suguo
/
googleapis
0
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: Publish v1beta.WorkloadIdentityPools API. 

PiperOrigin-RevId: 329778334
This commit is contained in:
Google APIs 2020-09-02 13:37:24 -07:00 committed by Copybara-Service
parent 88d4f10bbe
commit b513a71293
5 changed files with 1158 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

378
google/iam/v1beta/BUILD.bazel Normal file
View File

@ -0,0 +1,378 @@
# This file was automatically generated by BuildFileGenerator
# https://github.com/googleapis/gapic-generator/tree/master/rules_gapic/bazel
# Most of the manual changes to this file will be overwritten.
# It's **only** allowed to change the following rule attribute values:
# - names of *_gapic_assembly_* rules
# - certain parameters of *_gapic_library rules, including but not limited to:
# * extra_protoc_parameters
# * extra_protoc_file_parameters
# The complete list of preserved parameters can be found in the source code.
# This is an API workspace, having public visibility by default makes perfect sense.
package(default_visibility = ["//visibility:public"])
##############################################################################
# Common
##############################################################################
load("@rules_proto//proto:defs.bzl", "proto_library")
load("@com_google_googleapis_imports//:imports.bzl", "proto_library_with_info")
proto_library(
name = "iam_proto",
srcs = [
"workload_identity_pool.proto",
],
deps = [
"//google/api:annotations_proto",
"//google/api:client_proto",
"//google/api:field_behavior_proto",
"//google/api:resource_proto",
"//google/longrunning:operations_proto",
"@com_google_protobuf//:field_mask_proto",
],
)
proto_library_with_info(
name = "iam_proto_with_info",
deps = [
":iam_proto",
"//google/cloud:common_resources_proto",
],
)
##############################################################################
# Java
##############################################################################
load(
"@com_google_googleapis_imports//:imports.bzl",
"java_gapic_assembly_gradle_pkg",
"java_gapic_library",
"java_gapic_test",
"java_grpc_library",
"java_proto_library",
)
java_proto_library(
name = "iam_java_proto",
deps = [":iam_proto"],
)
java_grpc_library(
name = "iam_java_grpc",
srcs = [":iam_proto"],
deps = [":iam_java_proto"],
)
java_gapic_library(
name = "iam_java_gapic",
src = ":iam_proto_with_info",
gapic_yaml = "iam_gapic.yaml",
grpc_service_config = "iam_grpc_service_config.json",
package = "google.iam.v1beta",
service_yaml = "iam_v1beta.yaml",
test_deps = [
":iam_java_grpc",
],
deps = [
":iam_java_proto",
],
)
java_gapic_test(
name = "iam_java_gapic_test_suite",
test_classes = [
"com.google.cloud.iam.v1beta.WorkloadIdentityPoolsClientTest",
],
runtime_deps = [":iam_java_gapic_test"],
)
# Open Source Packages
java_gapic_assembly_gradle_pkg(
name = "google-iam-v1beta-java",
deps = [
":iam_java_gapic",
":iam_java_grpc",
":iam_java_proto",
":iam_proto",
],
)
##############################################################################
# Go
##############################################################################
load(
"@com_google_googleapis_imports//:imports.bzl",
"go_gapic_assembly_pkg",
"go_gapic_library",
"go_proto_library",
"go_test",
)
go_proto_library(
name = "iam_go_proto",
compilers = ["@io_bazel_rules_go//proto:go_grpc"],
importpath = "google.golang.org/genproto/googleapis/iam/v1beta",
protos = [":iam_proto"],
deps = [
"//google/api:annotations_go_proto",
"//google/longrunning:longrunning_go_proto",
],
)
go_gapic_library(
name = "iam_go_gapic",
srcs = [":iam_proto_with_info"],
grpc_service_config = "iam_grpc_service_config.json",
importpath = "cloud.google.com/go/iam/apiv1beta;iam",
service_yaml = "iam_v1beta.yaml",
deps = [
":iam_go_proto",
"//google/longrunning:longrunning_go_gapic",
"//google/longrunning:longrunning_go_proto",
"@com_google_cloud_go//longrunning:go_default_library",
],
)
go_test(
name = "iam_go_gapic_test",
srcs = [":iam_go_gapic_srcjar_test"],
embed = [":iam_go_gapic"],
importpath = "cloud.google.com/go/iam/apiv1beta",
)
# Open Source Packages
go_gapic_assembly_pkg(
name = "gapi-cloud-iam-v1beta-go",
deps = [
":iam_go_gapic",
":iam_go_gapic_srcjar-test.srcjar",
":iam_go_proto",
],
)
##############################################################################
# Python
##############################################################################
load(
"@com_google_googleapis_imports//:imports.bzl",
"moved_proto_library",
"py_gapic_assembly_pkg",
"py_gapic_library",
"py_grpc_library",
"py_proto_library",
)
moved_proto_library(
name = "iam_moved_proto",
srcs = [":iam_proto"],
deps = [
"//google/api:annotations_proto",
"//google/api:client_proto",
"//google/api:field_behavior_proto",
"//google/api:resource_proto",
"//google/longrunning:operations_proto",
"@com_google_protobuf//:field_mask_proto",
],
)
py_proto_library(
name = "iam_py_proto",
plugin = "@protoc_docs_plugin//:docs_plugin",
deps = [":iam_moved_proto"],
)
py_grpc_library(
name = "iam_py_grpc",
srcs = [":iam_moved_proto"],
deps = [":iam_py_proto"],
)
py_gapic_library(
name = "iam_py_gapic",
src = ":iam_proto_with_info",
gapic_yaml = "iam_gapic.yaml",
grpc_service_config = "iam_grpc_service_config.json",
package = "google.iam.v1beta",
service_yaml = "iam_v1beta.yaml",
deps = [
":iam_py_grpc",
":iam_py_proto",
],
)
# Open Source Packages
py_gapic_assembly_pkg(
name = "iam-v1beta-py",
deps = [
":iam_py_gapic",
":iam_py_grpc",
":iam_py_proto",
],
)
##############################################################################
# PHP
##############################################################################
load(
"@com_google_googleapis_imports//:imports.bzl",
"php_gapic_assembly_pkg",
"php_gapic_library",
"php_grpc_library",
"php_proto_library",
)
php_proto_library(
name = "iam_php_proto",
deps = [":iam_proto"],
)
php_grpc_library(
name = "iam_php_grpc",
srcs = [":iam_proto"],
deps = [":iam_php_proto"],
)
php_gapic_library(
name = "iam_php_gapic",
src = ":iam_proto_with_info",
gapic_yaml = "iam_gapic.yaml",
grpc_service_config = "iam_grpc_service_config.json",
package = "google.iam.v1beta",
service_yaml = "iam_v1beta.yaml",
deps = [
":iam_php_grpc",
":iam_php_proto",
],
)
# Open Source Packages
php_gapic_assembly_pkg(
name = "google-iam-v1beta-php",
deps = [
":iam_php_gapic",
":iam_php_grpc",
":iam_php_proto",
],
)
##############################################################################
# Node.js
##############################################################################
load(
"@com_google_googleapis_imports//:imports.bzl",
"nodejs_gapic_assembly_pkg",
"nodejs_gapic_library",
)
nodejs_gapic_library(
name = "iam_nodejs_gapic",
src = ":iam_proto_with_info",
grpc_service_config = "iam_grpc_service_config.json",
package = "google.iam.v1beta",
service_yaml = "iam_v1beta.yaml",
deps = [],
)
nodejs_gapic_assembly_pkg(
name = "iam-v1beta-nodejs",
deps = [
":iam_nodejs_gapic",
":iam_proto",
],
)
##############################################################################
# Ruby
##############################################################################
load(
"@com_google_googleapis_imports//:imports.bzl",
"ruby_gapic_assembly_pkg",
"ruby_gapic_library",
"ruby_grpc_library",
"ruby_proto_library",
)
ruby_proto_library(
name = "iam_ruby_proto",
deps = [":iam_proto"],
)
ruby_grpc_library(
name = "iam_ruby_grpc",
srcs = [":iam_proto"],
deps = [":iam_ruby_proto"],
)
ruby_gapic_library(
name = "iam_ruby_gapic",
src = ":iam_proto_with_info",
gapic_yaml = "iam_gapic.yaml",
grpc_service_config = "iam_grpc_service_config.json",
package = "google.iam.v1beta",
service_yaml = "iam_v1beta.yaml",
deps = [
":iam_ruby_grpc",
":iam_ruby_proto",
],
)
# Open Source Packages
ruby_gapic_assembly_pkg(
name = "google-iam-v1beta-ruby",
deps = [
":iam_ruby_gapic",
":iam_ruby_grpc",
":iam_ruby_proto",
],
)
##############################################################################
# C#
##############################################################################
load(
"@com_google_googleapis_imports//:imports.bzl",
"csharp_gapic_assembly_pkg",
"csharp_gapic_library",
"csharp_grpc_library",
"csharp_proto_library",
)
csharp_proto_library(
name = "iam_csharp_proto",
deps = [":iam_proto"],
)
csharp_grpc_library(
name = "iam_csharp_grpc",
srcs = [":iam_proto"],
deps = [":iam_csharp_proto"],
)
csharp_gapic_library(
name = "iam_csharp_gapic",
src = ":iam_proto_with_info",
gapic_yaml = "iam_gapic.yaml",
grpc_service_config = "iam_grpc_service_config.json",
package = "google.iam.v1beta",
service_yaml = "iam_v1beta.yaml",
deps = [
":iam_csharp_grpc",
":iam_csharp_proto",
],
)
# Open Source Packages
csharp_gapic_assembly_pkg(
name = "google-iam-v1beta-csharp",
deps = [
":iam_csharp_gapic",
":iam_csharp_grpc",
":iam_csharp_proto",
],
)
##############################################################################
# C++
##############################################################################
# Put your C++ rules here

23
google/iam/v1beta/iam_gapic.yaml Normal file
View File

@ -0,0 +1,23 @@
type: com.google.api.codegen.ConfigProto
config_schema_version: 2.0.0
# The settings of generated code in a specific language.
language_settings:
java:
package_name: com.google.cloud.iam.v1beta
python:
package_name: google.cloud.iam_v1beta.gapic
go:
package_name: cloud.google.com/go/iam/apiv1beta
csharp:
package_name: Google.Iam.V1Beta
ruby:
package_name: Google::Cloud::Iam::V1Beta
php:
package_name: Google\Cloud\Iam\V1Beta
nodejs:
package_name: iam.core.v1beta
domain_layer_location: google-cloud
# A list of API interface configurations.
interfaces:
# The fully qualified name of the API interface.
- name: google.iam.v1beta.WorkloadIdentityPools

67
google/iam/v1beta/iam_grpc_service_config.json Normal file
View File

@ -0,0 +1,67 @@
{
"methodConfig": [
{
"name": [
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "ListWorkloadIdentityPools"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "GetWorkloadIdentityPool"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "CreateWorkloadIdentityPool"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "UpdateWorkloadIdentityPool"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "DeleteWorkloadIdentityPool"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "UndeleteWorkloadIdentityPool"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "ListWorkloadIdentityPoolProviders"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "GetWorkloadIdentityPoolProvider"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "CreateWorkloadIdentityPoolProvider"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "UpdateWorkloadIdentityPoolProvider"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "DeleteWorkloadIdentityPoolProvider"
},
{
"service": "google.iam.v1beta.WorkloadIdentityPools",
"method": "UndeleteWorkloadIdentityPoolProvider"
}
],
"timeout": "60s",
"retryPolicy": {
"maxAttempts": 5,
"initialBackoff": "1s",
"maxBackoff": "10s",
"backoffMultiplier": 1.3,
"retryableStatusCodes": [
"UNAVAILABLE",
"DEADLINE_EXCEEDED"
]
}
}
]
}

50
google/iam/v1beta/iam_v1beta.yaml Normal file
View File

@ -0,0 +1,50 @@
type: google.api.Service
config_version: 2
name: iam.googleapis.com
title: Identity and Access Management (IAM) API
apis:
- name: google.iam.v1beta.WorkloadIdentityPools
documentation:
summary: |-
<p>Manages identity and access control for Google Cloud Platform resources,
including the creation of service accounts, which you can use to
authenticate to Google and make API calls.</p> <aside
class="note"><b>Note:</b> This API is tied to the <a
href="/iam/docs/reference/credentials/rest">IAM service account
credentials API</a> (<code>iamcredentials.googleapis.com</code>). Enabling
or disabling this API will also enable or disable the IAM service account
credentials API.</aside>
http:
rules:
- selector: google.longrunning.Operations.CancelOperation
post: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/operations/*}:cancel'
body: '*'
additional_bindings:
- post: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*/operations/*}:cancel'
body: '*'
- selector: google.longrunning.Operations.DeleteOperation
delete: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/operations/*}'
additional_bindings:
- delete: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*/operations/*}'
- selector: google.longrunning.Operations.GetOperation
get: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/operations/*}'
additional_bindings:
- get: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*/operations/*}'
- selector: google.longrunning.Operations.ListOperations
get: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*}/operations'
additional_bindings:
- get: '/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*}/operations'
authentication:
rules:
- selector: 'google.iam.v1beta.WorkloadIdentityPools.*'
oauth:
canonical_scopes: |-
https://www.googleapis.com/auth/cloud-platform
- selector: 'google.longrunning.Operations.*'
oauth:
canonical_scopes: |-
https://www.googleapis.com/auth/cloud-platform

640
google/iam/v1beta/workload_identity_pool.proto Normal file
View File

@ -0,0 +1,640 @@
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package google.iam.v1beta;
import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/field_mask.proto";
option go_package = "google.golang.org/genproto/googleapis/iam/v1beta;iam";
option java_multiple_files = true;
option java_outer_classname = "WorkloadIdentityPoolProto";
option java_package = "com.google.iam.v1beta";
// Manages WorkloadIdentityPools.
service WorkloadIdentityPools {
option (google.api.default_host) = "iam.googleapis.com";
option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
// Lists all non-deleted
// [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool]s in a
// project. If `show_deleted` is set to `true`, then deleted pools are also
// listed.
rpc ListWorkloadIdentityPools(ListWorkloadIdentityPoolsRequest) returns (ListWorkloadIdentityPoolsResponse) {
option (google.api.http) = {
get: "/v1beta/{parent=projects/*/locations/*}/workloadIdentityPools"
};
option (google.api.method_signature) = "parent";
}
// Gets an individual
// [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
rpc GetWorkloadIdentityPool(GetWorkloadIdentityPoolRequest) returns (WorkloadIdentityPool) {
option (google.api.http) = {
get: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*}"
};
option (google.api.method_signature) = "name";
}
// Creates a new
// [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
//
// You cannot reuse the name of a deleted pool until 30 days after deletion.
rpc CreateWorkloadIdentityPool(CreateWorkloadIdentityPoolRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
post: "/v1beta/{parent=projects/*/locations/*}/workloadIdentityPools"
body: "workload_identity_pool"
};
option (google.api.method_signature) = "parent,workload_identity_pool,workload_identity_pool_id";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPool"
metadata_type: "WorkloadIdentityPoolOperationMetadata"
};
}
// Updates an existing
// [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
rpc UpdateWorkloadIdentityPool(UpdateWorkloadIdentityPoolRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
patch: "/v1beta/{workload_identity_pool.name=projects/*/locations/*/workloadIdentityPools/*}"
body: "workload_identity_pool"
};
option (google.api.method_signature) = "workload_identity_pool,update_mask";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPool"
metadata_type: "WorkloadIdentityPoolOperationMetadata"
};
}
// Deletes a
// [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
//
// You cannot use a deleted pool to exchange external
// credentials for Google Cloud credentials. However, deletion does
// not revoke credentials that have already been issued.
// Credentials issued for a deleted pool do not grant access to resources.
// If the pool is undeleted, and the credentials are not expired, they
// grant access again.
// You can undelete a pool for 30 days. After 30 days, deletion is
// permanent.
// You cannot update deleted pools. However, you can view and list them.
rpc DeleteWorkloadIdentityPool(DeleteWorkloadIdentityPoolRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
delete: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*}"
};
option (google.api.method_signature) = "name";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPool"
metadata_type: "WorkloadIdentityPoolOperationMetadata"
};
}
// Undeletes a [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool],
// as long as it was deleted fewer than 30 days ago.
rpc UndeleteWorkloadIdentityPool(UndeleteWorkloadIdentityPoolRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
post: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*}:undelete"
body: "*"
};
option (google.api.method_signature) = "name";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPool"
metadata_type: "WorkloadIdentityPoolOperationMetadata"
};
}
// Lists all non-deleted
// [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPoolProvider]s
// in a [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
// If `show_deleted` is set to `true`, then deleted providers are also listed.
rpc ListWorkloadIdentityPoolProviders(ListWorkloadIdentityPoolProvidersRequest) returns (ListWorkloadIdentityPoolProvidersResponse) {
option (google.api.http) = {
get: "/v1beta/{parent=projects/*/locations/*/workloadIdentityPools/*}/providers"
};
option (google.api.method_signature) = "parent";
}
// Gets an individual
// [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPoolProvider].
rpc GetWorkloadIdentityPoolProvider(GetWorkloadIdentityPoolProviderRequest) returns (WorkloadIdentityPoolProvider) {
option (google.api.http) = {
get: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*}"
};
option (google.api.method_signature) = "name";
}
// Creates a new
// [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityProvider]
// in a [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].
//
// You cannot reuse the name of a deleted provider until 30 days after
// deletion.
rpc CreateWorkloadIdentityPoolProvider(CreateWorkloadIdentityPoolProviderRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
post: "/v1beta/{parent=projects/*/locations/*/workloadIdentityPools/*}/providers"
body: "workload_identity_pool_provider"
};
option (google.api.method_signature) = "parent,workload_identity_pool_provider,workload_identity_pool_provider_id";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPoolProvider"
metadata_type: "WorkloadIdentityPoolProviderOperationMetadata"
};
}
// Updates an existing
// [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityProvider].
rpc UpdateWorkloadIdentityPoolProvider(UpdateWorkloadIdentityPoolProviderRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
patch: "/v1beta/{workload_identity_pool_provider.name=projects/*/locations/*/workloadIdentityPools/*/providers/*}"
body: "workload_identity_pool_provider"
};
option (google.api.method_signature) = "workload_identity_pool_provider,update_mask";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPoolProvider"
metadata_type: "WorkloadIdentityPoolProviderOperationMetadata"
};
}
// Deletes a
// [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityProvider].
// Deleting a provider does not revoke credentials that have already been
// issued; they continue to grant access.
// You can undelete a provider for 30 days. After 30 days, deletion is
// permanent.
// You cannot update deleted providers. However, you can view and list them.
rpc DeleteWorkloadIdentityPoolProvider(DeleteWorkloadIdentityPoolProviderRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
delete: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*}"
};
option (google.api.method_signature) = "name";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPoolProvider"
metadata_type: "WorkloadIdentityPoolProviderOperationMetadata"
};
}
// Undeletes a
// [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityProvider],
// as long as it was deleted fewer than 30 days ago.
rpc UndeleteWorkloadIdentityPoolProvider(UndeleteWorkloadIdentityPoolProviderRequest) returns (google.longrunning.Operation) {
option (google.api.http) = {
post: "/v1beta/{name=projects/*/locations/*/workloadIdentityPools/*/providers/*}:undelete"
body: "*"
};
option (google.api.method_signature) = "name";
option (google.longrunning.operation_info) = {
response_type: "WorkloadIdentityPoolProvider"
metadata_type: "WorkloadIdentityPoolProviderOperationMetadata"
};
}
}
// Represents a collection of external workload identities. You can define IAM
// policies to grant these identities access to Google Cloud resources.
message WorkloadIdentityPool {
option (google.api.resource) = {
type: "iam.googleapis.com/WorkloadIdentityPool"
pattern: "projects/{project}/locations/{location}/workloadIdentityPools/{workload_identity_pool}"
};
// The current state of the pool.
enum State {
// State unspecified.
STATE_UNSPECIFIED = 0;
// The pool is active, and may be used in Google Cloud policies.
ACTIVE = 1;
// The pool is soft-deleted. Soft-deleted pools are permanently deleted
// after approximately 30 days. You can restore a soft-deleted pool using
// [UndeleteWorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPools.UndeleteWorkloadIdentityPool].
//
// You cannot reuse the ID of a soft-deleted pool until it is permanently
// deleted.
//
// While a pool is deleted, you cannot use it to exchange tokens, or use
// existing tokens to access resources. If the pool is undeleted, existing
// tokens grant access again.
DELETED = 2;
}
// Output only. The resource name of the pool.
string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
// A display name for the pool. Cannot exceed 32 characters.
string display_name = 2;
// A description of the pool. Cannot exceed 256 characters.
string description = 3;
// Output only. The state of the pool.
State state = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
// Whether the pool is disabled. You cannot use a disabled pool to exchange
// tokens, or use existing tokens to access resources. If
// the pool is re-enabled, existing tokens grant access again.
bool disabled = 5;
}
// A configuration for an external identity provider.
message WorkloadIdentityPoolProvider {
option (google.api.resource) = {
type: "iam.googleapis.com/WorkloadIdentityPoolProvider"
pattern: "projects/{project}/locations/{location}/workloadIdentityPools/{workload_identity_pool}/providers/{workload_identity_pool_provider}"
};
// Represents an Amazon Web Services identity provider.
message Aws {
// Required. The AWS account ID.
string account_id = 1 [(google.api.field_behavior) = REQUIRED];
}
// Represents an OpenId Connect 1.0 identity provider.
message Oidc {
// Required. The OIDC issuer URL.
string issuer_uri = 1 [(google.api.field_behavior) = REQUIRED];
// Acceptable values for the `aud` field (audience) in the OIDC token. Token
// exchange requests are rejected if the token audience does not match one
// of the configured values. Each audience may be at most 256 characters. A
// maximum of 10 audiences may be configured.
//
// If this list is empty, the OIDC token audience must be equal to
// the full canonical resource name of the WorkloadIdentityPoolProvider,
// with or without the HTTPS prefix. For example:
//
// ```
// //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
// https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
// ```
repeated string allowed_audiences = 2;
}
// The current state of the provider.
enum State {
// State unspecified.
STATE_UNSPECIFIED = 0;
// The provider is active, and may be used to validate authentication
// credentials.
ACTIVE = 1;
// The provider is soft-deleted. Soft-deleted providers are permanently
// deleted after approximately 30 days. You can restore a soft-deleted
// provider using
// [UndeleteWorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPools.UndeleteWorkloadIdentityPoolProvider].
//
// You cannot reuse the ID of a soft-deleted provider until it is
// permanently deleted.
DELETED = 2;
}
// Output only. The resource name of the provider.
string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
// A display name for the provider. Cannot exceed 32 characters.
string display_name = 2;
// A description for the provider. Cannot exceed 256 characters.
string description = 3;
// Output only. The state of the provider.
State state = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
// Whether the provider is disabled. You cannot use a disabled provider to
// exchange tokens. However, existing tokens still grant access.
bool disabled = 5;
// Maps attributes from authentication credentials issued by an external
// identity provider to Google Cloud attributes, such as `subject` and
// `segment`.
//
// Each key must be a string specifying the Google Cloud IAM attribute to
// map to.
//
// The following keys are supported:
//
// * `google.subject`: The principal IAM is authenticating. You can reference
// this value in IAM bindings. This is also the
// subject that appears in Cloud Logging logs.
// Cannot exceed 100 characters.
//
// * `google.groups`: Groups the external identity belongs to. You can grant
// groups access to resources using an IAM `principalSet`
// binding; access applies to all members of the group.
//
// You can also provide custom attributes by specifying
// `attribute.{custom_attribute}`, where `{custom_attribute}` is the name of
// the custom attribute to be mapped. You can define a maximum of 50 custom
// attributes. The maximum length of a mapped attribute key is
// 100 characters, and the key may only contain the characters [a-z0-9-].
//
// You can reference these attributes in IAM policies to define fine-grained
// access for a workload to Google Cloud resources. For example:
//
// * `google.subject`:
// `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`
//
// * `google.groups`:
// `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`
//
// * `attribute.{custom_attribute}`:
// `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`
//
// Each value must be a [Common Expression Language]
// (https://opensource.google/projects/cel) function that maps an
// identity provider credential to the normalized attribute specified by the
// corresponding map key.
//
// You can use the `assertion` keyword in the expression to access a JSON
// representation of the authentication credential issued by the provider.
//
// The maximum length of an attribute mapping expression is 2048 characters.
// When evaluated, the total size of all mapped attributes must not exceed
// 8KB.
//
// For AWS providers, the following rules apply:
//
// - If no attribute mapping is defined, the following default mapping
// applies:
//
// ```
// {
// "google.subject":"assertion.arn",
// "attribute.aws_role":
// "assertion.arn.contains('assumed-role')"
// " ? assertion.arn.extract('{account_arn}assumed-role/')"
// " + 'assumed-role/'"
// " + assertion.arn.extract('assumed-role/{role_name}/')"
// " : assertion.arn",
// }
// ```
//
// - If any custom attribute mappings are defined, they must include a mapping
// to the `google.subject` attribute.
//
//
// For OIDC providers, the following rules apply:
//
// - Custom attribute mappings must be defined, and must include a mapping to
// the `google.subject` attribute. For example, the following maps the
// `sub` claim of the incoming credential to the `subject` attribute on
// a Google token.
//
// ```
// {"google.subject": "assertion.sub"}
// ```
map<string, string> attribute_mapping = 6;
// [A Common Expression Language](https://opensource.google/projects/cel)
// expression, in plain text, to restrict what otherwise valid authentication
// credentials issued by the provider should not be accepted.
//
// The expression must output a boolean representing whether to allow the
// federation.
//
// The following keywords may be referenced in the expressions:
//
// * `assertion`: JSON representing the authentication credential issued by
// the provider.
// * `google`: The Google attributes mapped from the assertion in the
// `attribute_mappings`.
// * `attribute`: The custom attributes mapped from the assertion in the
// `attribute_mappings`.
//
// The maximum length of the attribute condition expression is 4096
// characters. If unspecified, all valid authentication credential are
// accepted.
//
// The following example shows how to only allow credentials with a mapped
// `google.groups` value of `admins`:
//
// ```
// "'admins' in google.groups"
// ```
string attribute_condition = 7;
// Identity provider configuration types.
oneof provider_config {
// An Amazon Web Services identity provider.
Aws aws = 8;
// An OpenId Connect 1.0 identity provider.
Oidc oidc = 9;
}
}
// Request message for ListWorkloadIdentityPools.
message ListWorkloadIdentityPoolsRequest {
// Required. The parent resource to list pools for.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudresourcemanager.googleapis.com/Project"
}
];
// The maximum number of pools to return.
// If unspecified, at most 50 pools are returned.
// The maximum value is 1000; values above are 1000 truncated to 1000.
int32 page_size = 2;
// A page token, received from a previous `ListWorkloadIdentityPools`
// call. Provide this to retrieve the subsequent page.
string page_token = 3;
// Whether to return soft-deleted pools.
bool show_deleted = 4;
}
// Response message for ListWorkloadIdentityPools.
message ListWorkloadIdentityPoolsResponse {
// A list of pools.
repeated WorkloadIdentityPool workload_identity_pools = 1;
// A token, which can be sent as `page_token` to retrieve the next page.
// If this field is omitted, there are no subsequent pages.
string next_page_token = 2;
}
// Request message for GetWorkloadIdentityPool.
message GetWorkloadIdentityPoolRequest {
// Required. The name of the pool to retrieve.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPool"
}
];
}
// Request message for CreateWorkloadIdentityPool.
message CreateWorkloadIdentityPoolRequest {
// Required. The parent resource to create the pool in. The only supported
// location is `global`.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudresourcemanager.googleapis.com/Project"
}
];
// Required. The pool to create.
WorkloadIdentityPool workload_identity_pool = 2 [(google.api.field_behavior) = REQUIRED];
// Required. The ID to use for the pool, which becomes the
// final component of the resource name. This value should be 4-32 characters,
// and may contain the characters [a-z0-9-]. The prefix `gcp-` is
// reserved for use by Google, and may not be specified.
string workload_identity_pool_id = 3 [(google.api.field_behavior) = REQUIRED];
}
// Request message for UpdateWorkloadIdentityPool.
message UpdateWorkloadIdentityPoolRequest {
// Required. The pool to update. The `name` field is used to identify the pool.
WorkloadIdentityPool workload_identity_pool = 1 [(google.api.field_behavior) = REQUIRED];
// Required. The list of fields update.
google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}
// Request message for DeleteWorkloadIdentityPool.
message DeleteWorkloadIdentityPoolRequest {
// Required. The name of the pool to delete.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPool"
}
];
}
// Request message for UndeleteWorkloadIdentityPool.
message UndeleteWorkloadIdentityPoolRequest {
// Required. The name of the pool to undelete.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPool"
}
];
}
// Request message for ListWorkloadIdentityPoolProviders.
message ListWorkloadIdentityPoolProvidersRequest {
// Required. The pool to list providers for.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPool"
}
];
// The maximum number of providers to return.
// If unspecified, at most 50 providers are returned.
// The maximum value is 100; values above 100 are truncated to 100.
int32 page_size = 2;
// A page token, received from a previous
// `ListWorkloadIdentityPoolProviders` call. Provide this to retrieve the
// subsequent page.
string page_token = 3;
// Whether to return soft-deleted providers.
bool show_deleted = 4;
}
// Response message for ListWorkloadIdentityPoolProviders.
message ListWorkloadIdentityPoolProvidersResponse {
// A list of providers.
repeated WorkloadIdentityPoolProvider workload_identity_pool_providers = 1;
// A token, which can be sent as `page_token` to retrieve the next page.
// If this field is omitted, there are no subsequent pages.
string next_page_token = 2;
}
// Request message for GetWorkloadIdentityPoolProvider.
message GetWorkloadIdentityPoolProviderRequest {
// Required. The name of the provider to retrieve.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPoolProvider"
}
];
}
// Request message for CreateWorkloadIdentityPoolProvider.
message CreateWorkloadIdentityPoolProviderRequest {
// Required. The pool to create this provider in.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPool"
}
];
// Required. The provider to create.
WorkloadIdentityPoolProvider workload_identity_pool_provider = 2 [(google.api.field_behavior) = REQUIRED];
// Required. The ID for the provider, which becomes the
// final component of the resource name. This value must be 4-32 characters,
// and may contain the characters [a-z0-9-]. The prefix `gcp-` is
// reserved for use by Google, and may not be specified.
string workload_identity_pool_provider_id = 3 [(google.api.field_behavior) = REQUIRED];
}
// Request message for UpdateWorkloadIdentityPoolProvider.
message UpdateWorkloadIdentityPoolProviderRequest {
// Required. The provider to update.
WorkloadIdentityPoolProvider workload_identity_pool_provider = 1 [(google.api.field_behavior) = REQUIRED];
// Required. The list of fields to update.
google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}
// Request message for DeleteWorkloadIdentityPoolProvider.
message DeleteWorkloadIdentityPoolProviderRequest {
// Required. The name of the provider to delete.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPoolProvider"
}
];
}
// Request message for UndeleteWorkloadIdentityPoolProvider.
message UndeleteWorkloadIdentityPoolProviderRequest {
// Required. The name of the provider to undelete.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "iam.googleapis.com/WorkloadIdentityPoolProvider"
}
];
}
// Metadata for long-running WorkloadIdentityPool operations.
message WorkloadIdentityPoolOperationMetadata {}
// Metadata for long-running WorkloadIdentityPoolProvider operations.
message WorkloadIdentityPoolProviderOperationMetadata {}