Manages identity and access control for Google Cloud Platform resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls.
Lints a Cloud IAM policy object or its sub fields. Currently supports google.iam.v1.Binding.condition.
Each lint operation consists of multiple lint validation units. Each unit inspects the input object in regard to a particular linting aspect and issues a google.iam.admin.v1.LintResult disclosing the result.
The set of applicable validation units is determined by the Cloud IAM server and is not configurable.
Regardless of any lint issues or their severities, successful calls to lintPolicy return an HTTP 200 OK status code.
Request body: LintPolicyRequest.
Response: LintPolicyResponse.
Returns a list of services that support service level audit logging configuration for the given resource.
Request body: QueryAuditableServicesRequest.
Response: QueryAuditableServicesResponse.
Undelete a Role, bringing it back in its previous state.
Name | Data Type | Description
---|---|---
name | string | The … Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Request body: UndeleteRoleRequest.
Response: Role.
Soft deletes a role. The role is suspended and cannot be used to create new IAM Policy Bindings.
The Role will not be included in ListRoles() unless show_deleted is set in the ListRolesRequest. The Role contains the deleted boolean set.
Existing Bindings remain, but are inactive. The Role can be undeleted within 7 days. After 7 days the Role is deleted and all Bindings associated with the role are removed.

Name | Data Type | Description
---|---|---
name | string | The … Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Name | Data Type | Description
---|---|---
etag | string | Used to perform a consistent read-modify-write.

Response: Role.
Gets a Role definition.
Name | Data Type | Description
---|---|---
name | string | The … Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Name | Data Type | Description
---|---|---
publicKeyType | string (allowed values: TYPE_NONE, TYPE_X509_PEM_FILE, TYPE_RAW_PUBLIC_KEY) | The output format of the public key requested. X509_PEM is the default output format.

Response: Role.
Updates a Role definition.
Name | Data Type | Description
---|---|---
name | string | The … Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Name | Data Type | Description
---|---|---
updateMask | string | A mask describing which fields in the Role have changed.

Request body: Role.
Response: Role.
Lists the Roles defined on a resource.
Name | Data Type | Description
---|---|---
parent | string | The … Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Name | Data Type | Description
---|---|---
view | string (allowed values: BASIC, FULL) | Optional view for the returned Role objects. When …
showDeleted | boolean | Include Roles that have been deleted.
pageToken | string | Optional pagination token returned in an earlier ListRolesResponse.
pageSize | integer | Optional limit on the number of roles to include in the response.

Response: ListRolesResponse.
Creates a new Role.
Name | Data Type | Description
---|---|---
parent | string | The … Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Request body: CreateRoleRequest.
Response: Role.
Lists the permissions testable on a resource. A permission is testable if it can be tested for an identity on a resource.
Request body: QueryTestablePermissionsRequest.
Response: QueryTestablePermissionsResponse.
Upload public key for a given service account. This rpc will create a ServiceAccountKey that has the provided public key and returns it.
Name | Data Type | Description
---|---|---
name | string | The resource name of the service account in the following format: …

Request body: UploadServiceAccountKeyRequest.
Response: ServiceAccountKey.
Lists ServiceAccountKeys.
Name | Data Type | Description
---|---|---
name | string | Required. The resource name of the service account in the following format: … Using …

Name | Data Type | Description
---|---|---
keyTypes | array | Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned.

Response: ListServiceAccountKeysResponse.
Creates a ServiceAccountKey and returns it.
Name | Data Type | Description
---|---|---
name | string | Required. The resource name of the service account in the following format: …

Request body: CreateServiceAccountKeyRequest.
Response: ServiceAccountKey.
Lists ServiceAccounts for a project.
Name | Data Type | Description
---|---|---
name | string | Required. The resource name of the project associated with the service accounts, such as …

Name | Data Type | Description
---|---|---
pageToken | string | Optional pagination token returned in an earlier ListServiceAccountsResponse.next_page_token.
pageSize | integer | Optional limit on the number of service accounts to include in the response. Further accounts can subsequently be obtained by including the ListServiceAccountsResponse.next_page_token in a subsequent request.

Response: ListServiceAccountsResponse.
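The pageToken / nextPageToken cycle described above, as an added example (not code from the IAM reference or a Google client library). fake_list_service_accounts is a constructed stand-in for the list endpoint; a real fetch function would send the HTTP request with the pageToken and pageSize query parameters. The same loop applies to the roles list methods, which page the same way.

```python
"""Follow nextPageToken across pages of a list call.

Added example (not code from the IAM reference or a Google client library).
fake_list_service_accounts is a constructed stand-in for the
projects.serviceAccounts.list endpoint: a real fetch function would send the
HTTP request with the pageToken and pageSize query parameters.
"""
from typing import Callable, Dict, Iterator, List, Optional


def iterate_pages(fetch: Callable[[Optional[str], int], Dict],
                  page_size: int,
                  items_key: str) -> Iterator[Dict]:
    """Yield items from every page until a response carries no nextPageToken.

    Each response's nextPageToken is fed back as the next request's pageToken.
    A token that repeats means the server is not advancing; that is raised
    instead of looped on forever, which is the failure a naive loop would hit.
    """
    token: Optional[str] = None
    seen_tokens = set()
    while True:
        response = fetch(token, page_size)
        for item in response.get(items_key, []):
            yield item
        token = response.get("nextPageToken") or None  # "" or missing ends the listing
        if token is None:
            return
        if token in seen_tokens:
            raise RuntimeError(f"pagination loop: token {token!r} repeated")
        seen_tokens.add(token)


# Constructed inventory; the disabled flag mirrors the account state that
# disableServiceAccount sets.
FAKE_ACCOUNTS: List[Dict] = [
    {"email": f"sa-{i}@my-project.iam.gserviceaccount.com", "disabled": i % 3 == 0}
    for i in range(7)
]


def fake_list_service_accounts(page_token: Optional[str], page_size: int) -> Dict:
    """Constructed response in the shape of ListServiceAccountsResponse."""
    start = int(page_token) if page_token else 0
    end = start + page_size
    body = {"accounts": FAKE_ACCOUNTS[start:end]}
    if end < len(FAKE_ACCOUNTS):
        body["nextPageToken"] = str(end)  # opaque to the caller; only ever echoed back
    return body


def all_service_account_emails(page_size: int = 3) -> List[str]:
    """Every account email, regardless of how many pages the listing spans."""
    return [a["email"] for a in
            iterate_pages(fake_list_service_accounts, page_size, "accounts")]


def disabled_service_accounts(page_size: int = 3) -> List[str]:
    """Inventory of disabled accounts across every page, the kind of list a
    periodic review of stale identities starts from."""
    return [a["email"] for a in
            iterate_pages(fake_list_service_accounts, page_size, "accounts")
            if a["disabled"]]


if __name__ == "__main__":
    print(all_service_account_emails())
    print(disabled_service_accounts())
```

The result must not depend on the page size, which is what the first assertion below checks; a listing that silently stops after the first page is the usual bug in hand-written inventory scripts.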
Creates a ServiceAccount and returns it.
Name | Data Type | Description
---|---|---
name | string | Required. The resource name of the project associated with the service accounts, such as …

Request body: CreateServiceAccountRequest.
Response: ServiceAccount.
DisableServiceAccount is currently in the alpha launch stage.
Disables a ServiceAccount, which immediately prevents the service account from authenticating and gaining access to APIs.
Disabled service accounts can be safely restored by using EnableServiceAccount at any point. Deleted service accounts cannot be restored using this method.
Disabling a service account that is bound to VMs, Apps, Functions, or other jobs will cause those jobs to lose access to resources if they are using the disabled service account.
To improve reliability of your services and avoid unexpected outages, it is recommended to first disable a service account rather than delete it. After disabling the service account, wait at least 24 hours to verify there are no unintended consequences, and then delete the service account.
Name | Data Type | Description
---|---|---
name | string | The resource name of the service account in the following format: …

Request body: DisableServiceAccountRequest.
Response: Empty.
EnableServiceAccount is currently in the alpha launch stage.
Restores a disabled ServiceAccount that has been manually disabled by using DisableServiceAccount. Service accounts that have been disabled by other means or for other reasons, such as abuse, cannot be restored using this method.
EnableServiceAccount will have no effect on a service account that is not disabled. Enabling an already enabled service account will have no effect.
Name | Data Type | Description
---|---|---
name | string | The resource name of the service account in the following format: …

Request body: EnableServiceAccountRequest.
Response: Empty.
Note: This method is in the process of being deprecated. Call the signBlob() method of the Cloud IAM Service Account Credentials API instead.
Signs a blob using a service account's system-managed private key.

Name | Data Type | Description
---|---|---
name | string | Required. The resource name of the service account in the following format: …

Request body: SignBlobRequest.
Response: SignBlobResponse.
Note: This method is in the process of being deprecated. Call the signJwt() method of the Cloud IAM Service Account Credentials API instead.
Signs a JWT using a service account's system-managed private key.
If no expiry time (exp) is provided in the SignJwtRequest, IAM sets an expiry time of one hour by default. If you request an expiry time of more than one hour, the request will fail.

Name | Data Type | Description
---|---|---
name | string | Required. The resource name of the service account in the following format: …

Request body: SignJwtRequest.
Response: SignJwtResponse.
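A client-side check for the one-hour expiry rule stated above, as an added example (not code from the IAM reference). It assumes the claim set is sent as a JSON string in the request's payload field, which is an assumption about SignJwtRequest since the page does not list its properties; the sample claims are constructed.

```python
"""Pre-check a JWT claim set before handing it to signJwt.

Added example; not code from the IAM reference. It encodes the rule that IAM
defaults exp to one hour when it is absent and fails a request whose exp is
more than one hour out, so the mistake surfaces locally before the call. The
claim set is assumed to travel as a JSON string in the request's payload
field (an assumption about SignJwtRequest, whose properties the page does not
list); the sample claims are constructed.
"""
import json
import time
from typing import Dict, Optional

MAX_JWT_LIFETIME_SECONDS = 3600  # one hour, from the signJwt description


def lifetime_error(claims: Dict, now: Optional[int] = None) -> Optional[str]:
    """Return why IAM would reject the expiry, or None if it is acceptable.

    Lifetime is measured from iat when present, otherwise from now.
    """
    now = int(time.time()) if now is None else now
    iat = int(claims.get("iat", now))
    exp = int(claims.get("exp", iat + MAX_JWT_LIFETIME_SECONDS))
    if exp <= iat:
        return "exp must be after iat"
    if exp - iat > MAX_JWT_LIFETIME_SECONDS:
        return (f"requested lifetime {exp - iat}s exceeds the one hour "
                f"signJwt allows")
    return None


def prepare_jwt_payload(claims: Dict, now: Optional[int] = None) -> str:
    """Return the JSON payload for the request, filling iat and exp.

    exp is set explicitly to iat + 1h when absent, so the lifetime the client
    asked for is recorded in the claims rather than left to the server default.
    Raises ValueError for a lifetime IAM would refuse.
    """
    now = int(time.time()) if now is None else now
    err = lifetime_error(claims, now)
    if err:
        raise ValueError(err)
    out = dict(claims)
    out["iat"] = int(out.get("iat", now))
    out["exp"] = int(out.get("exp", out["iat"] + MAX_JWT_LIFETIME_SECONDS))
    return json.dumps(out, sort_keys=True, separators=(",", ":"))


def parse_payload(payload: str) -> Dict:
    """Inverse of prepare_jwt_payload, for inspection."""
    return json.loads(payload)


if __name__ == "__main__":
    sample = {"iss": "sa@my-project.iam.gserviceaccount.com",  # constructed
              "aud": "https://example.com/api"}
    print(prepare_jwt_payload(sample))
```

Recording exp explicitly also keeps the signed token's lifetime visible in whatever the caller logs, rather than only in the server's default.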
Note: This method is in the process of being deprecated. Use PatchServiceAccount instead.
Updates a ServiceAccount.
Currently, only the following fields are updatable: display_name and description.

Name | Data Type | Description
---|---|---
name | string | The resource name of the service account in the following format: … Requests using … In responses the resource name will always be in the format …

Request body: ServiceAccount.
Response: ServiceAccount.
Returns the Cloud IAM access control policy for a ServiceAccount.
Note: Service accounts are both resources and identities. This method treats the service account as a resource. It returns the Cloud IAM policy that reflects what members have access to the service account.
This method does not return what resources the service account has access to. To see if a service account has access to a resource, call the getIamPolicy method on the target resource. For example, to view grants for a project, call the projects.getIamPolicy method.

Name | Data Type | Description
---|---|---
resource | string | REQUIRED: The resource for which the policy is being requested. See the operation documentation for the appropriate value for this field.

Name | Data Type | Description
---|---|---
options.requestedPolicyVersion | integer | Optional. The policy format version to be returned. Valid values are 0, 1, and 3. Requests specifying an invalid value will be rejected. Requests for policies with any conditional bindings must specify version 3. Policies without any conditional bindings may specify any valid value or leave the field unset.

Response: Policy.
Sets the Cloud IAM access control policy for a ServiceAccount.
Note: Service accounts are both resources and identities. This method treats the service account as a resource. Use it to grant members access to the service account, such as when they need to impersonate it.
This method does not grant the service account access to other resources, such as projects. To grant a service account access to resources, include the service account in the Cloud IAM policy for the desired resource, then call the appropriate setIamPolicy method on the target resource. For example, to grant a service account access to a project, call the projects.setIamPolicy method.

Name | Data Type | Description
---|---|---
resource | string | REQUIRED: The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field.

Request body: SetIamPolicyRequest.
Response: Policy.
Tests the specified permissions against the IAM access control policy for a ServiceAccount.
Name | Data Type | Description
---|---|---
resource | string | REQUIRED: The resource for which the policy detail is being requested. See the operation documentation for the appropriate value for this field.

Request body: TestIamPermissionsRequest.
Response: TestIamPermissionsResponse.
Queries roles that can be granted on a particular resource. A role is grantable if it can be used as the role in a binding for a policy for that resource.
Request body: QueryGrantableRolesRequest.
Response: QueryGrantableRolesResponse.
Lists the Roles defined on a resource.
Name | Data Type | Description
---|---|---
view | string (allowed values: BASIC, FULL) | Optional view for the returned Role objects. When …
showDeleted | boolean | Include Roles that have been deleted.
parent | string | The … Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
pageToken | string | Optional pagination token returned in an earlier ListRolesResponse.
pageSize | integer | Optional limit on the number of roles to include in the response.

Response: ListRolesResponse.
Audit log information specific to Cloud IAM admin APIs. This message is serialized as an Any type in the ServiceData message of an AuditLog message.

Name | Data Type | Description
---|---|---
permissionDelta | PermissionDelta | The permission_delta when creating or updating a Role.
Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
Example Policy with multiple AuditConfigs:
```json
{
  "audit_configs": [
    {
      "service": "allServices",
      "audit_log_configs": [
        {
          "log_type": "DATA_READ",
          "exempted_members": [
            "user:jose@example.com"
          ]
        },
        {
          "log_type": "DATA_WRITE"
        },
        {
          "log_type": "ADMIN_READ"
        }
      ]
    },
    {
      "service": "sampleservice.googleapis.com",
      "audit_log_configs": [
        {
          "log_type": "DATA_READ"
        },
        {
          "log_type": "DATA_WRITE",
          "exempted_members": [
            "user:aliya@example.com"
          ]
        }
      ]
    }
  ]
}
```
For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
Name | Data Type | Description
---|---|---
service | string | Specifies a service that will be enabled for audit logging. For example, …
auditLogConfigs | array [AuditLogConfig] | The configuration for logging of each type of permission.
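The merge rule above (allServices plus the service-specific entry, log types unioned, exemptions from each AuditLogConfig applied), as an added example that is not code from the IAM reference. SAMPLE_POLICY restates the page's example with the camelCase field names of the AuditConfig table; the snake_case names of the JSON example are accepted too.

```python
"""Effective audit logging for one service under a policy's auditConfigs.

Added example; not code from the IAM reference. It implements the merge rule
for allServices and service-specific AuditConfigs: every log type from either
is enabled, and the exempted members of each AuditLogConfig are exempted.
SAMPLE_POLICY restates the page's example with the camelCase names of the
AuditConfig table; the snake_case names of the JSON example are accepted too.
"""
from typing import Any, Dict, List, Set

SAMPLE_POLICY: Dict[str, Any] = {
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [
             {"logType": "DATA_READ", "exemptedMembers": ["user:jose@example.com"]},
             {"logType": "DATA_WRITE"},
             {"logType": "ADMIN_READ"},
         ]},
        {"service": "sampleservice.googleapis.com",
         "auditLogConfigs": [
             {"logType": "DATA_READ"},
             {"logType": "DATA_WRITE", "exemptedMembers": ["user:aliya@example.com"]},
         ]},
    ]
}


def _field(obj: Dict, camel: str, snake: str, default: Any) -> Any:
    """Read a field by its JSON (camelCase) or proto (snake_case) name."""
    return obj.get(camel, obj.get(snake, default))


def effective_audit_config(policy: Dict, service: str) -> Dict[str, Set[str]]:
    """Map each log type enabled for `service` to its exempted members.

    Both the allServices entry and the entry naming `service` contribute; the
    exemption sets are unioned per log type.
    """
    enabled: Dict[str, Set[str]] = {}
    for cfg in _field(policy, "auditConfigs", "audit_configs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for alc in _field(cfg, "auditLogConfigs", "audit_log_configs", []):
            log_type = _field(alc, "logType", "log_type", None)
            if not log_type or log_type == "LOG_TYPE_UNSPECIFIED":
                continue
            members = _field(alc, "exemptedMembers", "exempted_members", [])
            enabled.setdefault(log_type, set()).update(members)
    return enabled


def is_logged(policy: Dict, service: str, log_type: str, member: str) -> bool:
    """True if `member` performing a `log_type` operation on `service` is audited."""
    cfg = effective_audit_config(policy, service)
    return log_type in cfg and member not in cfg[log_type]


def exemptions_report(policy: Dict, service: str) -> Dict[str, List[str]]:
    """Exempted members per log type, sorted; the part of the config a reviewer
    should read first, since an exempted member leaves no audit trail there."""
    return {lt: sorted(m) for lt, m in effective_audit_config(policy, service).items()}


if __name__ == "__main__":
    print(exemptions_report(SAMPLE_POLICY, "sampleservice.googleapis.com"))
```

For sampleservice this reproduces the page's reading: DATA_READ, DATA_WRITE and ADMIN_READ enabled, jose exempt from DATA_READ, aliya exempt from DATA_WRITE; for any other service only the allServices entry applies, so aliya's DATA_WRITE there is logged.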
Audit log information specific to Cloud IAM. This message is serialized as an Any type in the ServiceData message of an AuditLog message.

Name | Data Type | Description
---|---|---
policyDelta | PolicyDelta | Policy delta between the original policy and the newly set policy.
Provides the configuration for logging a type of permissions. Example:
```json
{
  "audit_log_configs": [
    {
      "log_type": "DATA_READ",
      "exempted_members": [
        "user:jose@example.com"
      ]
    },
    {
      "log_type": "DATA_WRITE"
    }
  ]
}
```
This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
Name | Data Type | Description
---|---|---
logType | string (allowed values: LOG_TYPE_UNSPECIFIED, ADMIN_READ, DATA_WRITE, DATA_READ) | The log type that this config enables.
exemptedMembers | array [string] | Specifies the identities that do not cause logging for this type of permission. Follows the same format of Binding.members.
Contains information about an auditable service.
Name | Data Type | Description
---|---|---
name | string | Public name of the service. For example, the service name for Cloud IAM is 'iam.googleapis.com'.
Associates members with a role.

Name | Data Type | Description
---|---|---
role | string | Role that is assigned to …
members | array [string] | Specifies the identities requesting access for a Cloud Platform resource. …
condition | Expr | The condition that is associated with this binding. NOTE: An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently.
One delta entry for Binding. Each individual change (only one member in each entry) to a binding will be a separate entry.
Name | Data Type | Description
---|---|---
role | string | Role that is assigned to …
member | string | A single identity requesting access for a Cloud Platform resource. Follows the same format of Binding.members. Required
condition | Expr | The condition that is associated with this binding.
action | string (allowed values: ACTION_UNSPECIFIED, ADD, REMOVE) | The action that was performed on a Binding. Required
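Computing BindingDelta entries from a before and after policy, as an added example that is not the page's own code. One entry per (role, member, condition) that was added or removed, with action ADD or REMOVE, is the granularity the description above gives; this is the same shape the IAM audit log's policyDelta records for a setIamPolicy call, so the diff can be reviewed before a change is sent or matched against the log afterwards. OLD_POLICY and NEW_POLICY are constructed.

```python
"""Diff two IAM policies into BindingDelta entries.

Added example; not the page's own code. One entry is produced per (role,
member, condition) that was added or removed, with action ADD or REMOVE.
OLD_POLICY and NEW_POLICY are constructed.
"""
import json
from typing import Dict, Iterable, List, Optional, Tuple

Key = Tuple[str, str, str]  # (role, member, canonical condition JSON or "")


def _canonical(condition: Optional[Dict]) -> str:
    """Stable text form so equal conditions compare equal regardless of key order."""
    return json.dumps(condition, sort_keys=True) if condition else ""


def _grants(policy: Dict) -> Dict[Key, Optional[Dict]]:
    """Flatten bindings to one key per member, keeping the condition object."""
    grants: Dict[Key, Optional[Dict]] = {}
    for b in policy.get("bindings", []):
        cond = b.get("condition")
        for member in b.get("members", []):
            grants[(b["role"], member, _canonical(cond))] = cond
    return grants


def binding_deltas(old: Dict, new: Dict) -> List[Dict]:
    """Return BindingDelta-shaped dicts, sorted for stable comparison."""
    before, after = _grants(old), _grants(new)
    deltas: List[Dict] = []
    for key in set(before) | set(after):
        if key in before and key in after:
            continue  # unchanged grant
        action = "ADD" if key in after else "REMOVE"
        role, member, _ = key
        entry = {"action": action, "role": role, "member": member}
        cond = (after if action == "ADD" else before)[key]
        if cond:
            entry["condition"] = cond
        deltas.append(entry)
    deltas.sort(key=lambda d: (d["role"], d["member"], d["action"]))
    return deltas


def added_to_roles(deltas: Iterable[Dict], roles: Iterable[str]) -> List[Dict]:
    """Subset of ADD entries for roles a reviewer treats as sensitive."""
    watch = set(roles)
    return [d for d in deltas if d["action"] == "ADD" and d["role"] in watch]


OLD_POLICY = {
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/editor",
         "members": ["user:carol@example.com"],
         "condition": {"title": "workday",
                       "expression": "request.time.getHours('UTC') < 18"}},
    ],
    "etag": "constructed-etag-1", "version": 3,
}
NEW_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
        {"role": "roles/editor",
         "members": ["user:carol@example.com"],
         "condition": {"expression": "request.time.getHours('UTC') < 18",
                       "title": "workday"}},  # same condition, keys reordered
        {"role": "roles/owner", "members": ["user:dan@example.com"]},
    ],
    "etag": "constructed-etag-2", "version": 3,
}

if __name__ == "__main__":
    for d in binding_deltas(OLD_POLICY, NEW_POLICY):
        print(d)
```

The condition is part of the key on purpose: a grant that moves from conditional to unconditional shows up as one REMOVE and one ADD, which is exactly the change a reviewer should see.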
The request to create a new role.
Name | Data Type | Description
---|---|---
roleId | string | The role ID to use for this role.
role | Role | The Role resource to create.
The service account key create request.
Name | Data Type | Description
---|---|---
privateKeyType | string (allowed values: TYPE_UNSPECIFIED, TYPE_PKCS12_FILE, TYPE_GOOGLE_CREDENTIALS_FILE) | The output format of the private key. The default value is …
keyAlgorithm | string (allowed values: KEY_ALG_UNSPECIFIED, KEY_ALG_RSA_1024, KEY_ALG_RSA_2048) | Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future.
The service account create request.
Name | Data Type | Description
---|---|---
serviceAccount | ServiceAccount | The ServiceAccount resource to create. Currently, only the following values are user assignable: …
accountId | string | Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression …
The service account disable request.
Name | Data Type | Description
---|---|---
DisableServiceAccountRequest | object | The service account disable request.
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance:
```proto
service Foo {
  rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
}
```

The JSON representation for Empty is empty JSON object {}.

Name | Data Type | Description
---|---|---
Empty | object | A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: … The JSON representation for …
The service account enable request.
Name | Data Type | Description
---|---|---
EnableServiceAccountRequest | object | The service account enable request.
Represents an expression text. Example:

```yaml
title: "User account presence"
description: "Determines whether the request has a user account"
expression: "size(request.user) > 0"
```

Name | Data Type | Description
---|---|---
title | string | An optional title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
location | string | An optional string indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
expression | string | Textual representation of an expression in Common Expression Language syntax. The application context of the containing message determines which well-known feature set of CEL is supported.
description | string | An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
The request to lint a Cloud IAM policy object.
Name | Data Type | Description
---|---|---
fullResourceName | string | The full resource name of the policy this lint request is about. The name follows the Google Cloud Platform (GCP) resource format. For example, a GCP project with ID … The resource name is not used to read the policy instance from the Cloud IAM database. The candidate policy for lint has to be provided in the same request object.
condition | Expr | google.iam.v1.Binding.condition object to be linted.
The response of a lint operation. An empty response indicates the operation was able to fully execute and no lint issue was found.
Name | Data Type | Description
---|---|---
lintResults | array [LintResult] | List of lint results sorted by …
Structured response of a single validation unit.
Name | Data Type | Description
---|---|---
validationUnitName | string | The validation unit name, for instance "lintValidationUnits/ConditionComplexityCheck".
severity | string (allowed values: SEVERITY_UNSPECIFIED, ERROR, WARNING, NOTICE, INFO, DEPRECATED) | The validation unit severity.
locationOffset | integer | 0-based character position of problematic construct within the object identified by …
level | string (allowed values: LEVEL_UNSPECIFIED, CONDITION) | The validation unit level.
fieldName | string | The name of the field for which this lint result is about. For nested messages …
debugMessage | string | Human readable debug message associated with the issue.
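Triage of a LintPolicyResponse made of the LintResult records above, as an added example (not the page's own code). It exists because, as the lintPolicy description states, a successful call returns HTTP 200 whatever it found, so a pipeline that lints binding conditions has to read lintResults itself; an empty response means no issue. The severity ranking is an assumption made for this gate (the page lists the values but no order), SAMPLE_RESPONSE is constructed, and only the ConditionComplexityCheck unit name comes from the page.

```python
"""Triage a LintPolicyResponse from lintPolicy.

Added example; not the page's own code. lintPolicy answers HTTP 200 whether or
not it found issues, so the caller has to read lintResults itself; an empty
response means no issue. The severity ranking below is an assumption made for
this gate (the page lists the severity values but no order). SAMPLE_RESPONSE
is constructed; only the ConditionComplexityCheck unit name comes from the
page.
"""
from typing import Dict, List, Optional

# Most to least severe (assumed order; DEPRECATED and SEVERITY_UNSPECIFIED ranked last).
SEVERITY_ORDER = ["ERROR", "WARNING", "NOTICE", "INFO", "DEPRECATED", "SEVERITY_UNSPECIFIED"]

SAMPLE_RESPONSE: Dict = {
    "lintResults": [
        {"level": "CONDITION",
         "validationUnitName": "lintValidationUnits/ConditionComplexityCheck",
         "severity": "WARNING", "fieldName": "condition.expression",
         "locationOffset": 0,
         "debugMessage": "constructed: expression is too complex to review"},
        {"level": "CONDITION",
         "validationUnitName": "lintValidationUnits/ConstructedTitleCheck",
         "severity": "INFO", "fieldName": "condition.title",
         "locationOffset": 0,
         "debugMessage": "constructed: condition has no title"},
    ]
}


def _rank(severity: Optional[str]) -> int:
    """Lower is more severe; unknown values sort after everything known."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)


def worst_severity(response: Dict) -> Optional[str]:
    """Most severe result, or None for the empty (clean) response."""
    results = response.get("lintResults", [])
    if not results:
        return None
    return min((r.get("severity", "SEVERITY_UNSPECIFIED") for r in results), key=_rank)


def results_at_or_above(response: Dict, threshold: str) -> List[Dict]:
    """Results whose severity is at least `threshold`."""
    return [r for r in response.get("lintResults", [])
            if _rank(r.get("severity", "SEVERITY_UNSPECIFIED")) <= _rank(threshold)]


def should_block(response: Dict, threshold: str = "WARNING") -> bool:
    """Gate for a policy-as-code pipeline: block the change on any result at
    or above the threshold, independent of the HTTP status."""
    return bool(results_at_or_above(response, threshold))


def format_result(r: Dict) -> str:
    """One-line rendering for a review comment or log entry."""
    return (f"{r.get('severity')} {r.get('validationUnitName')} "
            f"at {r.get('fieldName')}[{r.get('locationOffset')}]: {r.get('debugMessage')}")


if __name__ == "__main__":
    for r in results_at_or_above(SAMPLE_RESPONSE, "INFO"):
        print(format_result(r))
    print("block:", should_block(SAMPLE_RESPONSE))
```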
The response containing the roles defined under a resource.
Name | Data Type | Description
---|---|---
roles | array [Role] | The Roles defined on this resource.
nextPageToken | string | To retrieve the next page of results, set …
The service account keys list response.
Name | Data Type | Description
---|---|---
keys | array [ServiceAccountKey] | The public keys for the service account.
The service account list response.
Name | Data Type | Description
---|---|---
nextPageToken | string | To retrieve the next page of results, set ListServiceAccountsRequest.page_token to this value.
accounts | array [ServiceAccount] | The list of matching service accounts.
The patch service account request.
Name | Data Type | Description
---|---|---
updateMask | string |
serviceAccount | ServiceAccount |
A permission which can be included by a role.
Name | Data Type | Description
---|---|---
title | string | The title of this Permission.
stage | string (allowed values: ALPHA, BETA, GA, DEPRECATED) | The current launch stage of the permission.
primaryPermission | string | The preferred name for this permission. If present, then this permission is an alias of, and equivalent to, the listed primary_permission.
onlyInPredefinedRoles | boolean | This permission can ONLY be used in predefined roles.
name | string | The name of this Permission.
description | string | A brief description of what this Permission is used for.
customRolesSupportLevel | string (allowed values: SUPPORTED, TESTING, NOT_SUPPORTED) | The current custom role support level.
apiDisabled | boolean | The service API associated with the permission is not enabled.
A PermissionDelta message to record the added_permissions and removed_permissions inside a role.
Name | Data Type | Description |
---|---|---|
removedPermissions | array [string] | Removed permissions. |
addedPermissions | array [string] | Added permissions. |
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.
A Policy is a collection of bindings. A binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.
Optionally, a binding can specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both.
JSON example:

    {
      "bindings": [
        {
          "role": "roles/resourcemanager.organizationAdmin",
          "members": [
            "user:mike@example.com",
            "group:admins@example.com",
            "domain:google.com",
            "serviceAccount:my-project-id@appspot.gserviceaccount.com"
          ]
        },
        {
          "role": "roles/resourcemanager.organizationViewer",
          "members": ["user:eve@example.com"],
          "condition": {
            "title": "expirable access",
            "description": "Does not grant access after Sep 2020",
            "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"
          }
        }
      ],
      "etag": "BwWWja0YfJA=",
      "version": 3
    }

YAML example:

    bindings:
    - members:
      - user:mike@example.com
      - group:admins@example.com
      - domain:google.com
      - serviceAccount:my-project-id@appspot.gserviceaccount.com
      role: roles/resourcemanager.organizationAdmin
    - members:
      - user:eve@example.com
      role: roles/resourcemanager.organizationViewer
      condition:
        title: expirable access
        description: Does not grant access after Sep 2020
        expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
    etag: BwWWja0YfJA=
    version: 3

For a description of IAM and its features, see the IAM documentation.
Name | Data Type | Description |
---|---|---|
version | integer | Specifies the format of the policy. Valid values are Any operation that affects conditional role bindings must specify version Important: If you use IAM Conditions, you must include the If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset. |
etag | byte | Important: If you use IAM Conditions, you must include the |
bindings | array [Binding] | Associates a list of |
auditConfigs | array [AuditConfig] | Specifies cloud audit logging configuration for this policy. |
The difference delta between two policies.
Name | Data Type | Description |
---|---|---|
bindingDeltas | array [BindingDelta] | The delta for Bindings between two policies. |
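As an added example that is not part of this API reference, the following Python flattens two Policy objects (built from the JSON example above) into (role, member, condition) grants, computes the BindingDelta entries a PolicyDelta would carry between them, and checks the version a policy with conditional bindings must declare. The BindingDelta field names (action, role, member, condition) and the requirement of version 3 for conditional bindings are assumed from the IAM API rather than taken from this page.

```python
import json

# Constructed sample policies: OLD_POLICY is an older, unconditional policy;
# NEW_POLICY is the conditional policy from the Policy JSON example.
OLD_POLICY = {"version": 1, "etag": "BwWWja0YfJA=", "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:mike@example.com", "group:admins@example.com",
                 "user:eve@example.com"]}]}
NEW_POLICY = {"version": 3, "etag": "BwWWja0YfJA=", "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:mike@example.com", "group:admins@example.com",
                 "domain:google.com",
                 "serviceAccount:my-project-id@appspot.gserviceaccount.com"]},
    {"role": "roles/resourcemanager.organizationViewer",
     "members": ["user:eve@example.com"],
     "condition": {"title": "expirable access",
                   "description": "Does not grant access after Sep 2020",
                   "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"}}]}


def _grants(policy):
    """Flatten a Policy into (role, member, condition_key) grants; the condition is
    serialised with sorted keys so equal conditions compare equal, None = unconditional."""
    grants = set()
    for binding in policy.get("bindings", []):
        cond = binding.get("condition")
        cond_key = json.dumps(cond, sort_keys=True) if cond else None
        for member in binding.get("members", []):
            grants.add((binding["role"], member, cond_key))
    return grants


def binding_deltas(old_policy, new_policy):
    """Return BindingDelta-style dicts (action ADD/REMOVE, role, member, condition)
    for every grant that new_policy adds to or removes from old_policy."""
    old, new = _grants(old_policy), _grants(new_policy)
    deltas = []
    for action, grants in (("REMOVE", old - new), ("ADD", new - old)):
        # sort on a None-safe key so the output is deterministic for review
        for role, member, cond_key in sorted(grants, key=lambda g: (g[0], g[1], g[2] or "")):
            delta = {"action": action, "role": role, "member": member}
            if cond_key:
                delta["condition"] = json.loads(cond_key)
            deltas.append(delta)
    return deltas


def version_problems(policy):
    """A policy that carries conditional bindings must declare version 3 (assumed API rule)."""
    if any("condition" in b for b in policy.get("bindings", [])) and policy.get("version") != 3:
        return ["conditional bindings present but version is %r, not 3" % policy.get("version")]
    return []
```

Reviewing the delta list before calling SetIamPolicy shows exactly which grants change, which is far easier to audit than two full policies side by side.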
A request to get the list of auditable services for a resource.
Name | Data Type | Description |
---|---|---|
fullResourceName | string | Required. The full resource name to query from the list of auditable services. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id |
A response containing a list of auditable services for a resource.
Name | Data Type | Description |
---|---|---|
services | array [AuditableService] | The auditable services for a resource. |
The grantable role query request.
Name | Data Type | Description |
---|---|---|
view | string (allowed values: BASIC, FULL) | |
pageToken | string | Optional pagination token returned in an earlier QueryGrantableRolesResponse. |
pageSize | integer | Optional limit on the number of roles to include in the response. |
fullResourceName | string | Required. The full resource name to query from the list of grantable roles. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id |
The grantable role query response.
Name | Data Type | Description |
---|---|---|
roles | array [Role] | The list of matching roles. |
nextPageToken | string | To retrieve the next page of results, set |
A request to get permissions which can be tested on a resource.
Name | Data Type | Description |
---|---|---|
pageToken | string | Optional pagination token returned in an earlier QueryTestablePermissionsRequest. |
pageSize | integer | Optional limit on the number of permissions to include in the response. |
fullResourceName | string | Required. The full resource name to query from the list of testable permissions. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id |
The response containing permissions which can be tested on a resource.
Name | Data Type | Description |
---|---|---|
permissions | array [Permission] | The Permissions testable on the requested resource. |
nextPageToken | string | To retrieve the next page of results, set |
A role in the Identity and Access Management API.
Name | Data Type | Description |
---|---|---|
title | string | Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes. |
stage | string (allowed values: ALPHA, BETA, GA, DEPRECATED, DISABLED, EAP) | The current launch stage of the role. If the |
name | string | The name of the role. When Role is used in CreateRole, the role name must not be set. When Role is used in output and other input such as UpdateRole, the role name is the complete path, e.g., roles/logging.viewer for predefined roles and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles. |
includedPermissions | array [string] | The names of the permissions this role grants when bound in an IAM policy. |
etag | byte | Used to perform a consistent read-modify-write. |
description | string | Optional. A human-readable description for the role. |
deleted | boolean | The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole. |
A service account in the Identity and Access Management API.
To create a service account, specify the project_id and the account_id for the account. The account_id is unique within the project, and is used to generate the service account email address and a stable unique_id.
If the account already exists, the account's resource name is returned in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller can use the name in other methods to access the account.
All other methods can identify the service account using the format projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
Name | Data Type | Description |
---|---|---|
uniqueId | string | @OutputOnly The unique and stable id of the service account. |
projectId | string | @OutputOnly The id of the project that owns the service account. |
oauth2ClientId | string | @OutputOnly The OAuth2 client id for the service account. This is used in conjunction with the OAuth2 clientconfig API to make three legged OAuth2 (3LO) flows to access the data of Google users. |
name | string | The resource name of the service account in the following format: Requests using In responses the resource name will always be in the format |
etag | byte | Optional. Note: |
email | string | @OutputOnly The email address of the service account. |
displayName | string | Optional. A user-specified name for the service account. Must be less than or equal to 100 UTF-8 bytes. |
disabled | boolean | @OutputOnly A bool indicating whether the service account is disabled. The field is currently in alpha phase. |
description | string | Optional. A user-specified opaque description of the service account. Must be less than or equal to 256 UTF-8 bytes. |
Represents a service account key.
A service account has two sets of key-pairs: user-managed, and system-managed.
User-managed key-pairs can be created and deleted by users. Users are responsible for rotating these keys periodically to ensure security of their service accounts. Users retain the private key of these key-pairs, and Google retains ONLY the public key.
System-managed keys are automatically rotated by Google, and are used for signing for a maximum of two weeks. The rotation process is probabilistic, and usage of the new key will gradually ramp up and down over the key's lifetime. We recommend caching the public key set for a service account for no more than 24 hours to ensure you have access to the latest keys.
Public keys for all service accounts are also published at the OAuth2 Service Account API.
Name | Data Type | Description |
---|---|---|
validBeforeTime | string | The key can be used before this timestamp. For system-managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time. |
validAfterTime | string | The key can be used after this timestamp. |
publicKeyData | byte | The public key data. Only provided in |
privateKeyType | string (allowed values: TYPE_UNSPECIFIED, TYPE_PKCS12_FILE, TYPE_GOOGLE_CREDENTIALS_FILE) | The output format for the private key. Only provided in Google never exposes system-managed private keys, and never retains user-managed private keys. |
privateKeyData | byte | The private key data. Only provided in |
name | string | The resource name of the service account key in the following format |
keyType | string (allowed values: KEY_TYPE_UNSPECIFIED, USER_MANAGED, SYSTEM_MANAGED) | The key type. |
keyOrigin | string (allowed values: ORIGIN_UNSPECIFIED, USER_PROVIDED, GOOGLE_PROVIDED) | The key origin. |
keyAlgorithm | string (allowed values: KEY_ALG_UNSPECIFIED, KEY_ALG_RSA_1024, KEY_ALG_RSA_2048) | Specifies the algorithm (and possibly key size) for the key. |
Request message for SetIamPolicy method.
Name | Data Type | Description |
---|---|---|
updateMask | string | OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only the fields in the mask will be modified. If no mask is provided, the following default mask is used: paths: "bindings, etag". This field is only used by Cloud IAM. |
policy | Policy | REQUIRED: The complete policy to be applied to the |
The service account sign blob request.
Name | Data Type | Description |
---|---|---|
bytesToSign | byte | Required. The bytes to sign. |
The service account sign blob response.
Name | Data Type | Description |
---|---|---|
signature | byte | The signed blob. |
keyId | string | The id of the key used to sign the blob. |
The service account sign JWT request.
Name | Data Type | Description |
---|---|---|
payload | string | Required. The JWT payload to sign, a JSON JWT Claim set. |
The service account sign JWT response.
Name | Data Type | Description |
---|---|---|
signedJwt | string | The signed JWT. |
keyId | string | The id of the key used to sign the JWT. |
Request message for TestIamPermissions method.
Name | Data Type | Description |
---|---|---|
permissions | array [string] | The set of permissions to check for the |
Response message for TestIamPermissions method.
Name | Data Type | Description |
---|---|---|
permissions | array [string] | A subset of |
The request to undelete an existing role.
Name | Data Type | Description |
---|---|---|
etag | byte | Used to perform a consistent read-modify-write. |
The service account undelete request.
Name | Data Type | Description |
---|---|---|
UndeleteServiceAccountRequest | object | The service account undelete request. |
Name | Data Type | Description |
---|---|---|
restoredAccount | ServiceAccount | Metadata for the restored service account. |
The service account key upload request.
Name | Data Type | Description |
---|---|---|
publicKeyData | byte | A field that allows clients to upload their own public key. If set, use this public key data to create a service account key for the given service account. Please note, the expected format for this field is X509_PEM. |
'OAuth' Authentication Scheme
Reference: RFC5849, Section 3.5.1
OAuth 2.0 accessCode authentication
Flow: authorizationCode
Authorization URL: https://accounts.google.com/o/oauth2/auth
Token URL: https://accounts.google.com/o/oauth2/token
Scope: https://www.googleapis.com/auth/cloud-platform : View and manage your data across Google Cloud Platform services
'OAuth' Authentication Scheme
Reference: RFC5849, Section 3.5.1
OAuth 2.0 implicit authentication
Flow: implicit
Authorization URL: https://accounts.google.com/o/oauth2/auth
Scope: https://www.googleapis.com/auth/cloud-platform : View and manage your data across Google Cloud Platform services
Name | Google |
External URL | https://google.com |
OAS (OpenAPI Specification) | v3.0.0 |