|
|
|
|
@ -1,4 +1,4 @@
|
|
|
|
|
// Copyright 2017 Google Inc.
|
|
|
|
|
// Copyright 2019 Google LLC.
|
|
|
|
|
//
|
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
|
@ -17,6 +17,9 @@ syntax = "proto3";
|
|
|
|
|
package google.iam.admin.v1;
|
|
|
|
|
|
|
|
|
|
import "google/api/annotations.proto";
|
|
|
|
|
import "google/api/client.proto";
|
|
|
|
|
import "google/api/field_behavior.proto";
|
|
|
|
|
import "google/api/resource.proto";
|
|
|
|
|
import "google/iam/v1/iam_policy.proto";
|
|
|
|
|
import "google/iam/v1/policy.proto";
|
|
|
|
|
import "google/protobuf/empty.proto";
|
|
|
|
|
@ -41,17 +44,20 @@ option java_package = "com.google.iam.admin.v1";
|
|
|
|
|
// `unique_id`.
|
|
|
|
|
//
|
|
|
|
|
// All other methods can identify accounts using the format
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
|
|
|
|
|
// Using `-` as a wildcard for the project will infer the project from
|
|
|
|
|
// the account. The `account` value can be the `email` address or the
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
|
|
|
|
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
|
|
|
|
// the account. The `ACCOUNT` value can be the `email` address or the
|
|
|
|
|
// `unique_id` of the service account.
|
|
|
|
|
service IAM {
|
|
|
|
|
option (google.api.default_host) = "iam.googleapis.com";
|
|
|
|
|
option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
|
|
|
|
|
|
|
|
|
|
// Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project.
|
|
|
|
|
rpc ListServiceAccounts(ListServiceAccountsRequest)
|
|
|
|
|
returns (ListServiceAccountsResponse) {
|
|
|
|
|
rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
get: "/v1/{name=projects/*}/serviceAccounts"
|
|
|
|
|
};
|
|
|
|
|
option (google.api.method_signature) = "name";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
|
|
|
|
|
@ -59,23 +65,23 @@ service IAM {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
get: "/v1/{name=projects/*/serviceAccounts/*}"
|
|
|
|
|
};
|
|
|
|
|
option (google.api.method_signature) = "name";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]
|
|
|
|
|
// and returns it.
|
|
|
|
|
rpc CreateServiceAccount(CreateServiceAccountRequest)
|
|
|
|
|
returns (ServiceAccount) {
|
|
|
|
|
rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
post: "/v1/{name=projects/*}/serviceAccounts"
|
|
|
|
|
body: "*"
|
|
|
|
|
};
|
|
|
|
|
option (google.api.method_signature) = "name,account_id,service_account";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
|
|
|
|
|
//
|
|
|
|
|
// Currently, only the following fields are updatable:
|
|
|
|
|
// `display_name` .
|
|
|
|
|
// The `etag` is mandatory.
|
|
|
|
|
// `display_name` and `description`.
|
|
|
|
|
rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
put: "/v1/{name=projects/*/serviceAccounts/*}"
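Review bot: The rewritten UpdateServiceAccount comment drops `The etag is mandatory` without saying what, if anything, now guards concurrent updates, even though the `ServiceAccount` message still carries `bytes etag = 7` and the request is the whole resource sent by PUT. Elsewhere in this change the etag is described as an inoperable legacy field returned only for backwards compatibility, so a caller reading only this rpc cannot tell whether a stale etag is rejected or silently ignored. I would state it here: `// The etag field is ignored; concurrent updates of display_name and description are not detected, so the last write wins.` (confirm the last-writer-wins behavior with the service before committing to that wording). The rpc's http option and closing braces continue past the hunk.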
|
|
|
|
|
@ -84,46 +90,46 @@ service IAM {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
|
|
|
|
|
rpc DeleteServiceAccount(DeleteServiceAccountRequest)
|
|
|
|
|
returns (google.protobuf.Empty) {
|
|
|
|
|
rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
delete: "/v1/{name=projects/*/serviceAccounts/*}"
|
|
|
|
|
};
|
|
|
|
|
option (google.api.method_signature) = "name";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey].
|
|
|
|
|
rpc ListServiceAccountKeys(ListServiceAccountKeysRequest)
|
|
|
|
|
returns (ListServiceAccountKeysResponse) {
|
|
|
|
|
rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
get: "/v1/{name=projects/*/serviceAccounts/*}/keys"
|
|
|
|
|
};
|
|
|
|
|
option (google.api.method_signature) = "name,key_types";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
|
|
|
|
|
// by key id.
|
|
|
|
|
rpc GetServiceAccountKey(GetServiceAccountKeyRequest)
|
|
|
|
|
returns (ServiceAccountKey) {
|
|
|
|
|
rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
|
|
|
|
|
};
|
|
|
|
|
option (google.api.method_signature) = "name,public_key_type";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
|
|
|
|
|
// and returns it.
|
|
|
|
|
rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest)
|
|
|
|
|
returns (ServiceAccountKey) {
|
|
|
|
|
rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
post: "/v1/{name=projects/*/serviceAccounts/*}/keys"
|
|
|
|
|
body: "*"
|
|
|
|
|
};
|
|
|
|
|
option (google.api.method_signature) = "name,private_key_type,key_algorithm";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
|
|
|
|
|
rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest)
|
|
|
|
|
returns (google.protobuf.Empty) {
|
|
|
|
|
rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
|
|
|
|
|
};
|
|
|
|
|
option (google.api.method_signature) = "name";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Signs a blob using a service account's system-managed private key.
|
|
|
|
|
@ -132,6 +138,7 @@ service IAM {
|
|
|
|
|
post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob"
|
|
|
|
|
body: "*"
|
|
|
|
|
};
|
|
|
|
|
option (google.api.method_signature) = "name,bytes_to_sign";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Signs a JWT using a service account's system-managed private key.
|
|
|
|
|
@ -144,53 +151,86 @@ service IAM {
|
|
|
|
|
post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt"
|
|
|
|
|
body: "*"
|
|
|
|
|
};
|
|
|
|
|
option (google.api.method_signature) = "name,payload";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Returns the IAM access control policy for a
|
|
|
|
|
// Returns the Cloud IAM access control policy for a
|
|
|
|
|
// [ServiceAccount][google.iam.admin.v1.ServiceAccount].
|
|
|
|
|
rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest)
|
|
|
|
|
returns (google.iam.v1.Policy) {
|
|
|
|
|
//
|
|
|
|
|
// Note: Service accounts are both
|
|
|
|
|
// [resources and
|
|
|
|
|
// identities](/iam/docs/service-accounts#service_account_permissions). This
|
|
|
|
|
// method treats the service account as a resource. It returns the Cloud IAM
|
|
|
|
|
// policy that reflects what members have access to the service account.
|
|
|
|
|
//
|
|
|
|
|
// This method does not return what resources the service account has access
|
|
|
|
|
// to. To see if a service account has access to a resource, call the
|
|
|
|
|
// `getIamPolicy` method on the target resource. For example, to view grants
|
|
|
|
|
// for a project, call the
|
|
|
|
|
// [projects.getIamPolicy](/resource-manager/reference/rest/v1/projects/getIamPolicy)
|
|
|
|
|
// method.
|
|
|
|
|
rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy"
|
|
|
|
|
body: ""
|
|
|
|
|
};
|
|
|
|
|
option (google.api.method_signature) = "resource";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Sets the IAM access control policy for a
|
|
|
|
|
// Sets the Cloud IAM access control policy for a
|
|
|
|
|
// [ServiceAccount][google.iam.admin.v1.ServiceAccount].
|
|
|
|
|
rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest)
|
|
|
|
|
returns (google.iam.v1.Policy) {
|
|
|
|
|
//
|
|
|
|
|
// Note: Service accounts are both
|
|
|
|
|
// [resources and
|
|
|
|
|
// identities](/iam/docs/service-accounts#service_account_permissions). This
|
|
|
|
|
// method treats the service account as a resource. Use it to grant members
|
|
|
|
|
// access to the service account, such as when they need to impersonate it.
|
|
|
|
|
//
|
|
|
|
|
// This method does not grant the service account access to other resources,
|
|
|
|
|
// such as projects. To grant a service account access to resources, include
|
|
|
|
|
// the service account in the Cloud IAM policy for the desired resource, then
|
|
|
|
|
// call the appropriate `setIamPolicy` method on the target resource. For
|
|
|
|
|
// example, to grant a service account access to a project, call the
|
|
|
|
|
// [projects.setIamPolicy](/resource-manager/reference/rest/v1/projects/setIamPolicy)
|
|
|
|
|
// method.
|
|
|
|
|
rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy"
|
|
|
|
|
body: "*"
|
|
|
|
|
};
|
|
|
|
|
option (google.api.method_signature) = "resource,policy";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Tests the specified permissions against the IAM access control policy
|
|
|
|
|
// for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
|
|
|
|
|
rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest)
|
|
|
|
|
returns (google.iam.v1.TestIamPermissionsResponse) {
|
|
|
|
|
rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions"
|
|
|
|
|
body: "*"
|
|
|
|
|
};
|
|
|
|
|
option (google.api.method_signature) = "resource,permissions";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Queries roles that can be granted on a particular resource.
|
|
|
|
|
// A role is grantable if it can be used as the role in a binding for a policy
|
|
|
|
|
// for that resource.
|
|
|
|
|
rpc QueryGrantableRoles(QueryGrantableRolesRequest)
|
|
|
|
|
returns (QueryGrantableRolesResponse) {
|
|
|
|
|
rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
post: "/v1/roles:queryGrantableRoles"
|
|
|
|
|
body: "*"
|
|
|
|
|
};
|
|
|
|
|
option (google.api.method_signature) = "full_resource_name";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Lists the Roles defined on a resource.
|
|
|
|
|
rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
get: "/v1/roles"
|
|
|
|
|
additional_bindings {
|
|
|
|
|
get: "/v1/{parent=organizations/*}/roles"
|
|
|
|
|
}
|
|
|
|
|
additional_bindings {
|
|
|
|
|
get: "/v1/{parent=projects/*}/roles"
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
}
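Review bot: The new SetIamPolicy comment says the method grants members access to the service account "such as when they need to impersonate it" but never says what that implies, and this is the binding most often granted too broadly. Because impersonation yields credentials that act as the service account, a member granted it can effectively exercise every permission the account itself holds on other resources, so the binding deserves the same scrutiny as those grants. I would add after the impersonation sentence: `// Bindings that allow impersonation are effectively as powerful as every role the service account holds elsewhere; review them with the same care as those roles.` The GetIamPolicy paragraph already makes the complementary point (what the account can reach is not shown here), so only the SetIamPolicy side needs the caveat.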
|
|
|
|
|
|
|
|
|
|
@ -198,6 +238,12 @@ service IAM {
|
|
|
|
|
rpc GetRole(GetRoleRequest) returns (Role) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
get: "/v1/{name=roles/*}"
|
|
|
|
|
additional_bindings {
|
|
|
|
|
get: "/v1/{name=organizations/*/roles/*}"
|
|
|
|
|
}
|
|
|
|
|
additional_bindings {
|
|
|
|
|
get: "/v1/{name=projects/*/roles/*}"
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -206,6 +252,10 @@ service IAM {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
post: "/v1/{parent=organizations/*}/roles"
|
|
|
|
|
body: "*"
|
|
|
|
|
additional_bindings {
|
|
|
|
|
post: "/v1/{parent=projects/*}/roles"
|
|
|
|
|
body: "*"
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -214,6 +264,10 @@ service IAM {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
patch: "/v1/{name=organizations/*/roles/*}"
|
|
|
|
|
body: "role"
|
|
|
|
|
additional_bindings {
|
|
|
|
|
patch: "/v1/{name=projects/*/roles/*}"
|
|
|
|
|
body: "role"
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -227,6 +281,9 @@ service IAM {
|
|
|
|
|
rpc DeleteRole(DeleteRoleRequest) returns (Role) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
delete: "/v1/{name=organizations/*/roles/*}"
|
|
|
|
|
additional_bindings {
|
|
|
|
|
delete: "/v1/{name=projects/*/roles/*}"
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -235,13 +292,16 @@ service IAM {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
post: "/v1/{name=organizations/*/roles/*}:undelete"
|
|
|
|
|
body: "*"
|
|
|
|
|
additional_bindings {
|
|
|
|
|
post: "/v1/{name=projects/*/roles/*}:undelete"
|
|
|
|
|
body: "*"
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Lists the permissions testable on a resource.
|
|
|
|
|
// A permission is testable if it can be tested for an identity on a resource.
|
|
|
|
|
rpc QueryTestablePermissions(QueryTestablePermissionsRequest)
|
|
|
|
|
returns (QueryTestablePermissionsResponse) {
|
|
|
|
|
rpc QueryTestablePermissions(QueryTestablePermissionsRequest) returns (QueryTestablePermissionsResponse) {
|
|
|
|
|
option (google.api.http) = {
|
|
|
|
|
post: "/v1/permissions:queryTestablePermissions"
|
|
|
|
|
body: "*"
|
|
|
|
|
@ -257,25 +317,29 @@ service IAM {
|
|
|
|
|
// `unique_id`.
|
|
|
|
|
//
|
|
|
|
|
// If the account already exists, the account's resource name is returned
|
|
|
|
|
// in util::Status's ResourceInfo.resource_name in the format of
|
|
|
|
|
// projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}. The caller can
|
|
|
|
|
// use the name in other methods to access the account.
|
|
|
|
|
// in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
|
|
|
|
|
// can use the name in other methods to access the account.
|
|
|
|
|
//
|
|
|
|
|
// All other methods can identify the service account using the format
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
|
|
|
|
|
// Using `-` as a wildcard for the project will infer the project from
|
|
|
|
|
// the account. The `account` value can be the `email` address or the
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
|
|
|
|
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
|
|
|
|
// the account. The `ACCOUNT` value can be the `email` address or the
|
|
|
|
|
// `unique_id` of the service account.
|
|
|
|
|
message ServiceAccount {
|
|
|
|
|
option (google.api.resource) = {
|
|
|
|
|
type: "iam.googleapis.com/ServiceAccount"
|
|
|
|
|
pattern: "projects/{project}/serviceAccounts/{service_account}"
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// The resource name of the service account in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
|
|
|
|
//
|
|
|
|
|
// Requests using `-` as a wildcard for the project will infer the project
|
|
|
|
|
// from the `account` and the `account` value can be the `email` address or
|
|
|
|
|
// the `unique_id` of the service account.
|
|
|
|
|
// Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
|
|
|
|
|
// project from the `account` and the `ACCOUNT` value can be the `email`
|
|
|
|
|
// address or the `unique_id` of the service account.
|
|
|
|
|
//
|
|
|
|
|
// In responses the resource name will always be in the format
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
|
|
|
|
string name = 1;
|
|
|
|
|
|
|
|
|
|
// @OutputOnly The id of the project that owns the service account.
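Review bot: The reworded sentence still says the existing account's name is returned "in util::Status's ResourceInfo.resource_name", which names an internal C++ type an API client never sees; the public equivalent is presumably the `google.rpc.ResourceInfo` detail attached to the error status, and the comment should say that. The precision matters because this is the only place telling a caller that a create attempt discloses whether an account id is already taken. Suggested wording: `// If the account already exists, the request fails and the existing account's resource name is returned in the google.rpc.ResourceInfo error detail (resource_name), in the format projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}.` — confirm the error code (presumably ALREADY_EXISTS) before committing to it. The ServiceAccount message and its leading comment start before and continue past the hunk.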
|
|
|
|
|
@ -287,11 +351,12 @@ message ServiceAccount {
|
|
|
|
|
// @OutputOnly The email address of the service account.
|
|
|
|
|
string email = 5;
|
|
|
|
|
|
|
|
|
|
// Optional. A user-specified description of the service account. Must be
|
|
|
|
|
// fewer than 100 UTF-8 bytes.
|
|
|
|
|
// Optional. A user-specified name for the service account.
|
|
|
|
|
// Must be less than or equal to 100 UTF-8 bytes.
|
|
|
|
|
string display_name = 6;
|
|
|
|
|
|
|
|
|
|
// Used to perform a consistent read-modify-write.
|
|
|
|
|
// Optional. Note: `etag` is an inoperable legacy field that is only returned
|
|
|
|
|
// for backwards compatibility.
|
|
|
|
|
bytes etag = 7;
|
|
|
|
|
|
|
|
|
|
// @OutputOnly. The OAuth2 client id for the service account.
|
|
|
|
|
@ -304,17 +369,22 @@ message ServiceAccount {
|
|
|
|
|
message CreateServiceAccountRequest {
|
|
|
|
|
// Required. The resource name of the project associated with the service
|
|
|
|
|
// accounts, such as `projects/my-project-123`.
|
|
|
|
|
string name = 1;
|
|
|
|
|
string name = 1 [
|
|
|
|
|
(google.api.field_behavior) = REQUIRED,
|
|
|
|
|
(google.api.resource_reference) = {
|
|
|
|
|
type: "cloudresourcemanager.googleapis.com/Project"
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
// Required. The account id that is used to generate the service account
|
|
|
|
|
// email address and a stable unique id. It is unique within a project,
|
|
|
|
|
// must be 6-30 characters long, and match the regular expression
|
|
|
|
|
// `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
|
|
|
|
|
string account_id = 2;
|
|
|
|
|
string account_id = 2 [(google.api.field_behavior) = REQUIRED];
|
|
|
|
|
|
|
|
|
|
// The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to
|
|
|
|
|
// create. Currently, only the following values are user assignable:
|
|
|
|
|
// `display_name` .
|
|
|
|
|
// `display_name` and `description`.
|
|
|
|
|
ServiceAccount service_account = 3;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -322,7 +392,12 @@ message CreateServiceAccountRequest {
|
|
|
|
|
message ListServiceAccountsRequest {
|
|
|
|
|
// Required. The resource name of the project associated with the service
|
|
|
|
|
// accounts, such as `projects/my-project-123`.
|
|
|
|
|
string name = 1;
|
|
|
|
|
string name = 1 [
|
|
|
|
|
(google.api.field_behavior) = REQUIRED,
|
|
|
|
|
(google.api.resource_reference) = {
|
|
|
|
|
type: "cloudresourcemanager.googleapis.com/Project"
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
// Optional limit on the number of service accounts to include in the
|
|
|
|
|
// response. Further accounts can subsequently be obtained by including the
|
|
|
|
|
@ -348,22 +423,32 @@ message ListServiceAccountsResponse {
|
|
|
|
|
|
|
|
|
|
// The service account get request.
|
|
|
|
|
message GetServiceAccountRequest {
|
|
|
|
|
// The resource name of the service account in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
|
|
|
|
|
// Using `-` as a wildcard for the project will infer the project from
|
|
|
|
|
// the account. The `account` value can be the `email` address or the
|
|
|
|
|
// Required. The resource name of the service account in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
|
|
|
|
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
|
|
|
|
// the account. The `ACCOUNT` value can be the `email` address or the
|
|
|
|
|
// `unique_id` of the service account.
|
|
|
|
|
string name = 1;
|
|
|
|
|
string name = 1 [
|
|
|
|
|
(google.api.field_behavior) = REQUIRED,
|
|
|
|
|
(google.api.resource_reference) = {
|
|
|
|
|
type: "iam.googleapis.com/ServiceAccount"
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The service account delete request.
|
|
|
|
|
message DeleteServiceAccountRequest {
|
|
|
|
|
// The resource name of the service account in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
|
|
|
|
|
// Using `-` as a wildcard for the project will infer the project from
|
|
|
|
|
// the account. The `account` value can be the `email` address or the
|
|
|
|
|
// Required. The resource name of the service account in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
|
|
|
|
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
|
|
|
|
// the account. The `ACCOUNT` value can be the `email` address or the
|
|
|
|
|
// `unique_id` of the service account.
|
|
|
|
|
string name = 1;
|
|
|
|
|
string name = 1 [
|
|
|
|
|
(google.api.field_behavior) = REQUIRED,
|
|
|
|
|
(google.api.resource_reference) = {
|
|
|
|
|
type: "iam.googleapis.com/ServiceAccount"
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The service account keys list request.
|
|
|
|
|
@ -382,13 +467,18 @@ message ListServiceAccountKeysRequest {
|
|
|
|
|
SYSTEM_MANAGED = 2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The resource name of the service account in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
|
|
|
|
|
// Required. The resource name of the service account in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
|
|
|
|
//
|
|
|
|
|
// Using `-` as a wildcard for the project, will infer the project from
|
|
|
|
|
// the account. The `account` value can be the `email` address or the
|
|
|
|
|
// Using `-` as a wildcard for the `PROJECT_ID`, will infer the project from
|
|
|
|
|
// the account. The `ACCOUNT` value can be the `email` address or the
|
|
|
|
|
// `unique_id` of the service account.
|
|
|
|
|
string name = 1;
|
|
|
|
|
string name = 1 [
|
|
|
|
|
(google.api.field_behavior) = REQUIRED,
|
|
|
|
|
(google.api.resource_reference) = {
|
|
|
|
|
type: "iam.googleapis.com/ServiceAccount"
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
// Filters the types of keys the user wants to include in the list
|
|
|
|
|
// response. Duplicate key types are not allowed. If no key type
|
|
|
|
|
@ -404,13 +494,18 @@ message ListServiceAccountKeysResponse {
|
|
|
|
|
|
|
|
|
|
// The service account key get by id request.
|
|
|
|
|
message GetServiceAccountKeyRequest {
|
|
|
|
|
// The resource name of the service account key in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`.
|
|
|
|
|
// Required. The resource name of the service account key in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
|
|
|
|
|
//
|
|
|
|
|
// Using `-` as a wildcard for the project will infer the project from
|
|
|
|
|
// the account. The `account` value can be the `email` address or the
|
|
|
|
|
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
|
|
|
|
// the account. The `ACCOUNT` value can be the `email` address or the
|
|
|
|
|
// `unique_id` of the service account.
|
|
|
|
|
string name = 1;
|
|
|
|
|
string name = 1 [
|
|
|
|
|
(google.api.field_behavior) = REQUIRED,
|
|
|
|
|
(google.api.resource_reference) = {
|
|
|
|
|
type: "iam.googleapis.com/Key"
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
// The output format of the public key requested.
|
|
|
|
|
// X509_PEM is the default output format.
|
|
|
|
|
@ -427,15 +522,22 @@ message GetServiceAccountKeyRequest {
|
|
|
|
|
// their service accounts. Users retain the private key of these key-pairs,
|
|
|
|
|
// and Google retains ONLY the public key.
|
|
|
|
|
//
|
|
|
|
|
// System-managed key-pairs are managed automatically by Google, and rotated
|
|
|
|
|
// daily without user intervention. The private key never leaves Google's
|
|
|
|
|
// servers to maximize security.
|
|
|
|
|
// System-managed keys are automatically rotated by Google, and are used for
|
|
|
|
|
// signing for a maximum of two weeks. The rotation process is probabilistic,
|
|
|
|
|
// and usage of the new key will gradually ramp up and down over the key's
|
|
|
|
|
// lifetime. We recommend caching the public key set for a service account for
|
|
|
|
|
// no more than 24 hours to ensure you have access to the latest keys.
|
|
|
|
|
//
|
|
|
|
|
// Public keys for all service accounts are also published at the OAuth2
|
|
|
|
|
// Service Account API.
|
|
|
|
|
message ServiceAccountKey {
|
|
|
|
|
option (google.api.resource) = {
|
|
|
|
|
type: "iam.googleapis.com/Key"
|
|
|
|
|
pattern: "projects/{project}/serviceAccounts/{service_account}/keys/{key}"
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// The resource name of the service account key in the following format
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`.
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
|
|
|
|
|
string name = 1;
|
|
|
|
|
|
|
|
|
|
// The output format for the private key.
|
|
|
|
|
@ -452,7 +554,7 @@ message ServiceAccountKey {
|
|
|
|
|
// The private key data. Only provided in `CreateServiceAccountKey`
|
|
|
|
|
// responses. Make sure to keep the private key data secure because it
|
|
|
|
|
// allows for the assertion of the service account identity.
|
|
|
|
|
// When decoded, the private key data can be used to authenticate with
|
|
|
|
|
// When base64 decoded, the private key data can be used to authenticate with
|
|
|
|
|
// Google API client libraries and with
|
|
|
|
|
// <a href="/sdk/gcloud/reference/auth/activate-service-account">gcloud
|
|
|
|
|
// auth activate-service-account</a>.
|
|
|
|
|
@ -465,20 +567,29 @@ message ServiceAccountKey {
|
|
|
|
|
google.protobuf.Timestamp valid_after_time = 4;
|
|
|
|
|
|
|
|
|
|
// The key can be used before this timestamp.
|
|
|
|
|
// For system-managed key pairs, this timestamp is the end time for the
|
|
|
|
|
// private key signing operation. The public key could still be used
|
|
|
|
|
// for verification for a few hours after this time.
|
|
|
|
|
google.protobuf.Timestamp valid_before_time = 5;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The service account key create request.
|
|
|
|
|
message CreateServiceAccountKeyRequest {
|
|
|
|
|
// The resource name of the service account in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
|
|
|
|
|
// Using `-` as a wildcard for the project will infer the project from
|
|
|
|
|
// the account. The `account` value can be the `email` address or the
|
|
|
|
|
// Required. The resource name of the service account in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
|
|
|
|
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
|
|
|
|
// the account. The `ACCOUNT` value can be the `email` address or the
|
|
|
|
|
// `unique_id` of the service account.
|
|
|
|
|
string name = 1;
|
|
|
|
|
string name = 1 [
|
|
|
|
|
(google.api.field_behavior) = REQUIRED,
|
|
|
|
|
(google.api.resource_reference) = {
|
|
|
|
|
type: "iam.googleapis.com/ServiceAccount"
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
// The output format of the private key. `GOOGLE_CREDENTIALS_FILE` is the
|
|
|
|
|
// default output format.
|
|
|
|
|
// The output format of the private key. The default value is
|
|
|
|
|
// `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File
|
|
|
|
|
// format.
|
|
|
|
|
ServiceAccountPrivateKeyType private_key_type = 2;
|
|
|
|
|
|
|
|
|
|
// Which type of key and algorithm to use for the key.
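Review bot: The new `valid_before_time` comment only describes system-managed key pairs, leaving it unsaid whether a user-managed key created through CreateServiceAccountKeyRequest has an expiry at all or remains valid until DeleteServiceAccountKey; that is the fact an operator planning rotation needs. Since this change also documents that Google retains only the public half of user-managed keys and that the private half is provided only in the create response, the CreateServiceAccountKeyRequest comment should make the caller's responsibility explicit: `// The private half of a user-managed key is returned only in the create response and is not retained by Google; the caller must store, protect and rotate it.` A one-line statement of what `valid_before_time` holds for user-managed keys belongs in the field comment as well (the hunk does not show it; confirm with the service). CreateServiceAccountKeyRequest continues past the hunk.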
|
|
|
|
|
@ -489,25 +600,35 @@ message CreateServiceAccountKeyRequest {
|
|
|
|
|
|
|
|
|
|
// The service account key delete request.
|
|
|
|
|
message DeleteServiceAccountKeyRequest {
|
|
|
|
|
// The resource name of the service account key in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`.
|
|
|
|
|
// Using `-` as a wildcard for the project will infer the project from
|
|
|
|
|
// the account. The `account` value can be the `email` address or the
|
|
|
|
|
// Required. The resource name of the service account key in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
|
|
|
|
|
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
|
|
|
|
// the account. The `ACCOUNT` value can be the `email` address or the
|
|
|
|
|
// `unique_id` of the service account.
|
|
|
|
|
string name = 1;
|
|
|
|
|
string name = 1 [
|
|
|
|
|
(google.api.field_behavior) = REQUIRED,
|
|
|
|
|
(google.api.resource_reference) = {
|
|
|
|
|
type: "iam.googleapis.com/Key"
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The service account sign blob request.
|
|
|
|
|
message SignBlobRequest {
|
|
|
|
|
// The resource name of the service account in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
|
|
|
|
|
// Using `-` as a wildcard for the project will infer the project from
|
|
|
|
|
// the account. The `account` value can be the `email` address or the
|
|
|
|
|
// Required. The resource name of the service account in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
|
|
|
|
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
|
|
|
|
// the account. The `ACCOUNT` value can be the `email` address or the
|
|
|
|
|
// `unique_id` of the service account.
|
|
|
|
|
string name = 1;
|
|
|
|
|
string name = 1 [
|
|
|
|
|
(google.api.field_behavior) = REQUIRED,
|
|
|
|
|
(google.api.resource_reference) = {
|
|
|
|
|
type: "iam.googleapis.com/ServiceAccount"
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
// The bytes to sign.
|
|
|
|
|
bytes bytes_to_sign = 2;
|
|
|
|
|
// Required. The bytes to sign.
|
|
|
|
|
bytes bytes_to_sign = 2 [(google.api.field_behavior) = REQUIRED];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The service account sign blob response.
|
|
|
|
|
@ -521,15 +642,20 @@ message SignBlobResponse {
|
|
|
|
|
|
|
|
|
|
// The service account sign JWT request.
|
|
|
|
|
message SignJwtRequest {
|
|
|
|
|
// The resource name of the service account in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
|
|
|
|
|
// Using `-` as a wildcard for the project will infer the project from
|
|
|
|
|
// the account. The `account` value can be the `email` address or the
|
|
|
|
|
// Required. The resource name of the service account in the following format:
|
|
|
|
|
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
|
|
|
|
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
|
|
|
|
// the account. The `ACCOUNT` value can be the `email` address or the
|
|
|
|
|
// `unique_id` of the service account.
|
|
|
|
|
string name = 1;
|
|
|
|
|
string name = 1 [
|
|
|
|
|
(google.api.field_behavior) = REQUIRED,
|
|
|
|
|
(google.api.resource_reference) = {
|
|
|
|
|
type: "iam.googleapis.com/ServiceAccount"
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
// The JWT payload to sign, a JSON JWT Claim set.
|
|
|
|
|
string payload = 2;
|
|
|
|
|
// Required. The JWT payload to sign, a JSON JWT Claim set.
|
|
|
|
|
string payload = 2 [(google.api.field_behavior) = REQUIRED];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The service account sign JWT response.
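Review bot: The `payload` comment says only that it is "a JSON JWT Claim set" and does not say which claims the service requires, supplies or constrains, yet the result is signed with the service account's key and asserts its identity to any verifier that trusts that key. A caller needs to know at least whether `exp` must be present and whether its lifetime is bounded, and whether `iss`/`sub` are taken from the payload as given; the hunk shows none of this, so it should be confirmed with the service rather than guessed. Until then a reviewer-voice marker keeps the gap visible: `// NOTE(review): document which claims (e.g. exp, iss, sub) the caller must supply and which the service adds or bounds.`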
|
|
|
|
|
@ -545,10 +671,12 @@ message SignJwtResponse {
|
|
|
|
|
message Role {
|
|
|
|
|
// A stage representing a role's lifecycle phase.
|
|
|
|
|
enum RoleLaunchStage {
|
|
|
|
|
// The user has indicated this role is currently in an alpha phase.
|
|
|
|
|
// The user has indicated this role is currently in an Alpha phase. If this
|
|
|
|
|
// launch stage is selected, the `stage` field will not be included when
|
|
|
|
|
// requesting the definition for a given role.
|
|
|
|
|
ALPHA = 0;
|
|
|
|
|
|
|
|
|
|
// The user has indicated this role is currently in a beta phase.
|
|
|
|
|
// The user has indicated this role is currently in a Beta phase.
|
|
|
|
|
BETA = 1;
|
|
|
|
|
|
|
|
|
|
// The user has indicated this role is generally available.
|
|
|
|
|
@ -561,7 +689,7 @@ message Role {
|
|
|
|
|
// it is granted to in policies.
|
|
|
|
|
DISABLED = 5;
|
|
|
|
|
|
|
|
|
|
// The user has indicated this role is currently in an eap phase.
|
|
|
|
|
// The user has indicated this role is currently in an EAP phase.
|
|
|
|
|
EAP = 6;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -570,21 +698,23 @@ message Role {
|
|
|
|
|
// When Role is used in CreateRole, the role name must not be set.
|
|
|
|
|
//
|
|
|
|
|
// When Role is used in output and other input such as UpdateRole, the role
|
|
|
|
|
// name is the complete path, e.g., roles/logging.viewer for curated roles
|
|
|
|
|
// name is the complete path, e.g., roles/logging.viewer for predefined roles
|
|
|
|
|
// and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles.
|
|
|
|
|
string name = 1;
|
|
|
|
|
|
|
|
|
|
// Optional. A human-readable title for the role. Typically this
|
|
|
|
|
// Optional. A human-readable title for the role. Typically this
|
|
|
|
|
// is limited to 100 UTF-8 bytes.
|
|
|
|
|
string title = 2;
|
|
|
|
|
|
|
|
|
|
// Optional. A human-readable description for the role.
|
|
|
|
|
// Optional. A human-readable description for the role.
|
|
|
|
|
string description = 3;
|
|
|
|
|
|
|
|
|
|
// The names of the permissions this role grants when bound in an IAM policy.
|
|
|
|
|
repeated string included_permissions = 7;
|
|
|
|
|
|
|
|
|
|
// The current launch stage of the role.
|
|
|
|
|
// The current launch stage of the role. If the `ALPHA` launch stage has been
|
|
|
|
|
// selected for a role, the `stage` field will not be included in the
|
|
|
|
|
// returned definition for the role.
|
|
|
|
|
RoleLaunchStage stage = 8;
|
|
|
|
|
|
|
|
|
|
// Used to perform a consistent read-modify-write.
|
|
|
|
|
@ -602,7 +732,7 @@ message QueryGrantableRolesRequest {
|
|
|
|
|
// The name follows the Google Cloud Platform resource format.
|
|
|
|
|
// For example, a Cloud Platform project with id `my-project` will be named
|
|
|
|
|
// `//cloudresourcemanager.googleapis.com/projects/my-project`.
|
|
|
|
|
string full_resource_name = 1;
|
|
|
|
|
string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED];
|
|
|
|
|
|
|
|
|
|
RoleView view = 2;
|
|
|
|
|
|
|
|
|
|
@ -626,11 +756,34 @@ message QueryGrantableRolesResponse {
|
|
|
|
|
|
|
|
|
|
// The request to get all roles defined under a resource.
|
|
|
|
|
message ListRolesRequest {
|
|
|
|
|
// The resource name of the parent resource in one of the following formats:
|
|
|
|
|
// `` (empty string) -- this refers to curated roles.
|
|
|
|
|
// `organizations/{ORGANIZATION_ID}`
|
|
|
|
|
// `projects/{PROJECT_ID}`
|
|
|
|
|
string parent = 1;
|
|
|
|
|
// The `parent` parameter's value depends on the target resource for the
|
|
|
|
|
// request, namely
|
|
|
|
|
// [`roles`](/iam/reference/rest/v1/roles),
|
|
|
|
|
// [`projects`](/iam/reference/rest/v1/projects.roles), or
|
|
|
|
|
// [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
|
|
|
|
|
// resource type's `parent` value format is described below:
|
|
|
|
|
//
|
|
|
|
|
// * [`roles.list()`](/iam/reference/rest/v1/roles/list): An empty string.
|
|
|
|
|
// This method doesn't require a resource; it simply returns all
|
|
|
|
|
// [predefined roles](/iam/docs/understanding-roles#predefined_roles) in
|
|
|
|
|
// Cloud IAM. Example request URL:
|
|
|
|
|
// `https://iam.googleapis.com/v1/roles`
|
|
|
|
|
//
|
|
|
|
|
// * [`projects.roles.list()`](/iam/reference/rest/v1/projects.roles/list):
|
|
|
|
|
// `projects/{PROJECT_ID}`. This method lists all project-level
|
|
|
|
|
// [custom roles](/iam/docs/understanding-custom-roles).
|
|
|
|
|
// Example request URL:
|
|
|
|
|
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
|
|
|
|
|
//
|
|
|
|
|
// * [`organizations.roles.list()`](/iam/reference/rest/v1/organizations.roles/list):
|
|
|
|
|
// `organizations/{ORGANIZATION_ID}`. This method lists all
|
|
|
|
|
// organization-level [custom roles](/iam/docs/understanding-custom-roles).
|
|
|
|
|
// Example request URL:
|
|
|
|
|
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
|
|
|
|
|
//
|
|
|
|
|
// Note: Wildcard (*) values are invalid; you must specify a complete project
|
|
|
|
|
// ID or organization ID.
|
|
|
|
|
string parent = 1 [(google.api.resource_reference).type = "*"];
|
|
|
|
|
|
|
|
|
|
// Optional limit on the number of roles to include in the response.
|
|
|
|
|
int32 page_size = 2;
|
|
|
|
|
@ -638,7 +791,10 @@ message ListRolesRequest {
|
|
|
|
|
// Optional pagination token returned in an earlier ListRolesResponse.
|
|
|
|
|
string page_token = 3;
|
|
|
|
|
|
|
|
|
|
// Optional view for the returned Role objects.
|
|
|
|
|
// Optional view for the returned Role objects. When `FULL` is specified,
|
|
|
|
|
// the `includedPermissions` field is returned, which includes a list of all
|
|
|
|
|
// permissions in the role. The default value is `BASIC`, which does not
|
|
|
|
|
// return the `includedPermissions` field.
|
|
|
|
|
RoleView view = 4;
|
|
|
|
|
|
|
|
|
|
// Include Roles that have been deleted.
|
|
|
|
|
@ -657,21 +813,61 @@ message ListRolesResponse {
|
|
|
|
|
|
|
|
|
|
// The request to get the definition of an existing role.
|
|
|
|
|
message GetRoleRequest {
|
|
|
|
|
// The resource name of the role in one of the following formats:
|
|
|
|
|
// `roles/{ROLE_NAME}`
|
|
|
|
|
// `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}`
|
|
|
|
|
// `projects/{PROJECT_ID}/roles/{ROLE_NAME}`
|
|
|
|
|
string name = 1;
|
|
|
|
|
// The `name` parameter's value depends on the target resource for the
|
|
|
|
|
// request, namely
|
|
|
|
|
// [`roles`](/iam/reference/rest/v1/roles),
|
|
|
|
|
// [`projects`](/iam/reference/rest/v1/projects.roles), or
|
|
|
|
|
// [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
|
|
|
|
|
// resource type's `name` value format is described below:
|
|
|
|
|
//
|
|
|
|
|
// * [`roles.get()`](/iam/reference/rest/v1/roles/get): `roles/{ROLE_NAME}`.
|
|
|
|
|
// This method returns results from all
|
|
|
|
|
// [predefined roles](/iam/docs/understanding-roles#predefined_roles) in
|
|
|
|
|
// Cloud IAM. Example request URL:
|
|
|
|
|
// `https://iam.googleapis.com/v1/roles/{ROLE_NAME}`
|
|
|
|
|
//
|
|
|
|
|
// * [`projects.roles.get()`](/iam/reference/rest/v1/projects.roles/get):
|
|
|
|
|
// `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only
|
|
|
|
|
// [custom roles](/iam/docs/understanding-custom-roles) that have been
|
|
|
|
|
// created at the project level. Example request URL:
|
|
|
|
|
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
|
|
|
|
|
//
|
|
|
|
|
// * [`organizations.roles.get()`](/iam/reference/rest/v1/organizations.roles/get):
|
|
|
|
|
// `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
|
|
|
|
|
// returns only [custom roles](/iam/docs/understanding-custom-roles) that
|
|
|
|
|
// have been created at the organization level. Example request URL:
|
|
|
|
|
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
|
|
|
|
|
//
|
|
|
|
|
// Note: Wildcard (*) values are invalid; you must specify a complete project
|
|
|
|
|
// ID or organization ID.
|
|
|
|
|
string name = 1 [(google.api.resource_reference).type = "*"];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The request to create a new role.
|
|
|
|
|
message CreateRoleRequest {
|
|
|
|
|
// The resource name of the parent resource in one of the following formats:
|
|
|
|
|
// `organizations/{ORGANIZATION_ID}`
|
|
|
|
|
// `projects/{PROJECT_ID}`
|
|
|
|
|
string parent = 1;
|
|
|
|
|
// The `parent` parameter's value depends on the target resource for the
|
|
|
|
|
// request, namely
|
|
|
|
|
// [`projects`](/iam/reference/rest/v1/projects.roles) or
|
|
|
|
|
// [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
|
|
|
|
|
// resource type's `parent` value format is described below:
|
|
|
|
|
//
|
|
|
|
|
// * [`projects.roles.create()`](/iam/reference/rest/v1/projects.roles/create):
|
|
|
|
|
// `projects/{PROJECT_ID}`. This method creates project-level
|
|
|
|
|
// [custom roles](/iam/docs/understanding-custom-roles).
|
|
|
|
|
// Example request URL:
|
|
|
|
|
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
|
|
|
|
|
//
|
|
|
|
|
// * [`organizations.roles.create()`](/iam/reference/rest/v1/organizations.roles/create):
|
|
|
|
|
// `organizations/{ORGANIZATION_ID}`. This method creates organization-level
|
|
|
|
|
// [custom roles](/iam/docs/understanding-custom-roles). Example request
|
|
|
|
|
// URL:
|
|
|
|
|
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
|
|
|
|
|
//
|
|
|
|
|
// Note: Wildcard (*) values are invalid; you must specify a complete project
|
|
|
|
|
// ID or organization ID.
|
|
|
|
|
string parent = 1 [(google.api.resource_reference).type = "*"];
|
|
|
|
|
|
|
|
|
|
// The role id to use for this role.
|
|
|
|
|
// The role ID to use for this role.
|
|
|
|
|
string role_id = 2;
|
|
|
|
|
|
|
|
|
|
// The Role resource to create.
|
|
|
|
|
@ -680,11 +876,27 @@ message CreateRoleRequest {
|
|
|
|
|
|
|
|
|
|
// The request to update a role.
|
|
|
|
|
message UpdateRoleRequest {
|
|
|
|
|
// The resource name of the role in one of the following formats:
|
|
|
|
|
// `roles/{ROLE_NAME}`
|
|
|
|
|
// `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}`
|
|
|
|
|
// `projects/{PROJECT_ID}/roles/{ROLE_NAME}`
|
|
|
|
|
string name = 1;
|
|
|
|
|
// The `name` parameter's value depends on the target resource for the
|
|
|
|
|
// request, namely
|
|
|
|
|
// [`projects`](/iam/reference/rest/v1/projects.roles) or
|
|
|
|
|
// [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
|
|
|
|
|
// resource type's `name` value format is described below:
|
|
|
|
|
//
|
|
|
|
|
// * [`projects.roles.patch()`](/iam/reference/rest/v1/projects.roles/patch):
|
|
|
|
|
// `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only
|
|
|
|
|
// [custom roles](/iam/docs/understanding-custom-roles) that have been
|
|
|
|
|
// created at the project level. Example request URL:
|
|
|
|
|
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
|
|
|
|
|
//
|
|
|
|
|
// * [`organizations.roles.patch()`](/iam/reference/rest/v1/organizations.roles/patch):
|
|
|
|
|
// `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
|
|
|
|
|
// updates only [custom roles](/iam/docs/understanding-custom-roles) that
|
|
|
|
|
// have been created at the organization level. Example request URL:
|
|
|
|
|
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
|
|
|
|
|
//
|
|
|
|
|
// Note: Wildcard (*) values are invalid; you must specify a complete project
|
|
|
|
|
// ID or organization ID.
|
|
|
|
|
string name = 1 [(google.api.resource_reference).type = "*"];
|
|
|
|
|
|
|
|
|
|
// The updated role.
|
|
|
|
|
Role role = 2;
|
|
|
|
|
@ -695,10 +907,27 @@ message UpdateRoleRequest {
|
|
|
|
|
|
|
|
|
|
// The request to delete an existing role.
|
|
|
|
|
message DeleteRoleRequest {
|
|
|
|
|
// The resource name of the role in one of the following formats:
|
|
|
|
|
// `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}`
|
|
|
|
|
// `projects/{PROJECT_ID}/roles/{ROLE_NAME}`
|
|
|
|
|
string name = 1;
|
|
|
|
|
// The `name` parameter's value depends on the target resource for the
|
|
|
|
|
// request, namely
|
|
|
|
|
// [`projects`](/iam/reference/rest/v1/projects.roles) or
|
|
|
|
|
// [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
|
|
|
|
|
// resource type's `name` value format is described below:
|
|
|
|
|
//
|
|
|
|
|
// * [`projects.roles.delete()`](/iam/reference/rest/v1/projects.roles/delete):
|
|
|
|
|
// `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only
|
|
|
|
|
// [custom roles](/iam/docs/understanding-custom-roles) that have been
|
|
|
|
|
// created at the project level. Example request URL:
|
|
|
|
|
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
|
|
|
|
|
//
|
|
|
|
|
// * [`organizations.roles.delete()`](/iam/reference/rest/v1/organizations.roles/delete):
|
|
|
|
|
// `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
|
|
|
|
|
// deletes only [custom roles](/iam/docs/understanding-custom-roles) that
|
|
|
|
|
// have been created at the organization level. Example request URL:
|
|
|
|
|
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
|
|
|
|
|
//
|
|
|
|
|
// Note: Wildcard (*) values are invalid; you must specify a complete project
|
|
|
|
|
// ID or organization ID.
|
|
|
|
|
string name = 1 [(google.api.resource_reference).type = "*"];
|
|
|
|
|
|
|
|
|
|
// Used to perform a consistent read-modify-write.
|
|
|
|
|
bytes etag = 2;
|
|
|
|
|
@ -706,10 +935,27 @@ message DeleteRoleRequest {
|
|
|
|
|
|
|
|
|
|
// The request to undelete an existing role.
|
|
|
|
|
message UndeleteRoleRequest {
|
|
|
|
|
// The resource name of the role in one of the following formats:
|
|
|
|
|
// `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}`
|
|
|
|
|
// `projects/{PROJECT_ID}/roles/{ROLE_NAME}`
|
|
|
|
|
string name = 1;
|
|
|
|
|
// The `name` parameter's value depends on the target resource for the
|
|
|
|
|
// request, namely
|
|
|
|
|
// [`projects`](/iam/reference/rest/v1/projects.roles) or
|
|
|
|
|
// [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
|
|
|
|
|
// resource type's `name` value format is described below:
|
|
|
|
|
//
|
|
|
|
|
// * [`projects.roles.undelete()`](/iam/reference/rest/v1/projects.roles/undelete):
|
|
|
|
|
// `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes
|
|
|
|
|
// only [custom roles](/iam/docs/understanding-custom-roles) that have been
|
|
|
|
|
// created at the project level. Example request URL:
|
|
|
|
|
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
|
|
|
|
|
//
|
|
|
|
|
// * [`organizations.roles.undelete()`](/iam/reference/rest/v1/organizations.roles/undelete):
|
|
|
|
|
// `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
|
|
|
|
|
// undeletes only [custom roles](/iam/docs/understanding-custom-roles) that
|
|
|
|
|
// have been created at the organization level. Example request URL:
|
|
|
|
|
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
|
|
|
|
|
//
|
|
|
|
|
// Note: Wildcard (*) values are invalid; you must specify a complete project
|
|
|
|
|
// ID or organization ID.
|
|
|
|
|
string name = 1 [(google.api.resource_reference).type = "*"];
|
|
|
|
|
|
|
|
|
|
// Used to perform a consistent read-modify-write.
|
|
|
|
|
bytes etag = 2;
|
|
|
|
|
@ -751,6 +997,7 @@ message Permission {
|
|
|
|
|
string title = 2;
|
|
|
|
|
|
|
|
|
|
// A brief description of what this Permission is used for.
|
|
|
|
|
// This permission can ONLY be used in predefined roles.
|
|
|
|
|
string description = 3;
|
|
|
|
|
|
|
|
|
|
// This permission can ONLY be used in predefined roles.
|
|
|
|
|
|