iam credentials: publish v1 protos containing annotations

PiperOrigin-RevId: 286418383
2019-12-19 10:30:51 -08:00 · 2019-12-19 10:30:51 -08:00 · ade4803e8a
parent 03e5708e5f
commit ade4803e8a
4 changed files with 95 additions and 30 deletions
--- a/google/iam/credentials/v1/BUILD.bazel
+++ b/google/iam/credentials/v1/BUILD.bazel
@ -17,6 +17,9 @@ proto_library(
    ],
    deps = [
        "//google/api:annotations_proto",
+        "//google/api:client_proto",
+        "//google/api:field_behavior_proto",
+        "//google/api:resource_proto",
        "@com_google_protobuf//:duration_proto",
        "@com_google_protobuf//:timestamp_proto",
    ],
@ -155,6 +158,9 @@ moved_proto_library(
    srcs = [":credentials_proto"],
    deps = [
        "//google/api:annotations_proto",
+        "//google/api:client_proto",
+        "//google/api:field_behavior_proto",
+        "//google/api:resource_proto",
        "@com_google_protobuf//:duration_proto",
        "@com_google_protobuf//:timestamp_proto",
    ],
--- a/google/iam/credentials/v1/common.proto
+++ b/google/iam/credentials/v1/common.proto
@ -1,4 +1,4 @@
-// Copyright 2018 Google LLC
+// Copyright 2019 Google LLC.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -11,11 +11,14 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//

 syntax = "proto3";

 package google.iam.credentials.v1;

+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/timestamp.proto";

@ -24,12 +27,22 @@ option go_package = "google.golang.org/genproto/googleapis/iam/credentials/v1;cr
 option java_multiple_files = true;
 option java_outer_classname = "IAMCredentialsCommonProto";
 option java_package = "com.google.cloud.iam.credentials.v1";
+option (google.api.resource_definition) = {
+  type: "iam.googleapis.com/ServiceAccount"
+  pattern: "projects/{project}/serviceAccounts/{service_account}"
+};

 message GenerateAccessTokenRequest {
-  // The resource name of the service account for which the credentials
+  // Required. The resource name of the service account for which the credentials
  // are requested, in the following format:
-  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
-  string name = 1;
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+  // character is required; replacing it with a project ID is invalid.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "iam.googleapis.com/ServiceAccount"
+    }
+  ];

  // The sequence of service accounts in a delegation chain. Each service
  // account must be granted the `roles/iam.serviceAccountTokenCreator` role
@ -39,14 +52,15 @@ message GenerateAccessTokenRequest {
  // request.
  //
  // The delegates must have the following format:
-  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+  // character is required; replacing it with a project ID is invalid.
  repeated string delegates = 2;

-  // Code to identify the scopes to be included in the OAuth 2.0 access token.
+  // Required. Code to identify the scopes to be included in the OAuth 2.0 access token.
  // See https://developers.google.com/identity/protocols/googlescopes for more
  // information.
  // At least one value required.
-  repeated string scope = 4;
+  repeated string scope = 4 [(google.api.field_behavior) = REQUIRED];

  // The desired lifetime duration of the access token in seconds.
  // Must be set to a value less than or equal to 3600 (1 hour). If a value is
@ -65,10 +79,16 @@ message GenerateAccessTokenResponse {
 }

 message SignBlobRequest {
-  // The resource name of the service account for which the credentials
+  // Required. The resource name of the service account for which the credentials
  // are requested, in the following format:
-  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
-  string name = 1;
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+  // character is required; replacing it with a project ID is invalid.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "iam.googleapis.com/ServiceAccount"
+    }
+  ];

  // The sequence of service accounts in a delegation chain. Each service
  // account must be granted the `roles/iam.serviceAccountTokenCreator` role
@ -78,11 +98,12 @@ message SignBlobRequest {
  // request.
  //
  // The delegates must have the following format:
-  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+  // character is required; replacing it with a project ID is invalid.
  repeated string delegates = 3;

-  // The bytes to sign.
-  bytes payload = 5;
+  // Required. The bytes to sign.
+  bytes payload = 5 [(google.api.field_behavior) = REQUIRED];
 }

 message SignBlobResponse {
@ -94,10 +115,16 @@ message SignBlobResponse {
 }

 message SignJwtRequest {
-  // The resource name of the service account for which the credentials
+  // Required. The resource name of the service account for which the credentials
  // are requested, in the following format:
-  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
-  string name = 1;
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+  // character is required; replacing it with a project ID is invalid.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "iam.googleapis.com/ServiceAccount"
+    }
+  ];

  // The sequence of service accounts in a delegation chain. Each service
  // account must be granted the `roles/iam.serviceAccountTokenCreator` role
@ -107,11 +134,12 @@ message SignJwtRequest {
  // request.
  //
  // The delegates must have the following format:
-  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+  // character is required; replacing it with a project ID is invalid.
  repeated string delegates = 3;

-  // The JWT payload to sign: a JSON object that contains a JWT Claims Set.
-  string payload = 5;
+  // Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.
+  string payload = 5 [(google.api.field_behavior) = REQUIRED];
 }

 message SignJwtResponse {
@ -123,10 +151,16 @@ message SignJwtResponse {
 }

 message GenerateIdTokenRequest {
-  // The resource name of the service account for which the credentials
+  // Required. The resource name of the service account for which the credentials
  // are requested, in the following format:
-  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
-  string name = 1;
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+  // character is required; replacing it with a project ID is invalid.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "iam.googleapis.com/ServiceAccount"
+    }
+  ];

  // The sequence of service accounts in a delegation chain. Each service
  // account must be granted the `roles/iam.serviceAccountTokenCreator` role
@ -136,12 +170,13 @@ message GenerateIdTokenRequest {
  // request.
  //
  // The delegates must have the following format:
-  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+  // character is required; replacing it with a project ID is invalid.
  repeated string delegates = 2;

-  // The audience for the token, such as the API or account that this token
+  // Required. The audience for the token, such as the API or account that this token
  // grants access to.
-  string audience = 3;
+  string audience = 3 [(google.api.field_behavior) = REQUIRED];

  // Include the service account email in the token. If set to `true`, the
  // token will contain `email` and `email_verified` claims.
--- a/google/iam/credentials/v1/iamcredentials.proto
+++ b/google/iam/credentials/v1/iamcredentials.proto
@ -1,4 +1,4 @@
-// Copyright 2018 Google LLC
+// Copyright 2019 Google LLC.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -11,12 +11,14 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//

 syntax = "proto3";

 package google.iam.credentials.v1;

 import "google/api/annotations.proto";
+import "google/api/client.proto";
 import "google/iam/credentials/v1/common.proto";

 option cc_enable_arenas = true;
@ -35,22 +37,25 @@ option java_package = "com.google.cloud.iam.credentials.v1";
 // tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and
 // more.
 service IAMCredentials {
+  option (google.api.default_host) = "iamcredentials.googleapis.com";
+  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
+
  // Generates an OAuth 2.0 access token for a service account.
-  rpc GenerateAccessToken(GenerateAccessTokenRequest)
-      returns (GenerateAccessTokenResponse) {
+  rpc GenerateAccessToken(GenerateAccessTokenRequest) returns (GenerateAccessTokenResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}:generateAccessToken"
      body: "*"
    };
+    option (google.api.method_signature) = "name,delegates,scope,lifetime";
  }

  // Generates an OpenID Connect ID token for a service account.
-  rpc GenerateIdToken(GenerateIdTokenRequest)
-      returns (GenerateIdTokenResponse) {
+  rpc GenerateIdToken(GenerateIdTokenRequest) returns (GenerateIdTokenResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}:generateIdToken"
      body: "*"
    };
+    option (google.api.method_signature) = "name,delegates,audience,include_email";
  }

  // Signs a blob using a service account's system-managed private key.
@ -59,6 +64,7 @@ service IAMCredentials {
      post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob"
      body: "*"
    };
+    option (google.api.method_signature) = "name,delegates,payload";
  }

  // Signs a JWT using a service account's system-managed private key.
@ -67,5 +73,6 @@ service IAMCredentials {
      post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt"
      body: "*"
    };
+    option (google.api.method_signature) = "name,delegates,payload";
  }
 }
--- a/google/iam/credentials/v1/iamcredentials_v1.yaml
+++ b/google/iam/credentials/v1/iamcredentials_v1.yaml
@ -0,0 +1,17 @@
+type: google.api.Service
+config_version: 3
+name: iamcredentials.googleapis.com
+title: IAM Service Account Credentials API
+
+apis:
+- name: google.iam.credentials.v1.IAMCredentials
+
+documentation:
+  summary: 'Creates short-lived, limited-privilege credentials for IAM service accounts.'
+
+authentication:
+  rules:
+  - selector: 'google.iam.credentials.v1.IAMCredentials.*'
+    oauth:
+      canonical_scopes: |-
+        https://www.googleapis.com/auth/cloud-platform