From ade4803e8a1a9e3efd249c8c86895d2f12eb2aaa Mon Sep 17 00:00:00 2001
From: Google APIs
Date: Thu, 19 Dec 2019 10:30:51 -0800
Subject: [PATCH] iam credentials: publish v1 protos containing annotations
PiperOrigin-RevId: 286418383
---
google/iam/credentials/v1/BUILD.bazel | 6 ++
google/iam/credentials/v1/common.proto | 85 +++++++++++++------
.../iam/credentials/v1/iamcredentials.proto | 17 ++-
.../iam/credentials/v1/iamcredentials_v1.yaml | 17 ++++
4 files changed, 95 insertions(+), 30 deletions(-)
create mode 100644 google/iam/credentials/v1/iamcredentials_v1.yaml
diff --git a/google/iam/credentials/v1/BUILD.bazel b/google/iam/credentials/v1/BUILD.bazel
index 5a1bed41..2e6a1f6a 100644
--- a/google/iam/credentials/v1/BUILD.bazel
+++ b/google/iam/credentials/v1/BUILD.bazel
@@ -17,6 +17,9 @@ proto_library(
 ],
 deps = [
 "//google/api:annotations_proto",
+ "//google/api:client_proto",
+ "//google/api:field_behavior_proto",
+ "//google/api:resource_proto",
 "@com_google_protobuf//:duration_proto",
 "@com_google_protobuf//:timestamp_proto",
 ],
@@ -155,6 +158,9 @@ moved_proto_library(
 srcs = [":credentials_proto"],
 deps = [
 "//google/api:annotations_proto",
+ "//google/api:client_proto",
+ "//google/api:field_behavior_proto",
+ "//google/api:resource_proto",
 "@com_google_protobuf//:duration_proto",
 "@com_google_protobuf//:timestamp_proto",
 ],
diff --git a/google/iam/credentials/v1/common.proto b/google/iam/credentials/v1/common.proto
index 6ba01019..361f2e90 100644
--- a/google/iam/credentials/v1/common.proto
+++ b/google/iam/credentials/v1/common.proto
@@ -1,4 +1,4 @@
-// Copyright 2018 Google LLC
+// Copyright 2019 Google LLC.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -11,11 +11,14 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//
 
 syntax = "proto3";
 
 package google.iam.credentials.v1;
 
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/timestamp.proto";
 
@@ -24,12 +27,22 @@ option go_package = "google.golang.org/genproto/googleapis/iam/credentials/v1;cr
 option java_multiple_files = true;
 option java_outer_classname = "IAMCredentialsCommonProto";
 option java_package = "com.google.cloud.iam.credentials.v1";
+option (google.api.resource_definition) = {
+ type: "iam.googleapis.com/ServiceAccount"
+ pattern: "projects/{project}/serviceAccounts/{service_account}"
+};
 
 message GenerateAccessTokenRequest {
- // The resource name of the service account for which the credentials
+ // Required. The resource name of the service account for which the credentials
 // are requested, in the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
- string name = 1;
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+ // character is required; replacing it with a project ID is invalid.
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "iam.googleapis.com/ServiceAccount"
+ }
+ ];
 
 // The sequence of service accounts in a delegation chain. Each service
 // account must be granted the `roles/iam.serviceAccountTokenCreator` role
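Review bot: The new `resource_definition` pattern `projects/{project}/serviceAccounts/{service_account}` admits a real project ID in its first segment, while the `name` comment added in the same hunk states that the `-` wildcard is required and a project ID is invalid; resource-name helpers generated from that pattern would presumably build names this API rejects. A short comment above the option would stop the two from reading as contradictory, e.g. `// For this API the {project} segment must be the "-" wildcard; see the name field comments below.` The same `resource_reference` to this type is added on `name` in the SignBlobRequest, SignJwtRequest and GenerateIdTokenRequest hunks, so the one comment covers all of them.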
@@ -39,14 +52,15 @@ message GenerateAccessTokenRequest {
 // request.
 //
 // The delegates must have the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+ // character is required; replacing it with a project ID is invalid.
 repeated string delegates = 2;
 
- // Code to identify the scopes to be included in the OAuth 2.0 access token.
+ // Required. Code to identify the scopes to be included in the OAuth 2.0 access token.
 // See https://developers.google.com/identity/protocols/googlescopes for more
 // information.
 // At least one value required.
- repeated string scope = 4;
+ repeated string scope = 4 [(google.api.field_behavior) = REQUIRED];
 
 // The desired lifetime duration of the access token in seconds.
 // Must be set to a value less than or equal to 3600 (1 hour). If a value is
@@ -65,10 +79,16 @@ message GenerateAccessTokenResponse {
 }
 
 message SignBlobRequest {
- // The resource name of the service account for which the credentials
+ // Required. The resource name of the service account for which the credentials
 // are requested, in the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
- string name = 1;
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+ // character is required; replacing it with a project ID is invalid.
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "iam.googleapis.com/ServiceAccount"
+ }
+ ];
 
 // The sequence of service accounts in a delegation chain. Each service
 // account must be granted the `roles/iam.serviceAccountTokenCreator` role
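Review bot: The rewritten comment `// Required. Code to identify the scopes to be included in the OAuth 2.0 access token.` runs past 80 columns, while every neighbouring comment line in the file is wrapped; prefixing `Required.` is what pushed it over. Rewrap it as `// Required. Code to identify the scopes to be included in the OAuth 2.0` followed by `// access token.` The same overflow appears on each `// Required. The resource name of the service account for which the credentials` line in this file's other hunks, on the SignJwtRequest `payload` and GenerateIdTokenRequest `audience` comments, and on the re-joined `rpc ... returns (...) {` lines of the IAMCredentials service hunk, where the removed lines had been wrapped.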
@@ -78,11 +98,12 @@ message SignBlobRequest {
 // request.
 //
 // The delegates must have the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+ // character is required; replacing it with a project ID is invalid.
 repeated string delegates = 3;
 
- // The bytes to sign.
- bytes payload = 5;
+ // Required. The bytes to sign.
+ bytes payload = 5 [(google.api.field_behavior) = REQUIRED];
 }
 
 message SignBlobResponse {
@@ -94,10 +115,16 @@ message SignBlobResponse {
 }
 
 message SignJwtRequest {
- // The resource name of the service account for which the credentials
+ // Required. The resource name of the service account for which the credentials
 // are requested, in the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
- string name = 1;
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+ // character is required; replacing it with a project ID is invalid.
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "iam.googleapis.com/ServiceAccount"
+ }
+ ];
 
 // The sequence of service accounts in a delegation chain. Each service
 // account must be granted the `roles/iam.serviceAccountTokenCreator` role
@@ -107,11 +134,12 @@ message SignJwtRequest {
 // request.
 //
 // The delegates must have the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+ // character is required; replacing it with a project ID is invalid.
 repeated string delegates = 3;
 
- // The JWT payload to sign: a JSON object that contains a JWT Claims Set.
- string payload = 5;
+ // Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.
+ string payload = 5 [(google.api.field_behavior) = REQUIRED];
 }
 
 message SignJwtResponse {
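Review bot: `bytes payload = 5` now carries `REQUIRED`, but as a proto3 implicit-presence field an empty payload is not serialized and cannot be told apart from an absent one on the wire, so the annotation can only be enforced as "non-empty"; the bare `Required.` prefix leaves that unstated in the generated docs. Suggest `// Required. The bytes to sign. Must be non-empty: an empty value is indistinguishable from an unset one on the wire.` The same holds for `string payload` in the SignJwtRequest hunk below, for `audience` in the GenerateIdTokenRequest hunk, and for each annotated `name` field.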
@@ -123,10 +151,16 @@ message SignJwtResponse {
 }
 
 message GenerateIdTokenRequest {
- // The resource name of the service account for which the credentials
+ // Required. The resource name of the service account for which the credentials
 // are requested, in the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
- string name = 1;
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+ // character is required; replacing it with a project ID is invalid.
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "iam.googleapis.com/ServiceAccount"
+ }
+ ];
 
 // The sequence of service accounts in a delegation chain. Each service
 // account must be granted the `roles/iam.serviceAccountTokenCreator` role
@@ -136,12 +170,13 @@ message GenerateIdTokenRequest {
 // request.
 //
 // The delegates must have the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+ // character is required; replacing it with a project ID is invalid.
 repeated string delegates = 2;
 
- // The audience for the token, such as the API or account that this token
+ // Required. The audience for the token, such as the API or account that this token
 // grants access to.
- string audience = 3;
+ string audience = 3 [(google.api.field_behavior) = REQUIRED];
 
 // Include the service account email in the token. If set to `true`, the
 // token will contain `email` and `email_verified` claims.
diff --git a/google/iam/credentials/v1/iamcredentials.proto b/google/iam/credentials/v1/iamcredentials.proto
index 3308d63a..29554c56 100644
--- a/google/iam/credentials/v1/iamcredentials.proto
+++ b/google/iam/credentials/v1/iamcredentials.proto
@@ -1,4 +1,4 @@
-// Copyright 2018 Google LLC
+// Copyright 2019 Google LLC.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -11,12 +11,14 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//
 
 syntax = "proto3";
 
 package google.iam.credentials.v1;
 
 import "google/api/annotations.proto";
+import "google/api/client.proto";
 import "google/iam/credentials/v1/common.proto";
 
 option cc_enable_arenas = true;
@@ -35,22 +37,25 @@ option java_package = "com.google.cloud.iam.credentials.v1";
 // tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and
 // more.
 service IAMCredentials {
+ option (google.api.default_host) = "iamcredentials.googleapis.com";
+ option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
+
 // Generates an OAuth 2.0 access token for a service account.
- rpc GenerateAccessToken(GenerateAccessTokenRequest)
- returns (GenerateAccessTokenResponse) {
+ rpc GenerateAccessToken(GenerateAccessTokenRequest) returns (GenerateAccessTokenResponse) {
 option (google.api.http) = {
 post: "/v1/{name=projects/*/serviceAccounts/*}:generateAccessToken"
 body: "*"
 };
+ option (google.api.method_signature) = "name,delegates,scope,lifetime";
 }
 
 // Generates an OpenID Connect ID token for a service account.
- rpc GenerateIdToken(GenerateIdTokenRequest)
- returns (GenerateIdTokenResponse) {
+ rpc GenerateIdToken(GenerateIdTokenRequest) returns (GenerateIdTokenResponse) {
 option (google.api.http) = {
 post: "/v1/{name=projects/*/serviceAccounts/*}:generateIdToken"
 body: "*"
 };
+ option (google.api.method_signature) = "name,delegates,audience,include_email";
 }
 
 // Signs a blob using a service account's system-managed private key.
@@ -59,6 +64,7 @@ service IAMCredentials {
 post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob"
 body: "*"
 };
+ option (google.api.method_signature) = "name,delegates,payload";
 }
 
 // Signs a JWT using a service account's system-managed private key.
@@ -67,5 +73,6 @@ service IAMCredentials {
 post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt"
 body: "*"
 };
+ option (google.api.method_signature) = "name,delegates,payload";
 }
 }
diff --git a/google/iam/credentials/v1/iamcredentials_v1.yaml b/google/iam/credentials/v1/iamcredentials_v1.yaml
new file mode 100644
index 00000000..51b504b7
--- /dev/null
+++ b/google/iam/credentials/v1/iamcredentials_v1.yaml
@@ -0,0 +1,17 @@
+type: google.api.Service
+config_version: 3
+name: iamcredentials.googleapis.com
+title: IAM Service Account Credentials API
+
+apis:
+- name: google.iam.credentials.v1.IAMCredentials
+
+documentation:
+ summary: 'Creates short-lived, limited-privilege credentials for IAM service accounts.'
+
+authentication:
+ rules:
+ - selector: 'google.iam.credentials.v1.IAMCredentials.*'
+ oauth:
+ canonical_scopes: |-
+ https://www.googleapis.com/auth/cloud-platform