1// Copyright 2022 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.iam.admin.v1; 18 19import "google/api/annotations.proto"; 20import "google/api/client.proto"; 21import "google/api/field_behavior.proto"; 22import "google/api/resource.proto"; 23import "google/iam/v1/iam_policy.proto"; 24import "google/iam/v1/policy.proto"; 25import "google/protobuf/empty.proto"; 26import "google/protobuf/field_mask.proto"; 27import "google/protobuf/timestamp.proto"; 28import "google/type/expr.proto"; 29 30option cc_enable_arenas = true; 31option csharp_namespace = "Google.Cloud.Iam.Admin.V1"; 32option go_package = "cloud.google.com/go/iam/admin/apiv1/adminpb;adminpb"; 33option java_multiple_files = true; 34option java_package = "com.google.iam.admin.v1"; 35option php_namespace = "Google\\Cloud\\Iam\\Admin\\V1"; 36 37// Creates and manages Identity and Access Management (IAM) resources. 38// 39// You can use this service to work with all of the following resources: 40// 41// * **Service accounts**, which identify an application or a virtual machine 42// (VM) instance rather than a person 43// * **Service account keys**, which service accounts use to authenticate with 44// Google APIs 45// * **IAM policies for service accounts**, which specify the roles that a 46// principal has for the service account 47// * **IAM custom roles**, which help you limit the number of permissions that 48// you grant to principals 49// 50// In addition, you can use this service to complete the following tasks, among 51// others: 52// 53// * Test whether a service account can use specific permissions 54// * Check which roles you can grant for a specific resource 55// * Lint, or validate, condition expressions in an IAM policy 56// 57// When you read data from the IAM API, each read is eventually consistent. In 58// other words, if you write data with the IAM API, then immediately read that 59// data, the read operation might return an older version of the data. To deal 60// with this behavior, your application can retry the request with truncated 61// exponential backoff. 62// 63// In contrast, writing data to the IAM API is sequentially consistent. In other 64// words, write operations are always processed in the order in which they were 65// received. 66service IAM { 67 option (google.api.default_host) = "iam.googleapis.com"; 68 option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform"; 69 70 // Lists every [ServiceAccount][google.iam.admin.v1.ServiceAccount] that belongs to a specific project. 71 rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) { 72 option (google.api.http) = { 73 get: "/v1/{name=projects/*}/serviceAccounts" 74 }; 75 option (google.api.method_signature) = "name"; 76 } 77 78 // Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. 79 rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount) { 80 option (google.api.http) = { 81 get: "/v1/{name=projects/*/serviceAccounts/*}" 82 }; 83 option (google.api.method_signature) = "name"; 84 } 85 86 // Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. 87 rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) { 88 option (google.api.http) = { 89 post: "/v1/{name=projects/*}/serviceAccounts" 90 body: "*" 91 }; 92 option (google.api.method_signature) = "name,account_id,service_account"; 93 } 94 95 // **Note:** We are in the process of deprecating this method. Use 96 // [PatchServiceAccount][google.iam.admin.v1.IAM.PatchServiceAccount] instead. 97 // 98 // Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. 99 // 100 // You can update only the `display_name` field. 101 rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) { 102 option (google.api.http) = { 103 put: "/v1/{name=projects/*/serviceAccounts/*}" 104 body: "*" 105 }; 106 } 107 108 // Patches a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. 109 rpc PatchServiceAccount(PatchServiceAccountRequest) returns (ServiceAccount) { 110 option (google.api.http) = { 111 patch: "/v1/{service_account.name=projects/*/serviceAccounts/*}" 112 body: "*" 113 }; 114 } 115 116 // Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. 117 // 118 // **Warning:** After you delete a service account, you might not be able to 119 // undelete it. If you know that you need to re-enable the service account in 120 // the future, use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] instead. 121 // 122 // If you delete a service account, IAM permanently removes the service 123 // account 30 days later. Google Cloud cannot recover the service account 124 // after it is permanently removed, even if you file a support request. 125 // 126 // To help avoid unplanned outages, we recommend that you disable the service 127 // account before you delete it. Use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] to disable the 128 // service account, then wait at least 24 hours and watch for unintended 129 // consequences. If there are no unintended consequences, you can delete the 130 // service account. 131 rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) { 132 option (google.api.http) = { 133 delete: "/v1/{name=projects/*/serviceAccounts/*}" 134 }; 135 option (google.api.method_signature) = "name"; 136 } 137 138 // Restores a deleted [ServiceAccount][google.iam.admin.v1.ServiceAccount]. 139 // 140 // **Important:** It is not always possible to restore a deleted service 141 // account. Use this method only as a last resort. 142 // 143 // After you delete a service account, IAM permanently removes the service 144 // account 30 days later. There is no way to restore a deleted service account 145 // that has been permanently removed. 146 rpc UndeleteServiceAccount(UndeleteServiceAccountRequest) returns (UndeleteServiceAccountResponse) { 147 option (google.api.http) = { 148 post: "/v1/{name=projects/*/serviceAccounts/*}:undelete" 149 body: "*" 150 }; 151 } 152 153 // Enables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] that was disabled by 154 // [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount]. 155 // 156 // If the service account is already enabled, then this method has no effect. 157 // 158 // If the service account was disabled by other means—for example, if Google 159 // disabled the service account because it was compromised—you cannot use this 160 // method to enable the service account. 161 rpc EnableServiceAccount(EnableServiceAccountRequest) returns (google.protobuf.Empty) { 162 option (google.api.http) = { 163 post: "/v1/{name=projects/*/serviceAccounts/*}:enable" 164 body: "*" 165 }; 166 } 167 168 // Disables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] immediately. 169 // 170 // If an application uses the service account to authenticate, that 171 // application can no longer call Google APIs or access Google Cloud 172 // resources. Existing access tokens for the service account are rejected, and 173 // requests for new access tokens will fail. 174 // 175 // To re-enable the service account, use [EnableServiceAccount][google.iam.admin.v1.IAM.EnableServiceAccount]. After you 176 // re-enable the service account, its existing access tokens will be accepted, 177 // and you can request new access tokens. 178 // 179 // To help avoid unplanned outages, we recommend that you disable the service 180 // account before you delete it. Use this method to disable the service 181 // account, then wait at least 24 hours and watch for unintended consequences. 182 // If there are no unintended consequences, you can delete the service account 183 // with [DeleteServiceAccount][google.iam.admin.v1.IAM.DeleteServiceAccount]. 184 rpc DisableServiceAccount(DisableServiceAccountRequest) returns (google.protobuf.Empty) { 185 option (google.api.http) = { 186 post: "/v1/{name=projects/*/serviceAccounts/*}:disable" 187 body: "*" 188 }; 189 } 190 191 // Lists every [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] for a service account. 192 rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) { 193 option (google.api.http) = { 194 get: "/v1/{name=projects/*/serviceAccounts/*}/keys" 195 }; 196 option (google.api.method_signature) = "name,key_types"; 197 } 198 199 // Gets a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. 200 rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) { 201 option (google.api.http) = { 202 get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" 203 }; 204 option (google.api.method_signature) = "name,public_key_type"; 205 } 206 207 // Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. 208 rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) { 209 option (google.api.http) = { 210 post: "/v1/{name=projects/*/serviceAccounts/*}/keys" 211 body: "*" 212 }; 213 option (google.api.method_signature) = "name,private_key_type,key_algorithm"; 214 } 215 216 // Uploads the public key portion of a key pair that you manage, and 217 // associates the public key with a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. 218 // 219 // After you upload the public key, you can use the private key from the key 220 // pair as a service account key. 221 rpc UploadServiceAccountKey(UploadServiceAccountKeyRequest) returns (ServiceAccountKey) { 222 option (google.api.http) = { 223 post: "/v1/{name=projects/*/serviceAccounts/*}/keys:upload" 224 body: "*" 225 }; 226 } 227 228 // Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. Deleting a service account key does not 229 // revoke short-lived credentials that have been issued based on the service 230 // account key. 231 rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) { 232 option (google.api.http) = { 233 delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" 234 }; 235 option (google.api.method_signature) = "name"; 236 } 237 238 // Disable a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. A disabled service account key can be 239 // re-enabled with [EnableServiceAccountKey][google.iam.admin.v1.IAM.EnableServiceAccountKey]. 240 rpc DisableServiceAccountKey(DisableServiceAccountKeyRequest) returns (google.protobuf.Empty) { 241 option (google.api.http) = { 242 post: "/v1/{name=projects/*/serviceAccounts/*/keys/*}:disable" 243 body: "*" 244 }; 245 option (google.api.method_signature) = "name"; 246 } 247 248 // Enable a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. 249 rpc EnableServiceAccountKey(EnableServiceAccountKeyRequest) returns (google.protobuf.Empty) { 250 option (google.api.http) = { 251 post: "/v1/{name=projects/*/serviceAccounts/*/keys/*}:enable" 252 body: "*" 253 }; 254 option (google.api.method_signature) = "name"; 255 } 256 257 // **Note:** This method is deprecated. Use the 258 // [`signBlob`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signBlob) 259 // method in the IAM Service Account Credentials API instead. If you currently 260 // use this method, see the [migration 261 // guide](https://cloud.google.com/iam/help/credentials/migrate-api) for 262 // instructions. 263 // 264 // Signs a blob using the system-managed private key for a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. 265 rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) { 266 option deprecated = true; 267 option (google.api.http) = { 268 post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob" 269 body: "*" 270 }; 271 option (google.api.method_signature) = "name,bytes_to_sign"; 272 } 273 274 // **Note:** This method is deprecated. Use the 275 // [`signJwt`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signJwt) 276 // method in the IAM Service Account Credentials API instead. If you currently 277 // use this method, see the [migration 278 // guide](https://cloud.google.com/iam/help/credentials/migrate-api) for 279 // instructions. 280 // 281 // Signs a JSON Web Token (JWT) using the system-managed private key for a 282 // [ServiceAccount][google.iam.admin.v1.ServiceAccount]. 283 rpc SignJwt(SignJwtRequest) returns (SignJwtResponse) { 284 option deprecated = true; 285 option (google.api.http) = { 286 post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt" 287 body: "*" 288 }; 289 option (google.api.method_signature) = "name,payload"; 290 } 291 292 // Gets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. This IAM 293 // policy specifies which principals have access to the service account. 294 // 295 // This method does not tell you whether the service account has been granted 296 // any roles on other resources. To check whether a service account has role 297 // grants on a resource, use the `getIamPolicy` method for that resource. For 298 // example, to view the role grants for a project, call the Resource Manager 299 // API's 300 // [`projects.getIamPolicy`](https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy) 301 // method. 302 rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) { 303 option (google.api.http) = { 304 post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy" 305 }; 306 option (google.api.method_signature) = "resource"; 307 } 308 309 // Sets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. 310 // 311 // Use this method to grant or revoke access to the service account. For 312 // example, you could grant a principal the ability to impersonate the service 313 // account. 314 // 315 // This method does not enable the service account to access other resources. 316 // To grant roles to a service account on a resource, follow these steps: 317 // 318 // 1. Call the resource's `getIamPolicy` method to get its current IAM policy. 319 // 2. Edit the policy so that it binds the service account to an IAM role for 320 // the resource. 321 // 3. Call the resource's `setIamPolicy` method to update its IAM policy. 322 // 323 // For detailed instructions, see 324 // [Manage access to project, folders, and 325 // organizations](https://cloud.google.com/iam/help/service-accounts/granting-access-to-service-accounts) 326 // or [Manage access to other 327 // resources](https://cloud.google.com/iam/help/access/manage-other-resources). 328 rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) { 329 option (google.api.http) = { 330 post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy" 331 body: "*" 332 }; 333 option (google.api.method_signature) = "resource,policy"; 334 } 335 336 // Tests whether the caller has the specified permissions on a 337 // [ServiceAccount][google.iam.admin.v1.ServiceAccount]. 338 rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) { 339 option (google.api.http) = { 340 post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions" 341 body: "*" 342 }; 343 option (google.api.method_signature) = "resource,permissions"; 344 } 345 346 // Lists roles that can be granted on a Google Cloud resource. A role is 347 // grantable if the IAM policy for the resource can contain bindings to the 348 // role. 349 rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) { 350 option (google.api.http) = { 351 post: "/v1/roles:queryGrantableRoles" 352 body: "*" 353 }; 354 option (google.api.method_signature) = "full_resource_name"; 355 } 356 357 // Lists every predefined [Role][google.iam.admin.v1.Role] that IAM supports, or every custom role 358 // that is defined for an organization or project. 359 rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) { 360 option (google.api.http) = { 361 get: "/v1/roles" 362 additional_bindings { 363 get: "/v1/{parent=organizations/*}/roles" 364 } 365 additional_bindings { 366 get: "/v1/{parent=projects/*}/roles" 367 } 368 }; 369 } 370 371 // Gets the definition of a [Role][google.iam.admin.v1.Role]. 372 rpc GetRole(GetRoleRequest) returns (Role) { 373 option (google.api.http) = { 374 get: "/v1/{name=roles/*}" 375 additional_bindings { 376 get: "/v1/{name=organizations/*/roles/*}" 377 } 378 additional_bindings { 379 get: "/v1/{name=projects/*/roles/*}" 380 } 381 }; 382 } 383 384 // Creates a new custom [Role][google.iam.admin.v1.Role]. 385 rpc CreateRole(CreateRoleRequest) returns (Role) { 386 option (google.api.http) = { 387 post: "/v1/{parent=organizations/*}/roles" 388 body: "*" 389 additional_bindings { 390 post: "/v1/{parent=projects/*}/roles" 391 body: "*" 392 } 393 }; 394 } 395 396 // Updates the definition of a custom [Role][google.iam.admin.v1.Role]. 397 rpc UpdateRole(UpdateRoleRequest) returns (Role) { 398 option (google.api.http) = { 399 patch: "/v1/{name=organizations/*/roles/*}" 400 body: "role" 401 additional_bindings { 402 patch: "/v1/{name=projects/*/roles/*}" 403 body: "role" 404 } 405 }; 406 } 407 408 // Deletes a custom [Role][google.iam.admin.v1.Role]. 409 // 410 // When you delete a custom role, the following changes occur immediately: 411 // 412 // * You cannot bind a principal to the custom role in an IAM 413 // [Policy][google.iam.v1.Policy]. 414 // * Existing bindings to the custom role are not changed, but they have no 415 // effect. 416 // * By default, the response from [ListRoles][google.iam.admin.v1.IAM.ListRoles] does not include the custom 417 // role. 418 // 419 // You have 7 days to undelete the custom role. After 7 days, the following 420 // changes occur: 421 // 422 // * The custom role is permanently deleted and cannot be recovered. 423 // * If an IAM policy contains a binding to the custom role, the binding is 424 // permanently removed. 425 rpc DeleteRole(DeleteRoleRequest) returns (Role) { 426 option (google.api.http) = { 427 delete: "/v1/{name=organizations/*/roles/*}" 428 additional_bindings { 429 delete: "/v1/{name=projects/*/roles/*}" 430 } 431 }; 432 } 433 434 // Undeletes a custom [Role][google.iam.admin.v1.Role]. 435 rpc UndeleteRole(UndeleteRoleRequest) returns (Role) { 436 option (google.api.http) = { 437 post: "/v1/{name=organizations/*/roles/*}:undelete" 438 body: "*" 439 additional_bindings { 440 post: "/v1/{name=projects/*/roles/*}:undelete" 441 body: "*" 442 } 443 }; 444 } 445 446 // Lists every permission that you can test on a resource. A permission is 447 // testable if you can check whether a principal has that permission on the 448 // resource. 449 rpc QueryTestablePermissions(QueryTestablePermissionsRequest) returns (QueryTestablePermissionsResponse) { 450 option (google.api.http) = { 451 post: "/v1/permissions:queryTestablePermissions" 452 body: "*" 453 }; 454 } 455 456 // Returns a list of services that allow you to opt into audit logs that are 457 // not generated by default. 458 // 459 // To learn more about audit logs, see the [Logging 460 // documentation](https://cloud.google.com/logging/docs/audit). 461 rpc QueryAuditableServices(QueryAuditableServicesRequest) returns (QueryAuditableServicesResponse) { 462 option (google.api.http) = { 463 post: "/v1/iamPolicies:queryAuditableServices" 464 body: "*" 465 }; 466 } 467 468 // Lints, or validates, an IAM policy. Currently checks the 469 // [google.iam.v1.Binding.condition][google.iam.v1.Binding.condition] field, which contains a condition 470 // expression for a role binding. 471 // 472 // Successful calls to this method always return an HTTP `200 OK` status code, 473 // even if the linter detects an issue in the IAM policy. 474 rpc LintPolicy(LintPolicyRequest) returns (LintPolicyResponse) { 475 option (google.api.http) = { 476 post: "/v1/iamPolicies:lintPolicy" 477 body: "*" 478 }; 479 } 480} 481 482// An IAM service account. 483// 484// A service account is an account for an application or a virtual machine (VM) 485// instance, not a person. You can use a service account to call Google APIs. To 486// learn more, read the [overview of service 487// accounts](https://cloud.google.com/iam/help/service-accounts/overview). 488// 489// When you create a service account, you specify the project ID that owns the 490// service account, as well as a name that must be unique within the project. 491// IAM uses these values to create an email address that identifies the service 492// account. 493message ServiceAccount { 494 option (google.api.resource) = { 495 type: "iam.googleapis.com/ServiceAccount" 496 pattern: "projects/{project}/serviceAccounts/{service_account}" 497 }; 498 499 // The resource name of the service account. 500 // 501 // Use one of the following formats: 502 // 503 // * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` 504 // * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` 505 // 506 // As an alternative, you can use the `-` wildcard character instead of the 507 // project ID: 508 // 509 // * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` 510 // * `projects/-/serviceAccounts/{UNIQUE_ID}` 511 // 512 // When possible, avoid using the `-` wildcard character, because it can cause 513 // response messages to contain misleading error codes. For example, if you 514 // try to get the service account 515 // `projects/-/serviceAccounts/fake@example.com`, which does not exist, the 516 // response contains an HTTP `403 Forbidden` error instead of a `404 Not 517 // Found` error. 518 string name = 1; 519 520 // Output only. The ID of the project that owns the service account. 521 string project_id = 2 [(google.api.field_behavior) = OUTPUT_ONLY]; 522 523 // Output only. The unique, stable numeric ID for the service account. 524 // 525 // Each service account retains its unique ID even if you delete the service 526 // account. For example, if you delete a service account, then create a new 527 // service account with the same name, the new service account has a different 528 // unique ID than the deleted service account. 529 string unique_id = 4 [(google.api.field_behavior) = OUTPUT_ONLY]; 530 531 // Output only. The email address of the service account. 532 string email = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; 533 534 // Optional. A user-specified, human-readable name for the service account. The maximum 535 // length is 100 UTF-8 bytes. 536 string display_name = 6 [(google.api.field_behavior) = OPTIONAL]; 537 538 // Deprecated. Do not use. 539 bytes etag = 7 [deprecated = true]; 540 541 // Optional. A user-specified, human-readable description of the service account. The 542 // maximum length is 256 UTF-8 bytes. 543 string description = 8 [(google.api.field_behavior) = OPTIONAL]; 544 545 // Output only. The OAuth 2.0 client ID for the service account. 546 string oauth2_client_id = 9 [(google.api.field_behavior) = OUTPUT_ONLY]; 547 548 // Output only. Whether the service account is disabled. 549 bool disabled = 11 [(google.api.field_behavior) = OUTPUT_ONLY]; 550} 551 552// The service account create request. 553message CreateServiceAccountRequest { 554 // Required. The resource name of the project associated with the service 555 // accounts, such as `projects/my-project-123`. 556 string name = 1 [ 557 (google.api.field_behavior) = REQUIRED, 558 (google.api.resource_reference) = { 559 type: "cloudresourcemanager.googleapis.com/Project" 560 } 561 ]; 562 563 // Required. The account id that is used to generate the service account 564 // email address and a stable unique id. It is unique within a project, 565 // must be 6-30 characters long, and match the regular expression 566 // `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035. 567 string account_id = 2 [(google.api.field_behavior) = REQUIRED]; 568 569 // The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to 570 // create. Currently, only the following values are user assignable: 571 // `display_name` and `description`. 572 ServiceAccount service_account = 3; 573} 574 575// The service account list request. 576message ListServiceAccountsRequest { 577 // Required. The resource name of the project associated with the service 578 // accounts, such as `projects/my-project-123`. 579 string name = 1 [ 580 (google.api.field_behavior) = REQUIRED, 581 (google.api.resource_reference) = { 582 type: "cloudresourcemanager.googleapis.com/Project" 583 } 584 ]; 585 586 // Optional limit on the number of service accounts to include in the 587 // response. Further accounts can subsequently be obtained by including the 588 // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token] 589 // in a subsequent request. 590 // 591 // The default is 20, and the maximum is 100. 592 int32 page_size = 2; 593 594 // Optional pagination token returned in an earlier 595 // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token]. 596 string page_token = 3; 597} 598 599// The service account list response. 600message ListServiceAccountsResponse { 601 // The list of matching service accounts. 602 repeated ServiceAccount accounts = 1; 603 604 // To retrieve the next page of results, set 605 // [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token] 606 // to this value. 607 string next_page_token = 2; 608} 609 610// The service account get request. 611message GetServiceAccountRequest { 612 // Required. The resource name of the service account in the following format: 613 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. 614 // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 615 // the account. The `ACCOUNT` value can be the `email` address or the 616 // `unique_id` of the service account. 617 string name = 1 [ 618 (google.api.field_behavior) = REQUIRED, 619 (google.api.resource_reference) = { 620 type: "iam.googleapis.com/ServiceAccount" 621 } 622 ]; 623} 624 625// The service account delete request. 626message DeleteServiceAccountRequest { 627 // Required. The resource name of the service account in the following format: 628 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. 629 // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 630 // the account. The `ACCOUNT` value can be the `email` address or the 631 // `unique_id` of the service account. 632 string name = 1 [ 633 (google.api.field_behavior) = REQUIRED, 634 (google.api.resource_reference) = { 635 type: "iam.googleapis.com/ServiceAccount" 636 } 637 ]; 638} 639 640// The service account patch request. 641// 642// You can patch only the `display_name` and `description` fields. You must use 643// the `update_mask` field to specify which of these fields you want to patch. 644// 645// Only the fields specified in the request are guaranteed to be returned in 646// the response. Other fields may be empty in the response. 647message PatchServiceAccountRequest { 648 ServiceAccount service_account = 1; 649 650 google.protobuf.FieldMask update_mask = 2; 651} 652 653// The service account undelete request. 654message UndeleteServiceAccountRequest { 655 // The resource name of the service account in the following format: 656 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT_UNIQUE_ID}`. 657 // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 658 // the account. 659 string name = 1; 660} 661 662message UndeleteServiceAccountResponse { 663 // Metadata for the restored service account. 664 ServiceAccount restored_account = 1; 665} 666 667// The service account enable request. 668message EnableServiceAccountRequest { 669 // The resource name of the service account in the following format: 670 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. 671 // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 672 // the account. The `ACCOUNT` value can be the `email` address or the 673 // `unique_id` of the service account. 674 string name = 1; 675} 676 677// The service account disable request. 678message DisableServiceAccountRequest { 679 // The resource name of the service account in the following format: 680 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. 681 // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 682 // the account. The `ACCOUNT` value can be the `email` address or the 683 // `unique_id` of the service account. 684 string name = 1; 685} 686 687// The service account keys list request. 688message ListServiceAccountKeysRequest { 689 // `KeyType` filters to selectively retrieve certain varieties 690 // of keys. 691 enum KeyType { 692 // Unspecified key type. The presence of this in the 693 // message will immediately result in an error. 694 KEY_TYPE_UNSPECIFIED = 0; 695 696 // User-managed keys (managed and rotated by the user). 697 USER_MANAGED = 1; 698 699 // System-managed keys (managed and rotated by Google). 700 SYSTEM_MANAGED = 2; 701 } 702 703 // Required. The resource name of the service account in the following format: 704 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. 705 // 706 // Using `-` as a wildcard for the `PROJECT_ID`, will infer the project from 707 // the account. The `ACCOUNT` value can be the `email` address or the 708 // `unique_id` of the service account. 709 string name = 1 [ 710 (google.api.field_behavior) = REQUIRED, 711 (google.api.resource_reference) = { 712 type: "iam.googleapis.com/ServiceAccount" 713 } 714 ]; 715 716 // Filters the types of keys the user wants to include in the list 717 // response. Duplicate key types are not allowed. If no key type 718 // is provided, all keys are returned. 719 repeated KeyType key_types = 2; 720} 721 722// The service account keys list response. 723message ListServiceAccountKeysResponse { 724 // The public keys for the service account. 725 repeated ServiceAccountKey keys = 1; 726} 727 728// The service account key get by id request. 729message GetServiceAccountKeyRequest { 730 // Required. The resource name of the service account key in the following format: 731 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. 732 // 733 // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 734 // the account. The `ACCOUNT` value can be the `email` address or the 735 // `unique_id` of the service account. 736 string name = 1 [ 737 (google.api.field_behavior) = REQUIRED, 738 (google.api.resource_reference) = { 739 type: "iam.googleapis.com/Key" 740 } 741 ]; 742 743 // Optional. The output format of the public key. The default is `TYPE_NONE`, which 744 // means that the public key is not returned. 745 ServiceAccountPublicKeyType public_key_type = 2 [(google.api.field_behavior) = OPTIONAL]; 746} 747 748// Supported key algorithms. 749enum ServiceAccountKeyAlgorithm { 750 // An unspecified key algorithm. 751 KEY_ALG_UNSPECIFIED = 0; 752 753 // 1k RSA Key. 754 KEY_ALG_RSA_1024 = 1; 755 756 // 2k RSA Key. 757 KEY_ALG_RSA_2048 = 2; 758} 759 760// Supported private key output formats. 761enum ServiceAccountPrivateKeyType { 762 // Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`. 763 TYPE_UNSPECIFIED = 0; 764 765 // PKCS12 format. 766 // The password for the PKCS12 file is `notasecret`. 767 // For more information, see https://tools.ietf.org/html/rfc7292. 768 TYPE_PKCS12_FILE = 1; 769 770 // Google Credentials File format. 771 TYPE_GOOGLE_CREDENTIALS_FILE = 2; 772} 773 774// Supported public key output formats. 775enum ServiceAccountPublicKeyType { 776 // Do not return the public key. 777 TYPE_NONE = 0; 778 779 // X509 PEM format. 780 TYPE_X509_PEM_FILE = 1; 781 782 // Raw public key. 783 TYPE_RAW_PUBLIC_KEY = 2; 784} 785 786// Service Account Key Origin. 787enum ServiceAccountKeyOrigin { 788 // Unspecified key origin. 789 ORIGIN_UNSPECIFIED = 0; 790 791 // Key is provided by user. 792 USER_PROVIDED = 1; 793 794 // Key is provided by Google. 795 GOOGLE_PROVIDED = 2; 796} 797 798// Represents a service account key. 799// 800// A service account has two sets of key-pairs: user-managed, and 801// system-managed. 802// 803// User-managed key-pairs can be created and deleted by users. Users are 804// responsible for rotating these keys periodically to ensure security of 805// their service accounts. Users retain the private key of these key-pairs, 806// and Google retains ONLY the public key. 807// 808// System-managed keys are automatically rotated by Google, and are used for 809// signing for a maximum of two weeks. The rotation process is probabilistic, 810// and usage of the new key will gradually ramp up and down over the key's 811// lifetime. 812// 813// If you cache the public key set for a service account, we recommend that you 814// update the cache every 15 minutes. User-managed keys can be added and removed 815// at any time, so it is important to update the cache frequently. For 816// Google-managed keys, Google will publish a key at least 6 hours before it is 817// first used for signing and will keep publishing it for at least 6 hours after 818// it was last used for signing. 819// 820// Public keys for all service accounts are also published at the OAuth2 821// Service Account API. 822message ServiceAccountKey { 823 option (google.api.resource) = { 824 type: "iam.googleapis.com/Key" 825 pattern: "projects/{project}/serviceAccounts/{service_account}/keys/{key}" 826 }; 827 828 // The resource name of the service account key in the following format 829 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. 830 string name = 1; 831 832 // The output format for the private key. 833 // Only provided in `CreateServiceAccountKey` responses, not 834 // in `GetServiceAccountKey` or `ListServiceAccountKey` responses. 835 // 836 // Google never exposes system-managed private keys, and never retains 837 // user-managed private keys. 838 ServiceAccountPrivateKeyType private_key_type = 2; 839 840 // Specifies the algorithm (and possibly key size) for the key. 841 ServiceAccountKeyAlgorithm key_algorithm = 8; 842 843 // The private key data. Only provided in `CreateServiceAccountKey` 844 // responses. Make sure to keep the private key data secure because it 845 // allows for the assertion of the service account identity. 846 // When base64 decoded, the private key data can be used to authenticate with 847 // Google API client libraries and with 848 // <a href="/sdk/gcloud/reference/auth/activate-service-account">gcloud 849 // auth activate-service-account</a>. 850 bytes private_key_data = 3; 851 852 // The public key data. Only provided in `GetServiceAccountKey` responses. 853 bytes public_key_data = 7; 854 855 // The key can be used after this timestamp. 856 google.protobuf.Timestamp valid_after_time = 4; 857 858 // The key can be used before this timestamp. 859 // For system-managed key pairs, this timestamp is the end time for the 860 // private key signing operation. The public key could still be used 861 // for verification for a few hours after this time. 862 google.protobuf.Timestamp valid_before_time = 5; 863 864 // The key origin. 865 ServiceAccountKeyOrigin key_origin = 9; 866 867 // The key type. 868 ListServiceAccountKeysRequest.KeyType key_type = 10; 869 870 // The key status. 871 bool disabled = 11; 872} 873 874// The service account key create request. 875message CreateServiceAccountKeyRequest { 876 // Required. The resource name of the service account in the following format: 877 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. 878 // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 879 // the account. The `ACCOUNT` value can be the `email` address or the 880 // `unique_id` of the service account. 881 string name = 1 [ 882 (google.api.field_behavior) = REQUIRED, 883 (google.api.resource_reference) = { 884 type: "iam.googleapis.com/ServiceAccount" 885 } 886 ]; 887 888 // The output format of the private key. The default value is 889 // `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File 890 // format. 891 ServiceAccountPrivateKeyType private_key_type = 2; 892 893 // Which type of key and algorithm to use for the key. 894 // The default is currently a 2K RSA key. However this may change in the 895 // future. 896 ServiceAccountKeyAlgorithm key_algorithm = 3; 897} 898 899// The service account key upload request. 900message UploadServiceAccountKeyRequest { 901 // The resource name of the service account in the following format: 902 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. 903 // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 904 // the account. The `ACCOUNT` value can be the `email` address or the 905 // `unique_id` of the service account. 906 string name = 1; 907 908 // The public key to associate with the service account. Must be an RSA public 909 // key that is wrapped in an X.509 v3 certificate. Include the first line, 910 // `-----BEGIN CERTIFICATE-----`, and the last line, 911 // `-----END CERTIFICATE-----`. 912 bytes public_key_data = 2; 913} 914 915// The service account key delete request. 916message DeleteServiceAccountKeyRequest { 917 // Required. The resource name of the service account key in the following format: 918 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. 919 // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 920 // the account. The `ACCOUNT` value can be the `email` address or the 921 // `unique_id` of the service account. 922 string name = 1 [ 923 (google.api.field_behavior) = REQUIRED, 924 (google.api.resource_reference) = { 925 type: "iam.googleapis.com/Key" 926 } 927 ]; 928} 929 930// The service account key disable request. 931message DisableServiceAccountKeyRequest { 932 // Required. The resource name of the service account key in the following format: 933 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. 934 // 935 // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 936 // the account. The `ACCOUNT` value can be the `email` address or the 937 // `unique_id` of the service account. 938 string name = 1 [ 939 (google.api.field_behavior) = REQUIRED, 940 (google.api.resource_reference) = { 941 type: "iam.googleapis.com/Key" 942 } 943 ]; 944} 945 946// The service account key enable request. 947message EnableServiceAccountKeyRequest { 948 // Required. The resource name of the service account key in the following format: 949 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. 950 // 951 // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 952 // the account. The `ACCOUNT` value can be the `email` address or the 953 // `unique_id` of the service account. 954 string name = 1 [ 955 (google.api.field_behavior) = REQUIRED, 956 (google.api.resource_reference) = { 957 type: "iam.googleapis.com/Key" 958 } 959 ]; 960} 961 962// Deprecated. [Migrate to Service Account Credentials 963// API](https://cloud.google.com/iam/help/credentials/migrate-api). 964// 965// The service account sign blob request. 966message SignBlobRequest { 967 // Required. Deprecated. [Migrate to Service Account Credentials 968 // API](https://cloud.google.com/iam/help/credentials/migrate-api). 969 // 970 // The resource name of the service account in the following format: 971 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. 972 // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 973 // the account. The `ACCOUNT` value can be the `email` address or the 974 // `unique_id` of the service account. 975 string name = 1 [ 976 deprecated = true, 977 (google.api.field_behavior) = REQUIRED, 978 (google.api.resource_reference) = { 979 type: "iam.googleapis.com/ServiceAccount" 980 } 981 ]; 982 983 // Required. Deprecated. [Migrate to Service Account Credentials 984 // API](https://cloud.google.com/iam/help/credentials/migrate-api). 985 // 986 // The bytes to sign. 987 bytes bytes_to_sign = 2 [ 988 deprecated = true, 989 (google.api.field_behavior) = REQUIRED 990 ]; 991} 992 993// Deprecated. [Migrate to Service Account Credentials 994// API](https://cloud.google.com/iam/help/credentials/migrate-api). 995// 996// The service account sign blob response. 997message SignBlobResponse { 998 // Deprecated. [Migrate to Service Account Credentials 999 // API](https://cloud.google.com/iam/help/credentials/migrate-api). 1000 // 1001 // The id of the key used to sign the blob. 1002 string key_id = 1 [deprecated = true]; 1003 1004 // Deprecated. [Migrate to Service Account Credentials 1005 // API](https://cloud.google.com/iam/help/credentials/migrate-api). 1006 // 1007 // The signed blob. 1008 bytes signature = 2 [deprecated = true]; 1009} 1010 1011// Deprecated. [Migrate to Service Account Credentials 1012// API](https://cloud.google.com/iam/help/credentials/migrate-api). 1013// 1014// The service account sign JWT request. 1015message SignJwtRequest { 1016 // Required. Deprecated. [Migrate to Service Account Credentials 1017 // API](https://cloud.google.com/iam/help/credentials/migrate-api). 1018 // 1019 // The resource name of the service account in the following format: 1020 // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. 1021 // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 1022 // the account. The `ACCOUNT` value can be the `email` address or the 1023 // `unique_id` of the service account. 1024 string name = 1 [ 1025 deprecated = true, 1026 (google.api.field_behavior) = REQUIRED, 1027 (google.api.resource_reference) = { 1028 type: "iam.googleapis.com/ServiceAccount" 1029 } 1030 ]; 1031 1032 // Required. Deprecated. [Migrate to Service Account Credentials 1033 // API](https://cloud.google.com/iam/help/credentials/migrate-api). 1034 // 1035 // The JWT payload to sign. Must be a serialized JSON object that contains a 1036 // JWT Claims Set. For example: `{"sub": "[email protected]", "iat": 313435}` 1037 // 1038 // If the JWT Claims Set contains an expiration time (`exp`) claim, it must be 1039 // an integer timestamp that is not in the past and no more than 12 hours in 1040 // the future. 1041 // 1042 // If the JWT Claims Set does not contain an expiration time (`exp`) claim, 1043 // this claim is added automatically, with a timestamp that is 1 hour in the 1044 // future. 1045 string payload = 2 [ 1046 deprecated = true, 1047 (google.api.field_behavior) = REQUIRED 1048 ]; 1049} 1050 1051// Deprecated. [Migrate to Service Account Credentials 1052// API](https://cloud.google.com/iam/help/credentials/migrate-api). 1053// 1054// The service account sign JWT response. 1055message SignJwtResponse { 1056 // Deprecated. [Migrate to Service Account Credentials 1057 // API](https://cloud.google.com/iam/help/credentials/migrate-api). 1058 // 1059 // The id of the key used to sign the JWT. 1060 string key_id = 1 [deprecated = true]; 1061 1062 // Deprecated. [Migrate to Service Account Credentials 1063 // API](https://cloud.google.com/iam/help/credentials/migrate-api). 1064 // 1065 // The signed JWT. 1066 string signed_jwt = 2 [deprecated = true]; 1067} 1068 1069// A role in the Identity and Access Management API. 1070message Role { 1071 // A stage representing a role's lifecycle phase. 1072 enum RoleLaunchStage { 1073 // The user has indicated this role is currently in an Alpha phase. If this 1074 // launch stage is selected, the `stage` field will not be included when 1075 // requesting the definition for a given role. 1076 ALPHA = 0; 1077 1078 // The user has indicated this role is currently in a Beta phase. 1079 BETA = 1; 1080 1081 // The user has indicated this role is generally available. 1082 GA = 2; 1083 1084 // The user has indicated this role is being deprecated. 1085 DEPRECATED = 4; 1086 1087 // This role is disabled and will not contribute permissions to any 1088 // principals it is granted to in policies. 1089 DISABLED = 5; 1090 1091 // The user has indicated this role is currently in an EAP phase. 1092 EAP = 6; 1093 } 1094 1095 // The name of the role. 1096 // 1097 // When Role is used in CreateRole, the role name must not be set. 1098 // 1099 // When Role is used in output and other input such as UpdateRole, the role 1100 // name is the complete path, e.g., roles/logging.viewer for predefined roles 1101 // and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles. 1102 string name = 1; 1103 1104 // Optional. A human-readable title for the role. Typically this 1105 // is limited to 100 UTF-8 bytes. 1106 string title = 2; 1107 1108 // Optional. A human-readable description for the role. 1109 string description = 3; 1110 1111 // The names of the permissions this role grants when bound in an IAM policy. 1112 repeated string included_permissions = 7; 1113 1114 // The current launch stage of the role. If the `ALPHA` launch stage has been 1115 // selected for a role, the `stage` field will not be included in the 1116 // returned definition for the role. 1117 RoleLaunchStage stage = 8; 1118 1119 // Used to perform a consistent read-modify-write. 1120 bytes etag = 9; 1121 1122 // The current deleted state of the role. This field is read only. 1123 // It will be ignored in calls to CreateRole and UpdateRole. 1124 bool deleted = 11; 1125} 1126 1127// The grantable role query request. 1128message QueryGrantableRolesRequest { 1129 // Required. The full resource name to query from the list of grantable roles. 1130 // 1131 // The name follows the Google Cloud Platform resource format. 1132 // For example, a Cloud Platform project with id `my-project` will be named 1133 // `//cloudresourcemanager.googleapis.com/projects/my-project`. 1134 string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED]; 1135 1136 RoleView view = 2; 1137 1138 // Optional limit on the number of roles to include in the response. 1139 // 1140 // The default is 300, and the maximum is 1,000. 1141 int32 page_size = 3; 1142 1143 // Optional pagination token returned in an earlier 1144 // QueryGrantableRolesResponse. 1145 string page_token = 4; 1146} 1147 1148// The grantable role query response. 1149message QueryGrantableRolesResponse { 1150 // The list of matching roles. 1151 repeated Role roles = 1; 1152 1153 // To retrieve the next page of results, set 1154 // `QueryGrantableRolesRequest.page_token` to this value. 1155 string next_page_token = 2; 1156} 1157 1158// A view for Role objects. 1159enum RoleView { 1160 // Omits the `included_permissions` field. 1161 // This is the default value. 1162 BASIC = 0; 1163 1164 // Returns all fields. 1165 FULL = 1; 1166} 1167 1168// The request to get all roles defined under a resource. 1169message ListRolesRequest { 1170 // The `parent` parameter's value depends on the target resource for the 1171 // request, namely 1172 // [`roles`](https://cloud.google.com/iam/reference/rest/v1/roles), 1173 // [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles), 1174 // or 1175 // [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles). 1176 // Each resource type's `parent` value format is described below: 1177 // 1178 // * [`roles.list()`](https://cloud.google.com/iam/reference/rest/v1/roles/list): An empty string. 1179 // This method doesn't require a resource; it simply returns all 1180 // [predefined 1181 // roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles) 1182 // in Cloud IAM. Example request URL: `https://iam.googleapis.com/v1/roles` 1183 // 1184 // * [`projects.roles.list()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/list): 1185 // `projects/{PROJECT_ID}`. This method lists all project-level 1186 // [custom 1187 // roles](https://cloud.google.com/iam/docs/understanding-custom-roles). 1188 // Example request URL: 1189 // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` 1190 // 1191 // * [`organizations.roles.list()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/list): 1192 // `organizations/{ORGANIZATION_ID}`. This method lists all 1193 // organization-level [custom 1194 // roles](https://cloud.google.com/iam/docs/understanding-custom-roles). 1195 // Example request URL: 1196 // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles` 1197 // 1198 // Note: Wildcard (*) values are invalid; you must specify a complete project 1199 // ID or organization ID. 1200 string parent = 1 [(google.api.resource_reference) = { 1201 type: "*" 1202 }]; 1203 1204 // Optional limit on the number of roles to include in the response. 1205 // 1206 // The default is 300, and the maximum is 1,000. 1207 int32 page_size = 2; 1208 1209 // Optional pagination token returned in an earlier ListRolesResponse. 1210 string page_token = 3; 1211 1212 // Optional view for the returned Role objects. When `FULL` is specified, 1213 // the `includedPermissions` field is returned, which includes a list of all 1214 // permissions in the role. The default value is `BASIC`, which does not 1215 // return the `includedPermissions` field. 1216 RoleView view = 4; 1217 1218 // Include Roles that have been deleted. 1219 bool show_deleted = 6; 1220} 1221 1222// The response containing the roles defined under a resource. 1223message ListRolesResponse { 1224 // The Roles defined on this resource. 1225 repeated Role roles = 1; 1226 1227 // To retrieve the next page of results, set 1228 // `ListRolesRequest.page_token` to this value. 1229 string next_page_token = 2; 1230} 1231 1232// The request to get the definition of an existing role. 1233message GetRoleRequest { 1234 // The `name` parameter's value depends on the target resource for the 1235 // request, namely 1236 // [`roles`](https://cloud.google.com/iam/reference/rest/v1/roles), 1237 // [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles), 1238 // or 1239 // [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles). 1240 // Each resource type's `name` value format is described below: 1241 // 1242 // * [`roles.get()`](https://cloud.google.com/iam/reference/rest/v1/roles/get): `roles/{ROLE_NAME}`. 1243 // This method returns results from all 1244 // [predefined 1245 // roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles) 1246 // in Cloud IAM. Example request URL: 1247 // `https://iam.googleapis.com/v1/roles/{ROLE_NAME}` 1248 // 1249 // * [`projects.roles.get()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/get): 1250 // `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only 1251 // [custom 1252 // roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that 1253 // have been created at the project level. Example request URL: 1254 // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` 1255 // 1256 // * [`organizations.roles.get()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/get): 1257 // `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method 1258 // returns only [custom 1259 // roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that 1260 // have been created at the organization level. Example request URL: 1261 // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` 1262 // 1263 // Note: Wildcard (*) values are invalid; you must specify a complete project 1264 // ID or organization ID. 1265 string name = 1 [(google.api.resource_reference) = { 1266 type: "*" 1267 }]; 1268} 1269 1270// The request to create a new role. 1271message CreateRoleRequest { 1272 // The `parent` parameter's value depends on the target resource for the 1273 // request, namely 1274 // [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles) 1275 // or 1276 // [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles). 1277 // Each resource type's `parent` value format is described below: 1278 // 1279 // * [`projects.roles.create()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/create): 1280 // `projects/{PROJECT_ID}`. This method creates project-level 1281 // [custom 1282 // roles](https://cloud.google.com/iam/docs/understanding-custom-roles). 1283 // Example request URL: 1284 // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` 1285 // 1286 // * [`organizations.roles.create()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/create): 1287 // `organizations/{ORGANIZATION_ID}`. This method creates organization-level 1288 // [custom 1289 // roles](https://cloud.google.com/iam/docs/understanding-custom-roles). 1290 // Example request URL: 1291 // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles` 1292 // 1293 // Note: Wildcard (*) values are invalid; you must specify a complete project 1294 // ID or organization ID. 1295 string parent = 1 [(google.api.resource_reference) = { 1296 type: "*" 1297 }]; 1298 1299 // The role ID to use for this role. 1300 // 1301 // A role ID may contain alphanumeric characters, underscores (`_`), and 1302 // periods (`.`). It must contain a minimum of 3 characters and a maximum of 1303 // 64 characters. 1304 string role_id = 2; 1305 1306 // The Role resource to create. 1307 Role role = 3; 1308} 1309 1310// The request to update a role. 1311message UpdateRoleRequest { 1312 // The `name` parameter's value depends on the target resource for the 1313 // request, namely 1314 // [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles) 1315 // or 1316 // [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles). 1317 // Each resource type's `name` value format is described below: 1318 // 1319 // * [`projects.roles.patch()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/patch): 1320 // `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only 1321 // [custom 1322 // roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that 1323 // have been created at the project level. Example request URL: 1324 // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` 1325 // 1326 // * [`organizations.roles.patch()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/patch): 1327 // `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method 1328 // updates only [custom 1329 // roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that 1330 // have been created at the organization level. Example request URL: 1331 // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` 1332 // 1333 // Note: Wildcard (*) values are invalid; you must specify a complete project 1334 // ID or organization ID. 1335 string name = 1 [(google.api.resource_reference) = { 1336 type: "*" 1337 }]; 1338 1339 // The updated role. 1340 Role role = 2; 1341 1342 // A mask describing which fields in the Role have changed. 1343 google.protobuf.FieldMask update_mask = 3; 1344} 1345 1346// The request to delete an existing role. 1347message DeleteRoleRequest { 1348 // The `name` parameter's value depends on the target resource for the 1349 // request, namely 1350 // [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles) 1351 // or 1352 // [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles). 1353 // Each resource type's `name` value format is described below: 1354 // 1355 // * [`projects.roles.delete()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/delete): 1356 // `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only 1357 // [custom 1358 // roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that 1359 // have been created at the project level. Example request URL: 1360 // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` 1361 // 1362 // * [`organizations.roles.delete()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/delete): 1363 // `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method 1364 // deletes only [custom 1365 // roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that 1366 // have been created at the organization level. Example request URL: 1367 // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` 1368 // 1369 // Note: Wildcard (*) values are invalid; you must specify a complete project 1370 // ID or organization ID. 1371 string name = 1 [(google.api.resource_reference) = { 1372 type: "*" 1373 }]; 1374 1375 // Used to perform a consistent read-modify-write. 1376 bytes etag = 2; 1377} 1378 1379// The request to undelete an existing role. 1380message UndeleteRoleRequest { 1381 // The `name` parameter's value depends on the target resource for the 1382 // request, namely 1383 // [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles) 1384 // or 1385 // [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles). 1386 // Each resource type's `name` value format is described below: 1387 // 1388 // * [`projects.roles.undelete()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/undelete): 1389 // `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes 1390 // only [custom 1391 // roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that 1392 // have been created at the project level. Example request URL: 1393 // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` 1394 // 1395 // * [`organizations.roles.undelete()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/undelete): 1396 // `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method 1397 // undeletes only [custom 1398 // roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that 1399 // have been created at the organization level. Example request URL: 1400 // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` 1401 // 1402 // Note: Wildcard (*) values are invalid; you must specify a complete project 1403 // ID or organization ID. 1404 string name = 1 [(google.api.resource_reference) = { 1405 type: "*" 1406 }]; 1407 1408 // Used to perform a consistent read-modify-write. 1409 bytes etag = 2; 1410} 1411 1412// A permission which can be included by a role. 1413message Permission { 1414 // A stage representing a permission's lifecycle phase. 1415 enum PermissionLaunchStage { 1416 // The permission is currently in an alpha phase. 1417 ALPHA = 0; 1418 1419 // The permission is currently in a beta phase. 1420 BETA = 1; 1421 1422 // The permission is generally available. 1423 GA = 2; 1424 1425 // The permission is being deprecated. 1426 DEPRECATED = 3; 1427 } 1428 1429 // The state of the permission with regards to custom roles. 1430 enum CustomRolesSupportLevel { 1431 // Default state. Permission is fully supported for custom role use. 1432 SUPPORTED = 0; 1433 1434 // Permission is being tested to check custom role compatibility. 1435 TESTING = 1; 1436 1437 // Permission is not supported for custom role use. 1438 NOT_SUPPORTED = 2; 1439 } 1440 1441 // The name of this Permission. 1442 string name = 1; 1443 1444 // The title of this Permission. 1445 string title = 2; 1446 1447 // A brief description of what this Permission is used for. 1448 // This permission can ONLY be used in predefined roles. 1449 string description = 3; 1450 1451 bool only_in_predefined_roles = 4 [deprecated = true]; 1452 1453 // The current launch stage of the permission. 1454 PermissionLaunchStage stage = 5; 1455 1456 // The current custom role support level. 1457 CustomRolesSupportLevel custom_roles_support_level = 6; 1458 1459 // The service API associated with the permission is not enabled. 1460 bool api_disabled = 7; 1461 1462 // The preferred name for this permission. If present, then this permission is 1463 // an alias of, and equivalent to, the listed primary_permission. 1464 string primary_permission = 8; 1465} 1466 1467// A request to get permissions which can be tested on a resource. 1468message QueryTestablePermissionsRequest { 1469 // Required. The full resource name to query from the list of testable 1470 // permissions. 1471 // 1472 // The name follows the Google Cloud Platform resource format. 1473 // For example, a Cloud Platform project with id `my-project` will be named 1474 // `//cloudresourcemanager.googleapis.com/projects/my-project`. 1475 string full_resource_name = 1; 1476 1477 // Optional limit on the number of permissions to include in the response. 1478 // 1479 // The default is 100, and the maximum is 1,000. 1480 int32 page_size = 2; 1481 1482 // Optional pagination token returned in an earlier 1483 // QueryTestablePermissionsRequest. 1484 string page_token = 3; 1485} 1486 1487// The response containing permissions which can be tested on a resource. 1488message QueryTestablePermissionsResponse { 1489 // The Permissions testable on the requested resource. 1490 repeated Permission permissions = 1; 1491 1492 // To retrieve the next page of results, set 1493 // `QueryTestableRolesRequest.page_token` to this value. 1494 string next_page_token = 2; 1495} 1496 1497// A request to get the list of auditable services for a resource. 1498message QueryAuditableServicesRequest { 1499 // Required. The full resource name to query from the list of auditable 1500 // services. 1501 // 1502 // The name follows the Google Cloud Platform resource format. 1503 // For example, a Cloud Platform project with id `my-project` will be named 1504 // `//cloudresourcemanager.googleapis.com/projects/my-project`. 1505 string full_resource_name = 1; 1506} 1507 1508// A response containing a list of auditable services for a resource. 1509message QueryAuditableServicesResponse { 1510 // Contains information about an auditable service. 1511 message AuditableService { 1512 // Public name of the service. 1513 // For example, the service name for Cloud IAM is 'iam.googleapis.com'. 1514 string name = 1; 1515 } 1516 1517 // The auditable services for a resource. 1518 repeated AuditableService services = 1; 1519} 1520 1521// The request to lint a Cloud IAM policy object. 1522message LintPolicyRequest { 1523 // The full resource name of the policy this lint request is about. 1524 // 1525 // The name follows the Google Cloud Platform (GCP) resource format. 1526 // For example, a GCP project with ID `my-project` will be named 1527 // `//cloudresourcemanager.googleapis.com/projects/my-project`. 1528 // 1529 // The resource name is not used to read the policy instance from the Cloud 1530 // IAM database. The candidate policy for lint has to be provided in the same 1531 // request object. 1532 string full_resource_name = 1; 1533 1534 // Required. The Cloud IAM object to be linted. 1535 oneof lint_object { 1536 // [google.iam.v1.Binding.condition] [google.iam.v1.Binding.condition] object to be linted. 1537 google.type.Expr condition = 5; 1538 } 1539} 1540 1541// Structured response of a single validation unit. 1542message LintResult { 1543 // Possible Level values of a validation unit corresponding to its domain 1544 // of discourse. 1545 enum Level { 1546 // Level is unspecified. 1547 LEVEL_UNSPECIFIED = 0; 1548 1549 // A validation unit which operates on an individual condition within a 1550 // binding. 1551 CONDITION = 3; 1552 } 1553 1554 // Possible Severity values of an issued result. 1555 enum Severity { 1556 // Severity is unspecified. 1557 SEVERITY_UNSPECIFIED = 0; 1558 1559 // A validation unit returns an error only for critical issues. If an 1560 // attempt is made to set the problematic policy without rectifying the 1561 // critical issue, it causes the `setPolicy` operation to fail. 1562 ERROR = 1; 1563 1564 // Any issue which is severe enough but does not cause an error. 1565 // For example, suspicious constructs in the input object will not 1566 // necessarily fail `setPolicy`, but there is a high likelihood that they 1567 // won't behave as expected during policy evaluation in `checkPolicy`. 1568 // This includes the following common scenarios: 1569 // 1570 // - Unsatisfiable condition: Expired timestamp in date/time condition. 1571 // - Ineffective condition: Condition on a <principal, role> pair which is 1572 // granted unconditionally in another binding of the same policy. 1573 WARNING = 2; 1574 1575 // Reserved for the issues that are not severe as `ERROR`/`WARNING`, but 1576 // need special handling. For instance, messages about skipped validation 1577 // units are issued as `NOTICE`. 1578 NOTICE = 3; 1579 1580 // Any informative statement which is not severe enough to raise 1581 // `ERROR`/`WARNING`/`NOTICE`, like auto-correction recommendations on the 1582 // input content. Note that current version of the linter does not utilize 1583 // `INFO`. 1584 INFO = 4; 1585 1586 // Deprecated severity level. 1587 DEPRECATED = 5; 1588 } 1589 1590 // The validation unit level. 1591 Level level = 1; 1592 1593 // The validation unit name, for instance 1594 // "lintValidationUnits/ConditionComplexityCheck". 1595 string validation_unit_name = 2; 1596 1597 // The validation unit severity. 1598 Severity severity = 3; 1599 1600 // The name of the field for which this lint result is about. 1601 // 1602 // For nested messages `field_name` consists of names of the embedded fields 1603 // separated by period character. The top-level qualifier is the input object 1604 // to lint in the request. For example, the `field_name` value 1605 // `condition.expression` identifies a lint result for the `expression` field 1606 // of the provided condition. 1607 string field_name = 5; 1608 1609 // 0-based character position of problematic construct within the object 1610 // identified by `field_name`. Currently, this is populated only for condition 1611 // expression. 1612 int32 location_offset = 6; 1613 1614 // Human readable debug message associated with the issue. 1615 string debug_message = 7; 1616} 1617 1618// The response of a lint operation. An empty response indicates 1619// the operation was able to fully execute and no lint issue was found. 1620message LintPolicyResponse { 1621 // List of lint results sorted by `severity` in descending order. 1622 repeated LintResult lint_results = 1; 1623} 1624