Package google.iam.admin.v1


IAM

Creates and manages Identity and Access Management (IAM) resources.

You can use this service to work with all of the following resources:

  • Service accounts, which identify an application or a virtual machine (VM) instance rather than a person
  • Service account keys, which service accounts use to authenticate with Google APIs
  • IAM policies for service accounts, which specify the roles that a principal has for the service account
  • IAM custom roles, which help you limit the number of permissions that you grant to principals

In addition, you can use this service to complete the following tasks, among others:

  • Test whether a service account can use specific permissions
  • Check which roles you can grant for a specific resource
  • Lint, or validate, condition expressions in an IAM policy

When you read data from the IAM API, each read is eventually consistent. In other words, if you write data with the IAM API, then immediately read that data, the read operation might return an older version of the data. To deal with this behavior, your application can retry the request with truncated exponential backoff.

In contrast, writing data to the IAM API is sequentially consistent. In other words, write operations are always processed in the order in which they were received.
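The retry loop recommended above, as an added example (not code from this reference): a read is repeated until it reflects a write the caller just made, waiting a jittered, truncated exponential backoff between attempts. `StaleReplicaSimulator` is a constructed stand-in for `GetRole` after an `UpdateRole`; the function names, delays and attempt counts are assumptions, not API parameters.

```python
import random
import time
from typing import Callable, List, Optional, TypeVar

T = TypeVar("T")


def backoff_schedule(max_attempts: int, base_delay: float, max_delay: float) -> List[float]:
    """Upper bound of the wait before each retry: base * 2^n, truncated at
    max_delay. max_attempts reads need max_attempts - 1 waits."""
    return [min(max_delay, base_delay * (2 ** n)) for n in range(max_attempts - 1)]


def read_until_fresh(
    read: Callable[[], T],
    is_fresh: Callable[[T], bool],
    max_attempts: int = 6,
    base_delay: float = 0.5,
    max_delay: float = 8.0,
    sleep: Callable[[float], None] = time.sleep,
    rng: Optional[random.Random] = None,
) -> Optional[T]:
    """Re-read until `is_fresh` accepts the result. Each wait is a random point
    in [0, cap] with cap taken from backoff_schedule (full jitter), so a fleet
    of clients retrying the same stale read spreads out instead of retrying in
    lockstep. Returns None if every attempt returned stale data."""
    rng = rng or random.Random()
    caps = backoff_schedule(max_attempts, base_delay, max_delay)
    for attempt in range(max_attempts):
        value = read()
        if is_fresh(value):
            return value
        if attempt < len(caps):
            sleep(rng.uniform(0, caps[attempt]))
    return None


class StaleReplicaSimulator:
    """Constructed stand-in for GetRole after an UpdateRole: serves the
    pre-update role for the first `stale_reads` calls, then the updated one.
    Not a real client; it only models the eventually consistent read."""

    def __init__(self, old_role: dict, new_role: dict, stale_reads: int):
        self.old_role, self.new_role = old_role, new_role
        self.stale_reads = stale_reads
        self.calls = 0

    def get_role(self) -> dict:
        self.calls += 1
        return self.old_role if self.calls <= self.stale_reads else self.new_role


def wait_for_permission(get_role: Callable[[], dict], permission: str, **kwargs) -> Optional[dict]:
    """Poll a role until a permission added by a preceding write is visible."""
    return read_until_fresh(
        get_role, lambda r: permission in r.get("includedPermissions", []), **kwargs
    )


if __name__ == "__main__":
    # Constructed sample role before and after an update adds one permission.
    old = {"name": "projects/my-project/roles/auditor",
           "includedPermissions": ["logging.logEntries.list"]}
    new = {**old, "includedPermissions": old["includedPermissions"] + ["iam.roles.get"]}
    sim = StaleReplicaSimulator(old, new, stale_reads=2)
    role = wait_for_permission(sim.get_role, "iam.roles.get")
    print(f"update visible after {sim.calls} reads: {role is not None}")
```

The freshness predicate is the caller's: it must test for the specific change just written (a permission in the role, a key id in a list), since a read that merely succeeds can still be the older version.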

CreateRole

rpc CreateRole(CreateRoleRequest) returns (Role)

Creates a new custom Role.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateServiceAccount

rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount)

Creates a ServiceAccount.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateServiceAccountKey

rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey)

Creates a ServiceAccountKey.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteRole

rpc DeleteRole(DeleteRoleRequest) returns (Role)

Deletes a custom Role.

When you delete a custom role, the following changes occur immediately:

  • You cannot bind a principal to the custom role in an IAM Policy.
  • Existing bindings to the custom role are not changed, but they have no effect.
  • By default, the response from ListRoles does not include the custom role.

You have 7 days to undelete the custom role. After 7 days, the following changes occur:

  • The custom role is permanently deleted and cannot be recovered.
  • If an IAM policy contains a binding to the custom role, the binding is permanently removed.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteServiceAccount

rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (Empty)

Deletes a ServiceAccount.

Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead.

If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteServiceAccountKey

rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (Empty)

Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DisableServiceAccount

rpc DisableServiceAccount(DisableServiceAccountRequest) returns (Empty)

Disables a ServiceAccount immediately.

If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail.

To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DisableServiceAccountKey

rpc DisableServiceAccountKey(DisableServiceAccountKeyRequest) returns (Empty)

Disables a ServiceAccountKey. A disabled service account key can be re-enabled with EnableServiceAccountKey.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

EnableServiceAccount

rpc EnableServiceAccount(EnableServiceAccountRequest) returns (Empty)

Enables a ServiceAccount that was disabled by DisableServiceAccount.

If the service account is already enabled, then this method has no effect.

If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

EnableServiceAccountKey

rpc EnableServiceAccountKey(EnableServiceAccountKeyRequest) returns (Empty)

Enables a ServiceAccountKey.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetIamPolicy

rpc GetIamPolicy(GetIamPolicyRequest) returns (Policy)

Gets the IAM policy that is attached to a ServiceAccount. This IAM policy specifies which principals have access to the service account.

This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetRole

rpc GetRole(GetRoleRequest) returns (Role)

Gets the definition of a Role.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetServiceAccount

rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount)

Gets a ServiceAccount.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetServiceAccountKey

rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey)

Gets a ServiceAccountKey.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

LintPolicy

rpc LintPolicy(LintPolicyRequest) returns (LintPolicyResponse)

Lints, or validates, an IAM policy. Currently checks the google.iam.v1.Binding.condition field, which contains a condition expression for a role binding.

Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListRoles

rpc ListRoles(ListRolesRequest) returns (ListRolesResponse)

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListServiceAccountKeys

rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse)

Lists every ServiceAccountKey for a service account.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListServiceAccounts

rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse)

Lists every ServiceAccount that belongs to a specific project.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

PatchServiceAccount

rpc PatchServiceAccount(PatchServiceAccountRequest) returns (ServiceAccount)

Patches a ServiceAccount.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

QueryAuditableServices

rpc QueryAuditableServices(QueryAuditableServicesRequest) returns (QueryAuditableServicesResponse)

Returns a list of services that allow you to opt into audit logs that are not generated by default.

To learn more about audit logs, see the Logging documentation.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

QueryGrantableRoles

rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse)

Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

QueryTestablePermissions

rpc QueryTestablePermissions(QueryTestablePermissionsRequest) returns (QueryTestablePermissionsResponse)

Lists every permission that you can test on a resource. A permission is testable if you can check whether a principal has that permission on the resource.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

SetIamPolicy

rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy)

Sets the IAM policy that is attached to a ServiceAccount.

Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account.

This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:

  1. Call the resource's getIamPolicy method to get its current IAM policy.
  2. Edit the policy so that it binds the service account to an IAM role for the resource.
  3. Call the resource's setIamPolicy method to update its IAM policy.

For detailed instructions, see Manage access to projects, folders, and organizations or Manage access to other resources.
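The three-step read-modify-write above, as an added example rather than code from this reference: `get_iam_policy` and `set_iam_policy` are assumed callables wrapping the target resource's own getIamPolicy/setIamPolicy methods, `FakeResource` is a constructed in-memory stand-in that models the server's etag check so the example runs offline, and the `BASIC_ROLES` guard is a local least-privilege convention of this example, not an IAM rule.

```python
import copy
from typing import Callable, Dict, List

# An IAM Policy as returned by getIamPolicy: version, bindings, etag.
Policy = Dict

# Assumed local guard rail: basic roles are broader than a service account
# normally needs, so the helper refuses them unless explicitly overridden.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def add_member_to_role(policy: Policy, role: str, member: str) -> Policy:
    """Step 2: return a copy of the policy with `member` in the unconditional
    binding for `role`, creating that binding if absent. Idempotent, and it
    never touches conditional bindings for the same role."""
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def grant_role_to_service_account(
    get_iam_policy: Callable[[], Policy],
    set_iam_policy: Callable[[Policy], Policy],
    role: str,
    service_account_email: str,
    allow_basic_roles: bool = False,
) -> Policy:
    """Steps 1-3: read the resource's policy, bind the service account, write
    the policy back. Returns the policy as stored by the resource."""
    if role in BASIC_ROLES and not allow_basic_roles:
        raise ValueError(f"refusing to grant basic role {role}; pick a narrower role")
    member = f"serviceAccount:{service_account_email}"
    current = get_iam_policy()                           # step 1
    updated = add_member_to_role(current, role, member)  # step 2
    # Step 3: the copy still carries the etag read in step 1, so the server
    # can reject the write if the policy changed in between.
    return set_iam_policy(updated)


class FakeResource:
    """Constructed in-memory resource with an etag-checked setIamPolicy.
    Not a Google client; it exists only so the example runs offline."""

    def __init__(self) -> None:
        self._policy: Policy = {"version": 1, "bindings": [], "etag": "v1"}

    def get_iam_policy(self) -> Policy:
        return copy.deepcopy(self._policy)

    def set_iam_policy(self, policy: Policy) -> Policy:
        if policy.get("etag") != self._policy["etag"]:
            raise RuntimeError("etag mismatch: policy changed since it was read; restart at step 1")
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = "v" + str(int(self._policy["etag"][1:]) + 1)
        return copy.deepcopy(self._policy)


def members_of(policy: Policy, role: str) -> List[str]:
    """Members of the unconditional binding for `role`, or [] if there is none."""
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            return list(binding["members"])
    return []


if __name__ == "__main__":
    res = FakeResource()
    pol = grant_role_to_service_account(
        res.get_iam_policy, res.set_iam_policy,
        "roles/storage.objectViewer", "app@my-project.iam.gserviceaccount.com",
    )
    print(members_of(pol, "roles/storage.objectViewer"), pol["etag"])
```

On an etag mismatch the right response is to start again at step 1 with a fresh read, not to resend the same policy, because the rejected write was computed from a version that another writer has already replaced.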

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

SignBlob

rpc SignBlob(SignBlobRequest) returns (SignBlobResponse)

Note: This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a blob using the system-managed private key for a ServiceAccount.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

SignJwt

rpc SignJwt(SignJwtRequest) returns (SignJwtResponse)

Note: This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

TestIamPermissions

rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse)

Tests whether the caller has the specified permissions on a ServiceAccount.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UndeleteRole

rpc UndeleteRole(UndeleteRoleRequest) returns (Role)

Undeletes a custom Role.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UndeleteServiceAccount

rpc UndeleteServiceAccount(UndeleteServiceAccountRequest) returns (UndeleteServiceAccountResponse)

Restores a deleted ServiceAccount.

Important: It is not always possible to restore a deleted service account. Use this method only as a last resort.

After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateRole

rpc UpdateRole(UpdateRoleRequest) returns (Role)

Updates the definition of a custom Role.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateServiceAccount

rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount)

Note: We are in the process of deprecating this method. Use PatchServiceAccount instead.

Updates a ServiceAccount.

You can update only the display_name field.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UploadServiceAccountKey

rpc UploadServiceAccountKey(UploadServiceAccountKeyRequest) returns (ServiceAccountKey)

Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount.

After you upload the public key, you can use the private key from the key pair as a service account key.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

WorkforcePools

Manages WorkforcePools.

CreateWorkforcePool

rpc CreateWorkforcePool(CreateWorkforcePoolRequest) returns (Operation)

Creates a new WorkforcePool.

You cannot reuse the name of a deleted pool until 30 days after deletion.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

CreateWorkforcePoolProvider

rpc CreateWorkforcePoolProvider(CreateWorkforcePoolProviderRequest) returns (Operation)

Creates a new WorkforcePoolProvider in a WorkforcePool.

You cannot reuse the name of a deleted provider until 30 days after deletion.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

DeleteWorkforcePool

rpc DeleteWorkforcePool(DeleteWorkforcePoolRequest) returns (Operation)

Deletes a WorkforcePool.

You cannot use a deleted WorkforcePool to exchange external credentials for Google Cloud credentials. However, deletion does not revoke credentials that have already been issued. Credentials issued for a deleted pool do not grant access to resources. If the pool is undeleted, and the credentials are not expired, they grant access again. You can undelete a pool for 30 days. After 30 days, deletion is permanent. You cannot update deleted pools. However, you can view and list them.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

DeleteWorkforcePoolProvider

rpc DeleteWorkforcePoolProvider(DeleteWorkforcePoolProviderRequest) returns (Operation)

Deletes a WorkforcePoolProvider.

Deleting a provider does not revoke credentials that have already been issued; they continue to grant access. You can undelete a provider for 30 days. After 30 days, deletion is permanent. You cannot update deleted providers. However, you can view and list them.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

DeleteWorkforcePoolSubject

rpc DeleteWorkforcePoolSubject(DeleteWorkforcePoolSubjectRequest) returns (Operation)

Deletes a WorkforcePoolSubject.

Subject must not already be in a deleted state.

A WorkforcePoolSubject is automatically created the first time an external credential is exchanged for a Google Cloud credential with a mapped google.subject attribute. There is no path to manually create WorkforcePoolSubjects.

Once deleted, the WorkforcePoolSubject may not be used for 30 days. After 30 days, the WorkforcePoolSubject will be deleted forever and can be reused in token exchanges with Google Cloud STS. This will automatically create a new WorkforcePoolSubject that is independent of the previously deleted WorkforcePoolSubject with the same google.subject value.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

GetIamPolicy

rpc GetIamPolicy(GetIamPolicyRequest) returns (Policy)

Gets IAM policies on a WorkforcePool.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

GetWorkforcePool

rpc GetWorkforcePool(GetWorkforcePoolRequest) returns (WorkforcePool)

Gets an individual WorkforcePool.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

GetWorkforcePoolProvider

rpc GetWorkforcePoolProvider(GetWorkforcePoolProviderRequest) returns (WorkforcePoolProvider)

Gets an individual WorkforcePoolProvider.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

ListWorkforcePoolProviders

rpc ListWorkforcePoolProviders(ListWorkforcePoolProvidersRequest) returns (ListWorkforcePoolProvidersResponse)

Lists all non-deleted WorkforcePoolProviders in a WorkforcePool. If show_deleted is set to true, then deleted providers are also listed.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

ListWorkforcePools

rpc ListWorkforcePools(ListWorkforcePoolsRequest) returns (ListWorkforcePoolsResponse)

Lists all non-deleted WorkforcePools under the specified parent. If show_deleted is set to true, then deleted pools are also listed.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

SetIamPolicy

rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy)

Sets IAM policies on a WorkforcePool.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

TestIamPermissions

rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse)

Returns the caller's permissions on the WorkforcePool. If the pool does not exist, this will return an empty set of permissions, not a NOT_FOUND error.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

UndeleteWorkforcePool

rpc UndeleteWorkforcePool(UndeleteWorkforcePoolRequest) returns (Operation)

Undeletes a WorkforcePool, as long as it was deleted fewer than 30 days ago.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

UndeleteWorkforcePoolProvider

rpc UndeleteWorkforcePoolProvider(UndeleteWorkforcePoolProviderRequest) returns (Operation)

Undeletes a WorkforcePoolProvider, as long as it was deleted fewer than 30 days ago.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

UndeleteWorkforcePoolSubject

rpc UndeleteWorkforcePoolSubject(UndeleteWorkforcePoolSubjectRequest) returns (Operation)

Undeletes a WorkforcePoolSubject, as long as it was deleted fewer than 30 days ago.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

UpdateWorkforcePool

rpc UpdateWorkforcePool(UpdateWorkforcePoolRequest) returns (Operation)

Updates an existing WorkforcePool.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

UpdateWorkforcePoolProvider

rpc UpdateWorkforcePoolProvider(UpdateWorkforcePoolProviderRequest) returns (Operation)

Updates an existing WorkforcePoolProvider.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/iam

For more information, see the Authentication Overview.

AuditData

Audit log information specific to Cloud IAM admin APIs. This message is serialized as an Any type in the ServiceData message of an AuditLog message.

Fields
permission_delta

PermissionDelta

The permission_delta when creating or updating a Role.

PermissionDelta

A PermissionDelta message to record the added_permissions and removed_permissions inside a role.

Fields
added_permissions[]

string

Added permissions.

removed_permissions[]

string

Removed permissions.

CreateRoleRequest

The request to create a new role.

Fields
parent

string

The parent parameter's value depends on the target resource for the request, namely projects or organizations. Each resource type's parent value format is described below:

  • projects.roles.create(): projects/{PROJECT_ID}. This method creates project-level custom roles. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles

  • organizations.roles.create(): organizations/{ORGANIZATION_ID}. This method creates organization-level custom roles. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource parent:

  • iam.roles.create

role_id

string

The role ID to use for this role.

A role ID may contain alphanumeric characters, underscores (_), and periods (.). It must contain a minimum of 3 characters and a maximum of 64 characters.

role

Role

The Role resource to create.

CreateServiceAccountKeyRequest

The service account key create request.

Fields
name

string

Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.create

private_key_type

ServiceAccountPrivateKeyType

The output format of the private key. The default value is TYPE_GOOGLE_CREDENTIALS_FILE, which is the Google Credentials File format.

key_algorithm

ServiceAccountKeyAlgorithm

Which type of key and algorithm to use for the key. The default is currently a 2K (2048-bit) RSA key. However, this may change in the future.

CreateServiceAccountRequest

The service account create request.

Fields
name

string

Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.create

account_id

string

Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression [a-z]([-a-z0-9]*[a-z0-9]) to comply with RFC1035.

service_account

ServiceAccount

The ServiceAccount resource to create. Currently, only the following values are user assignable: display_name and description.

CreateWorkforcePoolProviderRequest

Request message for CreateWorkforcePoolProvider.

Fields
parent

string

Required. The pool to create this provider in.

Format: locations/{location}/workforcePools/{workforce_pool_id}

workforce_pool_provider

WorkforcePoolProvider

Required. The provider to create.

workforce_pool_provider_id

string

Required. The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.

CreateWorkforcePoolRequest

Request message for CreateWorkforcePool.

Fields
workforce_pool

WorkforcePool

Required. The pool to create.

location

string

The location of the pool to create.

Format: locations/{location}.

workforce_pool_id

string

The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.

DeleteRoleRequest

The request to delete an existing role.

Fields
name

string

The name parameter's value depends on the target resource for the request, namely projects or organizations. Each resource type's name value format is described below:

  • projects.roles.delete(): projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}. This method deletes only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

  • organizations.roles.delete(): organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}. This method deletes only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource name:

  • iam.roles.delete

etag

bytes

Used to perform a consistent read-modify-write.

DeleteServiceAccountKeyRequest

The service account key delete request.

Fields
name

string

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.delete

DeleteServiceAccountRequest

The service account delete request.

Fields
name

string

Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.delete

DeleteWorkforcePoolProviderRequest

Request message for DeleteWorkforcePoolProvider.

Fields
name

string

Required. The name of the provider to delete.

Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}

DeleteWorkforcePoolRequest

Request message for DeleteWorkforcePool.

Fields
name

string

Required. The name of the pool to delete.

Format: locations/{location}/workforcePools/{workforce_pool_id}

DeleteWorkforcePoolSubjectRequest

Request message for DeleteWorkforcePoolSubject.

Fields
name

string

Required. The resource name of the WorkforcePoolSubject. Special characters, like '/' and ':', must be escaped, because all URLs need to conform to the "When to Escape and Unescape" section of RFC3986.

Format: locations/{location}/workforcePools/{workforce_pool_id}/subjects/{subject_id}

DisableServiceAccountKeyRequest

The service account key disable request.

Fields
name

string

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.disable

DisableServiceAccountRequest

The service account disable request.

Fields
name

string

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.disable

EnableServiceAccountKeyRequest

The service account key enable request.

Fields
name

string

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.enable

EnableServiceAccountRequest

The service account enable request.

Fields
name

string

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.enable

GetRoleRequest

The request to get the definition of an existing role.

Fields
name

string

The name parameter's value depends on the target resource for the request, namely roles, projects, or organizations. Each resource type's name value format is described below:

  • roles.get(): roles/{ROLE_NAME}. This method returns results from all predefined roles in Cloud IAM. Example request URL: https://iam.googleapis.com/v1/roles/{ROLE_NAME}

  • projects.roles.get(): projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}. This method returns only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

  • organizations.roles.get(): organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}. This method returns only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource name:

  • iam.roles.get

GetServiceAccountKeyRequest

The request to get a service account key by ID.

Fields
name

string

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.get
public_key_type

ServiceAccountPublicKeyType

Optional. The output format of the public key. The default is TYPE_NONE, which means that the public key is not returned.

GetServiceAccountRequest

The service account get request.

Fields
name

string

Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.get

GetWorkforcePoolProviderRequest

Request message for GetWorkforcePoolProvider.

Fields
name

string

Required. The name of the provider to retrieve.

Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}

GetWorkforcePoolRequest

Request message for GetWorkforcePool.

Fields
name

string

Required. The name of the pool to retrieve.

Format: locations/{location}/workforcePools/{workforce_pool_id}

LintPolicyRequest

The request to lint a Cloud IAM policy object.

Fields
full_resource_name

string

The full resource name of the policy this lint request is about.

The name follows the Google Cloud Platform (GCP) resource format. For example, a GCP project with ID my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

The resource name is not used to read the policy instance from the Cloud IAM database. The candidate policy for lint has to be provided in the same request object.

condition

Expr

google.iam.v1.Binding.condition object to be linted.

LintPolicyResponse

The response of a lint operation. An empty response indicates the operation was able to fully execute and no lint issue was found.

Fields
lint_results[]

LintResult

List of lint results sorted by severity in descending order.

LintResult

Structured response of a single validation unit.

Fields
level

Level

The validation unit level.

validation_unit_name

string

The validation unit name, for instance "lintValidationUnits/ConditionComplexityCheck".

severity

Severity

The validation unit severity.

field_name

string

The name of the field for which this lint result is about.

For nested messages, field_name consists of the names of the embedded fields separated by a period. The top-level qualifier is the input object to lint in the request. For example, the field_name value condition.expression identifies a lint result for the expression field of the provided condition.

location_offset

int32

0-based character position of the problematic construct within the object identified by field_name. Currently, this is populated only for the condition expression.

debug_message

string

Human readable debug message associated with the issue.

Level

Possible Level values of a validation unit corresponding to its domain of discourse.

Enums
LEVEL_UNSPECIFIED Level is unspecified.
CONDITION A validation unit which operates on an individual condition within a binding.

Severity

Possible Severity values of an issued result.

Enums
SEVERITY_UNSPECIFIED Severity is unspecified.
ERROR A validation unit returns an error only for critical issues. If an attempt is made to set the problematic policy without rectifying the critical issue, it causes the setPolicy operation to fail.
WARNING

Any issue that is serious but does not cause an error. For example, suspicious constructs in the input object will not necessarily fail setPolicy, but there is a high likelihood that they won't behave as expected during policy evaluation in checkPolicy. This includes the following common scenarios:

  • Unsatisfiable condition: Expired timestamp in date/time condition.
  • Ineffective condition: Condition on a <principal, role> pair which is granted unconditionally in another binding of the same policy.
NOTICE Reserved for issues that are not as severe as ERROR/WARNING but need special handling. For instance, messages about skipped validation units are issued as NOTICE.
INFO Any informative statement that is not severe enough to raise ERROR/WARNING/NOTICE, like auto-correction recommendations on the input content. Note that the current version of the linter does not use INFO.
DEPRECATED Deprecated severity level.
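An added example (not part of the reference, nor Google's code) showing how a deployment pipeline would consume a LintPolicyResponse: parse the lint_results[], order them by the Severity ranking above, block setPolicy on ERROR, flag WARNING for review, and point a caret at location_offset within the condition expression. It assumes the standard proto3 JSON mapping of field names (lowerCamelCase, with snake_case also accepted); the sample response and its validation unit names are constructed.

```python
from dataclasses import dataclass
from typing import Any, Dict, List

# Higher rank = more severe. Mirrors the Severity enum above; DEPRECATED and
# SEVERITY_UNSPECIFIED carry no actionable signal and rank lowest.
SEVERITY_RANK = {"ERROR": 4, "WARNING": 3, "NOTICE": 2, "INFO": 1,
                 "DEPRECATED": 0, "SEVERITY_UNSPECIFIED": 0}


@dataclass(frozen=True)
class LintResult:
    level: str
    validation_unit_name: str
    severity: str
    field_name: str
    location_offset: int
    debug_message: str


def _get(r: Dict[str, Any], snake: str, camel: str, default: Any = None) -> Any:
    # Accept both proto field names (snake_case) and their JSON mapping (lowerCamelCase).
    return r.get(snake, r.get(camel, default))


def parse_lint_response(resp: Dict[str, Any]) -> List[LintResult]:
    """Turn the lint_results[] of a LintPolicyResponse into LintResult records.
    An empty response means the linter ran fully and found nothing."""
    out = []
    for r in _get(resp, "lint_results", "lintResults", []) or []:
        out.append(LintResult(
            level=_get(r, "level", "level", "LEVEL_UNSPECIFIED"),
            validation_unit_name=_get(r, "validation_unit_name", "validationUnitName", ""),
            severity=_get(r, "severity", "severity", "SEVERITY_UNSPECIFIED"),
            field_name=_get(r, "field_name", "fieldName", ""),
            location_offset=int(_get(r, "location_offset", "locationOffset", -1)),
            debug_message=_get(r, "debug_message", "debugMessage", ""),
        ))
    return out


def gate_set_policy(condition_expression: str, results: List[LintResult]) -> Dict[str, Any]:
    """Decide whether a setPolicy call should go ahead and build a reviewer-facing report.

    ERROR blocks the change: the docs say setPolicy fails while the issue is unrectified.
    WARNING does not fail setPolicy, but the binding is likely not to evaluate as intended,
    so the report marks it for review. location_offset (0-based, only populated for the
    condition expression) is rendered as a caret under the offending character."""
    ordered = sorted(results, key=lambda r: SEVERITY_RANK.get(r.severity, 0), reverse=True)
    lines = []
    for r in ordered:
        lines.append(f"[{r.severity}] {r.validation_unit_name}: {r.debug_message}")
        if r.field_name == "condition.expression" and 0 <= r.location_offset < len(condition_expression):
            lines.append("    " + condition_expression)
            lines.append("    " + " " * r.location_offset + "^")
    return {
        "ok": not any(r.severity == "ERROR" for r in ordered),
        "needs_review": any(r.severity == "WARNING" for r in ordered),
        "report": "\n".join(lines),
    }


# Constructed sample: the shape of a response for an expired date/time condition.
# The validation unit names are illustrative, not taken from the service.
SAMPLE_EXPRESSION = 'request.time < timestamp("2020-01-01T00:00:00Z")'
SAMPLE_LINT_RESPONSE = {
    "lintResults": [
        {"level": "CONDITION", "validationUnitName": "lintValidationUnits/ExampleSyntaxCheck",
         "severity": "NOTICE", "fieldName": "condition.expression", "locationOffset": 0,
         "debugMessage": "constructed: validation unit skipped"},
        {"level": "CONDITION", "validationUnitName": "lintValidationUnits/ExampleDateTimeCheck",
         "severity": "WARNING", "fieldName": "condition.expression", "locationOffset": 15,
         "debugMessage": "constructed: timestamp is in the past; condition is unsatisfiable"},
    ]
}

if __name__ == "__main__":
    verdict = gate_set_policy(SAMPLE_EXPRESSION, parse_lint_response(SAMPLE_LINT_RESPONSE))
    print(verdict["report"])
    print("proceed:", verdict["ok"], "needs review:", verdict["needs_review"])
```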

ListRolesRequest

The request to get all roles defined under a resource.

Fields
parent

string

The parent parameter's value depends on the target resource for the request, namely roles, projects, or organizations. Each resource type's parent value format is described below:

  • roles.list(): An empty string. This method doesn't require a resource; it simply returns all predefined roles in Cloud IAM. Example request URL: https://iam.googleapis.com/v1/roles

  • projects.roles.list(): projects/{PROJECT_ID}. This method lists all project-level custom roles. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles

  • organizations.roles.list(): organizations/{ORGANIZATION_ID}. This method lists all organization-level custom roles. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource parent:

  • iam.roles.list
page_size

int32

Optional limit on the number of roles to include in the response.

The default is 300, and the maximum is 1,000.

page_token

string

Optional pagination token returned in an earlier ListRolesResponse.

view

RoleView

Optional view for the returned Role objects. When FULL is specified, the includedPermissions field is returned, which includes a list of all permissions in the role. The default value is BASIC, which does not return the includedPermissions field.

show_deleted

bool

Include Roles that have been deleted.

ListRolesResponse

The response containing the roles defined under a resource.

Fields
roles[]

Role

The Roles defined on this resource.

next_page_token

string

To retrieve the next page of results, set ListRolesRequest.page_token to this value.

ListServiceAccountKeysRequest

The service account keys list request.

Fields
name

string

Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.list
key_types[]

KeyType

Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned.

KeyType

KeyType filters to selectively retrieve certain varieties of keys.

Enums
KEY_TYPE_UNSPECIFIED Unspecified key type. The presence of this in the message will immediately result in an error.
USER_MANAGED User-managed keys (managed and rotated by the user).
SYSTEM_MANAGED System-managed keys (managed and rotated by Google).

ListServiceAccountKeysResponse

The service account keys list response.

Fields
keys[]

ServiceAccountKey

The public keys for the service account.

ListServiceAccountsRequest

The service account list request.

Fields
name

string

Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.list
page_size

int32

Optional limit on the number of service accounts to include in the response. Further accounts can be obtained by including the ListServiceAccountsResponse.next_page_token in a subsequent request.

The default is 20, and the maximum is 100.

page_token

string

Optional pagination token returned in an earlier ListServiceAccountsResponse.next_page_token.

ListServiceAccountsResponse

The service account list response.

Fields
accounts[]

ServiceAccount

The list of matching service accounts.

next_page_token

string

To retrieve the next page of results, set ListServiceAccountsRequest.page_token to this value.

ListWorkforcePoolProvidersRequest

Request message for ListWorkforcePoolProviders.

Fields
parent

string

Required. The pool to list providers for.

Format: locations/{location}/workforcePools/{workforce_pool_id}

page_size

int32

The maximum number of providers to return. If unspecified, at most 50 providers are returned. The maximum value is 100; values above 100 are truncated to 100.

page_token

string

A page token, received from a previous ListWorkforcePoolProviders call. Provide this to retrieve the subsequent page.

show_deleted

bool

Whether to return soft-deleted providers.

ListWorkforcePoolProvidersResponse

Response message for ListWorkforcePoolProviders.

Fields
workforce_pool_providers[]

WorkforcePoolProvider

A list of providers.

next_page_token

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

ListWorkforcePoolsRequest

Request message for ListWorkforcePools.

Fields
parent

string

Required. The parent resource to list pools for.

Format: organizations/{org-id}.

page_size

int32

The maximum number of pools to return. If unspecified, at most 50 pools will be returned. The maximum value is 1000; values above 1000 are truncated to 1000.

page_token

string

A page token, received from a previous ListWorkforcePools call. Provide this to retrieve the subsequent page.

show_deleted

bool

Whether to return soft-deleted pools.

location

string

The location of the pool.

Format: locations/{location}.

ListWorkforcePoolsResponse

Response message for ListWorkforcePools.

Fields
workforce_pools[]

WorkforcePool

A list of pools.

next_page_token

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

PatchServiceAccountRequest

The service account patch request.

You can patch only the display_name and description fields. You must use the update_mask field to specify which of these fields you want to patch.

Only the fields specified in the request are guaranteed to be returned in the response. Other fields may be empty in the response.

Fields
service_account

ServiceAccount

Authorization requires the following IAM permission on the specified resource serviceAccount:

  • iam.serviceAccounts.update
update_mask

FieldMask

Permission

A permission which can be included by a role.

Fields
name

string

The name of this Permission.

title

string

The title of this Permission.

description

string

A brief description of what this Permission is used for.

only_in_predefined_roles
(deprecated)

bool

This permission can ONLY be used in predefined roles.

stage

PermissionLaunchStage

The current launch stage of the permission.

custom_roles_support_level

CustomRolesSupportLevel

The current custom role support level.

api_disabled

bool

The service API associated with the permission is not enabled.

primary_permission

string

The preferred name for this permission. If present, then this permission is an alias of, and equivalent to, the listed primary_permission.

CustomRolesSupportLevel

The state of the permission with regards to custom roles.

Enums
SUPPORTED Default state. Permission is fully supported for custom role use.
TESTING Permission is being tested to check custom role compatibility.
NOT_SUPPORTED Permission is not supported for custom role use.

PermissionLaunchStage

A stage representing a permission's lifecycle phase.

Enums
ALPHA The permission is currently in an alpha phase.
BETA The permission is currently in a beta phase.
GA The permission is generally available.
DEPRECATED The permission is being deprecated.

QueryAuditableServicesRequest

A request to get the list of auditable services for a resource.

Fields
full_resource_name

string

Required. The full resource name to query from the list of auditable services.

The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

QueryAuditableServicesResponse

A response containing a list of auditable services for a resource.

Fields
services[]

AuditableService

The auditable services for a resource.

AuditableService

Contains information about an auditable service.

Fields
name

string

Public name of the service. For example, the service name for Cloud IAM is 'iam.googleapis.com'.

QueryGrantableRolesRequest

The grantable role query request.

Fields
full_resource_name

string

Required. The full resource name to query from the list of grantable roles.

The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

view

RoleView

page_size

int32

Optional limit on the number of roles to include in the response.

The default is 300, and the maximum is 1,000.

page_token

string

Optional pagination token returned in an earlier QueryGrantableRolesResponse.

QueryGrantableRolesResponse

The grantable role query response.

Fields
roles[]

Role

The list of matching roles.

next_page_token

string

To retrieve the next page of results, set QueryGrantableRolesRequest.page_token to this value.

QueryTestablePermissionsRequest

A request to get permissions which can be tested on a resource.

Fields
full_resource_name

string

Required. The full resource name to query from the list of testable permissions.

The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

page_size

int32

Optional limit on the number of permissions to include in the response.

The default is 100, and the maximum is 1,000.

page_token

string

Optional pagination token returned in an earlier QueryTestablePermissionsRequest.

QueryTestablePermissionsResponse

The response containing permissions which can be tested on a resource.

Fields
permissions[]

Permission

The Permissions testable on the requested resource.

next_page_token

string

To retrieve the next page of results, set QueryTestableRolesRequest.page_token to this value.

Role

A role in the Identity and Access Management API.

Fields
name

string

The name of the role.

When Role is used in CreateRole, the role name must not be set.

When Role is used in output and other input such as UpdateRole, the role name is the complete path, e.g., roles/logging.viewer for predefined roles and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles.

title

string

Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.

description

string

Optional. A human-readable description for the role.

included_permissions[]

string

The names of the permissions this role grants when bound in an IAM policy.

stage

RoleLaunchStage

The current launch stage of the role. If the ALPHA launch stage has been selected for a role, the stage field will not be included in the returned definition for the role.

etag

bytes

Used to perform a consistent read-modify-write.

deleted

bool

The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.

RoleLaunchStage

A stage representing a role's lifecycle phase.

Enums
ALPHA The user has indicated this role is currently in an Alpha phase. If this launch stage is selected, the stage field will not be included when requesting the definition for a given role.
BETA The user has indicated this role is currently in a Beta phase.
GA The user has indicated this role is generally available.
DEPRECATED The user has indicated this role is being deprecated.
DISABLED This role is disabled and will not contribute permissions to any principals it is granted to in policies.
EAP The user has indicated this role is currently in an EAP phase.

RoleView

A view for Role objects.

Enums
BASIC Omits the included_permissions field. This is the default value.
FULL Returns all fields.

ServiceAccount

An IAM service account.

A service account is an account for an application or a virtual machine (VM) instance, not a person. You can use a service account to call Google APIs. To learn more, read the overview of service accounts.

When you create a service account, you specify the project ID that owns the service account, as well as a name that must be unique within the project. IAM uses these values to create an email address that identifies the service account.

Fields
name

string

The resource name of the service account.

Use one of the following formats:

  • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
  • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

  • projects/-/serviceAccounts/{EMAIL_ADDRESS}
  • projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to get the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.
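An added example (not from the reference or Google's libraries) that parses the two name formats above, flags use of the - wildcard, and interprets a failed lookup in light of the 403-instead-of-404 caveat. It assumes that a purely numeric ACCOUNT is the unique_id and anything containing '@' is the email address; the names in the demo are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Formats listed for ServiceAccount.name; "-" may stand in for the project ID.
_NAME_RE = re.compile(r"^projects/(?P<project>[^/]+)/serviceAccounts/(?P<account>[^/]+)$")


@dataclass(frozen=True)
class ServiceAccountName:
    project_id: Optional[str]   # None when the "-" wildcard was used
    account: str                # email address or numeric unique ID
    account_kind: str           # "email" or "unique_id"

    @property
    def uses_wildcard(self) -> bool:
        return self.project_id is None

    def resource_name(self) -> str:
        return f"projects/{self.project_id or '-'}/serviceAccounts/{self.account}"


def parse_service_account_name(name: str) -> ServiceAccountName:
    """Split a service account resource name into its parts.
    Assumption: the unique ID is the stable numeric ID from ServiceAccount.unique_id,
    and anything containing '@' is an email address. Other forms are rejected."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a service account resource name: {name!r}")
    project, account = m.group("project"), m.group("account")
    if account.isdigit():
        kind = "unique_id"
    elif "@" in account and " " not in account:
        kind = "email"
    else:
        raise ValueError(f"ACCOUNT must be an email address or numeric unique_id: {account!r}")
    return ServiceAccountName(None if project == "-" else project, account, kind)


def is_valid_service_account_name(name: str) -> bool:
    try:
        parse_service_account_name(name)
    except ValueError:
        return False
    return True


def explain_get_failure(name: ServiceAccountName, http_status: int) -> str:
    """Interpret an error from a get-style call on this name.

    The docs warn that with the '-' wildcard a lookup of a non-existent account returns
    403 instead of 404, so a 403 cannot be read as 'exists but I lack permission'.
    With an explicit project ID a missing account is reported as 404."""
    if http_status == 404:
        return "account does not exist in the named project"
    if http_status == 403:
        if name.uses_wildcard:
            return ("permission denied OR account does not exist: the '-' wildcard hides "
                    "the difference; retry with an explicit project ID to tell them apart")
        return "permission denied: caller lacks iam.serviceAccounts.get on this name"
    return f"unexpected HTTP status {http_status}"


if __name__ == "__main__":
    # Constructed example names.
    n = parse_service_account_name("projects/-/serviceAccounts/fake@example.com")
    print(n.resource_name(), "wildcard:", n.uses_wildcard, "kind:", n.account_kind)
    print(explain_get_failure(n, 403))
```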

project_id

string

Output only. The ID of the project that owns the service account.

unique_id

string

Output only. The unique, stable numeric ID for the service account.

Each service account retains its unique ID even if you delete the service account. For example, if you delete a service account, then create a new service account with the same name, the new service account has a different unique ID than the deleted service account.

email

string

Output only. The email address of the service account.

display_name

string

Optional. A user-specified, human-readable name for the service account. The maximum length is 100 UTF-8 bytes.

etag
(deprecated)

bytes

Deprecated. Do not use.

description

string

Optional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes.

oauth2_client_id

string

Output only. The OAuth 2.0 client ID for the service account.

disabled

bool

Output only. Whether the service account is disabled.

ServiceAccountKey

Represents a service account key.

A service account has two sets of key pairs: user-managed and system-managed.

User-managed key pairs can be created and deleted by users. Users are responsible for rotating these keys periodically to ensure the security of their service accounts. Users retain the private key of these key pairs, and Google retains ONLY the public key.

System-managed keys are automatically rotated by Google, and are used for signing for a maximum of two weeks. The rotation process is probabilistic, and usage of the new key will gradually ramp up and down over the key's lifetime.

If you cache the public key set for a service account, we recommend that you update the cache every 15 minutes. User-managed keys can be added and removed at any time, so it is important to update the cache frequently. For Google-managed keys, Google will publish a key at least 6 hours before it is first used for signing and will keep publishing it for at least 6 hours after it was last used for signing.

Public keys for all service accounts are also published at the OAuth2 Service Account API.
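An added example (not part of the reference or of any Google library) of a verifier-side public key cache that follows the figures above: the key set is re-read every 15 minutes, a key is accepted from valid_after_time until valid_before_time plus the 6-hour window during which Google keeps publishing it, and disabled keys are refused. `fetch` stands in for a ListServiceAccountKeys (or JWKS) call; the one-minute cap on refreshes triggered by unknown key IDs is this example's own choice, not a documented value, and the clock is injected so the schedule can be exercised deterministically.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Operational figures from the ServiceAccountKey description above.
REFRESH_INTERVAL = timedelta(minutes=15)  # re-read the key set at least this often
POST_SIGNING_GRACE = timedelta(hours=6)   # key stays published >= 6 h after last signing use
# Our own choice (not from the docs): how often an unknown key ID may trigger an
# out-of-band refresh, so a flood of bogus key IDs cannot become a flood of API calls.
MIN_FORCED_REFRESH_GAP = timedelta(minutes=1)


@dataclass(frozen=True)
class PublicKeyRecord:
    """The subset of ServiceAccountKey a verifier needs (the {key} name suffix as key_id)."""
    key_id: str
    public_key_data: bytes      # e.g. TYPE_X509_PEM_FILE contents; opaque here
    valid_after_time: datetime
    valid_before_time: datetime
    disabled: bool = False


def key_usable_for_verification(rec: PublicKeyRecord, now: datetime) -> bool:
    """Apply the validity window: usable from valid_after_time, and for a grace period
    after valid_before_time because signatures made near the end of the signing window
    may still be in flight. Disabled keys are never accepted. No clock-skew allowance."""
    if rec.disabled or now < rec.valid_after_time:
        return False
    return now <= rec.valid_before_time + POST_SIGNING_GRACE


class ServiceAccountKeyCache:
    """Cache of one service account's public keys, refreshed on the documented schedule."""

    def __init__(self, fetch: Callable[[], Dict[str, PublicKeyRecord]],
                 now: Callable[[], datetime]) -> None:
        self._fetch = fetch
        self._now = now
        self._keys: Dict[str, PublicKeyRecord] = {}
        self._fetched_at: Optional[datetime] = None
        self.fetch_count = 0  # exposed so the refresh behaviour can be observed

    def _refresh(self, *, force: bool = False) -> None:
        now = self._now()
        if self._fetched_at is None:
            stale = True
        else:
            age = now - self._fetched_at
            stale = age >= REFRESH_INTERVAL or (force and age >= MIN_FORCED_REFRESH_GAP)
        if stale:
            # Replace, don't merge: a user-managed key deleted upstream must drop out.
            self._keys = dict(self._fetch())
            self._fetched_at = now
            self.fetch_count += 1

    def key_for_verification(self, key_id: str) -> Optional[PublicKeyRecord]:
        """Return the key to verify a signature made with key_id, or None to reject.
        An unknown key ID earns one rate-limited forced refresh, since a user-managed key
        may have been added since the last fetch; a still-unknown ID is rejected."""
        self._refresh()
        rec = self._keys.get(key_id)
        if rec is None:
            self._refresh(force=True)
            rec = self._keys.get(key_id)
        if rec is None or not key_usable_for_verification(rec, self._now()):
            return None
        return rec


if __name__ == "__main__":
    # Constructed key set and a fixed clock.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    keys = {"k1": PublicKeyRecord("k1", b"<pem>", t0 - timedelta(hours=1), t0 + timedelta(days=13))}
    cache = ServiceAccountKeyCache(lambda: dict(keys), lambda: t0)
    print("k1 usable:", cache.key_for_verification("k1") is not None)
    print("unknown kid usable:", cache.key_for_verification("k2") is not None)
```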

Fields
name

string

The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

private_key_type

ServiceAccountPrivateKeyType

The output format for the private key. Only provided in CreateServiceAccountKey responses, not in GetServiceAccountKey or ListServiceAccountKey responses.

Google never exposes system-managed private keys, and never retains user-managed private keys.

key_algorithm

ServiceAccountKeyAlgorithm

Specifies the algorithm (and possibly key size) for the key.

private_key_data

bytes

The private key data. Only provided in CreateServiceAccountKey responses. Make sure to keep the private key data secure because it allows for the assertion of the service account identity. When base64 decoded, the private key data can be used to authenticate with Google API client libraries and with gcloud auth activate-service-account.

public_key_data

bytes

The public key data. Only provided in GetServiceAccountKey responses.

valid_after_time

Timestamp

The key can be used after this timestamp.

valid_before_time

Timestamp

The key can be used before this timestamp. For system-managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time.

key_origin

ServiceAccountKeyOrigin

The key origin.

key_type

KeyType

The key type.

disabled

bool

The key status: whether the key is disabled.

ServiceAccountKeyAlgorithm

Supported key algorithms.

Enums
KEY_ALG_UNSPECIFIED An unspecified key algorithm.
KEY_ALG_RSA_1024 1k RSA Key.
KEY_ALG_RSA_2048 2k RSA Key.

ServiceAccountKeyOrigin

Service Account Key Origin.

Enums
ORIGIN_UNSPECIFIED Unspecified key origin.
USER_PROVIDED Key is provided by user.
GOOGLE_PROVIDED Key is provided by Google.

ServiceAccountPrivateKeyType

Supported private key output formats.

Enums
TYPE_UNSPECIFIED Unspecified. Equivalent to TYPE_GOOGLE_CREDENTIALS_FILE.
TYPE_PKCS12_FILE PKCS12 format. The password for the PKCS12 file is notasecret. For more information, see https://tools.ietf.org/html/rfc7292.
TYPE_GOOGLE_CREDENTIALS_FILE Google Credentials File format.

ServiceAccountPublicKeyType

Supported public key output formats.

Enums
TYPE_NONE Do not return the public key.
TYPE_X509_PEM_FILE X509 PEM format.
TYPE_RAW_PUBLIC_KEY Raw public key.

SignBlobRequest

Deprecated. Migrate to Service Account Credentials API.

The service account sign blob request.

Fields
name
(deprecated)

string

Required. Deprecated. Migrate to Service Account Credentials API.

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.signBlob
bytes_to_sign
(deprecated)

bytes

Required. Deprecated. Migrate to Service Account Credentials API.

The bytes to sign.

SignBlobResponse

Deprecated. Migrate to Service Account Credentials API.

The service account sign blob response.

Fields
key_id
(deprecated)

string

Deprecated. Migrate to Service Account Credentials API.

The id of the key used to sign the blob.

signature
(deprecated)

bytes

Deprecated. Migrate to Service Account Credentials API.

The signed blob.

SignJwtRequest

Deprecated. Migrate to Service Account Credentials API.

The service account sign JWT request.

Fields
name
(deprecated)

string

Required. Deprecated. Migrate to Service Account Credentials API.

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.signJwt
payload
(deprecated)

string

Required. Deprecated. Migrate to Service Account Credentials API.

The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. For example: {"sub": "user@example.com", "iat": 313435}

If the JWT Claims Set contains an expiration time (exp) claim, it must be an integer timestamp that is not in the past and no more than 12 hours in the future.

If the JWT Claims Set does not contain an expiration time (exp) claim, this claim is added automatically, with a timestamp that is 1 hour in the future.
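An added example (not part of the reference or of Google's client libraries) that applies the payload rules above before a request is sent: the payload must be a serialized JSON object, exp (if present) must be an integer that is neither in the past nor more than 12 hours ahead, and a missing exp becomes now + 1 hour. It also shows setting a deliberately short exp rather than relying on the default. The current time is passed in as a Unix timestamp so the checks are deterministic.

```python
import json
from typing import Any, Dict, Optional

MAX_EXP_AHEAD_SECONDS = 12 * 60 * 60   # exp may be at most 12 hours in the future
DEFAULT_EXP_AHEAD_SECONDS = 60 * 60    # added by the service when exp is absent


class ClaimsError(ValueError):
    """The payload would be rejected under the documented SignJwt rules."""


def prepare_sign_jwt_claims(payload: str, now: int) -> Dict[str, Any]:
    """Validate a serialized JWT Claims Set against the SignJwt rules above and return
    the claims that would actually end up in the signed JWT.

    `now` is the current Unix time in seconds. An exp equal to `now` is treated as
    not yet in the past."""
    try:
        claims = json.loads(payload)
    except json.JSONDecodeError as exc:
        raise ClaimsError(f"payload is not valid JSON: {exc.msg}") from None
    if not isinstance(claims, dict):
        raise ClaimsError("payload must be a serialized JSON object (a JWT Claims Set)")
    if "exp" not in claims:
        # The service fills in exp = now + 1 hour; mirror it so callers see the real lifetime.
        claims["exp"] = now + DEFAULT_EXP_AHEAD_SECONDS
        return claims
    exp = claims["exp"]
    # bool is a subclass of int in Python; it is not an integer timestamp.
    if isinstance(exp, bool) or not isinstance(exp, int):
        raise ClaimsError("exp must be an integer timestamp")
    if exp < now:
        raise ClaimsError("exp is in the past")
    if exp - now > MAX_EXP_AHEAD_SECONDS:
        raise ClaimsError("exp is more than 12 hours in the future")
    return claims


def claims_problem(payload: str, now: int) -> Optional[str]:
    """Pre-flight helper: the rejection reason, or None if the payload would be accepted."""
    try:
        prepare_sign_jwt_claims(payload, now)
    except ClaimsError as exc:
        return str(exc)
    return None


def short_lived_payload(claims: Dict[str, Any], now: int, lifetime_seconds: int) -> str:
    """Serialize claims with an explicit exp so the token lives no longer than the caller
    needs, instead of the 1-hour default. Lifetimes beyond the 12-hour ceiling are
    refused rather than silently clamped."""
    if not 0 < lifetime_seconds <= MAX_EXP_AHEAD_SECONDS:
        raise ClaimsError("lifetime must be between 1 second and 12 hours")
    out = dict(claims)
    out["exp"] = now + lifetime_seconds
    return json.dumps(out, separators=(",", ":"), sort_keys=True)


if __name__ == "__main__":
    # Constructed inputs; the first is the payload from the field description above.
    now = 1_700_000_000
    print(prepare_sign_jwt_claims('{"sub": "user@example.com", "iat": 313435}', now))
    print(claims_problem('{"sub": "user@example.com", "exp": 313435}', now))
    print(short_lived_payload({"sub": "user@example.com"}, now, 300))
```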

SignJwtResponse

Deprecated. Migrate to Service Account Credentials API.

The service account sign JWT response.

Fields
key_id
(deprecated)

string

Deprecated. Migrate to Service Account Credentials API.

The id of the key used to sign the JWT.

signed_jwt
(deprecated)

string

Deprecated. Migrate to Service Account Credentials API.

The signed JWT.

UndeleteRoleRequest

The request to undelete an existing role.

Fields
name

string

The name parameter's value depends on the target resource for the request, namely projects or organizations. Each resource type's name value format is described below:

  • projects.roles.undelete(): projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}. This method undeletes only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

  • organizations.roles.undelete(): organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}. This method undeletes only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource name:

  • iam.roles.undelete
etag

bytes

Used to perform a consistent read-modify-write.

UndeleteServiceAccountRequest

The service account undelete request.

Fields
name

string

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT_UNIQUE_ID}. Using - as a wildcard for the PROJECT_ID will infer the project from the account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.undelete

UndeleteServiceAccountResponse

Fields
restored_account

ServiceAccount

Metadata for the restored service account.

UndeleteWorkforcePoolProviderRequest

Request message for UndeleteWorkforcePoolProvider.

Fields
name

string

Required. The name of the provider to undelete.

Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}

UndeleteWorkforcePoolRequest

Request message for UndeleteWorkforcePool.

Fields
name

string

Required. The name of the pool to undelete.

Format: locations/{location}/workforcePools/{workforce_pool_id}

UndeleteWorkforcePoolSubjectRequest

Request message for UndeleteWorkforcePoolSubject.

Fields
name

string

Required. The resource name of the WorkforcePoolSubject. Special characters, like '/' and ':', must be escaped, because all URLs need to conform to the "When to Escape and Unescape" section of RFC3986.

Format: locations/{location}/workforcePools/{workforce_pool_id}/subjects/{subject_id}

UpdateRoleRequest

The request to update a role.

Fields
name

string

The name parameter's value depends on the target resource for the request, namely projects or organizations. Each resource type's name value format is described below:

  • projects.roles.patch(): projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}. This method updates only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

  • organizations.roles.patch(): organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}. This method updates only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource name:

  • iam.roles.update
role

Role

The updated role.

update_mask

FieldMask

A mask describing which fields in the Role have changed.

UpdateWorkforcePoolProviderRequest

Request message for UpdateWorkforcePoolProvider.

Fields
workforce_pool_provider

WorkforcePoolProvider

Required. The provider to update.

update_mask

FieldMask

Required. The list of fields to update.

UpdateWorkforcePoolRequest

Request message for UpdateWorkforcePool.

Fields
workforce_pool

WorkforcePool

Required. The pool to update. The name field is used to identify the pool.

update_mask

FieldMask

Required. The list of fields to update.

UploadServiceAccountKeyRequest

The service account key upload request.

Fields
name

string

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.create
public_key_data

bytes

The public key to associate with the service account. Must be an RSA public key that is wrapped in an X.509 v3 certificate. Include the first line, -----BEGIN CERTIFICATE-----, and the last line, -----END CERTIFICATE-----.

WorkforcePool

Represents a collection of external workforces. Provides namespaces for federated users that can be referenced in IAM policies.

Fields
name

string

Output only. The resource name of the pool.

Format: locations/{location}/workforcePools/{workforce_pool_id}

parent

string

Immutable. The resource name of the parent.

Format: organizations/{org-id}.

display_name

string

A user-specified display name of the pool in Google Cloud Console.

Cannot exceed 32 characters.

description

string

A user-specified description of the pool.

Cannot exceed 256 characters.

state

State

Output only. The state of the pool.

disabled

bool

Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

session_duration

Duration

Duration that the Google Cloud access tokens, console sign-in sessions, and gcloud sign-in sessions from this pool are valid.

Must be greater than 15 minutes (900s) and less than 12 hours (43200s). If session_duration is not configured, minted credentials have a default duration of one hour (3600s).

State

The current state of the pool.

Enums
STATE_UNSPECIFIED State unspecified.
ACTIVE The pool is active and may be used in Google Cloud policies.
DELETED

The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkforcePool.

You cannot reuse the ID of a soft-deleted pool until it is permanently deleted.

While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

WorkforcePoolProvider

A configuration for an external identity provider.

Fields
name

string

Output only. The resource name of the provider.

Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}

display_name

string

A user-specified display name for the provider.

Cannot exceed 32 characters.

description

string

A user-specified description of the provider. Cannot exceed 256 characters.

state

State

Output only. The state of the provider.

disabled

bool

Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

attribute_mapping

map<string, string>

Required. Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment.

Each key must be a string specifying the Google Cloud IAM attribute to map to.

The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.

  • google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.

  • google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.

  • google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings.

You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_].

You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:

  • google.subject: principal://iam.googleapis.com/locations/global/workforcePools/{pool}/subject/{value}

  • google.groups: principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/group/{value}

  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/attribute.{custom_attribute}/{value}

Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key.

You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider.

The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB.

For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

{"google.subject": "assertion.sub"}
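The key rules above (the four google.* keys, attribute.{custom_attribute} names limited to [a-z0-9_], at most 50 custom attributes, 100-character keys, 2048-character expressions, and google.subject being mandatory) are easy to get wrong in a pool's Terraform or API payload. The following is an added example, not code from the page or from Google's client libraries, that checks a mapping against those documented limits and builds the matching principal identifiers for IAM bindings. It assumes the 100-character limit applies to the full attribute.<name> key and that the location segment is global as in the patterns above; it does not evaluate the CEL expressions themselves.

```python
from __future__ import annotations

import re

# Limits and key names are taken from the attribute_mapping description above.
RESERVED_KEYS = {"google.subject", "google.groups", "google.display_name", "google.profile_photo"}
# Keys that may appear in IAM bindings, with the principal type and path segment each one produces.
BINDING_KEYS = {"google.subject": ("principal", "subject"), "google.groups": ("principalSet", "group")}
CUSTOM_KEY_RE = re.compile(r"^attribute\.[a-z0-9_]+$")
MAX_CUSTOM_ATTRIBUTES = 50
MAX_KEY_LENGTH = 100          # assumption: measured on the full "attribute.<name>" key
MAX_EXPRESSION_LENGTH = 2048


def validate_attribute_mapping(mapping: dict[str, str]) -> list[str]:
    """Return the documented limits this mapping violates (an empty list means it passes).

    Only structural limits are checked; the CEL expressions are not evaluated.
    """
    problems: list[str] = []
    custom_count = 0
    for key, expression in mapping.items():
        if key in RESERVED_KEYS:
            pass
        elif CUSTOM_KEY_RE.match(key):
            custom_count += 1
            if len(key) > MAX_KEY_LENGTH:
                problems.append(f"{key}: key is longer than {MAX_KEY_LENGTH} characters")
        else:
            problems.append(f"{key}: unsupported key (expected google.* or attribute.<name> with [a-z0-9_])")
        if not isinstance(expression, str) or not expression.strip():
            problems.append(f"{key}: value must be a non-empty CEL expression string")
        elif len(expression) > MAX_EXPRESSION_LENGTH:
            problems.append(f"{key}: expression is longer than {MAX_EXPRESSION_LENGTH} characters")
    if "google.subject" not in mapping:
        problems.append("google.subject: required mapping is missing")
    if custom_count > MAX_CUSTOM_ATTRIBUTES:
        problems.append(f"{custom_count} custom attributes exceeds the limit of {MAX_CUSTOM_ATTRIBUTES}")
    return problems


def principal_identifier(pool_id: str, key: str, value: str, location: str = "global") -> str:
    """Build the IAM principal identifier for a mapped attribute value, following the patterns above."""
    base = f"iam.googleapis.com/locations/{location}/workforcePools/{pool_id}"
    if key in BINDING_KEYS:
        scheme, segment = BINDING_KEYS[key]
        return f"{scheme}://{base}/{segment}/{value}"
    if CUSTOM_KEY_RE.match(key):
        return f"principalSet://{base}/{key}/{value}"
    # google.display_name and google.profile_photo cannot be referenced in IAM bindings.
    raise ValueError(f"{key} cannot be referenced in an IAM binding")


if __name__ == "__main__":
    # Constructed sample mapping for an OIDC provider.
    example = {"google.subject": "assertion.sub", "google.groups": "assertion.groups", "attribute.team": "assertion.team"}
    print(validate_attribute_mapping(example))
    print(principal_identifier("my-pool", "attribute.team", "sre"))
```

Run it before submitting the provider configuration: a mapping that passes here can still be rejected by the API for reasons the page does not list (for example a CEL expression that does not compile), but a mapping that fails here will certainly be rejected.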
attribute_condition

string

A Common Expression Language expression, in plain text, that restricts which otherwise valid authentication credentials issued by the provider are accepted.

The expression must output a boolean representing whether to allow the federation.

The following keywords may be referenced in the expressions:

  • assertion: JSON representing the authentication credential issued by the provider.
  • google: The Google attributes mapped from the assertion in the attribute_mappings. google.profile_photo and google.display_name are not supported.
  • attribute: The custom attributes mapped from the assertion in the attribute_mappings.

The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials will be accepted.

The following example shows how to only allow credentials with a mapped google.groups value of admins:

"'admins' in google.groups"

Union field provider_config.

provider_config can be only one of the following:

saml

Saml

A SAML identity provider configuration.

oidc

Oidc

An OpenId Connect 1.0 identity provider configuration.

Oidc

Represents an OpenId Connect 1.0 identity provider.

Fields
issuer_uri

string

Required. The OIDC issuer URI. Must be a valid URI using the 'https' scheme.

client_id

string

Required. The client ID. Must match the audience claim of the JWT issued by the identity provider.

Saml

Represents a SAML identity provider.

Fields
idp_metadata_xml

string

Required. The SAML identity provider's configuration metadata XML document. The document must comply with the SAML 2.0 specification and may not exceed 128k characters.

The metadata XML document must satisfy the following constraints:

  • It must contain an identity provider entity ID.
  • It must contain at least one non-expired signing key certificate.
  • For each signing key, the "valid from" date may be no more than 7 days from now, and the "valid to" date no more than 10 years in the future.
  • At most 3 IdP signing keys are allowed in the metadata XML.

When updating the provider's metadata XML, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if the existing metadata contains no non-expired signing keys.
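The overlap rule is the one that bites during IdP signing-key rotation: a metadata upload whose signing certificates share nothing with the current metadata is rejected, so the new key has to be published alongside the old one first. The following added example, not code from the page or from Google, runs the structural checks above (entity ID present, 1 to 3 signing keys, size limit, overlap with the existing metadata) over metadata built with a small constructed generator whose "certificates" are placeholder strings. It assumes a KeyDescriptor with no use attribute counts as a signing key, and it treats every certificate as non-expired because the 7-day / 10-year validity-window checks need an X.509 parser that is out of scope here.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MAX_METADATA_CHARS = 128 * 1024   # "128k characters" above; the exact multiplier is an assumption
MAX_SIGNING_KEYS = 3


def signing_certificates(metadata_xml: str) -> tuple[str | None, list[str]]:
    """Return (entityID, signing certificates) from an IdP metadata document.

    Certificate text is whitespace-normalised so documents that wrap the base64
    differently still compare equal. A KeyDescriptor without a use attribute is
    treated as a signing key (assumption: in SAML metadata an absent use means both).
    """
    root = ET.fromstring(metadata_xml)
    entity = root if root.tag == f"{{{MD_NS}}}EntityDescriptor" else root.find(f"{{{MD_NS}}}EntityDescriptor")
    if entity is None:
        return None, []
    certs: list[str] = []
    for idp in entity.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
            if kd.get("use") not in (None, "signing"):
                continue  # encryption-only keys are not signing keys
            for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
                certs.append("".join((cert.text or "").split()))
    return entity.get("entityID"), certs


def check_metadata(new_xml: str, existing_xml: str | None = None) -> list[str]:
    """Return the documented constraints the new metadata violates (an empty list means it passes).

    Validity-window checks are not implemented, so every signing certificate is
    treated as non-expired for the overlap rule.
    """
    problems: list[str] = []
    if len(new_xml) > MAX_METADATA_CHARS:
        problems.append(f"metadata exceeds {MAX_METADATA_CHARS} characters")
    entity_id, certs = signing_certificates(new_xml)
    if not entity_id:
        problems.append("missing identity provider entityID")
    if not certs:
        problems.append("no signing key certificate found")
    elif len(certs) > MAX_SIGNING_KEYS:
        problems.append(f"{len(certs)} signing keys exceeds the limit of {MAX_SIGNING_KEYS}")
    if existing_xml is not None:
        _, old_certs = signing_certificates(existing_xml)
        if old_certs and not set(old_certs) & set(certs):
            problems.append("no signing key overlaps with the existing metadata")
    return problems


def make_metadata(entity_id: str | None, certs: list[str]) -> str:
    """Build a minimal constructed IdP metadata document; the certificates are placeholder strings."""
    entity_attr = f' entityID="{entity_id}"' if entity_id else ""
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for c in certs
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"{entity_attr}>'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{keys}"
        '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        'Location="https://idp.example.com/sso"/>'
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


if __name__ == "__main__":
    current = make_metadata("https://idp.example.com/saml", ["CERT-A-PLACEHOLDER"])
    rotated = make_metadata("https://idp.example.com/saml", ["CERT-A-PLACEHOLDER", "CERT-B-PLACEHOLDER"])
    print(check_metadata(rotated, current))
    print(check_metadata(make_metadata("https://idp.example.com/saml", ["CERT-C-PLACEHOLDER"]), current))
```

The rotation sequence this encodes is: publish metadata containing both the old and the new signing certificate, update the provider, switch the IdP to sign with the new key, then publish metadata with only the new certificate and update again; each step keeps at least one certificate in common with the previous metadata.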

State

The current state of the provider.

Enums
STATE_UNSPECIFIED State unspecified.
ACTIVE The provider is active and may be used to validate authentication credentials.
DELETED The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkforcePoolProvider.