// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package google.iam.admin.v1;
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/iam/v1/iam_policy.proto";
import "google/iam/v1/options.proto";
import "google/iam/v1/policy.proto";
import "google/protobuf/any.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";
import "google/type/expr.proto";
import "google/api/annotations.proto";
option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Iam.Admin.V1";
option go_package = "google.golang.org/genproto/googleapis/iam/admin/v1;admin";
option java_multiple_files = true;
option java_outer_classname = "IamProto";
option java_package = "com.google.iam.admin.v1";
option php_namespace = "Google\\Cloud\\Iam\\Admin\\V1";
// Creates and manages Identity and Access Management (IAM) resources.
//
// You can use this service to work with all of the following resources:
//
// * **Service accounts**, which identify an application or a virtual machine
// (VM) instance rather than a person
// * **Service account keys**, which service accounts use to authenticate with
// Google APIs
// * **IAM policies for service accounts**, which specify the roles that a
// member has for the service account
// * **IAM custom roles**, which help you limit the number of permissions that
// you grant to members
//
// In addition, you can use this service to complete the following tasks, among
// others:
//
// * Test whether a service account can use specific permissions
// * Check which roles you can grant for a specific resource
// * Lint, or validate, condition expressions in an IAM policy
service IAM {
  option (google.api.default_host) = "iam.googleapis.com";
  // Service-wide OAuth scope shared by every RPC below.
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Lists every [ServiceAccount][google.iam.admin.v1.ServiceAccount] that belongs to a specific project.
  rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*}/serviceAccounts"
    };
    option (google.api.method_signature) = "name";
  }

  // Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/serviceAccounts/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  //
  // The caller supplies only `account_id` and, optionally, `display_name` and
  // `description` (see [CreateServiceAccountRequest][google.iam.admin.v1.CreateServiceAccountRequest]);
  // the email, unique ID and OAuth client ID are assigned by IAM.
  rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*}/serviceAccounts"
      body: "*"
    };
    option (google.api.method_signature) = "name,account_id,service_account";
  }

  // **Note:** We are in the process of deprecating this method. Use
  // [PatchServiceAccount][google.iam.admin.v1.IAM.PatchServiceAccount] instead.
  //
  // Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  //
  // You can update only the `display_name` and `description` fields.
  //
  // NOTE(review): the request is the resource itself rather than an
  // `UpdateServiceAccountRequest` wrapper, so no request-level fields (such as
  // an update mask) can ever be added; PatchServiceAccount is the wrapped form.
  rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) {
    option (google.api.http) = {
      put: "/v1/{name=projects/*/serviceAccounts/*}"
      body: "*"
    };
  }

  // Patches a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  //
  // The account is identified by `service_account.name`, which is bound into
  // the request URL; `update_mask` selects the fields to patch.
  rpc PatchServiceAccount(PatchServiceAccountRequest) returns (ServiceAccount) {
    option (google.api.http) = {
      patch: "/v1/{service_account.name=projects/*/serviceAccounts/*}"
      body: "*"
    };
  }

  // Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  //
  // **Warning:** After you delete a service account, you might not be able to
  // undelete it. If you know that you need to re-enable the service account in
  // the future, use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] instead.
  //
  // If you delete a service account, IAM permanently removes the service
  // account 30 days later. Google Cloud cannot recover the service account
  // after it is permanently removed, even if you file a support request.
  //
  // To help avoid unplanned outages, we recommend that you disable the service
  // account before you delete it. Use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] to disable the
  // service account, then wait at least 24 hours and watch for unintended
  // consequences. If there are no unintended consequences, you can delete the
  // service account.
  //
  // NOTE(review): returns `google.protobuf.Empty`, so no response field can be
  // added later without a new method. The same applies to
  // EnableServiceAccount, DisableServiceAccount and DeleteServiceAccountKey.
  rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/serviceAccounts/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Restores a deleted [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  //
  // **Important:** It is not always possible to restore a deleted service
  // account. Use this method only as a last resort.
  //
  // After you delete a service account, IAM permanently removes the service
  // account 30 days later. There is no way to restore a deleted service account
  // that has been permanently removed.
  //
  // The account is addressed by its unique ID (see
  // [UndeleteServiceAccountRequest][google.iam.admin.v1.UndeleteServiceAccountRequest]),
  // which a deleted account keeps even if a new account with the same name
  // has since been created.
  rpc UndeleteServiceAccount(UndeleteServiceAccountRequest) returns (UndeleteServiceAccountResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}:undelete"
      body: "*"
    };
  }

  // Enables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] that was disabled by
  // [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount].
  //
  // If the service account is already enabled, then this method has no effect.
  //
  // If the service account was disabled by other means—for example, if Google
  // disabled the service account because it was compromised—you cannot use this
  // method to enable the service account.
  rpc EnableServiceAccount(EnableServiceAccountRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}:enable"
      body: "*"
    };
  }

  // Disables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] immediately.
  //
  // If an application uses the service account to authenticate, that
  // application can no longer call Google APIs or access Google Cloud
  // resources. Existing access tokens for the service account are rejected, and
  // requests for new access tokens will fail.
  //
  // To re-enable the service account, use [EnableServiceAccount][google.iam.admin.v1.IAM.EnableServiceAccount]. After you
  // re-enable the service account, its existing access tokens will be accepted,
  // and you can request new access tokens.
  //
  // To help avoid unplanned outages, we recommend that you disable the service
  // account before you delete it. Use this method to disable the service
  // account, then wait at least 24 hours and watch for unintended consequences.
  // If there are no unintended consequences, you can delete the service account
  // with [DeleteServiceAccount][google.iam.admin.v1.IAM.DeleteServiceAccount].
  //
  // Because existing access tokens are rejected, this is the method to use when
  // an account must stop acting immediately (for example after a suspected key
  // compromise); deleting a key alone does not revoke tokens already issued.
  rpc DisableServiceAccount(DisableServiceAccountRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}:disable"
      body: "*"
    };
  }

  // Lists every [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] for a service account.
  //
  // Only public key material is returned; private key data is only ever
  // present in a CreateServiceAccountKey response.
  rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/serviceAccounts/*}/keys"
    };
    option (google.api.method_signature) = "name,key_types";
  }

  // Gets a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
  rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
    };
    option (google.api.method_signature) = "name,public_key_type";
  }

  // Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
  //
  // The response is the only place the new key's private half is returned
  // (`ServiceAccountKey.private_key_data`); Google does not retain user-managed
  // private keys, so it cannot be fetched again. Callers must store it as a
  // secret and keep it out of logs.
  rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}/keys"
      body: "*"
    };
    option (google.api.method_signature) = "name,private_key_type,key_algorithm";
  }

  // Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey], using a public key that you provide.
  //
  // Only the public half is uploaded; the private key stays with the caller
  // and is never sent to Google.
  rpc UploadServiceAccountKey(UploadServiceAccountKeyRequest) returns (ServiceAccountKey) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}/keys:upload"
      body: "*"
    };
  }

  // Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. Deleting a service account key does not
  // revoke short-lived credentials that have been issued based on the service
  // account key.
  //
  // If tokens already issued must be rejected immediately, use
  // [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount],
  // which rejects existing access tokens for the whole account.
  rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // **Note:** This method is deprecated. Use the
  // [`signBlob`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signBlob)
  // method in the IAM Service Account Credentials API instead. If you currently
  // use this method, see the [migration
  // guide](https://cloud.google.com/iam/help/credentials/migrate-api) for
  // instructions.
  //
  // Signs a blob using the system-managed private key for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) {
    option deprecated = true;
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob"
      body: "*"
    };
    option (google.api.method_signature) = "name,bytes_to_sign";
  }

  // **Note:** This method is deprecated. Use the
  // [`signJwt`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signJwt)
  // method in the IAM Service Account Credentials API instead. If you currently
  // use this method, see the [migration
  // guide](https://cloud.google.com/iam/help/credentials/migrate-api) for
  // instructions.
  //
  // Signs a JSON Web Token (JWT) using the system-managed private key for a
  // [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  rpc SignJwt(SignJwtRequest) returns (SignJwtResponse) {
    option deprecated = true;
    option (google.api.http) = {
      post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt"
      body: "*"
    };
    option (google.api.method_signature) = "name,payload";
  }

  // Gets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. This IAM
  // policy specifies which members have access to the service account.
  //
  // This method does not tell you whether the service account has been granted
  // any roles on other resources. To check whether a service account has role
  // grants on a resource, use the `getIamPolicy` method for that resource. For
  // example, to view the role grants for a project, call the Resource Manager
  // API's
  // [`projects.getIamPolicy`](https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy)
  // method.
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy"
    };
    option (google.api.method_signature) = "resource";
  }

  // Sets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  //
  // Use this method to grant or revoke access to the service account. For
  // example, you could grant a member the ability to impersonate the service
  // account.
  //
  // This method does not enable the service account to access other resources.
  // To grant roles to a service account on a resource, follow these steps:
  //
  // 1. Call the resource's `getIamPolicy` method to get its current IAM policy.
  // 2. Edit the policy so that it binds the service account to an IAM role for
  // the resource.
  // 3. Call the resource's `setIamPolicy` method to update its IAM policy.
  //
  // For detailed instructions, see
  // [Granting roles to a service account for specific
  // resources](https://cloud.google.com/iam/help/service-accounts/granting-access-to-service-accounts).
  //
  // Because a binding set here can let a member act as the service account,
  // this method is itself a privilege-granting operation; restrict which
  // principals may call it and audit its use.
  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy"
      body: "*"
    };
    option (google.api.method_signature) = "resource,policy";
  }

  // Tests whether the caller has the specified permissions on a
  // [ServiceAccount][google.iam.admin.v1.ServiceAccount].
  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions"
      body: "*"
    };
    option (google.api.method_signature) = "resource,permissions";
  }

  // Lists roles that can be granted on a Google Cloud resource. A role is
  // grantable if the IAM policy for the resource can contain bindings to the
  // role.
  rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) {
    option (google.api.http) = {
      post: "/v1/roles:queryGrantableRoles"
      body: "*"
    };
    option (google.api.method_signature) = "full_resource_name";
  }

  // Lists every predefined [Role][google.iam.admin.v1.Role] that IAM supports, or every custom role
  // that is defined for an organization or project.
  //
  // The bare `/v1/roles` binding lists predefined roles; the organization and
  // project bindings list the custom roles defined under that parent.
  rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) {
    option (google.api.http) = {
      get: "/v1/roles"
      additional_bindings {
        get: "/v1/{parent=organizations/*}/roles"
      }
      additional_bindings {
        get: "/v1/{parent=projects/*}/roles"
      }
    };
  }

  // Gets the definition of a [Role][google.iam.admin.v1.Role].
  rpc GetRole(GetRoleRequest) returns (Role) {
    option (google.api.http) = {
      get: "/v1/{name=roles/*}"
      additional_bindings {
        get: "/v1/{name=organizations/*/roles/*}"
      }
      additional_bindings {
        get: "/v1/{name=projects/*/roles/*}"
      }
    };
  }

  // Creates a new custom [Role][google.iam.admin.v1.Role].
  //
  // Custom roles live under an organization or a project; there is no binding
  // for creating a top-level (predefined) role.
  rpc CreateRole(CreateRoleRequest) returns (Role) {
    option (google.api.http) = {
      post: "/v1/{parent=organizations/*}/roles"
      body: "*"
      additional_bindings {
        post: "/v1/{parent=projects/*}/roles"
        body: "*"
      }
    };
  }

  // Updates the definition of a custom [Role][google.iam.admin.v1.Role].
  //
  // Unlike the other mutating RPCs here, the HTTP body is the `role` field of
  // the request rather than the whole request message.
  rpc UpdateRole(UpdateRoleRequest) returns (Role) {
    option (google.api.http) = {
      patch: "/v1/{name=organizations/*/roles/*}"
      body: "role"
      additional_bindings {
        patch: "/v1/{name=projects/*/roles/*}"
        body: "role"
      }
    };
  }

  // Deletes a custom [Role][google.iam.admin.v1.Role].
  //
  // When you delete a custom role, the following changes occur immediately:
  //
  // * You cannot bind a member to the custom role in an IAM
  // [Policy][google.iam.v1.Policy].
  // * Existing bindings to the custom role are not changed, but they have no
  // effect.
  // * By default, the response from [ListRoles][google.iam.admin.v1.IAM.ListRoles] does not include the custom
  // role.
  //
  // You have 7 days to undelete the custom role. After 7 days, the following
  // changes occur:
  //
  // * The custom role is permanently deleted and cannot be recovered.
  // * If an IAM policy contains a binding to the custom role, the binding is
  // permanently removed.
  rpc DeleteRole(DeleteRoleRequest) returns (Role) {
    option (google.api.http) = {
      delete: "/v1/{name=organizations/*/roles/*}"
      additional_bindings {
        delete: "/v1/{name=projects/*/roles/*}"
      }
    };
  }

  // Undeletes a custom [Role][google.iam.admin.v1.Role].
  //
  // Only possible within the 7-day window described on
  // [DeleteRole][google.iam.admin.v1.IAM.DeleteRole].
  rpc UndeleteRole(UndeleteRoleRequest) returns (Role) {
    option (google.api.http) = {
      post: "/v1/{name=organizations/*/roles/*}:undelete"
      body: "*"
      additional_bindings {
        post: "/v1/{name=projects/*/roles/*}:undelete"
        body: "*"
      }
    };
  }

  // Lists every permission that you can test on a resource. A permission is
  // testable if you can check whether a member has that permission on the
  // resource.
  rpc QueryTestablePermissions(QueryTestablePermissionsRequest) returns (QueryTestablePermissionsResponse) {
    option (google.api.http) = {
      post: "/v1/permissions:queryTestablePermissions"
      body: "*"
    };
  }

  // Returns a list of services that allow you to opt into audit logs that are
  // not generated by default.
  //
  // To learn more about audit logs, see the [Logging
  // documentation](https://cloud.google.com/logging/docs/audit).
  rpc QueryAuditableServices(QueryAuditableServicesRequest) returns (QueryAuditableServicesResponse) {
    option (google.api.http) = {
      post: "/v1/iamPolicies:queryAuditableServices"
      body: "*"
    };
  }

  // Lints, or validates, an IAM policy. Currently checks the
  // [google.iam.v1.Binding.condition][google.iam.v1.Binding.condition] field, which contains a condition
  // expression for a role binding.
  //
  // Successful calls to this method always return an HTTP `200 OK` status code,
  // even if the linter detects an issue in the IAM policy.
  //
  // Callers therefore cannot use the status code to detect findings; they must
  // inspect the response body.
  rpc LintPolicy(LintPolicyRequest) returns (LintPolicyResponse) {
    option (google.api.http) = {
      post: "/v1/iamPolicies:lintPolicy"
      body: "*"
    };
  }
}
// An IAM service account.
//
// A service account is an account for an application or a virtual machine (VM)
// instance, not a person. You can use a service account to call Google APIs. To
// learn more, read the [overview of service
// accounts](https://cloud.google.com/iam/help/service-accounts/overview).
//
// When you create a service account, you specify the project ID that owns the
// service account, as well as a name that must be unique within the project.
// IAM uses these values to create an email address that identifies the service
// account.
message ServiceAccount {
  option (google.api.resource) = {
    type: "iam.googleapis.com/ServiceAccount"
    pattern: "projects/{project}/serviceAccounts/{service_account}"
  };

  // NOTE(review): field numbers 3 and 10 are unused but not declared
  // `reserved`; if they once carried fields, reserving them would block
  // accidental reuse of the number with a different meaning.

  // The resource name of the service account.
  //
  // Use one of the following formats:
  //
  // * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
  // * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
  //
  // As an alternative, you can use the `-` wildcard character instead of the
  // project ID:
  //
  // * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
  // * `projects/-/serviceAccounts/{UNIQUE_ID}`
  //
  // When possible, avoid using the `-` wildcard character, because it can cause
  // response messages to contain misleading error codes. For example, if you
  // try to get the service account
  // `projects/-/serviceAccounts/fake@example.com`, which does not exist, the
  // response contains an HTTP `403 Forbidden` error instead of a `404 Not
  // Found` error.
  string name = 1;

  // Output only. The ID of the project that owns the service account.
  string project_id = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The unique, stable numeric ID for the service account.
  //
  // Each service account retains its unique ID even if you delete the service
  // account. For example, if you delete a service account, then create a new
  // service account with the same name, the new service account has a different
  // unique ID than the deleted service account.
  //
  // Prefer this ID over `email` when an identifier must not be silently
  // re-bound to a different account (for example in audit records).
  string unique_id = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The email address of the service account.
  string email = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. A user-specified, human-readable name for the service account. The maximum
  // length is 100 UTF-8 bytes.
  string display_name = 6 [(google.api.field_behavior) = OPTIONAL];

  // Deprecated. Do not use.
  //
  // Kept only so that the field number stays occupied; it carries no
  // concurrency-control meaning here.
  bytes etag = 7 [deprecated = true];

  // Optional. A user-specified, human-readable description of the service account. The
  // maximum length is 256 UTF-8 bytes.
  string description = 8 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The OAuth 2.0 client ID for the service account.
  string oauth2_client_id = 9 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Whether the service account is disabled.
  //
  // While disabled, existing access tokens for the account are rejected and
  // new ones cannot be obtained (see
  // [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount]).
  // Implicit presence: `false` is indistinguishable from "unset".
  bool disabled = 11 [(google.api.field_behavior) = OUTPUT_ONLY];
}
// The service account create request.
message CreateServiceAccountRequest {
  // Required. The resource name of the project associated with the service
  // accounts, such as `projects/my-project-123`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Project"
    }
  ];

  // Required. The account id that is used to generate the service account
  // email address and a stable unique id. It is unique within a project,
  // must be 6-30 characters long, and match the regular expression
  // `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
  //
  // Because the id becomes part of the account's email address, it should be
  // validated against the pattern above before the request is sent.
  string account_id = 2 [(google.api.field_behavior) = REQUIRED];

  // The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to
  // create. Currently, only the following values are user assignable:
  // `display_name` and `description`.
  //
  // Message-typed, so it may be omitted entirely; any other fields set on it
  // are not user assignable.
  ServiceAccount service_account = 3;
}
// The service account list request.
message ListServiceAccountsRequest {
  // Required. The resource name of the project associated with the service
  // accounts, such as `projects/my-project-123`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Project"
    }
  ];

  // Optional limit on the number of service accounts to include in the
  // response. Further accounts can subsequently be obtained by including the
  // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token]
  // in a subsequent request.
  //
  // The default is 20, and the maximum is 100.
  //
  // Implicit presence: leaving this at 0 is the same as omitting it and
  // selects the default page size.
  int32 page_size = 2;

  // Optional pagination token returned in an earlier
  // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token].
  //
  // Opaque; callers should pass it back unchanged rather than interpret it.
  string page_token = 3;
}
// The service account list response.
message ListServiceAccountsResponse {
  // The list of matching service accounts.
  //
  // At most `page_size` entries (see
  // [ListServiceAccountsRequest.page_size][google.iam.admin.v1.ListServiceAccountsRequest.page_size]).
  repeated ServiceAccount accounts = 1;

  // To retrieve the next page of results, set
  // [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token]
  // to this value.
  //
  // NOTE(review): presumably empty when there are no further pages, as is
  // usual for list responses — confirm against the service.
  string next_page_token = 2;
}
// The service account get request.
message GetServiceAccountRequest {
  // Required. The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  //
  // See [ServiceAccount.name][google.iam.admin.v1.ServiceAccount.name] for why
  // the `-` wildcard can turn a not-found into a `403` response.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];
}
// The service account delete request.
message DeleteServiceAccountRequest {
  // Required. The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  //
  // Deletion is destructive after 30 days (see
  // [DeleteServiceAccount][google.iam.admin.v1.IAM.DeleteServiceAccount]);
  // prefer the `unique_id` form when the caller must be certain which account
  // is affected.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];
}
// The request for
// [PatchServiceAccount][google.iam.admin.v1.IAM.PatchServiceAccount].
//
// You can patch only the `display_name` and `description` fields. You must use
// the `update_mask` field to specify which of these fields you want to patch.
//
// Only the fields specified in the request are guaranteed to be returned in
// the response. Other fields may be empty in the response.
message PatchServiceAccountRequest {
  // The service account to patch. Its `name` identifies the account and is
  // bound into the request URL; of the remaining fields only `display_name`
  // and `description` can be patched.
  ServiceAccount service_account = 1;

  // Names the fields of `service_account` to patch. You must set this to
  // select which of the patchable fields are written.
  google.protobuf.FieldMask update_mask = 2;
}
// The service account undelete request.
message UndeleteServiceAccountRequest {
  // The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT_UNIQUE_ID}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account.
  //
  // Unlike the other service account requests in this file, the account
  // segment is the unique ID rather than the email address: a deleted account
  // keeps its unique ID, whereas a new account created with the same name
  // gets a different one, so the ID is unambiguous.
  //
  // NOTE(review): carries no REQUIRED / resource_reference annotation, unlike
  // the sibling request messages; confirm whether that is intentional.
  string name = 1;
}
// The service account undelete response.
message UndeleteServiceAccountResponse {
  // Metadata for the restored service account.
  ServiceAccount restored_account = 1;
}
// The service account enable request.
message EnableServiceAccountRequest {
  // The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  //
  // NOTE(review): carries no REQUIRED / resource_reference annotation, unlike
  // the sibling request messages; confirm whether that is intentional.
  string name = 1;
}
// The service account disable request.
message DisableServiceAccountRequest {
  // The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  //
  // Disabling takes effect immediately and rejects existing access tokens
  // (see [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount]).
  //
  // NOTE(review): carries no REQUIRED / resource_reference annotation, unlike
  // the sibling request messages; confirm whether that is intentional.
  string name = 1;
}
// The service account keys list request.
message ListServiceAccountKeysRequest {
  // `KeyType` filters to selectively retrieve certain varieties
  // of keys.
  //
  // Also reused as the type of
  // [ServiceAccountKey.key_type][google.iam.admin.v1.ServiceAccountKey.key_type].
  //
  // NOTE(review): the non-zero values lack the `KEY_TYPE_` prefix; they are
  // scoped to this message, and renaming them would break generated code, so
  // they are left as published.
  enum KeyType {
    // Unspecified key type. The presence of this in the
    // message will immediately result in an error.
    KEY_TYPE_UNSPECIFIED = 0;

    // User-managed keys (managed and rotated by the user).
    USER_MANAGED = 1;

    // System-managed keys (managed and rotated by Google).
    SYSTEM_MANAGED = 2;
  }

  // Required. The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  //
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];

  // Filters the types of keys the user wants to include in the list
  // response. Duplicate key types are not allowed. If no key type
  // is provided, all keys are returned.
  //
  // Do not include `KEY_TYPE_UNSPECIFIED`; it is rejected with an error.
  repeated KeyType key_types = 2;
}
// The service account keys list response.
message ListServiceAccountKeysResponse {
  // The public keys for the service account.
  //
  // Private key material is never included here; `private_key_data` is only
  // returned by CreateServiceAccountKey (see
  // [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]).
  // Not paginated: the whole key set is returned in one response.
  repeated ServiceAccountKey keys = 1;
}
// The service account key get by id request.
message GetServiceAccountKeyRequest {
  // Required. The resource name of the service account key in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
  //
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/Key"
    }
  ];

  // The output format of the public key requested.
  // X509_PEM is the default output format.
  //
  // Only affects `public_key_data` in the response; the private key is never
  // returned by this request.
  ServiceAccountPublicKeyType public_key_type = 2;
}
// Represents a service account key.
//
// A service account has two sets of key-pairs: user-managed, and
// system-managed.
//
// User-managed key-pairs can be created and deleted by users. Users are
// responsible for rotating these keys periodically to ensure security of
// their service accounts. Users retain the private key of these key-pairs,
// and Google retains ONLY the public key.
//
// System-managed keys are automatically rotated by Google, and are used for
// signing for a maximum of two weeks. The rotation process is probabilistic,
// and usage of the new key will gradually ramp up and down over the key's
// lifetime.
//
// If you cache the public key set for a service account, we recommend that you
// update the cache every 15 minutes. User-managed keys can be added and removed
// at any time, so it is important to update the cache frequently. For
// Google-managed keys, Google will publish a key at least 6 hours before it is
// first used for signing and will keep publishing it for at least 6 hours after
// it was last used for signing.
//
// Public keys for all service accounts are also published at the OAuth2
// Service Account API.
message ServiceAccountKey {
  option (google.api.resource) = {
    type: "iam.googleapis.com/Key"
    pattern: "projects/{project}/serviceAccounts/{service_account}/keys/{key}"
  };

  // NOTE(review): field number 6 is unused but not declared `reserved`; if it
  // once carried a field, reserving it would block accidental reuse.

  // The resource name of the service account key in the following format
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
  string name = 1;

  // The output format for the private key.
  // Only provided in `CreateServiceAccountKey` responses, not
  // in `GetServiceAccountKey` or `ListServiceAccountKey` responses.
  //
  // Google never exposes system-managed private keys, and never retains
  // user-managed private keys.
  ServiceAccountPrivateKeyType private_key_type = 2;

  // Specifies the algorithm (and possibly key size) for the key.
  ServiceAccountKeyAlgorithm key_algorithm = 8;

  // The private key data. Only provided in `CreateServiceAccountKey`
  // responses. Make sure to keep the private key data secure because it
  // allows for the assertion of the service account identity.
  // When base64 decoded, the private key data can be used to authenticate with
  // Google API client libraries and with
  // gcloud
  // auth activate-service-account.
  //
  // This is the most sensitive field in the file: it is a bearer credential
  // for the account, Google does not retain it, and it cannot be fetched
  // again. Store it in a secret store, never log it or serialize this message
  // into logs, and rotate the key periodically as the message comment
  // describes. Deleting the key later does not revoke tokens already issued
  // with it.
  bytes private_key_data = 3;

  // The public key data. Only provided in `GetServiceAccountKey` responses.
  bytes public_key_data = 7;

  // The key can be used after this timestamp.
  google.protobuf.Timestamp valid_after_time = 4;

  // The key can be used before this timestamp.
  // For system-managed key pairs, this timestamp is the end time for the
  // private key signing operation. The public key could still be used
  // for verification for a few hours after this time.
  google.protobuf.Timestamp valid_before_time = 5;

  // The key origin.
  ServiceAccountKeyOrigin key_origin = 9;

  // The key type.
  //
  // NOTE(review): reuses the enum nested in a request message; a top-level
  // enum would decouple the resource from the request, but moving it now
  // would break generated code.
  ListServiceAccountKeysRequest.KeyType key_type = 10;
}
// The service account key create request.
message CreateServiceAccountKeyRequest {
  // Required. The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];

  // The output format of the private key. The default value is
  // `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File
  // format.
  //
  // Determines how `ServiceAccountKey.private_key_data` in the response is
  // encoded; the private key is returned in that response only.
  ServiceAccountPrivateKeyType private_key_type = 2;

  // Which type of key and algorithm to use for the key.
  // The default is currently a 2K RSA key. However this may change in the
  // future.
  //
  // Leaving this unset accepts whatever default the service applies at the
  // time of the call; set it explicitly if a specific algorithm is required.
  ServiceAccountKeyAlgorithm key_algorithm = 3;
}
// The service account key upload request.
message UploadServiceAccountKeyRequest {
  // The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  //
  // NOTE(review): carries no REQUIRED / resource_reference annotation, unlike
  // the sibling request messages; confirm whether that is intentional.
  string name = 1;

  // A field that allows clients to upload their own public key. If set,
  // use this public key data to create a service account key for given
  // service account.
  // Please note, the expected format for this field is X509_PEM.
  //
  // Only the public half is transmitted; the matching private key stays with
  // the caller, who is responsible for protecting and rotating it.
  bytes public_key_data = 2;
}
// The service account key delete request.
message DeleteServiceAccountKeyRequest {
  // Required. The resource name of the service account key in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  //
  // Deleting a key does not revoke short-lived credentials already issued
  // with it (see
  // [DeleteServiceAccountKey][google.iam.admin.v1.IAM.DeleteServiceAccountKey]).
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/Key"
    }
  ];
}
// Deprecated. [Migrate to Service Account Credentials
// API](https://cloud.google.com/iam/help/credentials/migrate-api).
//
// The service account sign blob request.
message SignBlobRequest {
  // Required. Deprecated. [Migrate to Service Account Credentials
  // API](https://cloud.google.com/iam/help/credentials/migrate-api).
  //
  // The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    deprecated = true,
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];

  // Required. Deprecated. [Migrate to Service Account Credentials
  // API](https://cloud.google.com/iam/help/credentials/migrate-api).
  //
  // The bytes to sign. Sent as raw `bytes`; any hashing or encoding is
  // outside this message's contract.
  bytes bytes_to_sign = 2 [
    deprecated = true,
    (google.api.field_behavior) = REQUIRED
  ];
}
// Deprecated. [Migrate to Service Account Credentials
// API](https://cloud.google.com/iam/help/credentials/migrate-api).
//
// The service account sign blob response.
message SignBlobResponse {
  // Deprecated. [Migrate to Service Account Credentials
  // API](https://cloud.google.com/iam/help/credentials/migrate-api).
  //
  // The id of the key used to sign the blob. Presumably lets a verifier
  // select the matching public key of the service account — confirm.
  string key_id = 1 [deprecated = true];

  // Deprecated. [Migrate to Service Account Credentials
  // API](https://cloud.google.com/iam/help/credentials/migrate-api).
  //
  // The signed blob.
  bytes signature = 2 [deprecated = true];
}
// Supported key algorithms.
enum ServiceAccountKeyAlgorithm {
  // An unspecified key algorithm. This is the proto3 zero value, so it is
  // what the server sees when `CreateServiceAccountKeyRequest.key_algorithm`
  // is left unset; that field documents that the server then applies its
  // current default (a 2K RSA key at the time of writing).
  KEY_ALG_UNSPECIFIED = 0;

  // 1k RSA Key. 1024-bit RSA is below widely published minimum key-strength
  // guidance for new signing keys; prefer `KEY_ALG_RSA_2048`.
  KEY_ALG_RSA_1024 = 1;

  // 2k RSA Key.
  KEY_ALG_RSA_2048 = 2;
}
// Supported private key output formats.
enum ServiceAccountPrivateKeyType {
  // Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`.
  // This is the proto3 zero value, i.e. the result of leaving
  // `CreateServiceAccountKeyRequest.private_key_type` unset.
  TYPE_UNSPECIFIED = 0;

  // PKCS12 format.
  // The password for the PKCS12 file is `notasecret`.
  // For more information, see https://tools.ietf.org/html/rfc7292.
  // Because that password is fixed and publicly documented, the PKCS12
  // wrapping provides no confidentiality: protect the file exactly as you
  // would an unencrypted private key.
  TYPE_PKCS12_FILE = 1;

  // Google Credentials File format.
  TYPE_GOOGLE_CREDENTIALS_FILE = 2;
}
// Supported public key output formats.
enum ServiceAccountPublicKeyType {
  // Unspecified. Returns nothing here. This is the proto3 zero value, so a
  // request that does not set a public key type receives no public key data.
  TYPE_NONE = 0;

  // X509 PEM format.
  TYPE_X509_PEM_FILE = 1;

  // Raw public key.
  TYPE_RAW_PUBLIC_KEY = 2;
}
// Service Account Key Origin.
//
// Records where the key pair was generated; useful when auditing which keys
// have private material that was never held by Google.
enum ServiceAccountKeyOrigin {
  // Unspecified key origin.
  ORIGIN_UNSPECIFIED = 0;

  // Key is provided by user. Presumably the origin of keys added through
  // `UploadServiceAccountKeyRequest` — confirm.
  USER_PROVIDED = 1;

  // Key is provided by Google. Presumably the origin of keys generated
  // through `CreateServiceAccountKeyRequest` — confirm.
  GOOGLE_PROVIDED = 2;
}
// Deprecated. [Migrate to Service Account Credentials
// API](https://cloud.google.com/iam/help/credentials/migrate-api).
//
// The service account sign JWT request.
message SignJwtRequest {
  // Required. Deprecated. [Migrate to Service Account Credentials
  // API](https://cloud.google.com/iam/help/credentials/migrate-api).
  //
  // The resource name of the service account in the following format:
  // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
  // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
  // the account. The `ACCOUNT` value can be the `email` address or the
  // `unique_id` of the service account.
  string name = 1 [
    deprecated = true,
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iam.googleapis.com/ServiceAccount"
    }
  ];

  // Required. Deprecated. [Migrate to Service Account Credentials
  // API](https://cloud.google.com/iam/help/credentials/migrate-api).
  //
  // The JWT payload to sign. Must be a serialized JSON object that contains a
  // JWT Claims Set. For example: `{"sub": "user@example.com", "iat": 313435}`
  //
  // If the JWT Claims Set contains an expiration time (`exp`) claim, it must be
  // an integer timestamp that is not in the past and no more than 1 hour in the
  // future.
  //
  // If the JWT Claims Set does not contain an expiration time (`exp`) claim,
  // this claim is added automatically, with a timestamp that is 1 hour in the
  // future.
  //
  // The 1 hour cap bounds the lifetime of any token minted through this
  // request; the payload is a `string`, so it must be valid UTF-8.
  string payload = 2 [
    deprecated = true,
    (google.api.field_behavior) = REQUIRED
  ];
}
// Deprecated. [Migrate to Service Account Credentials
// API](https://cloud.google.com/iam/help/credentials/migrate-api).
//
// The service account sign JWT response.
message SignJwtResponse {
  // Deprecated. [Migrate to Service Account Credentials
  // API](https://cloud.google.com/iam/help/credentials/migrate-api).
  //
  // The id of the key used to sign the JWT.
  string key_id = 1 [deprecated = true];

  // Deprecated. [Migrate to Service Account Credentials
  // API](https://cloud.google.com/iam/help/credentials/migrate-api).
  //
  // The signed JWT. Returned as a `string` (unlike `SignBlobResponse.signature`,
  // which is `bytes`), presumably in compact serialized JWT form — confirm.
  string signed_jwt = 2 [deprecated = true];
}
// A role in the Identity and Access Management API.
message Role {
  // A stage representing a role's lifecycle phase.
  //
  // `ALPHA` is the zero value, so an unset `stage` is indistinguishable from
  // `ALPHA`; this is why `ALPHA` is omitted from returned definitions (see
  // the `stage` field below).
  enum RoleLaunchStage {
    // The user has indicated this role is currently in an Alpha phase. If this
    // launch stage is selected, the `stage` field will not be included when
    // requesting the definition for a given role.
    ALPHA = 0;

    // The user has indicated this role is currently in a Beta phase.
    BETA = 1;

    // The user has indicated this role is generally available.
    GA = 2;

    // Value 3 is unassigned here; presumably retired — confirm before ever
    // reusing it.
    // The user has indicated this role is being deprecated.
    DEPRECATED = 4;

    // This role is disabled and will not contribute permissions to any members
    // it is granted to in policies.
    DISABLED = 5;

    // The user has indicated this role is currently in an EAP phase.
    EAP = 6;
  }

  // The name of the role.
  //
  // When Role is used in CreateRole, the role name must not be set.
  //
  // When Role is used in output and other input such as UpdateRole, the role
  // name is the complete path, e.g., roles/logging.viewer for predefined roles
  // and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles.
  string name = 1;

  // Optional. A human-readable title for the role. Typically this
  // is limited to 100 UTF-8 bytes.
  string title = 2;

  // Optional. A human-readable description for the role.
  string description = 3;

  // The names of the permissions this role grants when bound in an IAM policy.
  // Only returned when the request asked for `RoleView.FULL`; `BASIC` (the
  // default view) omits this field, so an empty list does not by itself mean
  // the role grants nothing.
  repeated string included_permissions = 7;

  // The current launch stage of the role. If the `ALPHA` launch stage has been
  // selected for a role, the `stage` field will not be included in the
  // returned definition for the role.
  RoleLaunchStage stage = 8;

  // Used to perform a consistent read-modify-write. Presumably the value
  // returned by a read is passed back on the following UpdateRole/DeleteRole
  // so that a concurrent modification is detected — confirm.
  bytes etag = 9;

  // The current deleted state of the role. This field is read only.
  // It will be ignored in calls to CreateRole and UpdateRole.
  bool deleted = 11;
}
// The grantable role query request.
message QueryGrantableRolesRequest {
  // Required. The full resource name to query from the list of grantable roles.
  //
  // The name follows the Google Cloud Platform resource format.
  // For example, a Cloud Platform project with id `my-project` will be named
  // `//cloudresourcemanager.googleapis.com/projects/my-project`.
  string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional view for the returned Role objects. `BASIC` (the default, zero
  // value) omits `included_permissions`; `FULL` returns all fields. See
  // `RoleView`.
  RoleView view = 2;

  // Optional limit on the number of roles to include in the response.
  //
  // The default is 300, and the maximum is 1,000.
  int32 page_size = 3;

  // Optional pagination token returned in an earlier
  // QueryGrantableRolesResponse.
  string page_token = 4;
}
// The grantable role query response.
message QueryGrantableRolesResponse {
  // The list of matching roles.
  repeated Role roles = 1;

  // To retrieve the next page of results, set
  // `QueryGrantableRolesRequest.page_token` to this value. Empty when there
  // are no further pages.
  string next_page_token = 2;
}
// The request to get all roles defined under a resource.
message ListRolesRequest {
  // The `parent` parameter's value depends on the target resource for the
  // request, namely
  // [`roles`](/iam/reference/rest/v1/roles),
  // [`projects`](/iam/reference/rest/v1/projects.roles), or
  // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
  // resource type's `parent` value format is described below:
  //
  // * [`roles.list()`](/iam/reference/rest/v1/roles/list): An empty string.
  //   This method doesn't require a resource; it simply returns all
  //   [predefined roles](/iam/docs/understanding-roles#predefined_roles) in
  //   Cloud IAM. Example request URL:
  //   `https://iam.googleapis.com/v1/roles`
  //
  // * [`projects.roles.list()`](/iam/reference/rest/v1/projects.roles/list):
  //   `projects/{PROJECT_ID}`. This method lists all project-level
  //   [custom roles](/iam/docs/understanding-custom-roles).
  //   Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
  //
  // * [`organizations.roles.list()`](/iam/reference/rest/v1/organizations.roles/list):
  //   `organizations/{ORGANIZATION_ID}`. This method lists all
  //   organization-level [custom roles](/iam/docs/understanding-custom-roles).
  //   Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  //
  // The resource reference type is `"*"` because the parent may be any of the
  // resource types listed above.
  string parent = 1 [(google.api.resource_reference).type = "*"];

  // Optional limit on the number of roles to include in the response.
  //
  // The default is 300, and the maximum is 1,000.
  int32 page_size = 2;

  // Optional pagination token returned in an earlier ListRolesResponse.
  string page_token = 3;

  // Optional view for the returned Role objects. When `FULL` is specified,
  // the `includedPermissions` field is returned, which includes a list of all
  // permissions in the role. The default value is `BASIC`, which does not
  // return the `includedPermissions` field.
  RoleView view = 4;

  // Include Roles that have been deleted (see `Role.deleted`). Defaults to
  // false, so deleted roles are omitted unless explicitly requested.
  bool show_deleted = 6;
}
// The response containing the roles defined under a resource.
message ListRolesResponse {
  // The Roles defined on this resource. `included_permissions` is populated
  // only if the request asked for `RoleView.FULL`.
  repeated Role roles = 1;

  // To retrieve the next page of results, set
  // `ListRolesRequest.page_token` to this value.
  string next_page_token = 2;
}
// The request to get the definition of an existing role.
message GetRoleRequest {
  // The `name` parameter's value depends on the target resource for the
  // request, namely
  // [`roles`](/iam/reference/rest/v1/roles),
  // [`projects`](/iam/reference/rest/v1/projects.roles), or
  // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
  // resource type's `name` value format is described below:
  //
  // * [`roles.get()`](/iam/reference/rest/v1/roles/get): `roles/{ROLE_NAME}`.
  //   This method returns results from all
  //   [predefined roles](/iam/docs/understanding-roles#predefined_roles) in
  //   Cloud IAM. Example request URL:
  //   `https://iam.googleapis.com/v1/roles/{ROLE_NAME}`
  //
  // * [`projects.roles.get()`](/iam/reference/rest/v1/projects.roles/get):
  //   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only
  //   [custom roles](/iam/docs/understanding-custom-roles) that have been
  //   created at the project level. Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // * [`organizations.roles.get()`](/iam/reference/rest/v1/organizations.roles/get):
  //   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
  //   returns only [custom roles](/iam/docs/understanding-custom-roles) that
  //   have been created at the organization level. Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  //
  // The resource reference type is `"*"` because the name may refer to any of
  // the resource types listed above.
  string name = 1 [(google.api.resource_reference).type = "*"];
}
// The request to create a new role.
message CreateRoleRequest {
  // The `parent` parameter's value depends on the target resource for the
  // request, namely
  // [`projects`](/iam/reference/rest/v1/projects.roles) or
  // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
  // resource type's `parent` value format is described below:
  //
  // * [`projects.roles.create()`](/iam/reference/rest/v1/projects.roles/create):
  //   `projects/{PROJECT_ID}`. This method creates project-level
  //   [custom roles](/iam/docs/understanding-custom-roles).
  //   Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
  //
  // * [`organizations.roles.create()`](/iam/reference/rest/v1/organizations.roles/create):
  //   `organizations/{ORGANIZATION_ID}`. This method creates organization-level
  //   [custom roles](/iam/docs/understanding-custom-roles). Example request
  //   URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  string parent = 1 [(google.api.resource_reference).type = "*"];

  // The role ID to use for this role.
  //
  // A role ID may contain alphanumeric characters, underscores (`_`), and
  // periods (`.`). It must contain a minimum of 3 characters and a maximum of
  // 64 characters.
  string role_id = 2;

  // The Role resource to create. Per `Role.name`, the name must not be set
  // here (it is derived from `parent` and `role_id`); `Role.deleted` is
  // ignored on create.
  Role role = 3;
}
// The request to update a role.
message UpdateRoleRequest {
  // The `name` parameter's value depends on the target resource for the
  // request, namely
  // [`projects`](/iam/reference/rest/v1/projects.roles) or
  // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
  // resource type's `name` value format is described below:
  //
  // * [`projects.roles.patch()`](/iam/reference/rest/v1/projects.roles/patch):
  //   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only
  //   [custom roles](/iam/docs/understanding-custom-roles) that have been
  //   created at the project level. Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // * [`organizations.roles.patch()`](/iam/reference/rest/v1/organizations.roles/patch):
  //   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
  //   updates only [custom roles](/iam/docs/understanding-custom-roles) that
  //   have been created at the organization level. Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  string name = 1 [(google.api.resource_reference).type = "*"];

  // The updated role. `Role.deleted` is ignored on update; `Role.etag`
  // carries the value for the consistent read-modify-write described on
  // `Role`.
  Role role = 2;

  // A mask describing which fields in the Role have changed. Paths are the
  // snake_case field names of `Role` (e.g. `included_permissions`).
  google.protobuf.FieldMask update_mask = 3;
}
// The request to delete an existing role.
message DeleteRoleRequest {
  // The `name` parameter's value depends on the target resource for the
  // request, namely
  // [`projects`](/iam/reference/rest/v1/projects.roles) or
  // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
  // resource type's `name` value format is described below:
  //
  // * [`projects.roles.delete()`](/iam/reference/rest/v1/projects.roles/delete):
  //   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only
  //   [custom roles](/iam/docs/understanding-custom-roles) that have been
  //   created at the project level. Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // * [`organizations.roles.delete()`](/iam/reference/rest/v1/organizations.roles/delete):
  //   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
  //   deletes only [custom roles](/iam/docs/understanding-custom-roles) that
  //   have been created at the organization level. Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  string name = 1 [(google.api.resource_reference).type = "*"];

  // Used to perform a consistent read-modify-write. Presumably the
  // `Role.etag` from the most recent read; the request is expected to be
  // rejected if the role changed in between — confirm.
  bytes etag = 2;
}
// The request to undelete an existing role.
message UndeleteRoleRequest {
  // The `name` parameter's value depends on the target resource for the
  // request, namely
  // [`projects`](/iam/reference/rest/v1/projects.roles) or
  // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
  // resource type's `name` value format is described below:
  //
  // * [`projects.roles.undelete()`](/iam/reference/rest/v1/projects.roles/undelete):
  //   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes
  //   only [custom roles](/iam/docs/understanding-custom-roles) that have been
  //   created at the project level. Example request URL:
  //   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // * [`organizations.roles.undelete()`](/iam/reference/rest/v1/organizations.roles/undelete):
  //   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
  //   undeletes only [custom roles](/iam/docs/understanding-custom-roles) that
  //   have been created at the organization level. Example request URL:
  //   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
  //
  // Note: Wildcard (*) values are invalid; you must specify a complete project
  // ID or organization ID.
  string name = 1 [(google.api.resource_reference).type = "*"];

  // Used to perform a consistent read-modify-write. Same contract as
  // `DeleteRoleRequest.etag`: presumably the `Role.etag` from the most recent
  // read — confirm.
  bytes etag = 2;
}
// A permission which can be included by a role.
message Permission {
  // A stage representing a permission's lifecycle phase.
  //
  // `ALPHA` is the zero value, so an unset `stage` reads as `ALPHA`.
  enum PermissionLaunchStage {
    // The permission is currently in an alpha phase.
    ALPHA = 0;

    // The permission is currently in a beta phase.
    BETA = 1;

    // The permission is generally available.
    GA = 2;

    // The permission is being deprecated.
    DEPRECATED = 3;
  }

  // The state of the permission with regards to custom roles.
  //
  // `SUPPORTED` is the zero value, so an unset `custom_roles_support_level`
  // is indistinguishable from "fully supported".
  enum CustomRolesSupportLevel {
    // Permission is fully supported for custom role use.
    SUPPORTED = 0;

    // Permission is being tested to check custom role compatibility.
    TESTING = 1;

    // Permission is not supported for custom role use.
    NOT_SUPPORTED = 2;
  }

  // The name of this Permission.
  string name = 1;

  // The title of this Permission.
  string title = 2;

  // A brief description of what this Permission is used for.
  string description = 3;

  // Deprecated. Whether this permission can ONLY be used in predefined roles.
  // Presumably superseded by `custom_roles_support_level`, which expresses
  // the same property — confirm.
  bool only_in_predefined_roles = 4 [deprecated = true];

  // The current launch stage of the permission.
  PermissionLaunchStage stage = 5;

  // The current custom role support level.
  CustomRolesSupportLevel custom_roles_support_level = 6;

  // The service API associated with the permission is not enabled.
  bool api_disabled = 7;

  // The preferred name for this permission. If present, then this permission is
  // an alias of, and equivalent to, the listed primary_permission.
  string primary_permission = 8;
}
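// A request to get permissions which can be tested on a resource.
message QueryTestablePermissionsRequest {
  // Required. The full resource name to query from the list of testable
  // permissions.
  //
  // The name follows the Google Cloud Platform resource format.
  // For example, a Cloud Platform project with id `my-project` will be named
  // `//cloudresourcemanager.googleapis.com/projects/my-project`.
  //
  // Annotated REQUIRED to match the documented contract and the sibling
  // `QueryGrantableRolesRequest.full_resource_name`.
  string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional limit on the number of permissions to include in the response.
  //
  // The default is 100, and the maximum is 1,000.
  int32 page_size = 2;

  // Optional pagination token returned in an earlier
  // QueryTestablePermissionsResponse.
  string page_token = 3;
}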
// The response containing permissions which can be tested on a resource.
message QueryTestablePermissionsResponse {
  // The Permissions testable on the requested resource.
  repeated Permission permissions = 1;

  // To retrieve the next page of results, set
  // `QueryTestablePermissionsRequest.page_token` to this value.
  string next_page_token = 2;
}
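// A request to get the list of auditable services for a resource.
message QueryAuditableServicesRequest {
  // Required. The full resource name to query from the list of auditable
  // services.
  //
  // The name follows the Google Cloud Platform resource format.
  // For example, a Cloud Platform project with id `my-project` will be named
  // `//cloudresourcemanager.googleapis.com/projects/my-project`.
  //
  // Annotated REQUIRED to match the documented contract and the sibling
  // `QueryGrantableRolesRequest.full_resource_name`.
  string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED];
}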
// A response containing a list of auditable services for a resource.
message QueryAuditableServicesResponse {
  // Contains information about an auditable service.
  message AuditableService {
    // Public name of the service.
    // For example, the service name for Cloud IAM is 'iam.googleapis.com'.
    string name = 1;
  }

  // The auditable services for a resource. Not paginated: the full list is
  // returned in one response.
  repeated AuditableService services = 1;
}
// The request to lint a Cloud IAM policy object.
message LintPolicyRequest {
  // The full resource name of the policy this lint request is about.
  //
  // The name follows the Google Cloud Platform (GCP) resource format.
  // For example, a GCP project with ID `my-project` will be named
  // `//cloudresourcemanager.googleapis.com/projects/my-project`.
  //
  // The resource name is not used to read the policy instance from the Cloud
  // IAM database. The candidate policy for lint has to be provided in the same
  // request object.
  string full_resource_name = 1;

  // Required. The Cloud IAM object to be linted. Exactly one member of the
  // oneof must be set; `condition` is currently the only member.
  oneof lint_object {
    // [google.iam.v1.Binding.condition][google.iam.v1.Binding.condition]
    // object to be linted.
    google.type.Expr condition = 5;
  }
}
// Structured response of a single validation unit.
message LintResult {
  // Possible Level values of a validation unit corresponding to its domain
  // of discourse.
  enum Level {
    // Level is unspecified.
    LEVEL_UNSPECIFIED = 0;

    // A validation unit which operates on an individual condition within a
    // binding. (Values 1 and 2 are unassigned here; presumably retired —
    // confirm before reusing them.)
    CONDITION = 3;
  }

  // Possible Severity values of an issued result.
  enum Severity {
    // Severity is unspecified.
    SEVERITY_UNSPECIFIED = 0;

    // A validation unit returns an error only for critical issues. If an
    // attempt is made to set the problematic policy without rectifying the
    // critical issue, it causes the `setPolicy` operation to fail.
    ERROR = 1;

    // Any issue which is severe enough but does not cause an error.
    // For example, suspicious constructs in the input object will not
    // necessarily fail `setPolicy`, but there is a high likelihood that they
    // won't behave as expected during policy evaluation in `checkPolicy`.
    // This includes the following common scenarios:
    //
    // - Unsatisfiable condition: Expired timestamp in date/time condition.
    // - Ineffective condition: Condition on a pair which is
    //   granted unconditionally in another binding of the same policy.
    //
    // A `WARNING` is not a safety net: the policy is still accepted by
    // `setPolicy` and may grant more or less than intended.
    WARNING = 2;

    // Reserved for the issues that are not severe as `ERROR`/`WARNING`, but
    // need special handling. For instance, messages about skipped validation
    // units are issued as `NOTICE`.
    NOTICE = 3;

    // Any informative statement which is not severe enough to raise
    // `ERROR`/`WARNING`/`NOTICE`, like auto-correction recommendations on the
    // input content. Note that current version of the linter does not utilize
    // `INFO`.
    INFO = 4;

    // Deprecated severity level.
    DEPRECATED = 5;
  }

  // The validation unit level.
  Level level = 1;

  // The validation unit name, for instance
  // "lintValidationUnits/ConditionComplexityCheck".
  string validation_unit_name = 2;

  // The validation unit severity.
  Severity severity = 3;

  // The name of the field for which this lint result is about.
  //
  // For nested messages `field_name` consists of names of the embedded fields
  // separated by period character. The top-level qualifier is the input object
  // to lint in the request. For example, the `field_name` value
  // `condition.expression` identifies a lint result for the `expression` field
  // of the provided condition.
  string field_name = 5;

  // 0-based character position of problematic construct within the object
  // identified by `field_name`. Currently, this is populated only for condition
  // expression.
  int32 location_offset = 6;

  // Human readable debug message associated with the issue.
  string debug_message = 7;
}
// The response of a lint operation. An empty response indicates
// the operation was able to fully execute and no lint issue was found.
//
// Callers should inspect `LintResult.severity`: an `ERROR` means the linted
// object would be rejected by `setPolicy`, whereas `WARNING`/`NOTICE`/`INFO`
// results are accepted but flag constructs that may not behave as intended.
message LintPolicyResponse {
  // List of lint results sorted by `severity` in descending order.
  repeated LintResult lint_results = 1;
}
// A view for Role objects.
//
// Used by `QueryGrantableRolesRequest.view` and `ListRolesRequest.view`.
enum RoleView {
  // Omits the `included_permissions` field.
  // This is the default value (the proto3 zero value, so an unset `view`
  // selects `BASIC`).
  BASIC = 0;

  // Returns all fields.
  FULL = 1;
}