1// Copyright 2023 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.cloud.bigquery.connection.v1; 18 19import "google/api/annotations.proto"; 20import "google/api/client.proto"; 21import "google/api/field_behavior.proto"; 22import "google/api/resource.proto"; 23import "google/iam/v1/iam_policy.proto"; 24import "google/iam/v1/policy.proto"; 25import "google/protobuf/empty.proto"; 26import "google/protobuf/field_mask.proto"; 27 28option csharp_namespace = "Google.Cloud.BigQuery.Connection.V1"; 29option go_package = "cloud.google.com/go/bigquery/connection/apiv1/connectionpb;connectionpb"; 30option java_multiple_files = true; 31option java_package = "com.google.cloud.bigquery.connection.v1"; 32option php_namespace = "Google\\Cloud\\BigQuery\\Connection\\V1"; 33option (google.api.resource_definition) = { 34 type: "dataproc.googleapis.com/Cluster" 35 pattern: "projects/{project}/regions/{region}/clusters/{cluster}" 36}; 37option (google.api.resource_definition) = { 38 type: "metastore.googleapis.com/Service" 39 pattern: "projects/{project}/locations/{location}/services/{service}" 40}; 41 42// Manages external data source connections and credentials. 
service ConnectionService {
  option (google.api.default_host) = "bigqueryconnection.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/bigquery,"
      "https://www.googleapis.com/auth/cloud-platform";

  // Creates a new connection.
  //
  // The request body may carry an input-only credential (see
  // `CloudSqlProperties.credential`), so treat request payloads and any
  // client-side request logging as sensitive. The returned `Connection`
  // does not echo the credential; only `Connection.has_credential` reports
  // that one is configured.
  rpc CreateConnection(CreateConnectionRequest) returns (Connection) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/connections"
      body: "connection"
    };
    option (google.api.method_signature) = "parent,connection,connection_id";
  }

  // Returns specified connection.
  //
  // Credential attributes are not part of `Connection` (see that message's
  // comment); `Connection.has_credential` indicates whether one is set.
  rpc GetConnection(GetConnectionRequest) returns (Connection) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/connections/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns a list of connections in the given project.
  //
  // Paginated: pass `ListConnectionsResponse.next_page_token` back as
  // `ListConnectionsRequest.page_token` to fetch the following page.
  rpc ListConnections(ListConnectionsRequest)
      returns (ListConnectionsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/connections"
    };
    option (google.api.method_signature) = "parent";
  }

  // Updates the specified connection. For security reasons, also resets
  // credential if connection properties are in the update field mask.
  //
  // Callers that change properties should therefore expect to supply the
  // credential again in that update (or a follow-up one) and can confirm the
  // outcome via `Connection.has_credential` on the response.
  rpc UpdateConnection(UpdateConnectionRequest) returns (Connection) {
    option (google.api.http) = {
      patch: "/v1/{name=projects/*/locations/*/connections/*}"
      body: "connection"
    };
    option (google.api.method_signature) = "name,connection,update_mask";
  }

  // Deletes connection and associated credential.
  rpc DeleteConnection(DeleteConnectionRequest)
      returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/locations/*/connections/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Gets the access control policy for a resource.
  // Returns an empty policy if the resource exists and does not have a policy
  // set.
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest)
      returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/locations/*/connections/*}:getIamPolicy"
      body: "*"
    };
    option (google.api.method_signature) = "resource,options";
  }

  // Sets the access control policy on the specified resource. Replaces any
  // existing policy.
  //
  // Because the whole policy is replaced, read the current policy with
  // `GetIamPolicy`, modify it, then set it; otherwise bindings added
  // concurrently by other callers are silently dropped.
  //
  // NOTE(review): a principal granted access to a connection can use it from
  // BigQuery, and the connection's stored credential or service account is
  // what then reaches the external resource (see `CloudResourceProperties`
  // and `CloudSqlProperties.service_account_id`) — grant deliberately.
  //
  // Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.
  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest)
      returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/locations/*/connections/*}:setIamPolicy"
      body: "*"
    };
    option (google.api.method_signature) = "resource,policy";
  }

  // Returns permissions that a caller has on the specified resource.
  // If the resource does not exist, this will return an empty set of
  // permissions, not a `NOT_FOUND` error.
  //
  // Note: This operation is designed to be used for building permission-aware
  // UIs and command-line tools, not for authorization checking. This operation
  // may "fail open" without warning. Never gate a security decision on its
  // result; rely on the enforcement performed by the target RPC itself.
  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest)
      returns (google.iam.v1.TestIamPermissionsResponse) {
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/locations/*/connections/*}:testIamPermissions"
      body: "*"
    };
    option (google.api.method_signature) = "resource,permissions";
  }
}

// The request for
// [ConnectionService.CreateConnection][google.cloud.bigquery.connection.v1.ConnectionService.CreateConnection].
message CreateConnectionRequest {
  // Required. Parent resource name.
  // Must be in the format `projects/{project_id}/locations/{location_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Optional. Connection id that should be assigned to the created connection.
  // It becomes the last segment of `Connection.name`. Behaviour when omitted
  // is not specified in this file (presumably the service chooses an id —
  // confirm against the API documentation).
  string connection_id = 2 [(google.api.field_behavior) = OPTIONAL];

  // Required. Connection to create. Output-only fields are ignored; input-only
  // fields (e.g. `CloudSqlProperties.credential`) are consumed here and not
  // returned.
  Connection connection = 3 [(google.api.field_behavior) = REQUIRED];
}

// The request for
// [ConnectionService.GetConnection][google.cloud.bigquery.connection.v1.ConnectionService.GetConnection].
message GetConnectionRequest {
  // Required. Name of the requested connection, for example:
  // `projects/{project_id}/locations/{location_id}/connections/{connection_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "bigqueryconnection.googleapis.com/Connection"
    }
  ];
}

// The request for
// [ConnectionService.ListConnections][google.cloud.bigquery.connection.v1.ConnectionService.ListConnections].
message ListConnectionsRequest {
  // Required. Parent resource name.
  // Must be in the form: `projects/{project_id}/locations/{location_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Required. Page size: the number of connections to return per page.
  // Unlike most list APIs this field is required, so a zero/unset value is
  // not a "use the default" request.
  int32 page_size = 4 [(google.api.field_behavior) = REQUIRED];

  // Page token. Leave empty for the first page; otherwise pass the
  // `next_page_token` from the previous `ListConnectionsResponse`.
  string page_token = 3;
}

// The response for
// [ConnectionService.ListConnections][google.cloud.bigquery.connection.v1.ConnectionService.ListConnections].
message ListConnectionsResponse {
  // Next page token. Empty when there are no further pages.
  string next_page_token = 1;

  // List of connections.
  repeated Connection connections = 2;
}

// The request for
// [ConnectionService.UpdateConnection][google.cloud.bigquery.connection.v1.ConnectionService.UpdateConnection].
message UpdateConnectionRequest {
  // Required. Name of the connection to update, for example:
  // `projects/{project_id}/locations/{location_id}/connections/{connection_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "bigqueryconnection.googleapis.com/Connection"
    }
  ];

  // Required. Connection containing the updated fields.
  Connection connection = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. Update mask for the connection fields to be updated.
  // Paths are snake_case field names of `Connection`. If the mask includes
  // connection properties, the stored credential is reset (see
  // `UpdateConnection`).
  google.protobuf.FieldMask update_mask = 3
      [(google.api.field_behavior) = REQUIRED];
}

// The request for
// [ConnectionService.DeleteConnection][google.cloud.bigquery.connection.v1.ConnectionService.DeleteConnection].
message DeleteConnectionRequest {
  // Required. Name of the deleted connection, for example:
  // `projects/{project_id}/locations/{location_id}/connections/{connection_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "bigqueryconnection.googleapis.com/Connection"
    }
  ];
}

// Configuration parameters to establish connection with an external data
// source, except the credential attributes.
//
// Credentials are supplied through input-only fields of the per-source
// properties messages and are never returned; `has_credential` is the only
// credential-related output.
message Connection {
  option (google.api.resource) = {
    type: "bigqueryconnection.googleapis.com/Connection"
    pattern: "projects/{project}/locations/{location}/connections/{connection}"
  };

  // The resource name of the connection in the form of:
  // `projects/{project_id}/locations/{location_id}/connections/{connection_id}`
  string name = 1;

  // User provided display name for the connection.
  string friendly_name = 2;

  // User provided description.
  string description = 3;

  // Properties specific to the underlying data source.
  // Exactly one member is set (oneof semantics); setting one clears the
  // others.
  oneof properties {
    // Cloud SQL properties.
    CloudSqlProperties cloud_sql = 4;

    // Amazon Web Services (AWS) properties.
    AwsProperties aws = 8;

    // Azure properties.
    AzureProperties azure = 11;

    // Cloud Spanner properties.
    CloudSpannerProperties cloud_spanner = 21;

    // Cloud Resource properties.
    CloudResourceProperties cloud_resource = 22;

    // Spark properties.
    SparkProperties spark = 23;

    // Optional. Salesforce DataCloud properties. This field is intended for
    // use only by Salesforce partner projects. This field contains properties
    // for your Salesforce DataCloud connection.
    SalesforceDataCloudProperties salesforce_data_cloud = 24
        [(google.api.field_behavior) = OPTIONAL];
  }

  // Output only. The creation timestamp of the connection.
  // Unit is not stated in this file (presumably milliseconds since the Unix
  // epoch — confirm against the API documentation before comparing).
  int64 creation_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The last update timestamp of the connection.
  // Same unit as `creation_time`.
  int64 last_modified_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. True, if credential is configured for this connection.
  // This is the only way to observe credential state through the API; the
  // credential value itself is never returned.
  bool has_credential = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Connection properties specific to the Cloud SQL.
message CloudSqlProperties {
  // Supported Cloud SQL database types.
  enum DatabaseType {
    // Unspecified database type.
    DATABASE_TYPE_UNSPECIFIED = 0;

    // Cloud SQL for PostgreSQL.
    POSTGRES = 1;

    // Cloud SQL for MySQL.
    MYSQL = 2;
  }

  // Cloud SQL instance ID in the form `project:location:instance`.
  string instance_id = 1;

  // Database name.
  string database = 2;

  // Type of the Cloud SQL database.
  DatabaseType type = 3;

  // Input only. Cloud SQL credential.
  // Accepted on create/update and never returned in any response; use
  // `Connection.has_credential` to check whether one is stored. Because
  // `UpdateConnection` resets the credential when properties are in the
  // update mask, re-supply it when changing other fields of this message.
  CloudSqlCredential credential = 4 [(google.api.field_behavior) = INPUT_ONLY];

  // Output only. The account ID of the service used for the purpose of this
  // connection.
  //
  // When the connection is used in the context of an operation in
  // BigQuery, this service account will serve as the identity being used for
  // connecting to the CloudSQL instance specified in this connection.
  string service_account_id = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Credential info for the Cloud SQL.
//
// Carried in plaintext inside the API request; handle the containing request
// as a secret (do not log it or persist it client-side).
message CloudSqlCredential {
  // The username for the credential.
  string username = 1;

  // The password for the credential.
  string password = 2;
}

// Connection properties specific to Cloud Spanner.
message CloudSpannerProperties {
  // Cloud Spanner database in the form `project/instance/database`
  string database = 1;

  // If parallelism should be used when reading from Cloud Spanner
  bool use_parallelism = 2;

  // Allows setting max parallelism per query when executing on Spanner
  // independent compute resources. If unspecified, default values of
  // parallelism are chosen that are dependent on the Cloud Spanner instance
  // configuration.
  //
  // REQUIRES: `use_parallelism` must be set.
  // REQUIRES: Either `use_data_boost` or `use_serverless_analytics` must be
  // set.
  int32 max_parallelism = 5;

  // If the serverless analytics service should be used to read data from Cloud
  // Spanner.
  // Note: `use_parallelism` must be set when using serverless analytics.
  bool use_serverless_analytics = 3;

  // If set, the request will be executed via Spanner independent compute
  // resources.
  // REQUIRES: `use_parallelism` must be set.
  //
  // NOTE: `use_serverless_analytics` will be deprecated. Prefer
  // `use_data_boost` over `use_serverless_analytics`.
  bool use_data_boost = 6;

  // Optional. Cloud Spanner database role for fine-grained access control.
  // The Cloud Spanner admin should have provisioned the database role with
  // appropriate permissions, such as `SELECT` and `INSERT`. Other users should
  // only use roles provided by their Cloud Spanner admins.
  //
  // Setting a role scoped to just the tables and operations the connection
  // needs is the least-privilege option; it bounds what any query issued
  // through this connection can do.
  //
  // For more details, see [About fine-grained access control]
  // (https://cloud.google.com/spanner/docs/fgac-about).
  //
  // REQUIRES: The database role name must start with a letter, and can only
  // contain letters, numbers, and underscores.
  string database_role = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Connection properties specific to Amazon Web Services (AWS).
message AwsProperties {
  // Authentication method chosen at connection creation.
  oneof authentication_method {
    // Authentication using Google owned AWS IAM user's access key to assume
    // into customer's AWS IAM Role.
    // Deprecated, do not use. Use `access_role` instead, which relies on a
    // Google-owned identity rather than a long-lived IAM user access key.
    AwsCrossAccountRole cross_account_role = 2 [deprecated = true];

    // Authentication using Google owned service account to assume into
    // customer's AWS IAM Role.
    AwsAccessRole access_role = 3;
  }
}

// Authentication method for Amazon Web Services (AWS) that uses Google owned
// AWS IAM user's access key to assume into customer's AWS IAM Role.
// Deprecated; see `AwsProperties.cross_account_role`.
message AwsCrossAccountRole {
  // The user's AWS IAM Role that trusts the Google-owned AWS IAM user
  // Connection.
  string iam_role_id = 1;

  // Output only. Google-owned AWS IAM User for a Connection.
  string iam_user_id = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A Google-generated id for representing Connection's identity
  // in AWS. External Id is also used for preventing the Confused Deputy
  // Problem. See
  // https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
  //
  // The trust policy on `iam_role_id` should require this external ID (per
  // the linked guide) so that only this connection, and not any other caller
  // using the same Google-owned IAM user, can assume the role.
  string external_id = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Authentication method for Amazon Web Services (AWS) that uses Google owned
// Google service account to assume into customer's AWS IAM Role.
message AwsAccessRole {
  // The user's AWS IAM Role that trusts the Google-owned identity in
  // `identity` for this Connection.
  //
  // NOTE(review): the previous comment said the role trusts a "Google-owned
  // AWS IAM user", which is the deprecated `AwsCrossAccountRole` model; this
  // message is documented as using a Google service account, so the trust
  // relationship is presumably to `identity` — confirm.
  string iam_role_id = 1;

  // A unique Google-owned and Google-generated identity for the Connection.
  // This identity will be used to access the user's AWS IAM Role.
  // Scope the role's trust policy to exactly this identity.
  string identity = 2;
}

// Container for connection properties specific to Azure.
message AzureProperties {
  // Output only. The name of the Azure Active Directory Application.
  string application = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The client id of the Azure Active Directory Application.
  string client_id = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The object id of the Azure Active Directory Application.
  string object_id = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The id of the customer's directory (tenant) that hosts the data.
  string customer_tenant_id = 4;

  // The URL user will be redirected to after granting consent during connection
  // setup.
  //
  // NOTE(review): this is a caller-supplied redirect target. Whether the
  // service restricts it to the application's registered redirect URIs is not
  // visible in this file — confirm before relying on it to prevent open
  // redirects after the consent step.
  string redirect_uri = 5;

  // The client ID of the user's Azure Active Directory Application used for a
  // federated connection.
  string federated_application_client_id = 6;

  // Output only. A unique Google-owned and Google-generated identity for the
  // Connection. This identity will be used to access the user's Azure Active
  // Directory Application.
  string identity = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Container for connection properties for delegation of access to GCP
// resources.
message CloudResourceProperties {
  // Output only. The account ID of the service created for the purpose of this
  // connection.
  //
  // The service account does not have any permissions associated with it
  // when it is created. After creation, customers delegate permissions
  // to the service account. When the connection is used in the context of an
  // operation in BigQuery, the service account will be used to connect to the
  // desired resources in GCP.
  //
  // Grant this account only the roles it needs on the specific target
  // resources: every principal allowed to use the connection effectively acts
  // with the permissions delegated here.
  //
  // The account ID is in the form of:
  // <service-1234>@gcp-sa-bigquery-cloudresource.iam.gserviceaccount.com
  string service_account_id = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Configuration of the Dataproc Metastore Service.
message MetastoreServiceConfig {
  // Optional. Resource name of an existing Dataproc Metastore service.
  //
  // Example:
  //
  // * `projects/[project_id]/locations/[region]/services/[service_id]`
  string metastore_service = 1 [
    (google.api.field_behavior) = OPTIONAL,
    (google.api.resource_reference) = {
      type: "metastore.googleapis.com/Service"
    }
  ];
}

// Configuration of the Spark History Server.
message SparkHistoryServerConfig {
  // Optional. Resource name of an existing Dataproc Cluster to act as a Spark
  // History Server for the connection.
  //
  // Example:
  //
  // * `projects/[project_id]/regions/[region]/clusters/[cluster_name]`
  string dataproc_cluster = 1 [
    (google.api.field_behavior) = OPTIONAL,
    (google.api.resource_reference) = {
      type: "dataproc.googleapis.com/Cluster"
    }
  ];
}

// Container for connection properties to execute stored procedures for Apache
// Spark.
message SparkProperties {
  // Output only. The account ID of the service created for the purpose of this
  // connection.
  //
  // The service account does not have any permissions associated with it when
  // it is created. After creation, customers delegate permissions to the
  // service account. When the connection is used in the context of a stored
  // procedure for Apache Spark in BigQuery, the service account is used to
  // connect to the desired resources in Google Cloud.
  //
  // Grant only the roles the stored procedures actually need; code run
  // through this connection executes with this account's permissions.
  //
  // The account ID is in the form of:
  // bqcx-<projectnumber>-<uniqueid>@gcp-sa-bigquery-consp.iam.gserviceaccount.com
  string service_account_id = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Dataproc Metastore Service configuration for the connection.
  MetastoreServiceConfig metastore_service_config = 3
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Spark History Server configuration for the connection.
  SparkHistoryServerConfig spark_history_server_config = 4
      [(google.api.field_behavior) = OPTIONAL];
}

// Connection properties specific to Salesforce DataCloud. This is intended for
// use only by Salesforce partner projects.
message SalesforceDataCloudProperties {
  // The URL to the user's Salesforce DataCloud instance.
  // NOTE(review): caller-supplied destination the service connects to; any
  // validation of the host/scheme happens server-side and is not visible
  // here — confirm.
  string instance_uri = 1;

  // Output only. A unique Google-owned and Google-generated service account
  // identity for the connection.
  string identity = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The ID of the user's Salesforce tenant.
  string tenant_id = 3;
}