// Copyright 2019 Google LLC. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; package google.iam.admin.v1; import "google/api/annotations.proto"; import "google/api/client.proto"; import "google/api/field_behavior.proto"; import "google/api/resource.proto"; import "google/iam/v1/iam_policy.proto"; import "google/iam/v1/policy.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/field_mask.proto"; import "google/protobuf/timestamp.proto"; option cc_enable_arenas = true; option go_package = "google.golang.org/genproto/googleapis/iam/admin/v1;admin"; option java_multiple_files = true; option java_outer_classname = "IamProto"; option java_package = "com.google.iam.admin.v1"; // Creates and manages service account objects. // // Service account is an account that belongs to your project instead // of to an individual end user. It is used to authenticate calls // to a Google API. // // To create a service account, specify the `project_id` and `account_id` // for the account. The `account_id` is unique within the project, and used // to generate the service account email address and a stable // `unique_id`. // // All other methods can identify accounts using the format // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from // the account. The `ACCOUNT` value can be the `email` address or the // `unique_id` of the service account. 
service IAM {
  option (google.api.default_host) = "iam.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project.
  rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*}/serviceAccounts"
    };
    option (google.api.method_signature) = "name";
  }

  // Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/serviceAccounts/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]
  // and returns it.
  rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*}/serviceAccounts"
      body: "*"
    };
    option (google.api.method_signature) = "name,account_id,service_account";
  }

  // Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  //
  // Currently, only the following fields are updatable:
  // `display_name` and `description`.
  //
  // Unlike the other methods in this service, the request message is the
  // `ServiceAccount` resource itself (a full `put`), not a dedicated
  // `Update*Request`; the `name` field of the resource identifies the account.
  rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) {
    option (google.api.http) = {
      put: "/v1/{name=projects/*/serviceAccounts/*}"
      body: "*"
    };
  }

  // Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/serviceAccounts/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey].
  rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/serviceAccounts/*}/keys"
    };
    option (google.api.method_signature) = "name,key_types";
  }

  // Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
  // by key id.
  rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
    };
    option (google.api.method_signature) = "name,public_key_type";
  }

  // Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
  // and returns it.
  //
  // The response is the only place the private key material is returned
  // (see `ServiceAccountKey.private_key_data`); it is not retrievable later.
  // A user-managed key is a long-lived credential, so callers are responsible
  // for storing it securely and rotating it.
  rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}/keys"
      body: "*"
    };
    option (google.api.method_signature) = "name,private_key_type,key_algorithm";
  }

  // Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
  rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Signs a blob using a service account's system-managed private key.
  //
  // Being allowed to call this method lets a caller produce signatures as the
  // service account, i.e. act as that identity, so access to it should be
  // granted as carefully as access to the account's own keys.
  rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob"
      body: "*"
    };
    option (google.api.method_signature) = "name,bytes_to_sign";
  }

  // Signs a JWT using a service account's system-managed private key.
  //
  // If no expiry time (`exp`) is provided in the `SignJwtRequest`, IAM sets
  // an expiry time of one hour by default. If you request an expiry time of
  // more than one hour, the request will fail.
  //
  // As with `SignBlob`, the resulting token asserts the service account's
  // identity; treat permission to call this method as an impersonation grant.
  rpc SignJwt(SignJwtRequest) returns (SignJwtResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt"
      body: "*"
    };
    option (google.api.method_signature) = "name,payload";
  }

  // Returns the Cloud IAM access control policy for a
  // [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  //
  // Note: Service accounts are both
  // [resources and
  // identities](/iam/docs/service-accounts#service_account_permissions). This
  // method treats the service account as a resource. It returns the Cloud IAM
  // policy that reflects what members have access to the service account.
  //
  // This method does not return what resources the service account has access
  // to. To see if a service account has access to a resource, call the
  // `getIamPolicy` method on the target resource. For example, to view grants
  // for a project, call the
  // [projects.getIamPolicy](/resource-manager/reference/rest/v1/projects/getIamPolicy)
  // method.
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy"
    };
    option (google.api.method_signature) = "resource";
  }

  // Sets the Cloud IAM access control policy for a
  // [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  //
  // Note: Service accounts are both
  // [resources and
  // identities](/iam/docs/service-accounts#service_account_permissions). This
  // method treats the service account as a resource. Use it to grant members
  // access to the service account, such as when they need to impersonate it.
  //
  // This method does not grant the service account access to other resources,
  // such as projects. To grant a service account access to resources, include
  // the service account in the Cloud IAM policy for the desired resource, then
  // call the appropriate `setIamPolicy` method on the target resource. For
  // example, to grant a service account access to a project, call the
  // [projects.setIamPolicy](/resource-manager/reference/rest/v1/projects/setIamPolicy)
  // method.
  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy"
      body: "*"
    };
    option (google.api.method_signature) = "resource,policy";
  }

  // Tests the specified permissions against the IAM access control policy
  // for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions"
      body: "*"
    };
    option (google.api.method_signature) = "resource,permissions";
  }

  // Queries roles that can be granted on a particular resource.
  // A role is grantable if it can be used as the role in a binding for a policy
  // for that resource.
  rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) {
    option (google.api.http) = {
      post: "/v1/roles:queryGrantableRoles"
      body: "*"
    };
    option (google.api.method_signature) = "full_resource_name";
  }

  // Lists the Roles defined on a resource.
  rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) {
    option (google.api.http) = {
      get: "/v1/roles"
      additional_bindings {
        get: "/v1/{parent=organizations/*}/roles"
      }
      additional_bindings {
        get: "/v1/{parent=projects/*}/roles"
      }
    };
  }

  // Gets a Role definition.
  rpc GetRole(GetRoleRequest) returns (Role) {
    option (google.api.http) = {
      get: "/v1/{name=roles/*}"
      additional_bindings {
        get: "/v1/{name=organizations/*/roles/*}"
      }
      additional_bindings {
        get: "/v1/{name=projects/*/roles/*}"
      }
    };
  }

  // Creates a new Role.
  rpc CreateRole(CreateRoleRequest) returns (Role) {
    option (google.api.http) = {
      post: "/v1/{parent=organizations/*}/roles"
      body: "*"
      additional_bindings {
        post: "/v1/{parent=projects/*}/roles"
        body: "*"
      }
    };
  }

  // Updates a Role definition.
  //
  // Note that the HTTP body is the `role` field of `UpdateRoleRequest`, not
  // the whole request; `update_mask` is carried outside the body.
  rpc UpdateRole(UpdateRoleRequest) returns (Role) {
    option (google.api.http) = {
      patch: "/v1/{name=organizations/*/roles/*}"
      body: "role"
      additional_bindings {
        patch: "/v1/{name=projects/*/roles/*}"
        body: "role"
      }
    };
  }

  // Soft deletes a role. The role is suspended and cannot be used to create new
  // IAM Policy Bindings.
  // The Role will not be included in `ListRoles()` unless `show_deleted` is set
  // in the `ListRolesRequest`. The Role contains the deleted boolean set.
  // Existing Bindings remain, but are inactive. The Role can be undeleted
  // within 7 days. After 7 days the Role is deleted and all Bindings associated
  // with the role are removed.
  rpc DeleteRole(DeleteRoleRequest) returns (Role) {
    option (google.api.http) = {
      delete: "/v1/{name=organizations/*/roles/*}"
      additional_bindings {
        delete: "/v1/{name=projects/*/roles/*}"
      }
    };
  }

  // Undelete a Role, bringing it back in its previous state.
  rpc UndeleteRole(UndeleteRoleRequest) returns (Role) {
    option (google.api.http) = {
      post: "/v1/{name=organizations/*/roles/*}:undelete"
      body: "*"
      additional_bindings {
        post: "/v1/{name=projects/*/roles/*}:undelete"
        body: "*"
      }
    };
  }

  // Lists the permissions testable on a resource.
  // A permission is testable if it can be tested for an identity on a resource.
  rpc QueryTestablePermissions(QueryTestablePermissionsRequest) returns (QueryTestablePermissionsResponse) {
    option (google.api.http) = {
      post: "/v1/permissions:queryTestablePermissions"
      body: "*"
    };
  }
}

// A service account in the Identity and Access Management API.
//
// To create a service account, specify the `project_id` and the `account_id`
// for the account.
// The `account_id` is unique within the project, and is used
// to generate the service account email address and a stable
// `unique_id`.
//
// If the account already exists, the account's resource name is returned
// in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
// can use the name in other methods to access the account.
//
// All other methods can identify the service account using the format
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
// the account. The `ACCOUNT` value can be the `email` address or the
// `unique_id` of the service account.
message ServiceAccount {
  option (google.api.resource) = {
    type: "iam.googleapis.com/ServiceAccount"
    pattern: "projects/{project}/serviceAccounts/{service_account}"
  };

  // NOTE(review): field numbers 3 and 8 are not used in this message and are
  // not `reserved`; confirm they were never published before assigning them.

  // The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  //
  // Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
  // project from the `account` and the `ACCOUNT` value can be the `email`
  // address or the `unique_id` of the service account.
  //
  // In responses the resource name will always be in the format
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  string name = 1;

  // @OutputOnly The id of the project that owns the service account.
  string project_id = 2;

  // @OutputOnly The unique and stable id of the service account.
  // Unlike `email`, this value does not change if the account is renamed or
  // recreated under the same id, which is why it is the safer key for audit
  // records and policy bindings.
  string unique_id = 4;

  // @OutputOnly The email address of the service account.
  string email = 5;

  // Optional. A user-specified name for the service account.
  // Must be less than or equal to 100 UTF-8 bytes.
  string display_name = 6;

  // Optional. Note: `etag` is an inoperable legacy field that is only returned
  // for backwards compatibility. It does not provide concurrency control for
  // `UpdateServiceAccount`.
  bytes etag = 7;

  // @OutputOnly. The OAuth2 client id for the service account.
  // This is used in conjunction with the OAuth2 clientconfig API to make
  // three legged OAuth2 (3LO) flows to access the data of Google users.
  string oauth2_client_id = 9;
}

// The service account create request.
message CreateServiceAccountRequest {
  // Required. The resource name of the project associated with the service
  // accounts, such as `projects/my-project-123`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Project"
    }
  ];

  // Required. The account id that is used to generate the service account
  // email address and a stable unique id. It is unique within a project,
  // must be 6-30 characters long, and match the regular expression
  // `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
  string account_id = 2 [(google.api.field_behavior) = REQUIRED];

  // The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to
  // create. Currently, only the following values are user assignable:
  // `display_name` and `description`.
  ServiceAccount service_account = 3;
}

// The service account list request.
message ListServiceAccountsRequest {
  // Required. The resource name of the project associated with the service
  // accounts, such as `projects/my-project-123`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Project"
    }
  ];

  // Optional limit on the number of service accounts to include in the
  // response. Further accounts can subsequently be obtained by including the
  // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token]
  // in a subsequent request.
  //
  // This is a proto3 scalar without presence, so 0 is indistinguishable from
  // "not set" and the server applies its default page size.
  int32 page_size = 2;

  // Optional pagination token returned in an earlier
  // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token].
  string page_token = 3;
}

// The service account list response.
message ListServiceAccountsResponse {
  // The list of matching service accounts.
  repeated ServiceAccount accounts = 1;

  // To retrieve the next page of results, set
  // [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token]
  // to this value. An empty string means there are no further pages.
  string next_page_token = 2;
}

// The service account get request.
message GetServiceAccountRequest {
  // Required. The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];
}

// The service account delete request.
message DeleteServiceAccountRequest {
  // Required. The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];
}

// The service account keys list request.
message ListServiceAccountKeysRequest {
  // `KeyType` filters to selectively retrieve certain varieties
  // of keys.
  enum KeyType {
    // Unspecified key type. The presence of this in the
    // message will immediately result in an error.
    KEY_TYPE_UNSPECIFIED = 0;

    // User-managed keys (managed and rotated by the user).
    USER_MANAGED = 1;

    // System-managed keys (managed and rotated by Google).
    SYSTEM_MANAGED = 2;
  }

  // Required. The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  //
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];

  // Filters the types of keys the user wants to include in the list
  // response. Duplicate key types are not allowed. If no key type
  // is provided, all keys are returned.
  //
  // Because `KEY_TYPE_UNSPECIFIED` is rejected (see above), an explicit
  // element of this list must always be `USER_MANAGED` or `SYSTEM_MANAGED`.
  repeated KeyType key_types = 2;
}

// The service account keys list response.
message ListServiceAccountKeysResponse {
  // The public keys for the service account.
  // Only public key material is ever listed; see `ServiceAccountKey` for
  // which fields are populated in which responses.
  repeated ServiceAccountKey keys = 1;
}

// The service account key get by id request.
message GetServiceAccountKeyRequest {
  // Required. The resource name of the service account key in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
  //
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/Key"
    }
  ];

  // The output format of the public key requested.
  // X509_PEM is the default output format.
  ServiceAccountPublicKeyType public_key_type = 2;
}

// Represents a service account key.
//
// A service account has two sets of key-pairs: user-managed, and
// system-managed.
//
// User-managed key-pairs can be created and deleted by users. Users are
// responsible for rotating these keys periodically to ensure security of
// their service accounts. Users retain the private key of these key-pairs,
// and Google retains ONLY the public key.
//
// System-managed keys are automatically rotated by Google, and are used for
// signing for a maximum of two weeks.
// The rotation process is probabilistic,
// and usage of the new key will gradually ramp up and down over the key's
// lifetime. We recommend caching the public key set for a service account for
// no more than 24 hours to ensure you have access to the latest keys.
//
// Public keys for all service accounts are also published at the OAuth2
// Service Account API.
message ServiceAccountKey {
  option (google.api.resource) = {
    type: "iam.googleapis.com/Key"
    pattern: "projects/{project}/serviceAccounts/{service_account}/keys/{key}"
  };

  // NOTE(review): field number 6 is not used in this message and is not
  // `reserved`; confirm it was never published before assigning it.

  // The resource name of the service account key in the following format
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
  string name = 1;

  // The output format for the private key.
  // Only provided in `CreateServiceAccountKey` responses, not
  // in `GetServiceAccountKey` or `ListServiceAccountKey` responses.
  //
  // Google never exposes system-managed private keys, and never retains
  // user-managed private keys.
  ServiceAccountPrivateKeyType private_key_type = 2;

  // Specifies the algorithm (and possibly key size) for the key.
  ServiceAccountKeyAlgorithm key_algorithm = 8;

  // The private key data. Only provided in `CreateServiceAccountKey`
  // responses. Make sure to keep the private key data secure because it
  // allows for the assertion of the service account identity.
  // When base64 decoded, the private key data can be used to authenticate with
  // Google API client libraries and with
  // gcloud
  // auth activate-service-account.
  //
  // Treat this field as a secret: do not log it, echo it in error messages,
  // or persist it anywhere other than a secrets store.
  bytes private_key_data = 3;

  // The public key data. Only provided in `GetServiceAccountKey` responses.
  bytes public_key_data = 7;

  // The key can be used after this timestamp.
  google.protobuf.Timestamp valid_after_time = 4;

  // The key can be used before this timestamp.
  // For system-managed key pairs, this timestamp is the end time for the
  // private key signing operation. The public key could still be used
  // for verification for a few hours after this time.
  google.protobuf.Timestamp valid_before_time = 5;
}

// The service account key create request.
message CreateServiceAccountKeyRequest {
  // Required. The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];

  // The output format of the private key. The default value is
  // `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File
  // format.
  ServiceAccountPrivateKeyType private_key_type = 2;

  // Which type of key and algorithm to use for the key.
  // The default is currently a 2K RSA key. However this may change in the
  // future.
  ServiceAccountKeyAlgorithm key_algorithm = 3;
}

// The service account key delete request.
message DeleteServiceAccountKeyRequest {
  // Required. The resource name of the service account key in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/Key"
    }
  ];
}

// The service account sign blob request.
message SignBlobRequest {
  // Required. The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];

  // Required. The bytes to sign.
  // The service signs exactly what is sent; there is no field here to choose
  // a hash or padding scheme, so verifiers must agree on that out of band.
  bytes bytes_to_sign = 2 [(google.api.field_behavior) = REQUIRED];
}

// The service account sign blob response.
message SignBlobResponse {
  // The id of the key used to sign the blob.
  // Verifiers use this to select the matching public key from the account's
  // published key set.
  string key_id = 1;

  // The signed blob.
  bytes signature = 2;
}

// The service account sign JWT request.
message SignJwtRequest {
  // Required. The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];

  // Required. The JWT payload to sign, a JSON JWT Claim set.
  // See the `SignJwt` method: an `exp` claim more than one hour out is
  // rejected, and a missing `exp` defaults to one hour.
  string payload = 2 [(google.api.field_behavior) = REQUIRED];
}

// The service account sign JWT response.
message SignJwtResponse {
  // The id of the key used to sign the JWT.
  string key_id = 1;

  // The signed JWT.
  string signed_jwt = 2;
}

// A role in the Identity and Access Management API.
message Role {
  // A stage representing a role's lifecycle phase.
  //
  // Note that `ALPHA` is the zero value and therefore the proto3 default: a
  // `Role` whose `stage` was never set is indistinguishable on the wire from
  // one explicitly marked `ALPHA`. Value 3 is unused and not `reserved`.
  enum RoleLaunchStage {
    // The user has indicated this role is currently in an Alpha phase. If this
    // launch stage is selected, the `stage` field will not be included when
    // requesting the definition for a given role.
    ALPHA = 0;

    // The user has indicated this role is currently in a Beta phase.
    BETA = 1;

    // The user has indicated this role is generally available.
    GA = 2;

    // The user has indicated this role is being deprecated.
    DEPRECATED = 4;

    // This role is disabled and will not contribute permissions to any members
    // it is granted to in policies.
    DISABLED = 5;

    // The user has indicated this role is currently in an EAP phase.
    EAP = 6;
  }

  // The name of the role.
  //
  // When Role is used in CreateRole, the role name must not be set.
  //
  // When Role is used in output and other input such as UpdateRole, the role
  // name is the complete path, e.g., roles/logging.viewer for predefined roles
  // and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles.
  string name = 1;

  // Optional. A human-readable title for the role. Typically this
  // is limited to 100 UTF-8 bytes.
  string title = 2;

  // Optional. A human-readable description for the role.
  string description = 3;

  // The names of the permissions this role grants when bound in an IAM policy.
  repeated string included_permissions = 7;

  // The current launch stage of the role. If the `ALPHA` launch stage has been
  // selected for a role, the `stage` field will not be included in the
  // returned definition for the role.
  RoleLaunchStage stage = 8;

  // Used to perform a consistent read-modify-write.
  // Send back the value from the last read so a concurrent change to the role
  // is detected rather than silently overwritten.
  bytes etag = 9;

  // The current deleted state of the role. This field is read only.
  // It will be ignored in calls to CreateRole and UpdateRole.
  bool deleted = 11;
}

// The grantable role query request.
message QueryGrantableRolesRequest {
  // Required. The full resource name to query from the list of grantable roles.
  //
  // The name follows the Google Cloud Platform resource format.
  // For example, a Cloud Platform project with id `my-project` will be named
  // `//cloudresourcemanager.googleapis.com/projects/my-project`.
  string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional view for the returned Role objects.
  // NOTE(review): presumably the same semantics as `ListRolesRequest.view`
  // (`FULL` includes `includedPermissions`, default `BASIC`) — confirm.
  RoleView view = 2;

  // Optional limit on the number of roles to include in the response.
  int32 page_size = 3;

  // Optional pagination token returned in an earlier
  // QueryGrantableRolesResponse.
  string page_token = 4;
}

// The grantable role query response.
message QueryGrantableRolesResponse {
  // The list of matching roles.
  repeated Role roles = 1;

  // To retrieve the next page of results, set
  // `QueryGrantableRolesRequest.page_token` to this value.
  string next_page_token = 2;
}

// The request to get all roles defined under a resource.
message ListRolesRequest {
  // The `parent` parameter's value depends on the target resource for the
  // request, namely
  // [`roles`](/iam/reference/rest/v1/roles),
  // [`projects`](/iam/reference/rest/v1/projects.roles), or
  // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
  // resource type's `parent` value format is described below:
  //
  // * [`roles.list()`](/iam/reference/rest/v1/roles/list): An empty string.
  //   This method doesn't require a resource; it simply returns all
  //   [predefined roles](/iam/docs/understanding-roles#predefined_roles) in
  //   Cloud IAM. Example request URL:
  //   `https://iam.googleapis.com/v1/roles`
  //
  // * [`projects.roles.list()`](/iam/reference/rest/v1/projects.roles/list):
  //   `projects/{PROJECT_ID}`. This method lists all project-level
  //   [custom roles](/iam/docs/understanding-custom-roles).
  //   Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
  //
  // * [`organizations.roles.list()`](/iam/reference/rest/v1/organizations.roles/list):
  //   `organizations/{ORGANIZATION_ID}`. This method lists all
  //   organization-level [custom roles](/iam/docs/understanding-custom-roles).
  //   Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  //
  // The `"*"` resource reference type means the field may name any resource
  // type; it is not a wildcard in the value.
  string parent = 1 [(google.api.resource_reference).type = "*"];

  // Optional limit on the number of roles to include in the response.
  int32 page_size = 2;

  // Optional pagination token returned in an earlier ListRolesResponse.
  string page_token = 3;

  // Optional view for the returned Role objects. When `FULL` is specified,
  // the `includedPermissions` field is returned, which includes a list of all
  // permissions in the role. The default value is `BASIC`, which does not
  // return the `includedPermissions` field.
  RoleView view = 4;

  // Include Roles that have been deleted.
  // Soft-deleted roles are otherwise omitted (see `DeleteRole`). Field number
  // 5 is unused and not `reserved`.
  bool show_deleted = 6;
}

// The response containing the roles defined under a resource.
message ListRolesResponse {
  // The Roles defined on this resource.
  repeated Role roles = 1;

  // To retrieve the next page of results, set
  // `ListRolesRequest.page_token` to this value.
  string next_page_token = 2;
}

// The request to get the definition of an existing role.
message GetRoleRequest {
  // The `name` parameter's value depends on the target resource for the
  // request, namely
  // [`roles`](/iam/reference/rest/v1/roles),
  // [`projects`](/iam/reference/rest/v1/projects.roles), or
  // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
  // resource type's `name` value format is described below:
  //
  // * [`roles.get()`](/iam/reference/rest/v1/roles/get): `roles/{ROLE_NAME}`.
  //   This method returns results from all
  //   [predefined roles](/iam/docs/understanding-roles#predefined_roles) in
  //   Cloud IAM. Example request URL:
  //   `https://iam.googleapis.com/v1/roles/{ROLE_NAME}`
  //
  // * [`projects.roles.get()`](/iam/reference/rest/v1/projects.roles/get):
  //   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only
  //   [custom roles](/iam/docs/understanding-custom-roles) that have been
  //   created at the project level. Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // * [`organizations.roles.get()`](/iam/reference/rest/v1/organizations.roles/get):
  //   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
  //   returns only [custom roles](/iam/docs/understanding-custom-roles) that
  //   have been created at the organization level. Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  string name = 1 [(google.api.resource_reference).type = "*"];
}

// The request to create a new role.
message CreateRoleRequest {
  // The `parent` parameter's value depends on the target resource for the
  // request, namely
  // [`projects`](/iam/reference/rest/v1/projects.roles) or
  // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
  // resource type's `parent` value format is described below:
  //
  // * [`projects.roles.create()`](/iam/reference/rest/v1/projects.roles/create):
  //   `projects/{PROJECT_ID}`. This method creates project-level
  //   [custom roles](/iam/docs/understanding-custom-roles).
  //   Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
  //
  // * [`organizations.roles.create()`](/iam/reference/rest/v1/organizations.roles/create):
  //   `organizations/{ORGANIZATION_ID}`. This method creates organization-level
  //   [custom roles](/iam/docs/understanding-custom-roles). Example request
  //   URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  string parent = 1 [(google.api.resource_reference).type = "*"];

  // The role ID to use for this role.
  // Together with `parent` it forms the created role's `name`; `Role.name`
  // itself must be left unset in `role` (see `Role.name`).
  string role_id = 2;

  // The Role resource to create.
  Role role = 3;
}

// The request to update a role.
message UpdateRoleRequest {
  // The `name` parameter's value depends on the target resource for the
  // request, namely
  // [`projects`](/iam/reference/rest/v1/projects.roles) or
  // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
  // resource type's `name` value format is described below:
  //
  // * [`projects.roles.patch()`](/iam/reference/rest/v1/projects.roles/patch):
  //   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only
  //   [custom roles](/iam/docs/understanding-custom-roles) that have been
  //   created at the project level. Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // * [`organizations.roles.patch()`](/iam/reference/rest/v1/organizations.roles/patch):
  //   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
  //   updates only [custom roles](/iam/docs/understanding-custom-roles) that
  //   have been created at the organization level. Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  string name = 1 [(google.api.resource_reference).type = "*"];

  // The updated role.
  // Carry the `etag` from the last read in `role.etag` so the update is a
  // consistent read-modify-write (see `Role.etag`).
  Role role = 2;

  // A mask describing which fields in the Role have changed.
  // Paths are snake_case `Role` field names; fields not listed are left as is.
  google.protobuf.FieldMask update_mask = 3;
}

// The request to delete an existing role.
message DeleteRoleRequest {
  // The `name` parameter's value depends on the target resource for the
  // request, namely
  // [`projects`](/iam/reference/rest/v1/projects.roles) or
  // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
  // resource type's `name` value format is described below:
  //
  // * [`projects.roles.delete()`](/iam/reference/rest/v1/projects.roles/delete):
  //   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only
  //   [custom roles](/iam/docs/understanding-custom-roles) that have been
  //   created at the project level. Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // * [`organizations.roles.delete()`](/iam/reference/rest/v1/organizations.roles/delete):
  //   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
  //   deletes only [custom roles](/iam/docs/understanding-custom-roles) that
  //   have been created at the organization level. Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  string name = 1 [(google.api.resource_reference).type = "*"];

  // Used to perform a consistent read-modify-write.
  // Supplying the `etag` from the last read prevents deleting a role that was
  // changed after it was inspected.
  bytes etag = 2;
}

// The request to undelete an existing role.
message UndeleteRoleRequest {
  // The `name` parameter's value depends on the target resource for the
  // request, namely
  // [`projects`](/iam/reference/rest/v1/projects.roles) or
  // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
  // resource type's `name` value format is described below:
  //
  // * [`projects.roles.undelete()`](/iam/reference/rest/v1/projects.roles/undelete):
  //   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes
  //   only [custom roles](/iam/docs/understanding-custom-roles) that have been
  //   created at the project level. Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // * [`organizations.roles.undelete()`](/iam/reference/rest/v1/organizations.roles/undelete):
  //   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
  //   undeletes only [custom roles](/iam/docs/understanding-custom-roles) that
  //   have been created at the organization level. Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  string name = 1 [(google.api.resource_reference).type = "*"];

  // Used to perform a consistent read-modify-write.
  bytes etag = 2;
}

// A permission which can be included by a role.
message Permission {
  // A stage representing a permission's lifecycle phase.
  enum PermissionLaunchStage {
    // The permission is currently in an alpha phase.
    ALPHA = 0;

    // The permission is currently in a beta phase.
BETA = 1; // The permission is generally available. GA = 2; // The permission is being deprecated. DEPRECATED = 3; } // The state of the permission with regards to custom roles. enum CustomRolesSupportLevel { // Permission is fully supported for custom role use. SUPPORTED = 0; // Permission is being tested to check custom role compatibility. TESTING = 1; // Permission is not supported for custom role use. NOT_SUPPORTED = 2; } // The name of this Permission. string name = 1; // The title of this Permission. string title = 2; // A brief description of what this Permission is used for. // This permission can ONLY be used in predefined roles. string description = 3; // This permission can ONLY be used in predefined roles. bool only_in_predefined_roles = 4; // The current launch stage of the permission. PermissionLaunchStage stage = 5; // The current custom role support level. CustomRolesSupportLevel custom_roles_support_level = 6; } // A request to get permissions which can be tested on a resource. message QueryTestablePermissionsRequest { // Required. The full resource name to query from the list of testable // permissions. // // The name follows the Google Cloud Platform resource format. // For example, a Cloud Platform project with id `my-project` will be named // `//cloudresourcemanager.googleapis.com/projects/my-project`. string full_resource_name = 1; // Optional limit on the number of permissions to include in the response. int32 page_size = 2; // Optional pagination token returned in an earlier // QueryTestablePermissionsRequest. string page_token = 3; } // The response containing permissions which can be tested on a resource. message QueryTestablePermissionsResponse { // The Permissions testable on the requested resource. repeated Permission permissions = 1; // To retrieve the next page of results, set // `QueryTestableRolesRequest.page_token` to this value. string next_page_token = 2; } // Supported key algorithms. 
enum ServiceAccountKeyAlgorithm { // An unspecified key algorithm. KEY_ALG_UNSPECIFIED = 0; // 1k RSA Key. KEY_ALG_RSA_1024 = 1; // 2k RSA Key. KEY_ALG_RSA_2048 = 2; } // Supported private key output formats. enum ServiceAccountPrivateKeyType { // Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`. TYPE_UNSPECIFIED = 0; // PKCS12 format. // The password for the PKCS12 file is `notasecret`. // For more information, see https://tools.ietf.org/html/rfc7292. TYPE_PKCS12_FILE = 1; // Google Credentials File format. TYPE_GOOGLE_CREDENTIALS_FILE = 2; } // Supported public key output formats. enum ServiceAccountPublicKeyType { // Unspecified. Returns nothing here. TYPE_NONE = 0; // X509 PEM format. TYPE_X509_PEM_FILE = 1; // Raw public key. TYPE_RAW_PUBLIC_KEY = 2; } // A view for Role objects. enum RoleView { // Omits the `included_permissions` field. // This is the default value. BASIC = 0; // Returns all fields. FULL = 1; }