Identity and Access Management (IAM) API

Manages identity and access control for Google Cloud Platform resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls.

Service: iam.googleapis.com

We recommend that you call this service using Google-provided client libraries. If your application needs to call this service using your own libraries, you should use the following information when making the API requests.

Discovery document

A Discovery Document is a machine-readable specification for describing and consuming REST APIs. It is used to build client libraries, IDE plugins, and other tools that interact with Google APIs. One service may provide multiple discovery documents. This service provides the following discovery document:

Service endpoint

A service endpoint is a base URL that specifies the network address of an API service. One service may have multiple service endpoints. This service has the following service endpoint and all URIs below are relative to this service endpoint:

  • https://iam.googleapis.com

REST Resource: v1.iamPolicies

Methods

  • lintPolicy: POST /v1/iamPolicies:lintPolicy
    Lints, or validates, an IAM policy.
  • queryAuditableServices: POST /v1/iamPolicies:queryAuditableServices
    Returns a list of services that allow you to opt into audit logs that are not generated by default.

REST Resource: v1.organizations.roles

Methods

  • create: POST /v1/{parent=organizations/*}/roles
    Creates a new custom Role.
  • delete: DELETE /v1/{name=organizations/*/roles/*}
    Deletes a custom Role.
  • get: GET /v1/{name=organizations/*/roles/*}
    Gets the definition of a Role.
  • list: GET /v1/{parent=organizations/*}/roles
    Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.
  • patch: PATCH /v1/{name=organizations/*/roles/*}
    Updates the definition of a custom Role.
  • undelete: POST /v1/{name=organizations/*/roles/*}:undelete
    Undeletes a custom Role.

REST Resource: v1.permissions

Methods

  • queryTestablePermissions: POST /v1/permissions:queryTestablePermissions
    Lists every permission that you can test on a resource.

REST Resource: v1.projects.roles

Methods

  • create: POST /v1/{parent=projects/*}/roles
    Creates a new custom Role.
  • delete: DELETE /v1/{name=projects/*/roles/*}
    Deletes a custom Role.
  • get: GET /v1/{name=projects/*/roles/*}
    Gets the definition of a Role.
  • list: GET /v1/{parent=projects/*}/roles
    Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.
  • patch: PATCH /v1/{name=projects/*/roles/*}
    Updates the definition of a custom Role.
  • undelete: POST /v1/{name=projects/*/roles/*}:undelete
    Undeletes a custom Role.

REST Resource: v1.projects.serviceAccounts

Methods

  • create: POST /v1/{name=projects/*}/serviceAccounts
    Creates a ServiceAccount.
  • delete: DELETE /v1/{name=projects/*/serviceAccounts/*}
    Deletes a ServiceAccount.
  • disable: POST /v1/{name=projects/*/serviceAccounts/*}:disable
    Disables a ServiceAccount immediately.
  • enable: POST /v1/{name=projects/*/serviceAccounts/*}:enable
    Enables a ServiceAccount that was disabled by DisableServiceAccount.
  • get: GET /v1/{name=projects/*/serviceAccounts/*}
    Gets a ServiceAccount.
  • getIamPolicy: POST /v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy
    Gets the IAM policy that is attached to a ServiceAccount.
  • list: GET /v1/{name=projects/*}/serviceAccounts
    Lists every ServiceAccount that belongs to a specific project.
  • patch: PATCH /v1/{serviceAccount.name=projects/*/serviceAccounts/*}
    Patches a ServiceAccount.
  • setIamPolicy: POST /v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy
    Sets the IAM policy that is attached to a ServiceAccount.
  • signBlob: POST /v1/{name=projects/*/serviceAccounts/*}:signBlob
    Note: We are in the process of deprecating this method.
  • signJwt: POST /v1/{name=projects/*/serviceAccounts/*}:signJwt
    Note: We are in the process of deprecating this method.
  • testIamPermissions: POST /v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions
    Tests whether the caller has the specified permissions on a ServiceAccount.
  • undelete: POST /v1/{name=projects/*/serviceAccounts/*}:undelete
    Restores a deleted ServiceAccount.
  • update: PUT /v1/{name=projects/*/serviceAccounts/*}
    Note: We are in the process of deprecating this method.

REST Resource: v1.projects.serviceAccounts.keys

Methods

  • create: POST /v1/{name=projects/*/serviceAccounts/*}/keys
    Creates a ServiceAccountKey.
  • delete: DELETE /v1/{name=projects/*/serviceAccounts/*/keys/*}
    Deletes a ServiceAccountKey.
  • get: GET /v1/{name=projects/*/serviceAccounts/*/keys/*}
    Gets a ServiceAccountKey.
  • list: GET /v1/{name=projects/*/serviceAccounts/*}/keys
    Lists every ServiceAccountKey for a service account.
  • upload: POST /v1/{name=projects/*/serviceAccounts/*}/keys:upload
    Creates a ServiceAccountKey, using a public key that you provide.

REST Resource: v1.roles

Methods

  • get: GET /v1/{name=roles/*}
    Gets the definition of a Role.
  • list: GET /v1/roles
    Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.
  • queryGrantableRoles: POST /v1/roles:queryGrantableRoles
    Lists roles that can be granted on a Google Cloud resource.