// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.iam.admin.v1;

// The google/iam/v1 imports supply the policy request/response types that the
// GetIamPolicy, SetIamPolicy and TestIamPermissions RPCs of this service use;
// the google/api imports supply the HTTP, client and resource annotations.
import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/iam/v1/iam_policy.proto";
import "google/iam/v1/policy.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";
import "google/type/expr.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Iam.Admin.V1";
option go_package = "cloud.google.com/go/iam/admin/apiv1/adminpb;adminpb";
option java_multiple_files = true;
option java_package = "com.google.iam.admin.v1";
option php_namespace = "Google\\Cloud\\Iam\\Admin\\V1";

// Creates and manages Identity and Access Management (IAM) resources.
//
// You can use this service to work with all of the following resources:
//
// * **Service accounts**, which identify an application or a virtual machine
//   (VM) instance rather than a person
// * **Service account keys**, which service accounts use to authenticate with
//   Google APIs
// * **IAM policies for service accounts**, which specify the roles that a
//   principal has for the service account
// * **IAM custom roles**, which help you limit the number of permissions that
//   you grant to principals
//
// In addition, you can use this service to complete the following tasks, among
// others:
//
// * Test whether a service account can use specific permissions
// * Check which roles you can grant for a specific resource
// * Lint, or validate, condition expressions in an IAM policy
//
// When you read data from the IAM API, each read is eventually consistent. In
// other words, if you write data with the IAM API, then immediately read that
// data, the read operation might return an older version of the data. To deal
// with this behavior, your application can retry the request with truncated
// exponential backoff.
//
// In contrast, writing data to the IAM API is sequentially consistent. In other
// words, write operations are always processed in the order in which they were
// received.
service IAM {
  option (google.api.default_host) = "iam.googleapis.com";
  // NOTE(review): `cloud-platform` is the only OAuth scope declared for this
  // service, so the scope itself does not narrow what a token may do here;
  // presumably per-method IAM permission checks are what constrain callers.
  // Also note the eventual consistency of reads described above: a read that
  // immediately follows a disable, delete or policy change may still return
  // the older state, so verification steps should retry.
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Lists every [ServiceAccount][google.iam.admin.v1.ServiceAccount] that belongs to a specific project.
  rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) {
    // The project is bound from the URL path into the request's `name` field.
    option (google.api.http) = {
      get: "/v1/{name=projects/*}/serviceAccounts"
    };
    option (google.api.method_signature) = "name";
  }

  // Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount) {
    // Read-only lookup; the service account is identified by `name`, which is
    // bound from the URL path.
    option (google.api.http) = {
      get: "/v1/{name=projects/*/serviceAccounts/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) {
    // `name` (the parent project) is bound from the URL path; because of
    // `body: "*"`, every other request field travels in the HTTP body.
    option (google.api.http) = {
      post: "/v1/{name=projects/*}/serviceAccounts"
      body: "*"
    };
    option (google.api.method_signature) = "name,account_id,service_account";
  }

  // **Note:** We are in the process of deprecating this method. Use
  // [PatchServiceAccount][google.iam.admin.v1.IAM.PatchServiceAccount] instead.
  //
  // Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  //
  // You can update only the `display_name` field.
  rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) {
    // NOTE(review): the whole ServiceAccount message is both the request type
    // and the HTTP body (`body: "*"`), yet the documentation above says only
    // `display_name` can be updated. How other populated fields are treated is
    // not visible here — confirm before relying on it.
    option (google.api.http) = {
      put: "/v1/{name=projects/*/serviceAccounts/*}"
      body: "*"
    };
  }

  // Patches a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  rpc PatchServiceAccount(PatchServiceAccountRequest) returns (ServiceAccount) {
    // The target is taken from the nested `service_account.name` field in the
    // URL path; the remaining request fields travel in the HTTP body.
    option (google.api.http) = {
      patch: "/v1/{service_account.name=projects/*/serviceAccounts/*}"
      body: "*"
    };
  }

  // Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  //
  // **Warning:** After you delete a service account, you might not be able to
  // undelete it. If you know that you need to re-enable the service account in
  // the future, use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] instead.
  //
  // If you delete a service account, IAM permanently removes the service
  // account 30 days later. Google Cloud cannot recover the service account
  // after it is permanently removed, even if you file a support request.
  //
  // To help avoid unplanned outages, we recommend that you disable the service
  // account before you delete it. Use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] to disable the
  // service account, then wait at least 24 hours and watch for unintended
  // consequences. If there are no unintended consequences, you can delete the
  // service account.
  rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) {
    // NOTE(review): per the documentation above, restoring a deleted account
    // is not guaranteed and becomes impossible after 30 days, so for incident
    // containment DisableServiceAccount is the reversible first step.
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/serviceAccounts/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Restores a deleted [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  //
  // **Important:** It is not always possible to restore a deleted service
  // account. Use this method only as a last resort.
  //
  // After you delete a service account, IAM permanently removes the service
  // account 30 days later. There is no way to restore a deleted service account
  // that has been permanently removed.
  rpc UndeleteServiceAccount(UndeleteServiceAccountRequest) returns (UndeleteServiceAccountResponse) {
    // Custom `:undelete` verb on the service account resource; unlike most
    // RPCs here it returns a dedicated response message, not the resource.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}:undelete"
      body: "*"
    };
  }

  // Enables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] that was disabled by
  // [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount].
  //
  // If the service account is already enabled, then this method has no effect.
  //
  // If the service account was disabled by other means—for example, if Google
  // disabled the service account because it was compromised—you cannot use this
  // method to enable the service account.
  rpc EnableServiceAccount(EnableServiceAccountRequest) returns (google.protobuf.Empty) {
    // NOTE(review): the DisableServiceAccount documentation in this service
    // states that after re-enabling, the account's existing access tokens are
    // accepted again. Re-enable only once the reason for disabling (for
    // example a suspected credential leak) has been resolved.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}:enable"
      body: "*"
    };
  }

  // Disables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] immediately.
  //
  // If an application uses the service account to authenticate, that
  // application can no longer call Google APIs or access Google Cloud
  // resources. Existing access tokens for the service account are rejected, and
  // requests for new access tokens will fail.
  //
  // To re-enable the service account, use [EnableServiceAccount][google.iam.admin.v1.IAM.EnableServiceAccount]. After you
  // re-enable the service account, its existing access tokens will be accepted,
  // and you can request new access tokens.
  //
  // To help avoid unplanned outages, we recommend that you disable the service
  // account before you delete it. Use this method to disable the service
  // account, then wait at least 24 hours and watch for unintended consequences.
  // If there are no unintended consequences, you can delete the service account
  // with [DeleteServiceAccount][google.iam.admin.v1.IAM.DeleteServiceAccount].
  rpc DisableServiceAccount(DisableServiceAccountRequest) returns (google.protobuf.Empty) {
    // Containment-relevant: the documentation above states that existing
    // access tokens are rejected and new token requests fail once the account
    // is disabled, and that the effect is reversible via EnableServiceAccount.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}:disable"
      body: "*"
    };
  }

  // Lists every [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] for a service account.
  rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) {
    // NOTE(review): `key_types` in the signature presumably filters the
    // listing by key type; ListServiceAccountKeysRequest is outside this view.
    // Useful for key-inventory and rotation audits.
    option (google.api.http) = {
      get: "/v1/{name=projects/*/serviceAccounts/*}/keys"
    };
    option (google.api.method_signature) = "name,key_types";
  }

  // Gets a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
  rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) {
    // NOTE(review): the signature takes `public_key_type`, which suggests this
    // read returns public key material only — confirm against the
    // ServiceAccountKey message, which is outside this view.
    option (google.api.http) = {
      get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
    };
    option (google.api.method_signature) = "name,public_key_type";
  }

  // Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
  rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) {
    // NOTE(review): `private_key_type` in the signature suggests the returned
    // ServiceAccountKey carries private key material. Treat the response as a
    // secret (keep it out of logs, store it in a secret manager) — confirm the
    // field details against the ServiceAccountKey message, not visible here.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}/keys"
      body: "*"
    };
    option (google.api.method_signature) = "name,private_key_type,key_algorithm";
  }

  // Uploads the public key portion of a key pair that you manage, and
  // associates the public key with a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  //
  // After you upload the public key, you can use the private key from the key
  // pair as a service account key.
  rpc UploadServiceAccountKey(UploadServiceAccountKeyRequest) returns (ServiceAccountKey) {
    // Per the documentation above only the public half of the key pair is
    // uploaded; the private key stays with the caller, who is then
    // responsible for protecting and rotating it.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}/keys:upload"
      body: "*"
    };
  }

  // Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. Deleting a service account key does not
  // revoke short-lived credentials that have been issued based on the service
  // account key.
  rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) {
    // NOTE(review): because short-lived credentials already issued from the
    // key survive its deletion (see above), deleting a leaked key is not full
    // revocation on its own. The DisableServiceAccount documentation in this
    // service states that disabling the account rejects existing access
    // tokens.
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Disables a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. A disabled service account key can be
  // re-enabled with [EnableServiceAccountKey][google.iam.admin.v1.IAM.EnableServiceAccountKey].
  rpc DisableServiceAccountKey(DisableServiceAccountKeyRequest) returns (google.protobuf.Empty) {
    // NOTE(review): the documentation does not say whether credentials that
    // were already issued from the key stay valid after it is disabled —
    // confirm before relying on this call alone for revocation.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*/keys/*}:disable"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // Enables a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
  rpc EnableServiceAccountKey(EnableServiceAccountKeyRequest) returns (google.protobuf.Empty) {
    // Counterpart of DisableServiceAccountKey; the key is identified by
    // `name`, bound from the URL path.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*/keys/*}:enable"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // **Note:** This method is deprecated. Use the
  // [`signBlob`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signBlob)
  // method in the IAM Service Account Credentials API instead. If you currently
  // use this method, see the [migration
  // guide](https://cloud.google.com/iam/help/credentials/migrate-api) for
  // instructions.
  //
  // Signs a blob using the system-managed private key for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) {
    // `deprecated = true` marks the method for generated clients; the HTTP
    // binding is still declared below. NOTE(review): this call yields
    // signatures made with the service account's system-managed key, so
    // access to it should be restricted and audited like other
    // credential-issuing operations while migration is pending.
    option deprecated = true;
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob"
      body: "*"
    };
    option (google.api.method_signature) = "name,bytes_to_sign";
  }

  // **Note:** This method is deprecated. Use the
  // [`signJwt`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signJwt)
  // method in the IAM Service Account Credentials API instead. If you currently
  // use this method, see the [migration
  // guide](https://cloud.google.com/iam/help/credentials/migrate-api) for
  // instructions.
  //
  // Signs a JSON Web Token (JWT) using the system-managed private key for a
  // [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  rpc SignJwt(SignJwtRequest) returns (SignJwtResponse) {
    // `deprecated = true` marks the method for generated clients; the HTTP
    // binding is still declared below. NOTE(review): a JWT signed with the
    // service account's system-managed key can act as a credential, so
    // access to this call should be restricted and audited while migration
    // is pending.
    option deprecated = true;
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt"
      body: "*"
    };
    option (google.api.method_signature) = "name,payload";
  }

  // Gets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. This IAM
  // policy specifies which principals have access to the service account.
  //
  // This method does not tell you whether the service account has been granted
  // any roles on other resources. To check whether a service account has role
  // grants on a resource, use the `getIamPolicy` method for that resource. For
  // example, to view the role grants for a project, call the Resource Manager
  // API's
  // [`projects.getIamPolicy`](https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy)
  // method.
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
    // Declared as POST with no `body`, so `resource` comes from the URL path.
    // For access reviews, remember this shows who can act on the service
    // account, not what the service account itself can access (see above).
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy"
    };
    option (google.api.method_signature) = "resource";
  }

  // Sets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  //
  // Use this method to grant or revoke access to the service account. For
  // example, you could grant a principal the ability to impersonate the service
  // account.
  //
  // This method does not enable the service account to access other resources.
  // To grant roles to a service account on a resource, follow these steps:
  //
  // 1. Call the resource's `getIamPolicy` method to get its current IAM policy.
  // 2. Edit the policy so that it binds the service account to an IAM role for
  //    the resource.
  // 3. Call the resource's `setIamPolicy` method to update its IAM policy.
  //
  // For detailed instructions, see
  // [Manage access to project, folders, and
  // organizations](https://cloud.google.com/iam/help/service-accounts/granting-access-to-service-accounts)
  // or [Manage access to other
  // resources](https://cloud.google.com/iam/help/access/manage-other-resources).
  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
    // NOTE(review): this policy decides who may use or impersonate the
    // service account (see above), so changes made through this RPC deserve
    // audit logging and alerting. Callers presumably should read the current
    // policy first and send it back with its `etag` so concurrent edits are
    // not overwritten — Policy is defined in google/iam/v1/policy.proto,
    // outside this view.
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy"
      body: "*"
    };
    option (google.api.method_signature) = "resource,policy";
  }

  // Tests whether the caller has the specified permissions on a
  // [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
    // NOTE(review): the service-level overview describes this task as testing
    // whether a service account can use specific permissions, while the
    // method documentation above says it tests the *caller's* permissions on
    // a ServiceAccount. The two readings differ for access reviews — confirm
    // which is intended and align the wording.
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions"
      body: "*"
    };
    option (google.api.method_signature) = "resource,permissions";
  }

  // Lists roles that can be granted on a Google Cloud resource. A role is
  // grantable if the IAM policy for the resource can contain bindings to the
  // role.
  rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) {
    // The URL path carries no resource variable; the resource being queried
    // (`full_resource_name` in the signature) travels in the HTTP body.
    option (google.api.http) = {
      post: "/v1/roles:queryGrantableRoles"
      body: "*"
    };
    option (google.api.method_signature) = "full_resource_name";
  }

  // Lists every predefined [Role][google.iam.admin.v1.Role] that IAM supports, or every custom role
  // that is defined for an organization or project.
  rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) {
    // Three bindings: `/v1/roles` with no parent, plus organization- and
    // project-scoped variants that bind `parent` from the URL path.
    option (google.api.http) = {
      get: "/v1/roles"
      additional_bindings {
        get: "/v1/{parent=organizations/*}/roles"
      }
      additional_bindings {
        get: "/v1/{parent=projects/*}/roles"
      }
    };
  }

  // Gets the definition of a [Role][google.iam.admin.v1.Role].
  rpc GetRole(GetRoleRequest) returns (Role) {
    // Same three scopes as ListRoles: `roles/*`, `organizations/*/roles/*`
    // and `projects/*/roles/*`, each bound into `name`.
    option (google.api.http) = {
      get: "/v1/{name=roles/*}"
      additional_bindings {
        get: "/v1/{name=organizations/*/roles/*}"
      }
      additional_bindings {
        get: "/v1/{name=projects/*/roles/*}"
      }
    };
  }

  // Creates a new custom [Role][google.iam.admin.v1.Role].
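rpc CreateRole(CreateRoleRequest) returns (Role) {
  // Bindings exist only under an organization or a project parent.
  option (google.api.http) = {
    post: "/v1/{parent=organizations/*}/roles"
    body: "*"
    additional_bindings {
      post: "/v1/{parent=projects/*}/roles"
      body: "*"
    }
  };
}

// Updates the definition of a custom [Role][google.iam.admin.v1.Role].
rpc UpdateRole(UpdateRoleRequest) returns (Role) {
  // body: "role" places only the request's `role` field in the HTTP body; the
  // role name comes from the URL path.
  option (google.api.http) = {
    patch: "/v1/{name=organizations/*/roles/*}"
    body: "role"
    additional_bindings {
      patch: "/v1/{name=projects/*/roles/*}"
      body: "role"
    }
  };
}

// Deletes a custom [Role][google.iam.admin.v1.Role].
//
// When you delete a custom role, the following changes occur immediately:
//
// * You cannot bind a principal to the custom role in an IAM
// [Policy][google.iam.v1.Policy].
// * Existing bindings to the custom role are not changed, but they have no
// effect.
// * By default, the response from [ListRoles][google.iam.admin.v1.IAM.ListRoles] does not include the custom
// role.
//
// You have 7 days to undelete the custom role. After 7 days, the following
// changes occur:
//
// * The custom role is permanently deleted and cannot be recovered.
// * If an IAM policy contains a binding to the custom role, the binding is
// permanently removed.
//
// NOTE(review): bindings left in place during the 7-day window presumably
// take effect again if the role is undeleted (confirm). Remove them
// explicitly when the deletion is meant to revoke access for good.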
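rpc DeleteRole(DeleteRoleRequest) returns (Role) {
  // Only organization- and project-scoped role names have a binding here.
  option (google.api.http) = {
    delete: "/v1/{name=organizations/*/roles/*}"
    additional_bindings {
      delete: "/v1/{name=projects/*/roles/*}"
    }
  };
}

// Undeletes a custom [Role][google.iam.admin.v1.Role].
rpc UndeleteRole(UndeleteRoleRequest) returns (Role) {
  // Same two scopes as DeleteRole, with the `:undelete` custom verb.
  option (google.api.http) = {
    post: "/v1/{name=organizations/*/roles/*}:undelete"
    body: "*"
    additional_bindings {
      post: "/v1/{name=projects/*/roles/*}:undelete"
      body: "*"
    }
  };
}

// Lists every permission that you can test on a resource. A permission is
// testable if you can check whether a principal has that permission on the
// resource.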
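rpc QueryTestablePermissions(QueryTestablePermissionsRequest) returns (QueryTestablePermissionsResponse) {
  // The URL carries no resource; the whole request is sent in the HTTP body.
  option (google.api.http) = {
    post: "/v1/permissions:queryTestablePermissions"
    body: "*"
  };
}

// Returns a list of services that allow you to opt into audit logs that are
// not generated by default.
//
// To learn more about audit logs, see the [Logging
// documentation](https://cloud.google.com/logging/docs/audit).
rpc QueryAuditableServices(QueryAuditableServicesRequest) returns (QueryAuditableServicesResponse) {
  option (google.api.http) = {
    post: "/v1/iamPolicies:queryAuditableServices"
    body: "*"
  };
}

// Lints, or validates, an IAM policy. Currently checks the
// [google.iam.v1.Binding.condition][google.iam.v1.Binding.condition] field, which contains a condition
// expression for a role binding.
//
// Successful calls to this method always return an HTTP `200 OK` status code,
// even if the linter detects an issue in the IAM policy.
//
// NOTE(review): because the status code does not reflect lint findings,
// callers have to inspect the LintPolicyResponse body; a successful call is
// not evidence of a clean policy.
rpc LintPolicy(LintPolicyRequest) returns (LintPolicyResponse) {
  option (google.api.http) = {
    post: "/v1/iamPolicies:lintPolicy"
    body: "*"
  };
}
}  // end of the service definition opened earlier in the file

// An IAM service account.
//
// A service account is an account for an application or a virtual machine (VM)
// instance, not a person. You can use a service account to call Google APIs. To
// learn more, read the [overview of service
// accounts](https://cloud.google.com/iam/help/service-accounts/overview).
//
// When you create a service account, you specify the project ID that owns the
// service account, as well as a name that must be unique within the project.
// IAM uses these values to create an email address that identifies the service
// account.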
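message ServiceAccount {
  option (google.api.resource) = {
    type: "iam.googleapis.com/ServiceAccount"
    pattern: "projects/{project}/serviceAccounts/{service_account}"
  };

  // The resource name of the service account.
  //
  // Use one of the following formats:
  //
  // * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
  // * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
  //
  // As an alternative, you can use the `-` wildcard character instead of the
  // project ID:
  //
  // * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
  // * `projects/-/serviceAccounts/{UNIQUE_ID}`
  //
  // When possible, avoid using the `-` wildcard character, because it can cause
  // response messages to contain misleading error codes. For example, if you
  // try to get the service account
  // `projects/-/serviceAccounts/fake@example.com`, which does not exist, the
  // response contains an HTTP `403 Forbidden` error instead of a `404 Not
  // Found` error.
  //
  // NOTE(review): with the wildcard, a `403 Forbidden` therefore says nothing
  // about whether the account exists; do not branch on it as a permission
  // failure.
  string name = 1;

  // Output only. The ID of the project that owns the service account.
  string project_id = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The unique, stable numeric ID for the service account.
  //
  // Each service account retains its unique ID even if you delete the service
  // account. For example, if you delete a service account, then create a new
  // service account with the same name, the new service account has a different
  // unique ID than the deleted service account.
  //
  // NOTE(review): a recreated account reuses the name but not this ID, so
  // records that must refer to one specific account (audit trails, allow
  // lists) are safer keyed on `unique_id` than on the name or email.
  string unique_id = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The email address of the service account.
  string email = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. A user-specified, human-readable name for the service account. The maximum
  // length is 100 UTF-8 bytes.
  string display_name = 6 [(google.api.field_behavior) = OPTIONAL];

  // Deprecated. Do not use.
  bytes etag = 7 [deprecated = true];

  // Optional. A user-specified, human-readable description of the service account. The
  // maximum length is 256 UTF-8 bytes.
  string description = 8 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The OAuth 2.0 client ID for the service account.
  string oauth2_client_id = 9 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Whether the service account is disabled.
  bool disabled = 11 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// The service account create request.
message CreateServiceAccountRequest {
  // Required. The resource name of the project associated with the service
  // accounts, such as `projects/my-project-123`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Project"
    }
  ];

  // Required. The account id that is used to generate the service account
  // email address and a stable unique id. It is unique within a project,
  // must be 6-30 characters long, and match the regular expression
  // `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
  string account_id = 2 [(google.api.field_behavior) = REQUIRED];

  // The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to
  // create. Currently, only the following values are user assignable:
  // `display_name` and `description`.
  ServiceAccount service_account = 3;
}

// The service account list request.
message ListServiceAccountsRequest {
  // Required. The resource name of the project associated with the service
  // accounts, such as `projects/my-project-123`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Project"
    }
  ];

  // Optional limit on the number of service accounts to include in the
  // response. Further accounts can subsequently be obtained by including the
  // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token]
  // in a subsequent request.
  //
  // The default is 20, and the maximum is 100.
  int32 page_size = 2;

  // Optional pagination token returned in an earlier
  // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token].
  string page_token = 3;
}

// The service account list response.
message ListServiceAccountsResponse {
  // The list of matching service accounts.
  repeated ServiceAccount accounts = 1;

  // To retrieve the next page of results, set
  // [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token]
  // to this value.
  string next_page_token = 2;
}

// The service account get request.
message GetServiceAccountRequest {
  // Required. The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];
}

// The service account delete request.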
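message DeleteServiceAccountRequest {
  // Required. The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];
}

// The service account patch request.
//
// You can patch only the `display_name` and `description` fields. You must use
// the `update_mask` field to specify which of these fields you want to patch.
//
// Only the fields specified in the request are guaranteed to be returned in
// the response. Other fields may be empty in the response.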
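message PatchServiceAccountRequest {
  // The service account to patch, carrying the new `display_name` and/or
  // `description` values.
  ServiceAccount service_account = 1;

  // Selects which of the patchable fields to change.
  google.protobuf.FieldMask update_mask = 2;
}

// The service account undelete request.
message UndeleteServiceAccountRequest {
  // The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT_UNIQUE_ID}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account.
  //
  // NOTE(review): the format names only the unique ID here, not the email
  // address that other requests in this file also accept.
  string name = 1;
}

// The service account undelete response.
message UndeleteServiceAccountResponse {
  // Metadata for the restored service account.
  ServiceAccount restored_account = 1;
}

// The service account enable request.
message EnableServiceAccountRequest {
  // The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  //
  // NOTE(review): unlike the get and delete requests, this field carries no
  // REQUIRED field_behavior and no resource_reference annotation.
  string name = 1;
}

// The service account disable request.
message DisableServiceAccountRequest {
  // The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  //
  // NOTE(review): unlike the get and delete requests, this field carries no
  // REQUIRED field_behavior and no resource_reference annotation.
  string name = 1;
}

// The service account keys list request.
message ListServiceAccountKeysRequest {
  // `KeyType` filters to selectively retrieve certain varieties
  // of keys.
  enum KeyType {
    // Unspecified key type. The presence of this in the
    // message will immediately result in an error.
    KEY_TYPE_UNSPECIFIED = 0;

    // User-managed keys (managed and rotated by the user).
    USER_MANAGED = 1;

    // System-managed keys (managed and rotated by Google).
    SYSTEM_MANAGED = 2;
  }

  // Required. The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  //
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];

  // Filters the types of keys the user wants to include in the list
  // response. Duplicate key types are not allowed. If no key type
  // is provided, all keys are returned.
  repeated KeyType key_types = 2;
}

// The service account keys list response.
message ListServiceAccountKeysResponse {
  // The public keys for the service account.
  repeated ServiceAccountKey keys = 1;
}

// The service account key get by id request.
message GetServiceAccountKeyRequest {
  // Required. The resource name of the service account key in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
  //
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/Key"
    }
  ];

  // Optional. The output format of the public key. The default is `TYPE_NONE`, which
  // means that the public key is not returned.
  ServiceAccountPublicKeyType public_key_type = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Supported key algorithms.
enum ServiceAccountKeyAlgorithm {
  // An unspecified key algorithm.
  KEY_ALG_UNSPECIFIED = 0;

  // 1k RSA Key.
  //
  // NOTE(review): 1024-bit RSA is below the 2048-bit minimum in current
  // guidance such as NIST SP 800-131A; treat keys that report this value as
  // candidates for rotation.
  KEY_ALG_RSA_1024 = 1;

  // 2k RSA Key.
  KEY_ALG_RSA_2048 = 2;
}

// Supported private key output formats.
enum ServiceAccountPrivateKeyType {
  // Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`.
  TYPE_UNSPECIFIED = 0;

  // PKCS12 format.
  // The password for the PKCS12 file is `notasecret`.
  // For more information, see https://tools.ietf.org/html/rfc7292.
  //
  // NOTE(review): the password is a fixed, published string, so it gives the
  // private key no confidentiality. Store and transfer the file as you would
  // an unencrypted private key.
  TYPE_PKCS12_FILE = 1;

  // Google Credentials File format.
  TYPE_GOOGLE_CREDENTIALS_FILE = 2;
}

// Supported public key output formats.
enum ServiceAccountPublicKeyType {
  // Do not return the public key.
  TYPE_NONE = 0;

  // X509 PEM format.
  TYPE_X509_PEM_FILE = 1;

  // Raw public key.
  TYPE_RAW_PUBLIC_KEY = 2;
}

// Service Account Key Origin.
enum ServiceAccountKeyOrigin {
  // Unspecified key origin.
  ORIGIN_UNSPECIFIED = 0;

  // Key is provided by user.
  USER_PROVIDED = 1;

  // Key is provided by Google.
  GOOGLE_PROVIDED = 2;
}

// Represents a service account key.
//
// A service account has two sets of key-pairs: user-managed, and
// system-managed.
//
// User-managed key-pairs can be created and deleted by users. Users are
// responsible for rotating these keys periodically to ensure security of
// their service accounts. Users retain the private key of these key-pairs,
// and Google retains ONLY the public key.
//
// System-managed keys are automatically rotated by Google, and are used for
// signing for a maximum of two weeks. The rotation process is probabilistic,
// and usage of the new key will gradually ramp up and down over the key's
// lifetime.
//
// If you cache the public key set for a service account, we recommend that you
// update the cache every 15 minutes. User-managed keys can be added and removed
// at any time, so it is important to update the cache frequently. For
// Google-managed keys, Google will publish a key at least 6 hours before it is
// first used for signing and will keep publishing it for at least 6 hours after
// it was last used for signing.
//
// Public keys for all service accounts are also published at the OAuth2
// Service Account API.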
822*d5c09012SAndroid Build Coastguard Workermessage ServiceAccountKey { 823*d5c09012SAndroid Build Coastguard Worker option (google.api.resource) = { 824*d5c09012SAndroid Build Coastguard Worker type: "iam.googleapis.com/Key" 825*d5c09012SAndroid Build Coastguard Worker pattern: "projects/{project}/serviceAccounts/{service_account}/keys/{key}" 826*d5c09012SAndroid Build Coastguard Worker }; 827*d5c09012SAndroid Build Coastguard Worker 828*d5c09012SAndroid Build Coastguard Worker // The resource name of the service account key in the following format 829*d5c09012SAndroid Build Coastguard Worker // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. 830*d5c09012SAndroid Build Coastguard Worker string name = 1; 831*d5c09012SAndroid Build Coastguard Worker 832*d5c09012SAndroid Build Coastguard Worker // The output format for the private key. 833*d5c09012SAndroid Build Coastguard Worker // Only provided in `CreateServiceAccountKey` responses, not 834*d5c09012SAndroid Build Coastguard Worker // in `GetServiceAccountKey` or `ListServiceAccountKeys` responses. 835*d5c09012SAndroid Build Coastguard Worker // 836*d5c09012SAndroid Build Coastguard Worker // Google never exposes system-managed private keys, and never retains 837*d5c09012SAndroid Build Coastguard Worker // user-managed private keys. 838*d5c09012SAndroid Build Coastguard Worker ServiceAccountPrivateKeyType private_key_type = 2; 839*d5c09012SAndroid Build Coastguard Worker 840*d5c09012SAndroid Build Coastguard Worker // Specifies the algorithm (and possibly key size) for the key. 841*d5c09012SAndroid Build Coastguard Worker ServiceAccountKeyAlgorithm key_algorithm = 8; 842*d5c09012SAndroid Build Coastguard Worker 843*d5c09012SAndroid Build Coastguard Worker // The private key data. Only provided in `CreateServiceAccountKey` 844*d5c09012SAndroid Build Coastguard Worker // responses.
Make sure to keep the private key data secure because it 845*d5c09012SAndroid Build Coastguard Worker // allows for the assertion of the service account identity. 846*d5c09012SAndroid Build Coastguard Worker // When base64 decoded, the private key data can be used to authenticate with 847*d5c09012SAndroid Build Coastguard Worker // Google API client libraries and with 848*d5c09012SAndroid Build Coastguard Worker // <a href="/sdk/gcloud/reference/auth/activate-service-account">gcloud 849*d5c09012SAndroid Build Coastguard Worker // auth activate-service-account</a>. 850*d5c09012SAndroid Build Coastguard Worker bytes private_key_data = 3; 851*d5c09012SAndroid Build Coastguard Worker 852*d5c09012SAndroid Build Coastguard Worker // The public key data. Only provided in `GetServiceAccountKey` responses. 853*d5c09012SAndroid Build Coastguard Worker bytes public_key_data = 7; 854*d5c09012SAndroid Build Coastguard Worker 855*d5c09012SAndroid Build Coastguard Worker // The key can be used after this timestamp. 856*d5c09012SAndroid Build Coastguard Worker google.protobuf.Timestamp valid_after_time = 4; 857*d5c09012SAndroid Build Coastguard Worker 858*d5c09012SAndroid Build Coastguard Worker // The key can be used before this timestamp. 859*d5c09012SAndroid Build Coastguard Worker // For system-managed key pairs, this timestamp is the end time for the 860*d5c09012SAndroid Build Coastguard Worker // private key signing operation. The public key could still be used 861*d5c09012SAndroid Build Coastguard Worker // for verification for a few hours after this time. 862*d5c09012SAndroid Build Coastguard Worker google.protobuf.Timestamp valid_before_time = 5; 863*d5c09012SAndroid Build Coastguard Worker 864*d5c09012SAndroid Build Coastguard Worker // The key origin. 865*d5c09012SAndroid Build Coastguard Worker ServiceAccountKeyOrigin key_origin = 9; 866*d5c09012SAndroid Build Coastguard Worker 867*d5c09012SAndroid Build Coastguard Worker // The key type. 
868*d5c09012SAndroid Build Coastguard Worker ListServiceAccountKeysRequest.KeyType key_type = 10; 869*d5c09012SAndroid Build Coastguard Worker 870*d5c09012SAndroid Build Coastguard Worker // The key status. 871*d5c09012SAndroid Build Coastguard Worker bool disabled = 11; 872*d5c09012SAndroid Build Coastguard Worker} 873*d5c09012SAndroid Build Coastguard Worker 874*d5c09012SAndroid Build Coastguard Worker// The service account key create request. 875*d5c09012SAndroid Build Coastguard Workermessage CreateServiceAccountKeyRequest { 876*d5c09012SAndroid Build Coastguard Worker // Required. The resource name of the service account in the following format: 877*d5c09012SAndroid Build Coastguard Worker // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. 878*d5c09012SAndroid Build Coastguard Worker // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 879*d5c09012SAndroid Build Coastguard Worker // the account. The `ACCOUNT` value can be the `email` address or the 880*d5c09012SAndroid Build Coastguard Worker // `unique_id` of the service account. 881*d5c09012SAndroid Build Coastguard Worker string name = 1 [ 882*d5c09012SAndroid Build Coastguard Worker (google.api.field_behavior) = REQUIRED, 883*d5c09012SAndroid Build Coastguard Worker (google.api.resource_reference) = { 884*d5c09012SAndroid Build Coastguard Worker type: "iam.googleapis.com/ServiceAccount" 885*d5c09012SAndroid Build Coastguard Worker } 886*d5c09012SAndroid Build Coastguard Worker ]; 887*d5c09012SAndroid Build Coastguard Worker 888*d5c09012SAndroid Build Coastguard Worker // The output format of the private key. The default value is 889*d5c09012SAndroid Build Coastguard Worker // `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File 890*d5c09012SAndroid Build Coastguard Worker // format. 
891*d5c09012SAndroid Build Coastguard Worker ServiceAccountPrivateKeyType private_key_type = 2; 892*d5c09012SAndroid Build Coastguard Worker 893*d5c09012SAndroid Build Coastguard Worker // Which type of key and algorithm to use for the key. 894*d5c09012SAndroid Build Coastguard Worker // The default is currently a 2K RSA key. However this may change in the 895*d5c09012SAndroid Build Coastguard Worker // future. 896*d5c09012SAndroid Build Coastguard Worker ServiceAccountKeyAlgorithm key_algorithm = 3; 897*d5c09012SAndroid Build Coastguard Worker} 898*d5c09012SAndroid Build Coastguard Worker 899*d5c09012SAndroid Build Coastguard Worker// The service account key upload request. 900*d5c09012SAndroid Build Coastguard Workermessage UploadServiceAccountKeyRequest { 901*d5c09012SAndroid Build Coastguard Worker // The resource name of the service account in the following format: 902*d5c09012SAndroid Build Coastguard Worker // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. 903*d5c09012SAndroid Build Coastguard Worker // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 904*d5c09012SAndroid Build Coastguard Worker // the account. The `ACCOUNT` value can be the `email` address or the 905*d5c09012SAndroid Build Coastguard Worker // `unique_id` of the service account. 906*d5c09012SAndroid Build Coastguard Worker string name = 1; 907*d5c09012SAndroid Build Coastguard Worker 908*d5c09012SAndroid Build Coastguard Worker // The public key to associate with the service account. Must be an RSA public 909*d5c09012SAndroid Build Coastguard Worker // key that is wrapped in an X.509 v3 certificate. Include the first line, 910*d5c09012SAndroid Build Coastguard Worker // `-----BEGIN CERTIFICATE-----`, and the last line, 911*d5c09012SAndroid Build Coastguard Worker // `-----END CERTIFICATE-----`. 
912*d5c09012SAndroid Build Coastguard Worker bytes public_key_data = 2; 913*d5c09012SAndroid Build Coastguard Worker} 914*d5c09012SAndroid Build Coastguard Worker 915*d5c09012SAndroid Build Coastguard Worker// The service account key delete request. 916*d5c09012SAndroid Build Coastguard Workermessage DeleteServiceAccountKeyRequest { 917*d5c09012SAndroid Build Coastguard Worker // Required. The resource name of the service account key in the following format: 918*d5c09012SAndroid Build Coastguard Worker // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. 919*d5c09012SAndroid Build Coastguard Worker // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 920*d5c09012SAndroid Build Coastguard Worker // the account. The `ACCOUNT` value can be the `email` address or the 921*d5c09012SAndroid Build Coastguard Worker // `unique_id` of the service account. 922*d5c09012SAndroid Build Coastguard Worker string name = 1 [ 923*d5c09012SAndroid Build Coastguard Worker (google.api.field_behavior) = REQUIRED, 924*d5c09012SAndroid Build Coastguard Worker (google.api.resource_reference) = { 925*d5c09012SAndroid Build Coastguard Worker type: "iam.googleapis.com/Key" 926*d5c09012SAndroid Build Coastguard Worker } 927*d5c09012SAndroid Build Coastguard Worker ]; 928*d5c09012SAndroid Build Coastguard Worker} 929*d5c09012SAndroid Build Coastguard Worker 930*d5c09012SAndroid Build Coastguard Worker// The service account key disable request. 931*d5c09012SAndroid Build Coastguard Workermessage DisableServiceAccountKeyRequest { 932*d5c09012SAndroid Build Coastguard Worker // Required. The resource name of the service account key in the following format: 933*d5c09012SAndroid Build Coastguard Worker // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. 
934*d5c09012SAndroid Build Coastguard Worker // 935*d5c09012SAndroid Build Coastguard Worker // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 936*d5c09012SAndroid Build Coastguard Worker // the account. The `ACCOUNT` value can be the `email` address or the 937*d5c09012SAndroid Build Coastguard Worker // `unique_id` of the service account. 938*d5c09012SAndroid Build Coastguard Worker string name = 1 [ 939*d5c09012SAndroid Build Coastguard Worker (google.api.field_behavior) = REQUIRED, 940*d5c09012SAndroid Build Coastguard Worker (google.api.resource_reference) = { 941*d5c09012SAndroid Build Coastguard Worker type: "iam.googleapis.com/Key" 942*d5c09012SAndroid Build Coastguard Worker } 943*d5c09012SAndroid Build Coastguard Worker ]; 944*d5c09012SAndroid Build Coastguard Worker} 945*d5c09012SAndroid Build Coastguard Worker 946*d5c09012SAndroid Build Coastguard Worker// The service account key enable request. 947*d5c09012SAndroid Build Coastguard Workermessage EnableServiceAccountKeyRequest { 948*d5c09012SAndroid Build Coastguard Worker // Required. The resource name of the service account key in the following format: 949*d5c09012SAndroid Build Coastguard Worker // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. 950*d5c09012SAndroid Build Coastguard Worker // 951*d5c09012SAndroid Build Coastguard Worker // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 952*d5c09012SAndroid Build Coastguard Worker // the account. The `ACCOUNT` value can be the `email` address or the 953*d5c09012SAndroid Build Coastguard Worker // `unique_id` of the service account. 
954*d5c09012SAndroid Build Coastguard Worker string name = 1 [ 955*d5c09012SAndroid Build Coastguard Worker (google.api.field_behavior) = REQUIRED, 956*d5c09012SAndroid Build Coastguard Worker (google.api.resource_reference) = { 957*d5c09012SAndroid Build Coastguard Worker type: "iam.googleapis.com/Key" 958*d5c09012SAndroid Build Coastguard Worker } 959*d5c09012SAndroid Build Coastguard Worker ]; 960*d5c09012SAndroid Build Coastguard Worker} 961*d5c09012SAndroid Build Coastguard Worker 962*d5c09012SAndroid Build Coastguard Worker// Deprecated. [Migrate to Service Account Credentials 963*d5c09012SAndroid Build Coastguard Worker// API](https://cloud.google.com/iam/help/credentials/migrate-api). 964*d5c09012SAndroid Build Coastguard Worker// 965*d5c09012SAndroid Build Coastguard Worker// The service account sign blob request. 966*d5c09012SAndroid Build Coastguard Workermessage SignBlobRequest { 967*d5c09012SAndroid Build Coastguard Worker // Required. Deprecated. [Migrate to Service Account Credentials 968*d5c09012SAndroid Build Coastguard Worker // API](https://cloud.google.com/iam/help/credentials/migrate-api). 969*d5c09012SAndroid Build Coastguard Worker // 970*d5c09012SAndroid Build Coastguard Worker // The resource name of the service account in the following format: 971*d5c09012SAndroid Build Coastguard Worker // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. 972*d5c09012SAndroid Build Coastguard Worker // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 973*d5c09012SAndroid Build Coastguard Worker // the account. The `ACCOUNT` value can be the `email` address or the 974*d5c09012SAndroid Build Coastguard Worker // `unique_id` of the service account. 
975*d5c09012SAndroid Build Coastguard Worker string name = 1 [ 976*d5c09012SAndroid Build Coastguard Worker deprecated = true, 977*d5c09012SAndroid Build Coastguard Worker (google.api.field_behavior) = REQUIRED, 978*d5c09012SAndroid Build Coastguard Worker (google.api.resource_reference) = { 979*d5c09012SAndroid Build Coastguard Worker type: "iam.googleapis.com/ServiceAccount" 980*d5c09012SAndroid Build Coastguard Worker } 981*d5c09012SAndroid Build Coastguard Worker ]; 982*d5c09012SAndroid Build Coastguard Worker 983*d5c09012SAndroid Build Coastguard Worker // Required. Deprecated. [Migrate to Service Account Credentials 984*d5c09012SAndroid Build Coastguard Worker // API](https://cloud.google.com/iam/help/credentials/migrate-api). 985*d5c09012SAndroid Build Coastguard Worker // 986*d5c09012SAndroid Build Coastguard Worker // The bytes to sign. 987*d5c09012SAndroid Build Coastguard Worker bytes bytes_to_sign = 2 [ 988*d5c09012SAndroid Build Coastguard Worker deprecated = true, 989*d5c09012SAndroid Build Coastguard Worker (google.api.field_behavior) = REQUIRED 990*d5c09012SAndroid Build Coastguard Worker ]; 991*d5c09012SAndroid Build Coastguard Worker} 992*d5c09012SAndroid Build Coastguard Worker 993*d5c09012SAndroid Build Coastguard Worker// Deprecated. [Migrate to Service Account Credentials 994*d5c09012SAndroid Build Coastguard Worker// API](https://cloud.google.com/iam/help/credentials/migrate-api). 995*d5c09012SAndroid Build Coastguard Worker// 996*d5c09012SAndroid Build Coastguard Worker// The service account sign blob response. 997*d5c09012SAndroid Build Coastguard Workermessage SignBlobResponse { 998*d5c09012SAndroid Build Coastguard Worker // Deprecated. [Migrate to Service Account Credentials 999*d5c09012SAndroid Build Coastguard Worker // API](https://cloud.google.com/iam/help/credentials/migrate-api). 1000*d5c09012SAndroid Build Coastguard Worker // 1001*d5c09012SAndroid Build Coastguard Worker // The id of the key used to sign the blob. 
1002*d5c09012SAndroid Build Coastguard Worker string key_id = 1 [deprecated = true]; 1003*d5c09012SAndroid Build Coastguard Worker 1004*d5c09012SAndroid Build Coastguard Worker // Deprecated. [Migrate to Service Account Credentials 1005*d5c09012SAndroid Build Coastguard Worker // API](https://cloud.google.com/iam/help/credentials/migrate-api). 1006*d5c09012SAndroid Build Coastguard Worker // 1007*d5c09012SAndroid Build Coastguard Worker // The signed blob. 1008*d5c09012SAndroid Build Coastguard Worker bytes signature = 2 [deprecated = true]; 1009*d5c09012SAndroid Build Coastguard Worker} 1010*d5c09012SAndroid Build Coastguard Worker 1011*d5c09012SAndroid Build Coastguard Worker// Deprecated. [Migrate to Service Account Credentials 1012*d5c09012SAndroid Build Coastguard Worker// API](https://cloud.google.com/iam/help/credentials/migrate-api). 1013*d5c09012SAndroid Build Coastguard Worker// 1014*d5c09012SAndroid Build Coastguard Worker// The service account sign JWT request. 1015*d5c09012SAndroid Build Coastguard Workermessage SignJwtRequest { 1016*d5c09012SAndroid Build Coastguard Worker // Required. Deprecated. [Migrate to Service Account Credentials 1017*d5c09012SAndroid Build Coastguard Worker // API](https://cloud.google.com/iam/help/credentials/migrate-api). 1018*d5c09012SAndroid Build Coastguard Worker // 1019*d5c09012SAndroid Build Coastguard Worker // The resource name of the service account in the following format: 1020*d5c09012SAndroid Build Coastguard Worker // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. 1021*d5c09012SAndroid Build Coastguard Worker // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from 1022*d5c09012SAndroid Build Coastguard Worker // the account. The `ACCOUNT` value can be the `email` address or the 1023*d5c09012SAndroid Build Coastguard Worker // `unique_id` of the service account. 
1024*d5c09012SAndroid Build Coastguard Worker string name = 1 [ 1025*d5c09012SAndroid Build Coastguard Worker deprecated = true, 1026*d5c09012SAndroid Build Coastguard Worker (google.api.field_behavior) = REQUIRED, 1027*d5c09012SAndroid Build Coastguard Worker (google.api.resource_reference) = { 1028*d5c09012SAndroid Build Coastguard Worker type: "iam.googleapis.com/ServiceAccount" 1029*d5c09012SAndroid Build Coastguard Worker } 1030*d5c09012SAndroid Build Coastguard Worker ]; 1031*d5c09012SAndroid Build Coastguard Worker 1032*d5c09012SAndroid Build Coastguard Worker // Required. Deprecated. [Migrate to Service Account Credentials 1033*d5c09012SAndroid Build Coastguard Worker // API](https://cloud.google.com/iam/help/credentials/migrate-api). 1034*d5c09012SAndroid Build Coastguard Worker // 1035*d5c09012SAndroid Build Coastguard Worker // The JWT payload to sign. Must be a serialized JSON object that contains a 1036*d5c09012SAndroid Build Coastguard Worker // JWT Claims Set. For example: `{"sub": "user@example.com", "iat": 313435}` 1037*d5c09012SAndroid Build Coastguard Worker // 1038*d5c09012SAndroid Build Coastguard Worker // If the JWT Claims Set contains an expiration time (`exp`) claim, it must be 1039*d5c09012SAndroid Build Coastguard Worker // an integer timestamp that is not in the past and no more than 12 hours in 1040*d5c09012SAndroid Build Coastguard Worker // the future. 1041*d5c09012SAndroid Build Coastguard Worker // 1042*d5c09012SAndroid Build Coastguard Worker // If the JWT Claims Set does not contain an expiration time (`exp`) claim, 1043*d5c09012SAndroid Build Coastguard Worker // this claim is added automatically, with a timestamp that is 1 hour in the 1044*d5c09012SAndroid Build Coastguard Worker // future.
1045*d5c09012SAndroid Build Coastguard Worker string payload = 2 [ 1046*d5c09012SAndroid Build Coastguard Worker deprecated = true, 1047*d5c09012SAndroid Build Coastguard Worker (google.api.field_behavior) = REQUIRED 1048*d5c09012SAndroid Build Coastguard Worker ]; 1049*d5c09012SAndroid Build Coastguard Worker} 1050*d5c09012SAndroid Build Coastguard Worker 1051*d5c09012SAndroid Build Coastguard Worker// Deprecated. [Migrate to Service Account Credentials 1052*d5c09012SAndroid Build Coastguard Worker// API](https://cloud.google.com/iam/help/credentials/migrate-api). 1053*d5c09012SAndroid Build Coastguard Worker// 1054*d5c09012SAndroid Build Coastguard Worker// The service account sign JWT response. 1055*d5c09012SAndroid Build Coastguard Workermessage SignJwtResponse { 1056*d5c09012SAndroid Build Coastguard Worker // Deprecated. [Migrate to Service Account Credentials 1057*d5c09012SAndroid Build Coastguard Worker // API](https://cloud.google.com/iam/help/credentials/migrate-api). 1058*d5c09012SAndroid Build Coastguard Worker // 1059*d5c09012SAndroid Build Coastguard Worker // The id of the key used to sign the JWT. 1060*d5c09012SAndroid Build Coastguard Worker string key_id = 1 [deprecated = true]; 1061*d5c09012SAndroid Build Coastguard Worker 1062*d5c09012SAndroid Build Coastguard Worker // Deprecated. [Migrate to Service Account Credentials 1063*d5c09012SAndroid Build Coastguard Worker // API](https://cloud.google.com/iam/help/credentials/migrate-api). 1064*d5c09012SAndroid Build Coastguard Worker // 1065*d5c09012SAndroid Build Coastguard Worker // The signed JWT. 1066*d5c09012SAndroid Build Coastguard Worker string signed_jwt = 2 [deprecated = true]; 1067*d5c09012SAndroid Build Coastguard Worker} 1068*d5c09012SAndroid Build Coastguard Worker 1069*d5c09012SAndroid Build Coastguard Worker// A role in the Identity and Access Management API. 
1070*d5c09012SAndroid Build Coastguard Workermessage Role { 1071*d5c09012SAndroid Build Coastguard Worker // A stage representing a role's lifecycle phase. 1072*d5c09012SAndroid Build Coastguard Worker enum RoleLaunchStage { 1073*d5c09012SAndroid Build Coastguard Worker // The user has indicated this role is currently in an Alpha phase. If this 1074*d5c09012SAndroid Build Coastguard Worker // launch stage is selected, the `stage` field will not be included when 1075*d5c09012SAndroid Build Coastguard Worker // requesting the definition for a given role. 1076*d5c09012SAndroid Build Coastguard Worker ALPHA = 0; 1077*d5c09012SAndroid Build Coastguard Worker 1078*d5c09012SAndroid Build Coastguard Worker // The user has indicated this role is currently in a Beta phase. 1079*d5c09012SAndroid Build Coastguard Worker BETA = 1; 1080*d5c09012SAndroid Build Coastguard Worker 1081*d5c09012SAndroid Build Coastguard Worker // The user has indicated this role is generally available. 1082*d5c09012SAndroid Build Coastguard Worker GA = 2; 1083*d5c09012SAndroid Build Coastguard Worker 1084*d5c09012SAndroid Build Coastguard Worker // The user has indicated this role is being deprecated. 1085*d5c09012SAndroid Build Coastguard Worker DEPRECATED = 4; 1086*d5c09012SAndroid Build Coastguard Worker 1087*d5c09012SAndroid Build Coastguard Worker // This role is disabled and will not contribute permissions to any 1088*d5c09012SAndroid Build Coastguard Worker // principals it is granted to in policies. 1089*d5c09012SAndroid Build Coastguard Worker DISABLED = 5; 1090*d5c09012SAndroid Build Coastguard Worker 1091*d5c09012SAndroid Build Coastguard Worker // The user has indicated this role is currently in an EAP phase. 1092*d5c09012SAndroid Build Coastguard Worker EAP = 6; 1093*d5c09012SAndroid Build Coastguard Worker } 1094*d5c09012SAndroid Build Coastguard Worker 1095*d5c09012SAndroid Build Coastguard Worker // The name of the role. 
1096*d5c09012SAndroid Build Coastguard Worker // 1097*d5c09012SAndroid Build Coastguard Worker // When Role is used in CreateRole, the role name must not be set. 1098*d5c09012SAndroid Build Coastguard Worker // 1099*d5c09012SAndroid Build Coastguard Worker // When Role is used in output and other input such as UpdateRole, the role 1100*d5c09012SAndroid Build Coastguard Worker // name is the complete path, e.g., roles/logging.viewer for predefined roles 1101*d5c09012SAndroid Build Coastguard Worker // and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles. 1102*d5c09012SAndroid Build Coastguard Worker string name = 1; 1103*d5c09012SAndroid Build Coastguard Worker 1104*d5c09012SAndroid Build Coastguard Worker // Optional. A human-readable title for the role. Typically this 1105*d5c09012SAndroid Build Coastguard Worker // is limited to 100 UTF-8 bytes. 1106*d5c09012SAndroid Build Coastguard Worker string title = 2; 1107*d5c09012SAndroid Build Coastguard Worker 1108*d5c09012SAndroid Build Coastguard Worker // Optional. A human-readable description for the role. 1109*d5c09012SAndroid Build Coastguard Worker string description = 3; 1110*d5c09012SAndroid Build Coastguard Worker 1111*d5c09012SAndroid Build Coastguard Worker // The names of the permissions this role grants when bound in an IAM policy. 1112*d5c09012SAndroid Build Coastguard Worker repeated string included_permissions = 7; 1113*d5c09012SAndroid Build Coastguard Worker 1114*d5c09012SAndroid Build Coastguard Worker // The current launch stage of the role. If the `ALPHA` launch stage has been 1115*d5c09012SAndroid Build Coastguard Worker // selected for a role, the `stage` field will not be included in the 1116*d5c09012SAndroid Build Coastguard Worker // returned definition for the role. 
1117*d5c09012SAndroid Build Coastguard Worker RoleLaunchStage stage = 8; 1118*d5c09012SAndroid Build Coastguard Worker 1119*d5c09012SAndroid Build Coastguard Worker // Used to perform a consistent read-modify-write. 1120*d5c09012SAndroid Build Coastguard Worker bytes etag = 9; 1121*d5c09012SAndroid Build Coastguard Worker 1122*d5c09012SAndroid Build Coastguard Worker // The current deleted state of the role. This field is read only. 1123*d5c09012SAndroid Build Coastguard Worker // It will be ignored in calls to CreateRole and UpdateRole. 1124*d5c09012SAndroid Build Coastguard Worker bool deleted = 11; 1125*d5c09012SAndroid Build Coastguard Worker} 1126*d5c09012SAndroid Build Coastguard Worker 1127*d5c09012SAndroid Build Coastguard Worker// The grantable role query request. 1128*d5c09012SAndroid Build Coastguard Workermessage QueryGrantableRolesRequest { 1129*d5c09012SAndroid Build Coastguard Worker // Required. The full resource name to query from the list of grantable roles. 1130*d5c09012SAndroid Build Coastguard Worker // 1131*d5c09012SAndroid Build Coastguard Worker // The name follows the Google Cloud Platform resource format. 1132*d5c09012SAndroid Build Coastguard Worker // For example, a Cloud Platform project with id `my-project` will be named 1133*d5c09012SAndroid Build Coastguard Worker // `//cloudresourcemanager.googleapis.com/projects/my-project`. 1134*d5c09012SAndroid Build Coastguard Worker string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED]; 1135*d5c09012SAndroid Build Coastguard Worker 1136*d5c09012SAndroid Build Coastguard Worker RoleView view = 2; 1137*d5c09012SAndroid Build Coastguard Worker 1138*d5c09012SAndroid Build Coastguard Worker // Optional limit on the number of roles to include in the response. 1139*d5c09012SAndroid Build Coastguard Worker // 1140*d5c09012SAndroid Build Coastguard Worker // The default is 300, and the maximum is 1,000. 
1141*d5c09012SAndroid Build Coastguard Worker int32 page_size = 3; 1142*d5c09012SAndroid Build Coastguard Worker 1143*d5c09012SAndroid Build Coastguard Worker // Optional pagination token returned in an earlier 1144*d5c09012SAndroid Build Coastguard Worker // QueryGrantableRolesResponse. 1145*d5c09012SAndroid Build Coastguard Worker string page_token = 4; 1146*d5c09012SAndroid Build Coastguard Worker} 1147*d5c09012SAndroid Build Coastguard Worker 1148*d5c09012SAndroid Build Coastguard Worker// The grantable role query response. 1149*d5c09012SAndroid Build Coastguard Workermessage QueryGrantableRolesResponse { 1150*d5c09012SAndroid Build Coastguard Worker // The list of matching roles. 1151*d5c09012SAndroid Build Coastguard Worker repeated Role roles = 1; 1152*d5c09012SAndroid Build Coastguard Worker 1153*d5c09012SAndroid Build Coastguard Worker // To retrieve the next page of results, set 1154*d5c09012SAndroid Build Coastguard Worker // `QueryGrantableRolesRequest.page_token` to this value. 1155*d5c09012SAndroid Build Coastguard Worker string next_page_token = 2; 1156*d5c09012SAndroid Build Coastguard Worker} 1157*d5c09012SAndroid Build Coastguard Worker 1158*d5c09012SAndroid Build Coastguard Worker// A view for Role objects. 1159*d5c09012SAndroid Build Coastguard Workerenum RoleView { 1160*d5c09012SAndroid Build Coastguard Worker // Omits the `included_permissions` field. 1161*d5c09012SAndroid Build Coastguard Worker // This is the default value. 1162*d5c09012SAndroid Build Coastguard Worker BASIC = 0; 1163*d5c09012SAndroid Build Coastguard Worker 1164*d5c09012SAndroid Build Coastguard Worker // Returns all fields. 1165*d5c09012SAndroid Build Coastguard Worker FULL = 1; 1166*d5c09012SAndroid Build Coastguard Worker} 1167*d5c09012SAndroid Build Coastguard Worker 1168*d5c09012SAndroid Build Coastguard Worker// The request to get all roles defined under a resource. 
message ListRolesRequest {
  // The `parent` parameter's value depends on the target resource for the
  // request, namely
  // [`roles`](https://cloud.google.com/iam/reference/rest/v1/roles),
  // [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles),
  // or
  // [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles).
  // Each resource type's `parent` value format is described below:
  //
  // * [`roles.list()`](https://cloud.google.com/iam/reference/rest/v1/roles/list): An empty string.
  //   This method doesn't require a resource; it simply returns all
  //   [predefined
  //   roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles)
  //   in Cloud IAM. Example request URL: `https://iam.googleapis.com/v1/roles`
  //
  // * [`projects.roles.list()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/list):
  //   `projects/{PROJECT_ID}`. This method lists all project-level
  //   [custom
  //   roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
  //   Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
  //
  // * [`organizations.roles.list()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/list):
  //   `organizations/{ORGANIZATION_ID}`. This method lists all
  //   organization-level [custom
  //   roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
  //   Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  //
  // The resource reference below is declared with `type: "*"` (any resource
  // type), so the three formats above are not expressed in this schema.
  // NOTE(review): presumably the service validates the value - confirm.
  string parent = 1 [(google.api.resource_reference) = {
    type: "*"
  }];

  // Optional limit on the number of roles to include in the response.
  //
  // The default is 300, and the maximum is 1,000.
  int32 page_size = 2;

  // Optional pagination token returned in an earlier ListRolesResponse.
  string page_token = 3;

  // Optional view for the returned Role objects. When `FULL` is specified,
  // the `includedPermissions` field is returned, which includes a list of all
  // permissions in the role. The default value is `BASIC`, which does not
  // return the `includedPermissions` field.
  //
  // A caller that needs to review what each role grants must therefore
  // request `FULL`; a `BASIC` listing carries no permission data.
  RoleView view = 4;

  // Include Roles that have been deleted.
  //
  // Unset reads as `false` (proto3 default), i.e. the field is an opt-in.
  // Field number 5 is not used in this message. NOTE(review): no
  // `reserved 5;` statement is visible here - confirm the number is not
  // available for reuse.
  bool show_deleted = 6;
}

// The response containing the roles defined under a resource.
message ListRolesResponse {
  // The Roles defined on this resource.
  repeated Role roles = 1;

  // To retrieve the next page of results, set
  // `ListRolesRequest.page_token` to this value.
  string next_page_token = 2;
}

// The request to get the definition of an existing role.
message GetRoleRequest {
  // The `name` parameter's value depends on the target resource for the
  // request, namely
  // [`roles`](https://cloud.google.com/iam/reference/rest/v1/roles),
  // [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles),
  // or
  // [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles).
  // Each resource type's `name` value format is described below:
  //
  // * [`roles.get()`](https://cloud.google.com/iam/reference/rest/v1/roles/get): `roles/{ROLE_NAME}`.
  //   This method returns results from all
  //   [predefined
  //   roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles)
  //   in Cloud IAM. Example request URL:
  //   `https://iam.googleapis.com/v1/roles/{ROLE_NAME}`
  //
  // * [`projects.roles.get()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/get):
  //   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only
  //   [custom
  //   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
  //   have been created at the project level. Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // * [`organizations.roles.get()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/get):
  //   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
  //   returns only [custom
  //   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
  //   have been created at the organization level. Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  //
  // The resource reference below is declared with `type: "*"` (any resource
  // type), so the three formats above are not expressed in this schema.
  // NOTE(review): presumably the service validates the value - confirm.
  string name = 1 [(google.api.resource_reference) = {
    type: "*"
  }];
}

// The request to create a new role.
message CreateRoleRequest {
  // The `parent` parameter's value depends on the target resource for the
  // request, namely
  // [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles)
  // or
  // [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles).
  // Each resource type's `parent` value format is described below:
  //
  // * [`projects.roles.create()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/create):
  //   `projects/{PROJECT_ID}`. This method creates project-level
  //   [custom
  //   roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
  //   Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
  //
  // * [`organizations.roles.create()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/create):
  //   `organizations/{ORGANIZATION_ID}`. This method creates organization-level
  //   [custom
  //   roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
  //   Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  //
  // The resource reference below is declared with `type: "*"` (any resource
  // type), so the two formats above are not expressed in this schema.
  // NOTE(review): presumably the service validates the value - confirm.
  string parent = 1 [(google.api.resource_reference) = {
    type: "*"
  }];

  // The role ID to use for this role.
  //
  // A role ID may contain alphanumeric characters, underscores (`_`), and
  // periods (`.`). It must contain a minimum of 3 characters and a maximum of
  // 64 characters.
  //
  // These constraints are stated in prose only; the field is a plain
  // `string` with no validation annotation in this message.
  string role_id = 2;

  // The Role resource to create.
  Role role = 3;
}

// The request to update a role.
message UpdateRoleRequest {
  // The `name` parameter's value depends on the target resource for the
  // request, namely
  // [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles)
  // or
  // [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles).
  // Each resource type's `name` value format is described below:
  //
  // * [`projects.roles.patch()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/patch):
  //   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only
  //   [custom
  //   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
  //   have been created at the project level. Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // * [`organizations.roles.patch()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/patch):
  //   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
  //   updates only [custom
  //   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
  //   have been created at the organization level. Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  //
  // The resource reference below is declared with `type: "*"` (any resource
  // type), so the two formats above are not expressed in this schema.
  // NOTE(review): presumably the service validates the value - confirm.
  string name = 1 [(google.api.resource_reference) = {
    type: "*"
  }];

  // The updated role.
  Role role = 2;

  // A mask describing which fields in the Role have changed.
  //
  // NOTE(review): what the service does when the mask is left unset is not
  // stated here - confirm before sending a partially populated `role`, since
  // the role's permission list is among the fields an update can touch.
  google.protobuf.FieldMask update_mask = 3;
}

// The request to delete an existing role.
message DeleteRoleRequest {
  // The `name` parameter's value depends on the target resource for the
  // request, namely
  // [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles)
  // or
  // [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles).
  // Each resource type's `name` value format is described below:
  //
  // * [`projects.roles.delete()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/delete):
  //   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only
  //   [custom
  //   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
  //   have been created at the project level. Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // * [`organizations.roles.delete()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/delete):
  //   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
  //   deletes only [custom
  //   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
  //   have been created at the organization level. Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  //
  // The resource reference below is declared with `type: "*"` (any resource
  // type), so the two formats above are not expressed in this schema.
  // NOTE(review): presumably the service validates the value - confirm.
  string name = 1 [(google.api.resource_reference) = {
    type: "*"
  }];

  // Used to perform a consistent read-modify-write.
  //
  // NOTE(review): presumably the etag of a previously read Role, so that a
  // delete based on a stale read is rejected; behaviour when the field is
  // left empty is not stated here - confirm.
  bytes etag = 2;
}

// The request to undelete an existing role.
message UndeleteRoleRequest {
  // The `name` parameter's value depends on the target resource for the
  // request, namely
  // [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles)
  // or
  // [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles).
  // Each resource type's `name` value format is described below:
  //
  // * [`projects.roles.undelete()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/undelete):
  //   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes
  //   only [custom
  //   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
  //   have been created at the project level. Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // * [`organizations.roles.undelete()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/undelete):
  //   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
  //   undeletes only [custom
  //   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
  //   have been created at the organization level. Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  //
  // The resource reference below is declared with `type: "*"` (any resource
  // type), so the two formats above are not expressed in this schema.
  // NOTE(review): presumably the service validates the value - confirm.
  string name = 1 [(google.api.resource_reference) = {
    type: "*"
  }];

  // Used to perform a consistent read-modify-write.
  //
  // NOTE(review): presumably the etag of a previously read Role; behaviour
  // when the field is left empty is not stated here - confirm.
  bytes etag = 2;
}

// A permission which can be included by a role.
message Permission {
  // A stage representing a permission's lifecycle phase.
  //
  // There is no `*_UNSPECIFIED` value: `ALPHA` is the zero value, so a
  // Permission whose `stage` was never set is indistinguishable from one
  // that is explicitly in alpha.
  enum PermissionLaunchStage {
    // The permission is currently in an alpha phase.
    ALPHA = 0;

    // The permission is currently in a beta phase.
    BETA = 1;

    // The permission is generally available.
    GA = 2;

    // The permission is being deprecated.
    DEPRECATED = 3;
  }

  // The state of the permission with regard to custom roles.
  //
  // `SUPPORTED` is the zero value, so an unset
  // `custom_roles_support_level` reads as fully supported.
  enum CustomRolesSupportLevel {
    // Default state. Permission is fully supported for custom role use.
    SUPPORTED = 0;

    // Permission is being tested to check custom role compatibility.
    TESTING = 1;

    // Permission is not supported for custom role use.
    NOT_SUPPORTED = 2;
  }

  // The name of this Permission.
  string name = 1;

  // The title of this Permission.
  string title = 2;

  // A brief description of what this Permission is used for.
  string description = 3;

  // Deprecated. This permission can ONLY be used in predefined roles.
  // NOTE(review): that sentence was attached to `description` in the
  // original listing, leaving this field undocumented; it reads as the
  // description of this flag. `custom_roles_support_level` looks like the
  // replacement signal - confirm.
  bool only_in_predefined_roles = 4 [deprecated = true];

  // The current launch stage of the permission.
  PermissionLaunchStage stage = 5;

  // The current custom role support level.
  CustomRolesSupportLevel custom_roles_support_level = 6;

  // The service API associated with the permission is not enabled.
  bool api_disabled = 7;

  // The preferred name for this permission. If present, then this permission is
  // an alias of, and equivalent to, the listed primary_permission.
  //
  // Because an alias is equivalent to its primary permission, a review of
  // what a role grants should treat both names as the same permission.
  string primary_permission = 8;
}

// A request to get permissions which can be tested on a resource.
message QueryTestablePermissionsRequest {
  // Required. The full resource name to query from the list of testable
  // permissions.
  //
  // The name follows the Google Cloud Platform resource format.
  // For example, a Cloud Platform project with id `my-project` will be named
  // `//cloudresourcemanager.googleapis.com/projects/my-project`.
  string full_resource_name = 1;

  // Optional limit on the number of permissions to include in the response.
  //
  // The default is 100, and the maximum is 1,000.
  int32 page_size = 2;

  // Optional pagination token returned in an earlier
  // QueryTestablePermissionsResponse.
  string page_token = 3;
}

// The response containing permissions which can be tested on a resource.
message QueryTestablePermissionsResponse {
  // The Permissions testable on the requested resource.
  repeated Permission permissions = 1;

  // To retrieve the next page of results, set
  // `QueryTestablePermissionsRequest.page_token` to this value.
  string next_page_token = 2;
}

// A request to get the list of auditable services for a resource.
message QueryAuditableServicesRequest {
  // Required. The full resource name to query from the list of auditable
  // services.
  //
  // The name follows the Google Cloud Platform resource format.
  // For example, a Cloud Platform project with id `my-project` will be named
  // `//cloudresourcemanager.googleapis.com/projects/my-project`.
  string full_resource_name = 1;
}

// A response containing a list of auditable services for a resource.
message QueryAuditableServicesResponse {
  // Contains information about an auditable service.
  message AuditableService {
    // Public name of the service.
    // For example, the service name for Cloud IAM is 'iam.googleapis.com'.
    string name = 1;
  }

  // The auditable services for a resource.
  repeated AuditableService services = 1;
}

// The request to lint a Cloud IAM policy object.
message LintPolicyRequest {
  // The full resource name of the policy this lint request is about.
  //
  // The name follows the Google Cloud Platform (GCP) resource format.
  // For example, a GCP project with ID `my-project` will be named
  // `//cloudresourcemanager.googleapis.com/projects/my-project`.
  //
  // The resource name is not used to read the policy instance from the Cloud
  // IAM database. The candidate policy for lint has to be provided in the same
  // request object.
  string full_resource_name = 1;

  // Required. The Cloud IAM object to be linted.
  //
  // `condition` (field 5) is the only member of this oneof; field numbers
  // 2-4 are not used in this message.
  oneof lint_object {
    // [google.iam.v1.Binding.condition][google.iam.v1.Binding.condition] object to be linted.
    google.type.Expr condition = 5;
  }
}

// Structured response of a single validation unit.
message LintResult {
  // Possible Level values of a validation unit corresponding to its domain
  // of discourse.
  //
  // Only the values 0 and 3 are defined.
  enum Level {
    // Level is unspecified.
    LEVEL_UNSPECIFIED = 0;

    // A validation unit which operates on an individual condition within a
    // binding.
    CONDITION = 3;
  }

  // Possible Severity values of an issued result.
  //
  // Numeric order does not follow severity: `ERROR` (1) is the most severe
  // value described below, and `DEPRECATED` has the highest number.
  enum Severity {
    // Severity is unspecified.
    SEVERITY_UNSPECIFIED = 0;

    // A validation unit returns an error only for critical issues. If an
    // attempt is made to set the problematic policy without rectifying the
    // critical issue, it causes the `setPolicy` operation to fail.
    ERROR = 1;

    // Any issue which is severe enough but does not cause an error.
    // For example, suspicious constructs in the input object will not
    // necessarily fail `setPolicy`, but there is a high likelihood that they
    // won't behave as expected during policy evaluation in `checkPolicy`.
    // This includes the following common scenarios:
    //
    // - Unsatisfiable condition: Expired timestamp in date/time condition.
    // - Ineffective condition: Condition on a <principal, role> pair which is
    //   granted unconditionally in another binding of the same policy.
    //
    // Since a `WARNING` does not block `setPolicy`, it has to be reviewed
    // before the policy is applied: per the scenarios above, the access the
    // policy actually grants can differ from what its author intended.
    WARNING = 2;

    // Reserved for the issues that are not as severe as `ERROR`/`WARNING`,
    // but need special handling. For instance, messages about skipped
    // validation units are issued as `NOTICE`.
    NOTICE = 3;

    // Any informative statement which is not severe enough to raise
    // `ERROR`/`WARNING`/`NOTICE`, like auto-correction recommendations on the
    // input content. Note that the current version of the linter does not
    // utilize `INFO`.
    INFO = 4;

    // Deprecated severity level.
    DEPRECATED = 5;
  }

  // The validation unit level.
  Level level = 1;

  // The validation unit name, for instance
  // "lintValidationUnits/ConditionComplexityCheck".
  string validation_unit_name = 2;

  // The validation unit severity.
  Severity severity = 3;

  // The name of the field that this lint result is about.
  //
  // For nested messages, `field_name` consists of the names of the embedded
  // fields separated by a period character. The top-level qualifier is the
  // input object to lint in the request. For example, the `field_name` value
  // `condition.expression` identifies a lint result for the `expression` field
  // of the provided condition.
  //
  // Field number 4 is not used in this message.
  string field_name = 5;

  // 0-based character position of the problematic construct within the object
  // identified by `field_name`. Currently, this is populated only for
  // condition expressions.
  int32 location_offset = 6;

  // Human readable debug message associated with the issue.
  string debug_message = 7;
}

// The response of a lint operation. An empty response indicates
// the operation was able to fully execute and no lint issue was found.
message LintPolicyResponse {
  // List of lint results sorted by `severity` in descending order.
  //
  // NOTE(review): `Severity` is numbered ERROR = 1 through DEPRECATED = 5, so
  // "descending" presumably means most serious first (ERROR before WARNING)
  // rather than descending enum number -- confirm before relying on position.
  // A caller that gates a policy change on this response should inspect the
  // `severity` of every entry instead of only the first one.
  //
  // Skipped validation units are reported as `NOTICE` results, so a list
  // without `ERROR`/`WARNING` entries does not by itself show that every
  // check ran; review `NOTICE` entries before treating a policy as validated.
  repeated LintResult lint_results = 1;
}