may be referenced in the expressions:
  //
  // * `assertion`: JSON representing the authentication credential issued by
  //                the provider.
  // * `google`: The Google attributes mapped from the assertion in the
  //             `attribute_mapping`.
  // * `attribute`: The custom attributes mapped from the assertion in the
  //                `attribute_mapping`.
  //
  // The maximum length of the attribute condition expression is 4096
  // characters. If unspecified, all valid authentication credentials are
  // accepted: any credential that satisfies the provider's issuer, audience
  // and attribute-mapping checks can federate. Use a condition to narrow the
  // set of external identities that may do so.
  //
  // The following example shows how to only allow credentials with a mapped
  // `google.groups` value of `admins`:
  //
  // ```
  // "'admins' in google.groups"
  // ```
  string attribute_condition = 7;

  // Identity provider configuration types.
  oneof provider_config {
    // An Amazon Web Services identity provider.
    Aws aws = 8;

    // An OpenID Connect 1.0 identity provider.
    Oidc oidc = 9;
  }
}

// Request message for ListWorkloadIdentityPools.
message ListWorkloadIdentityPoolsRequest {
  // Required. The parent resource to list pools for.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Project"
    }
  ];

  // The maximum number of pools to return.
  // If unspecified, at most 50 pools are returned.
  // The maximum value is 1000; values above 1000 are truncated to 1000.
  int32 page_size = 2;

  // A page token, received from a previous `ListWorkloadIdentityPools`
  // call. Provide this to retrieve the subsequent page.
  string page_token = 3;

  // Whether to return soft-deleted pools.
  bool show_deleted = 4;
}

// Response message for ListWorkloadIdentityPools.
message ListWorkloadIdentityPoolsResponse {
  // A list of pools.
  repeated WorkloadIdentityPool workload_identity_pools = 1;

  // A token, which can be sent as `page_token` to retrieve the next page.
  // If this field is omitted, there are no subsequent pages.
  string next_page_token = 2;
}

// Request message for GetWorkloadIdentityPool.
message GetWorkloadIdentityPoolRequest {
  // Required. The name of the pool to retrieve.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/WorkloadIdentityPool"
    }
  ];
}

// Request message for CreateWorkloadIdentityPool.
message CreateWorkloadIdentityPoolRequest {
  // Required. The parent resource to create the pool in. The only supported
  // location is `global`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Project"
    }
  ];

  // Required. The pool to create.
  WorkloadIdentityPool workload_identity_pool = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The ID to use for the pool, which becomes the
  // final component of the resource name. This value should be 4-32 characters,
  // and may contain the characters [a-z0-9-]. The prefix `gcp-` is
  // reserved for use by Google, and may not be specified.
  string workload_identity_pool_id = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request message for UpdateWorkloadIdentityPool.
message UpdateWorkloadIdentityPoolRequest {
  // Required. The pool to update. The `name` field is used to identify the pool.
  WorkloadIdentityPool workload_identity_pool = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The list of fields to update.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request message for DeleteWorkloadIdentityPool.
message DeleteWorkloadIdentityPoolRequest {
  // Required. The name of the pool to delete.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/WorkloadIdentityPool"
    }
  ];
}

// Request message for UndeleteWorkloadIdentityPool.
message UndeleteWorkloadIdentityPoolRequest {
  // Required. The name of the pool to undelete.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/WorkloadIdentityPool"
    }
  ];
}

// Request message for ListWorkloadIdentityPoolProviders.
message ListWorkloadIdentityPoolProvidersRequest {
  // Required. The pool to list providers for.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/WorkloadIdentityPool"
    }
  ];

  // The maximum number of providers to return.
  // If unspecified, at most 50 providers are returned.
  // The maximum value is 100; values above 100 are truncated to 100.
  int32 page_size = 2;

  // A page token, received from a previous
  // `ListWorkloadIdentityPoolProviders` call. Provide this to retrieve the
  // subsequent page.
  string page_token = 3;

  // Whether to return soft-deleted providers.
  bool show_deleted = 4;
}

// Response message for ListWorkloadIdentityPoolProviders.
message ListWorkloadIdentityPoolProvidersResponse {
  // A list of providers.
  repeated WorkloadIdentityPoolProvider workload_identity_pool_providers = 1;

  // A token, which can be sent as `page_token` to retrieve the next page.
  // If this field is omitted, there are no subsequent pages.
  string next_page_token = 2;
}

// Request message for GetWorkloadIdentityPoolProvider.
message GetWorkloadIdentityPoolProviderRequest {
  // Required. The name of the provider to retrieve.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/WorkloadIdentityPoolProvider"
    }
  ];
}

// Request message for CreateWorkloadIdentityPoolProvider.
message CreateWorkloadIdentityPoolProviderRequest {
  // Required. The pool to create this provider in.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/WorkloadIdentityPool"
    }
  ];

  // Required. The provider to create.
  WorkloadIdentityPoolProvider workload_identity_pool_provider = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The ID for the provider, which becomes the
  // final component of the resource name. This value must be 4-32 characters,
  // and may contain the characters [a-z0-9-]. The prefix `gcp-` is
  // reserved for use by Google, and may not be specified.
  string workload_identity_pool_provider_id = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request message for UpdateWorkloadIdentityPoolProvider.
message UpdateWorkloadIdentityPoolProviderRequest {
  // Required. The provider to update. The `name` field is used to identify
  // the provider.
  WorkloadIdentityPoolProvider workload_identity_pool_provider = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The list of fields to update.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request message for DeleteWorkloadIdentityPoolProvider.
message DeleteWorkloadIdentityPoolProviderRequest {
  // Required. The name of the provider to delete.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/WorkloadIdentityPoolProvider"
    }
  ];
}

// Request message for UndeleteWorkloadIdentityPoolProvider.
message UndeleteWorkloadIdentityPoolProviderRequest {
  // Required. The name of the provider to undelete.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/WorkloadIdentityPoolProvider"
    }
  ];
}

// Metadata for long-running WorkloadIdentityPool operations.
// Currently carries no fields; defined so that fields can be added later
// without changing the operation's `metadata_type`.
message WorkloadIdentityPoolOperationMetadata {}

// Metadata for long-running WorkloadIdentityPoolProvider operations.
// Currently carries no fields; defined so that fields can be added later
// without changing the operation's `metadata_type`.
message WorkloadIdentityPoolProviderOperationMetadata {}