Package google.iam.admin.v1

IAM

Creates and manages Identity and Access Management (IAM) resources.

You can use this service to work with all of the following resources:

  • Service accounts, which identify an application or a virtual machine (VM) instance rather than a person
  • Service account keys, which service accounts use to authenticate with Google APIs
  • IAM policies for service accounts, which specify the roles that a principal has for the service account
  • IAM custom roles, which help you limit the number of permissions that you grant to principals

In addition, you can use this service to complete the following tasks, among others:

  • Test whether a service account can use specific permissions
  • Check which roles you can grant for a specific resource
  • Lint, or validate, condition expressions in an IAM policy

When you read data from the IAM API, each read is eventually consistent. In other words, if you write data with the IAM API, then immediately read that data, the read operation might return an older version of the data. To deal with this behavior, your application can retry the request with truncated exponential backoff.

In contrast, writing data to the IAM API is sequentially consistent. In other words, write operations are always processed in the order in which they were received.
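The read-after-write behaviour described above, as an added example rather than code from the API reference: a write (here a key disable) is applied in order, but a read that follows it may still come from a lagging replica, so the confirmation read is retried with truncated exponential backoff plus jitter. The replica class, key name and `disabled` field values are constructed stand-ins, not calls to the real client.

```python
import random
import time
from typing import Callable, List, Optional, Tuple, TypeVar

T = TypeVar("T")


def read_with_backoff(
    read: Callable[[], T],
    is_fresh: Callable[[T], bool],
    max_attempts: int = 6,
    base_delay: float = 0.5,
    max_delay: float = 8.0,
    sleep: Callable[[float], None] = time.sleep,
    rng: Optional[random.Random] = None,
) -> Tuple[T, int]:
    """Repeat an eventually consistent read until is_fresh() accepts the result.

    Before attempt n (n >= 2) it waits min(max_delay, base_delay * 2**(n-2))
    plus a random jitter of up to that same amount: truncated exponential
    backoff. Returns (value, reads_performed); raises TimeoutError if the data
    is still stale after max_attempts reads.
    """
    rng = rng or random.Random()
    last = None
    for attempt in range(1, max_attempts + 1):
        value = read()
        if is_fresh(value):
            return value, attempt
        last = value
        if attempt < max_attempts:
            delay = min(max_delay, base_delay * 2 ** (attempt - 1))
            sleep(delay + rng.uniform(0, delay))
    raise TimeoutError(f"still stale after {max_attempts} reads: {last!r}")


class LaggingReplica:
    """Constructed stand-in for DisableServiceAccountKey + GetServiceAccountKey
    (not the real API client): after a write it serves the pre-write state for
    `stale_reads` reads, then the written state."""

    # Constructed resource name in the page's projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key} format.
    KEY_NAME = ("projects/my-project-123/serviceAccounts/"
                "my-sa@my-project-123.iam.gserviceaccount.com/keys/example-key-id")

    def __init__(self, stale_reads: int) -> None:
        self.stale_reads = stale_reads
        self.reads_since_write = 0
        self.disabled = False

    def disable_key(self) -> None:
        """The write itself is applied in order; only reads lag behind it."""
        self.disabled = True
        self.reads_since_write = 0

    def get_key(self) -> dict:
        """A read that may come from a replica that has not seen the write yet."""
        self.reads_since_write += 1
        lagging = self.reads_since_write <= self.stale_reads
        return {"name": self.KEY_NAME, "disabled": False if lagging else self.disabled}


def disable_and_confirm(stale_reads: int) -> Tuple[dict, int, List[float]]:
    """Disable a key, then poll until a read reflects the write. Sleeps are
    recorded instead of performed, so this returns immediately."""
    replica = LaggingReplica(stale_reads)
    delays: List[float] = []
    replica.disable_key()
    key, reads = read_with_backoff(
        replica.get_key,
        is_fresh=lambda k: k["disabled"],
        sleep=delays.append,
        rng=random.Random(0),  # fixed seed so the jitter is reproducible
    )
    return key, reads, delays


if __name__ == "__main__":
    key, reads, delays = disable_and_confirm(stale_reads=3)
    print(f"disabled={key['disabled']} after {reads} reads, "
          f"waited {[round(d, 2) for d in delays]} seconds between reads")
```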

CreateRole

rpc CreateRole(CreateRoleRequest) returns (Role)

Creates a new custom Role.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateServiceAccount

rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount)

Creates a ServiceAccount.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateServiceAccountKey

rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey)

Creates a ServiceAccountKey.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteRole

rpc DeleteRole(DeleteRoleRequest) returns (Role)

Deletes a custom Role.

When you delete a custom role, the following changes occur immediately:

  • You cannot bind a principal to the custom role in an IAM Policy.
  • Existing bindings to the custom role are not changed, but they have no effect.
  • By default, the response from ListRoles does not include the custom role.

You have 7 days to undelete the custom role. After 7 days, the following changes occur:

  • The custom role is permanently deleted and cannot be recovered.
  • If an IAM policy contains a binding to the custom role, the binding is permanently removed.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteServiceAccount

rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (Empty)

Deletes a ServiceAccount.

Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead.

If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteServiceAccountKey

rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (Empty)

Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DisableServiceAccount

rpc DisableServiceAccount(DisableServiceAccountRequest) returns (Empty)

Disables a ServiceAccount immediately.

If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail.

To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DisableServiceAccountKey

rpc DisableServiceAccountKey(DisableServiceAccountKeyRequest) returns (Empty)

Disables a ServiceAccountKey. A disabled service account key can be re-enabled with EnableServiceAccountKey.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

EnableServiceAccount

rpc EnableServiceAccount(EnableServiceAccountRequest) returns (Empty)

Enables a ServiceAccount that was disabled by DisableServiceAccount.

If the service account is already enabled, then this method has no effect.

If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

EnableServiceAccountKey

rpc EnableServiceAccountKey(EnableServiceAccountKeyRequest) returns (Empty)

Enables a ServiceAccountKey.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetIamPolicy

rpc GetIamPolicy(GetIamPolicyRequest) returns (Policy)

Gets the IAM policy that is attached to a ServiceAccount. This IAM policy specifies which principals have access to the service account.

This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetRole

rpc GetRole(GetRoleRequest) returns (Role)

Gets the definition of a Role.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetServiceAccount

rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount)

Gets a ServiceAccount.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetServiceAccountKey

rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey)

Gets a ServiceAccountKey.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

LintPolicy

rpc LintPolicy(LintPolicyRequest) returns (LintPolicyResponse)

Lints, or validates, an IAM policy. Currently checks the google.iam.v1.Binding.condition field, which contains a condition expression for a role binding.

Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListRoles

rpc ListRoles(ListRolesRequest) returns (ListRolesResponse)

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListServiceAccountKeys

rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse)

Lists every ServiceAccountKey for a service account.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListServiceAccounts

rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse)

Lists every ServiceAccount that belongs to a specific project.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

PatchServiceAccount

rpc PatchServiceAccount(PatchServiceAccountRequest) returns (ServiceAccount)

Patches a ServiceAccount.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

QueryAuditableServices

rpc QueryAuditableServices(QueryAuditableServicesRequest) returns (QueryAuditableServicesResponse)

Returns a list of services that allow you to opt into audit logs that are not generated by default.

To learn more about audit logs, see the Logging documentation.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

QueryGrantableRoles

rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse)

Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

QueryTestablePermissions

rpc QueryTestablePermissions(QueryTestablePermissionsRequest) returns (QueryTestablePermissionsResponse)

Lists every permission that you can test on a resource. A permission is testable if you can check whether a principal has that permission on the resource.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

SetIamPolicy

rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy)

Sets the IAM policy that is attached to a ServiceAccount.

Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account.

This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:

  1. Call the resource's getIamPolicy method to get its current IAM policy.
  2. Edit the policy so that it binds the service account to an IAM role for the resource.
  3. Call the resource's setIamPolicy method to update its IAM policy.

For detailed instructions, see Manage access to project, folders, and organizations or Manage access to other resources.
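The three steps above, as an added example that is not part of the API reference: the policy is read, a binding for the service account is added without disturbing the etag, and the write is retried from step 1 when a concurrent writer changed the policy in between. The resource is an in-memory stand-in for a resource's getIamPolicy/setIamPolicy (it is not the Resource Manager client), and the member, role and etag values are constructed.

```python
import base64
import copy
from typing import Callable, List


class EtagMismatch(Exception):
    """The policy changed between the read and the write; re-read and retry."""


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Step 2: return a copy of the policy that binds `member` to `role`.

    Appends to an existing unconditional binding for the role (never
    duplicating a member) or adds a new binding. Conditional bindings are
    left alone. The etag from step 1 is kept so the write in step 3 stays
    conditional on the policy not having changed since it was read.
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def grant_role_to_service_account(
    get_iam_policy: Callable[[], dict],
    set_iam_policy: Callable[[dict], dict],
    role: str,
    service_account_email: str,
    max_attempts: int = 3,
) -> dict:
    """Steps 1-3 against the resource's own getIamPolicy/setIamPolicy, retried
    from the read when the write is rejected because the policy changed."""
    member = f"serviceAccount:{service_account_email}"
    for _ in range(max_attempts):
        current = get_iam_policy()                    # step 1
        desired = add_binding(current, role, member)  # step 2
        try:
            return set_iam_policy(desired)            # step 3
        except EtagMismatch:
            continue
    raise RuntimeError(f"policy kept changing; gave up after {max_attempts} attempts")


class FakeResource:
    """Constructed in-memory stand-in for a resource's getIamPolicy/setIamPolicy
    (not a real API). Like the real one it rejects a write whose etag is not
    the current one; it can also inject a concurrent write for the demo."""

    def __init__(self, bindings: List[dict]) -> None:
        self.generation = 0
        self.policy = {"version": 1, "bindings": bindings, "etag": self._etag(0)}
        self.get_calls = 0
        self.pending_concurrent_writes = 0

    @staticmethod
    def _etag(generation: int) -> str:
        return base64.b64encode(f"gen-{generation}".encode()).decode()

    def _commit(self, policy: dict) -> None:
        self.generation += 1
        self.policy = {**copy.deepcopy(policy), "etag": self._etag(self.generation)}

    def get_iam_policy(self) -> dict:
        self.get_calls += 1
        return copy.deepcopy(self.policy)

    def set_iam_policy(self, policy: dict) -> dict:
        if self.pending_concurrent_writes:
            # Another principal writes between our read and our write.
            self.pending_concurrent_writes -= 1
            self._commit(add_binding(self.policy, "roles/viewer", "user:alice@example.test"))
        if policy.get("etag") != self.policy["etag"]:
            raise EtagMismatch("policy etag does not match the current policy")
        self._commit(policy)
        return copy.deepcopy(self.policy)


def demo() -> dict:
    """Grant a constructed service account a role on a resource whose policy is
    changed by someone else mid-way: the first write is rejected, the retry lands."""
    resource = FakeResource([{"role": "roles/owner", "members": ["user:admin@example.test"]}])
    resource.pending_concurrent_writes = 1
    final = grant_role_to_service_account(
        resource.get_iam_policy,
        resource.set_iam_policy,
        "roles/storage.objectViewer",
        "my-sa@my-project-123.iam.gserviceaccount.com",
    )
    return {"policy": final, "reads": resource.get_calls}


if __name__ == "__main__":
    result = demo()
    print(f"{result['reads']} reads; final etag {result['policy']['etag']}")
    for b in result["policy"]["bindings"]:
        print(f"  {b['role']}: {b['members']}")
```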

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

SignBlob

rpc SignBlob(SignBlobRequest) returns (SignBlobResponse)

Note: This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a blob using the system-managed private key for a ServiceAccount.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

SignJwt

rpc SignJwt(SignJwtRequest) returns (SignJwtResponse)

Note: This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

TestIamPermissions

rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse)

Tests whether the caller has the specified permissions on a ServiceAccount.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UndeleteRole

rpc UndeleteRole(UndeleteRoleRequest) returns (Role)

Undeletes a custom Role.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UndeleteServiceAccount

rpc UndeleteServiceAccount(UndeleteServiceAccountRequest) returns (UndeleteServiceAccountResponse)

Restores a deleted ServiceAccount.

Important: It is not always possible to restore a deleted service account. Use this method only as a last resort.

After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateRole

rpc UpdateRole(UpdateRoleRequest) returns (Role)

Updates the definition of a custom Role.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateServiceAccount

rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount)

Note: We are in the process of deprecating this method. Use PatchServiceAccount instead.

Updates a ServiceAccount.

You can update only the display_name field.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UploadServiceAccountKey

rpc UploadServiceAccountKey(UploadServiceAccountKeyRequest) returns (ServiceAccountKey)

Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount.

After you upload the public key, you can use the private key from the key pair as a service account key.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

AuditData

Audit log information specific to Cloud IAM admin APIs. This message is serialized as an Any type in the ServiceData message of an AuditLog message.

Fields
permission_delta

PermissionDelta

The permission_delta when creating or updating a Role.

PermissionDelta

A PermissionDelta message to record the added_permissions and removed_permissions inside a role.

Fields
added_permissions[]

string

Added permissions.

removed_permissions[]

string

Removed permissions.

CreateRoleRequest

The request to create a new role.

Fields
parent

string

The parent parameter's value depends on the target resource for the request, namely projects or organizations. Each resource type's parent value format is described below:

  • projects.roles.create(): projects/{PROJECT_ID}. This method creates project-level custom roles. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles

  • organizations.roles.create(): organizations/{ORGANIZATION_ID}. This method creates organization-level custom roles. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource parent:

  • iam.roles.create

role_id

string

The role ID to use for this role.

A role ID may contain alphanumeric characters, underscores (_), and periods (.). It must contain a minimum of 3 characters and a maximum of 64 characters.

role

Role

The Role resource to create.

CreateServiceAccountKeyRequest

The service account key create request.

Fields
name

string

Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.create

private_key_type

ServiceAccountPrivateKeyType

The output format of the private key. The default value is TYPE_GOOGLE_CREDENTIALS_FILE, which is the Google Credentials File format.

key_algorithm

ServiceAccountKeyAlgorithm

Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However, this may change in the future.

CreateServiceAccountRequest

The service account create request.

Fields
name

string

Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.create

account_id

string

Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression [a-z]([-a-z0-9]*[a-z0-9]) to comply with RFC1035.

service_account

ServiceAccount

The ServiceAccount resource to create. Currently, only the following values are user assignable: display_name and description.

DeleteRoleRequest

The request to delete an existing role.

Fields
name

string

The name parameter's value depends on the target resource for the request, namely projects or organizations. Each resource type's name value format is described below:

  • projects.roles.delete(): projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}. This method deletes only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

  • organizations.roles.delete(): organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}. This method deletes only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource name:

  • iam.roles.delete

etag

bytes

Used to perform a consistent read-modify-write.

DeleteServiceAccountKeyRequest

The service account key delete request.

Fields
name

string

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.delete

DeleteServiceAccountRequest

The service account delete request.

Fields
name

string

Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.delete

DisableServiceAccountKeyRequest

The service account key disable request.

Fields
name

string

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.disable

DisableServiceAccountRequest

The service account disable request.

Fields
name

string

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.disable

EnableServiceAccountKeyRequest

The service account key enable request.

Fields
name

string

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.enable

EnableServiceAccountRequest

The service account enable request.

Fields
name

string

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.enable

GetRoleRequest

The request to get the definition of an existing role.

Fields
name

string

The name parameter's value depends on the target resource for the request, namely roles, projects, or organizations. Each resource type's name value format is described below:

  • roles.get(): roles/{ROLE_NAME}. This method returns results from all predefined roles in Cloud IAM. Example request URL: https://iam.googleapis.com/v1/roles/{ROLE_NAME}

  • projects.roles.get(): projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}. This method returns only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

  • organizations.roles.get(): organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}. This method returns only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource name:

  • iam.roles.get

GetServiceAccountKeyRequest

The request to get a service account key by ID.

Fields
name

string

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.get

public_key_type

ServiceAccountPublicKeyType

Optional. The output format of the public key. The default is TYPE_NONE, which means that the public key is not returned.

GetServiceAccountRequest

The service account get request.

Fields
name

string

Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.get

LintPolicyRequest

The request to lint a Cloud IAM policy object.

Fields
full_resource_name

string

The full resource name of the policy this lint request is about.

The name follows the Google Cloud Platform (GCP) resource format. For example, a GCP project with ID my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

The resource name is not used to read the policy instance from the Cloud IAM database. The candidate policy for lint has to be provided in the same request object.

condition

Expr

google.iam.v1.Binding.condition object to be linted.

LintPolicyResponse

The response of a lint operation. An empty response indicates the operation was able to fully execute and no lint issue was found.

Fields
lint_results[]

LintResult

List of lint results sorted by severity in descending order.

LintResult

Structured response of a single validation unit.

Fields
level

Level

The validation unit level.

validation_unit_name

string

The validation unit name, for instance "lintValidationUnits/ConditionComplexityCheck".

severity

Severity

The validation unit severity.

field_name

string

The name of the field for which this lint result is about.

For nested messages field_name consists of names of the embedded fields separated by period character. The top-level qualifier is the input object to lint in the request. For example, the field_name value condition.expression identifies a lint result for the expression field of the provided condition.

location_offset

int32

0-based character position of the problematic construct within the object identified by field_name. Currently, this is populated only for the condition expression.

debug_message

string

Human readable debug message associated with the issue.

Level

Possible Level values of a validation unit corresponding to its domain of discourse.

Enums
LEVEL_UNSPECIFIED Level is unspecified.
CONDITION A validation unit which operates on an individual condition within a binding.

Severity

Possible Severity values of an issued result.

Enums
SEVERITY_UNSPECIFIED Severity is unspecified.
ERROR A validation unit returns an error only for critical issues. If an attempt is made to set the problematic policy without rectifying the critical issue, it causes the setPolicy operation to fail.
WARNING Any issue which is severe enough but does not cause an error. For example, suspicious constructs in the input object will not necessarily fail setPolicy, but there is a high likelihood that they won't behave as expected during policy evaluation in checkPolicy. This includes the following common scenarios:

  • Unsatisfiable condition: Expired timestamp in date/time condition.
  • Ineffective condition: Condition on a <principal, role> pair which is granted unconditionally in another binding of the same policy.

NOTICE Reserved for the issues that are not as severe as ERROR/WARNING, but need special handling. For instance, messages about skipped validation units are issued as NOTICE.
INFO Any informative statement which is not severe enough to raise ERROR/WARNING/NOTICE, like auto-correction recommendations on the input content. Note that current version of the linter does not utilize INFO.
DEPRECATED Deprecated severity level.
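Consuming a LintPolicyResponse with the LintResult fields and Severity levels above, as an added example that is not part of the API reference: the results are re-sorted by severity, the worst level is turned into a decision taken before SetIamPolicy (ERROR would make the set fail; WARNING means the condition will likely not behave as intended), and location_offset is used to point at the construct inside condition.expression. The sample response is constructed; apart from ConditionComplexityCheck, which the page names, the validation unit name is a placeholder rather than a real linter unit.

```python
from typing import Dict, List, Tuple

# Higher number = more severe. The API already sorts results this way; sorting
# again is cheap insurance against a caller that merged several responses.
SEVERITY_RANK: Dict[str, int] = {
    "ERROR": 5, "WARNING": 4, "NOTICE": 3, "INFO": 2,
    "DEPRECATED": 1, "SEVERITY_UNSPECIFIED": 0,
}


def render_result(expression: str, result: dict) -> str:
    """Format one LintResult. For condition.expression with a location_offset,
    also print the expression with a caret under the 0-based offset."""
    severity = result.get("severity", "SEVERITY_UNSPECIFIED")
    head = (f"[{severity}] {result.get('validation_unit_name', '?')} "
            f"on {result.get('field_name', '?')}: {result.get('debug_message', '')}")
    if result.get("field_name") != "condition.expression" or "location_offset" not in result:
        return head
    # Clamp so a malformed offset can never index past the expression.
    offset = max(0, min(int(result["location_offset"]), len(expression)))
    return f"{head}\n    {expression}\n    {' ' * offset}^"


def gate(expression: str, lint_results: List[dict]) -> Tuple[str, List[str]]:
    """Decide what to do with a candidate condition before SetIamPolicy:
    'block' on any ERROR, 'review' on WARNING, 'pass' otherwise.
    Returns the decision and the rendered results, most severe first."""
    ordered = sorted(lint_results,
                     key=lambda r: SEVERITY_RANK.get(r.get("severity", ""), 0),
                     reverse=True)
    messages = [render_result(expression, r) for r in ordered]
    worst = ordered[0].get("severity") if ordered else None
    if worst == "ERROR":
        return "block", messages
    if worst == "WARNING":
        return "review", messages
    return "pass", messages


# Constructed sample: an expired timestamp condition, which the page lists as an
# "unsatisfiable condition" WARNING. Offset 15 is the start of `timestamp(`.
# The results are deliberately out of severity order to show the re-sort.
EXPIRED_CONDITION = 'request.time < timestamp("2020-01-01T00:00:00Z")'
SAMPLE_RESPONSE = {
    "lint_results": [
        {"level": "CONDITION",
         "validation_unit_name": "lintValidationUnits/ConditionComplexityCheck",
         "severity": "NOTICE", "field_name": "condition.expression",
         "debug_message": "constructed: validation unit skipped"},
        {"level": "CONDITION",
         "validation_unit_name": "lintValidationUnits/PlaceholderExpiredTimestampCheck",
         "severity": "WARNING", "field_name": "condition.expression",
         "location_offset": 15,
         "debug_message": "constructed: timestamp is in the past; condition can never be satisfied"},
    ]
}


def demo() -> Tuple[str, List[str]]:
    """Run the gate over the constructed sample response."""
    return gate(EXPIRED_CONDITION, SAMPLE_RESPONSE["lint_results"])


if __name__ == "__main__":
    decision, messages = demo()
    print(f"decision: {decision}")
    for m in messages:
        print(m)
```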

ListRolesRequest

The request to get all roles defined under a resource.

Fields
parent

string

The parent parameter's value depends on the target resource for the request, namely roles, projects, or organizations. Each resource type's parent value format is described below:

  • roles.list(): An empty string. This method doesn't require a resource; it simply returns all predefined roles in Cloud IAM. Example request URL: https://iam.googleapis.com/v1/roles

  • projects.roles.list(): projects/{PROJECT_ID}. This method lists all project-level custom roles. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles

  • organizations.roles.list(): organizations/{ORGANIZATION_ID}. This method lists all organization-level custom roles. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource parent:

  • iam.roles.list

page_size

int32

Optional limit on the number of roles to include in the response.

The default is 300, and the maximum is 1,000.

page_token

string

Optional pagination token returned in an earlier ListRolesResponse.

view

RoleView

Optional view for the returned Role objects. When FULL is specified, the includedPermissions field is returned, which includes a list of all permissions in the role. The default value is BASIC, which does not return the includedPermissions field.

show_deleted

bool

Include Roles that have been deleted.

ListRolesResponse

The response containing the roles defined under a resource.

Fields
roles[]

Role

The Roles defined on this resource.

next_page_token

string

To retrieve the next page of results, set ListRolesRequest.page_token to this value.

ListServiceAccountKeysRequest

The service account keys list request.

Fields
name

string

Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.list
key_types[]

KeyType

Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned.

KeyType

KeyType filters to selectively retrieve certain varieties of keys.

Enums
KEY_TYPE_UNSPECIFIED Unspecified key type. The presence of this in the message will immediately result in an error.
USER_MANAGED User-managed keys (managed and rotated by the user).
SYSTEM_MANAGED System-managed keys (managed and rotated by Google).

ListServiceAccountKeysResponse

The service account keys list response.

Fields
keys[]

ServiceAccountKey

The public keys for the service account.

ListServiceAccountsRequest

The service account list request.

Fields
name

string

Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.list
page_size

int32

Optional limit on the number of service accounts to include in the response. Further accounts can be obtained by passing the ListServiceAccountsResponse.next_page_token in a subsequent request.

The default is 20, and the maximum is 100.

page_token

string

Optional pagination token returned in an earlier ListServiceAccountsResponse.next_page_token.

ListServiceAccountsResponse

The service account list response.

Fields
accounts[]

ServiceAccount

The list of matching service accounts.

next_page_token

string

To retrieve the next page of results, set ListServiceAccountsRequest.page_token to this value.

PatchServiceAccountRequest

The service account patch request.

You can patch only the display_name and description fields. You must use the update_mask field to specify which of these fields you want to patch.

Only the fields specified in the request are guaranteed to be returned in the response. Other fields may be empty in the response.

Fields
service_account

ServiceAccount

Authorization requires the following IAM permission on the specified resource serviceAccount:

  • iam.serviceAccounts.update
update_mask

FieldMask

Permission

A permission which can be included by a role.

Fields
name

string

The name of this Permission.

title

string

The title of this Permission.

description

string

A brief description of what this Permission is used for.

only_in_predefined_roles
(deprecated)

bool

This permission can ONLY be used in predefined roles.

stage

PermissionLaunchStage

The current launch stage of the permission.

custom_roles_support_level

CustomRolesSupportLevel

The current custom role support level.

api_disabled

bool

The service API associated with the permission is not enabled.

primary_permission

string

The preferred name for this permission. If present, then this permission is an alias of, and equivalent to, the listed primary_permission.

CustomRolesSupportLevel

The state of the permission with regards to custom roles.

Enums
SUPPORTED Default state. Permission is fully supported for custom role use.
TESTING Permission is being tested to check custom role compatibility.
NOT_SUPPORTED Permission is not supported for custom role use.

PermissionLaunchStage

A stage representing a permission's lifecycle phase.

Enums
ALPHA The permission is currently in an alpha phase.
BETA The permission is currently in a beta phase.
GA The permission is generally available.
DEPRECATED The permission is being deprecated.

QueryAuditableServicesRequest

A request to get the list of auditable services for a resource.

Fields
full_resource_name

string

Required. The full resource name to query from the list of auditable services.

The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

QueryAuditableServicesResponse

A response containing a list of auditable services for a resource.

Fields
services[]

AuditableService

The auditable services for a resource.

AuditableService

Contains information about an auditable service.

Fields
name

string

Public name of the service. For example, the service name for Cloud IAM is 'iam.googleapis.com'.

QueryGrantableRolesRequest

The grantable role query request.

Fields
full_resource_name

string

Required. The full resource name to query from the list of grantable roles.

The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

view

RoleView

page_size

int32

Optional limit on the number of roles to include in the response.

The default is 300, and the maximum is 1,000.

page_token

string

Optional pagination token returned in an earlier QueryGrantableRolesResponse.

QueryGrantableRolesResponse

The grantable role query response.

Fields
roles[]

Role

The list of matching roles.

next_page_token

string

To retrieve the next page of results, set QueryGrantableRolesRequest.page_token to this value.

QueryTestablePermissionsRequest

A request to get permissions which can be tested on a resource.

Fields
full_resource_name

string

Required. The full resource name to query from the list of testable permissions.

The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

page_size

int32

Optional limit on the number of permissions to include in the response.

The default is 100, and the maximum is 1,000.

page_token

string

Optional pagination token returned in an earlier QueryTestablePermissionsResponse.

QueryTestablePermissionsResponse

The response containing permissions which can be tested on a resource.

Fields
permissions[]

Permission

The Permissions testable on the requested resource.

next_page_token

string

To retrieve the next page of results, set QueryTestablePermissionsRequest.page_token to this value.
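ListRoles, ListServiceAccounts, QueryGrantableRoles and QueryTestablePermissions all page the same way: the client sends an empty page_token first, copies next_page_token from each response into the next request, and stops when the returned token is empty. The example below is added here and is not code from this page or from Google's client libraries. It runs a generic pager against FakeRolesService, a constructed in-memory stand-in for the server; the stand-in's behaviour of clamping page_size to the documented maximum (rather than rejecting it), its use of "BASIC"/"FULL" strings for RoleView, and the role data are assumptions made for the example.

```python
"""Generic next_page_token pagination against the IAM Admin list/query
contract.  Added example: FakeRolesService is a constructed stand-in for
the server, not Google's implementation."""
from dataclasses import dataclass, field
from typing import Callable, Iterator

# Limits documented for ListRoles / QueryGrantableRoles.
DEFAULT_PAGE_SIZE = 300
MAX_PAGE_SIZE = 1000


@dataclass
class Role:
    name: str
    included_permissions: list = field(default_factory=list)
    deleted: bool = False


@dataclass
class ListRolesResponse:
    roles: list
    next_page_token: str


class FakeRolesService:
    """In-memory stand-in.  Assumption: a page_size above the documented
    maximum is clamped rather than rejected; zero selects the default."""

    def __init__(self, roles):
        self._roles = list(roles)
        self.calls = 0  # number of RPCs the client issued

    def list_roles(self, parent, page_size=0, page_token="", view="BASIC",
                   show_deleted=False):
        self.calls += 1
        size = min(page_size or DEFAULT_PAGE_SIZE, MAX_PAGE_SIZE)
        start = int(page_token) if page_token else 0  # opaque to the client
        visible = [r for r in self._roles if show_deleted or not r.deleted]
        page = visible[start:start + size]
        if view != "FULL":  # BASIC omits included_permissions
            page = [Role(r.name, [], r.deleted) for r in page]
        end = start + size
        token = str(end) if end < len(visible) else ""
        return ListRolesResponse(page, token)


def paginate(call: Callable[[str], ListRolesResponse]) -> Iterator[Role]:
    """Yield every item by following next_page_token until it is empty.
    `call` takes a page_token and returns the response; the token is
    never inspected, exactly as the API requires."""
    token = ""
    while True:
        resp = call(token)
        yield from resp.roles
        if not resp.next_page_token:
            return
        token = resp.next_page_token


def list_all_roles(service, parent, page_size=0, view="BASIC",
                   show_deleted=False):
    return list(paginate(lambda tok: service.list_roles(
        parent, page_size=page_size, page_token=tok, view=view,
        show_deleted=show_deleted)))


def demo():
    # Constructed data: 2,500 project-level custom roles, 5 of them deleted.
    roles = [Role(f"projects/my-project/roles/r{i}", ["iam.roles.get"],
                  deleted=(i % 500 == 0)) for i in range(2500)]
    svc = FakeRolesService(roles)
    live = list_all_roles(svc, "projects/my-project", page_size=5000)
    return svc.calls, len(live)  # (3, 2495): 5000 was clamped to 1000


if __name__ == "__main__":
    print(demo())
```

Two things the pager deliberately does not do: it never parses page_token (the real token is opaque and its format may change), and it never assumes a page shorter than page_size is the last one; only an empty next_page_token ends the loop.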

Role

A role in the Identity and Access Management API.

Fields
name

string

The name of the role.

When Role is used in CreateRole, the role name must not be set.

When Role is used in output and other input such as UpdateRole, the role name is the complete path, e.g., roles/logging.viewer for predefined roles and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles.

title

string

Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.

description

string

Optional. A human-readable description for the role.

included_permissions[]

string

The names of the permissions this role grants when bound in an IAM policy.

stage

RoleLaunchStage

The current launch stage of the role. If the ALPHA launch stage has been selected for a role, the stage field will not be included in the returned definition for the role.

etag

bytes

Used to perform a consistent read-modify-write.

deleted

bool

The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.

RoleLaunchStage

A stage representing a role's lifecycle phase.

Enums
ALPHA The user has indicated this role is currently in an Alpha phase. If this launch stage is selected, the stage field will not be included when requesting the definition for a given role.
BETA The user has indicated this role is currently in a Beta phase.
GA The user has indicated this role is generally available.
DEPRECATED The user has indicated this role is being deprecated.
DISABLED This role is disabled and will not contribute permissions to any principals it is granted to in policies.
EAP The user has indicated this role is currently in an EAP phase.

RoleView

A view for Role objects.

Enums
BASIC Omits the included_permissions field. This is the default value.
FULL Returns all fields.

ServiceAccount

An IAM service account.

A service account is an account for an application or a virtual machine (VM) instance, not a person. You can use a service account to call Google APIs. To learn more, read the overview of service accounts.

When you create a service account, you specify the project ID that owns the service account, as well as a name that must be unique within the project. IAM uses these values to create an email address that identifies the service account.

Fields
name

string

The resource name of the service account.

Use one of the following formats:

  • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
  • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

  • projects/-/serviceAccounts/{EMAIL_ADDRESS}
  • projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to get the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

project_id

string

Output only. The ID of the project that owns the service account.

unique_id

string

Output only. The unique, stable numeric ID for the service account.

Each service account retains its unique ID even if you delete the service account. For example, if you delete a service account, then create a new service account with the same name, the new service account has a different unique ID than the deleted service account.

email

string

Output only. The email address of the service account.

display_name

string

Optional. A user-specified, human-readable name for the service account. The maximum length is 100 UTF-8 bytes.

etag
(deprecated)

bytes

Deprecated. Do not use.

description

string

Optional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes.

oauth2_client_id

string

Output only. The OAuth 2.0 client ID for the service account.

disabled

bool

Output only. Whether the service account is disabled.
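The name formats above, the - wildcard caveat, and the related rules elsewhere on this page (ServiceAccountKey names end in /keys/{key}; UndeleteServiceAccountRequest accepts only the unique_id, not the email) are easy to get wrong in scripts, and a 403 returned for a wildcard lookup is easy to misread as a permissions problem. The following parser is an added example, not code from this page or from Google's client libraries. The project ID pattern it enforces comes from Google Cloud's general project ID rules (6 to 30 characters, lowercase letters, digits and hyphens, starting with a letter), which this page does not state; treat that check as an assumption.

```python
"""Parse and validate IAM service-account resource names.  Added example,
not code from the page or from Google's client libraries."""
import re
from dataclasses import dataclass
from typing import Optional

# projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}[/keys/{KEY_ID}]
_SA_NAME = re.compile(
    r"^projects/(?P<project>[^/]+)/serviceAccounts/(?P<account>[^/]+)"
    r"(?:/keys/(?P<key>[^/]+))?$")
# Assumption (Google Cloud project ID rules, not stated on this page):
# 6-30 chars, lowercase letters/digits/hyphens, starts with a letter,
# does not end with a hyphen.
_PROJECT_ID = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


@dataclass
class ServiceAccountName:
    project: Optional[str]   # None when the '-' wildcard was used
    account: str
    account_kind: str        # "email" or "unique_id"
    key_id: Optional[str] = None

    @property
    def uses_wildcard(self) -> bool:
        return self.project is None


def parse_service_account_name(name: str, require_unique_id: bool = False
                               ) -> ServiceAccountName:
    """Validate the documented formats and classify the ACCOUNT part.

    require_unique_id=True enforces the UndeleteServiceAccountRequest rule
    that ACCOUNT must be the numeric unique_id, not the email address.
    """
    m = _SA_NAME.match(name)
    if not m:
        raise ValueError(f"not a service account resource name: {name!r}")
    project, account, key = m.group("project"), m.group("account"), m.group("key")
    if project == "-":
        project = None
    elif not _PROJECT_ID.match(project):
        # '-' is the only wildcard the API accepts; '*' and friends are not.
        raise ValueError(f"invalid project ID: {project!r}")
    if account.isdigit():
        kind = "unique_id"
    elif "@" in account:
        kind = "email"
    else:
        raise ValueError(f"ACCOUNT must be an email or unique_id: {account!r}")
    if require_unique_id and kind != "unique_id":
        raise ValueError("this request needs the numeric unique_id, not the email")
    return ServiceAccountName(project, account, kind, key)


def explain_error(parsed: ServiceAccountName, http_status: int) -> str:
    """Read an error status in light of the wildcard caveat: with
    projects/-/... a non-existent account is reported as 403, not 404."""
    if http_status == 403 and parsed.uses_wildcard:
        return ("403 with the '-' wildcard: the account may simply not exist; "
                "retry with the explicit project ID to tell a missing account "
                "from a permissions problem")
    if http_status == 403:
        return "403: caller lacks the required iam.serviceAccounts.* permission"
    if http_status == 404:
        return "404: the service account does not exist in that project"
    return f"HTTP {http_status}"


if __name__ == "__main__":
    p = parse_service_account_name(
        "projects/-/serviceAccounts/app@my-project.iam.gserviceaccount.com")
    print(p, explain_error(p, 403))
```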

ServiceAccountKey

Represents a service account key.

A service account has two sets of key-pairs: user-managed, and system-managed.

User-managed key-pairs can be created and deleted by users. Users are responsible for rotating these keys periodically to ensure security of their service accounts. Users retain the private key of these key-pairs, and Google retains ONLY the public key.

System-managed keys are automatically rotated by Google, and are used for signing for a maximum of two weeks. The rotation process is probabilistic, and usage of the new key will gradually ramp up and down over the key's lifetime.

If you cache the public key set for a service account, we recommend that you update the cache every 15 minutes. User-managed keys can be added and removed at any time, so it is important to update the cache frequently. For Google-managed keys, Google will publish a key at least 6 hours before it is first used for signing and will keep publishing it for at least 6 hours after it was last used for signing.

Public keys for all service accounts are also published at the OAuth2 Service Account API.

Fields
name

string

The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

private_key_type

ServiceAccountPrivateKeyType

The output format for the private key. Only provided in CreateServiceAccountKey responses, not in GetServiceAccountKey or ListServiceAccountKeys responses.

Google never exposes system-managed private keys, and never retains user-managed private keys.

key_algorithm

ServiceAccountKeyAlgorithm

Specifies the algorithm (and possibly key size) for the key.

private_key_data

bytes

The private key data. Only provided in CreateServiceAccountKey responses. Make sure to keep the private key data secure because it allows for the assertion of the service account identity. When base64 decoded, the private key data can be used to authenticate with Google API client libraries and with gcloud auth activate-service-account.

public_key_data

bytes

The public key data. Only provided in GetServiceAccountKey responses.

valid_after_time

Timestamp

The key can be used after this timestamp.

valid_before_time

Timestamp

The key can be used before this timestamp. For system-managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time.

key_origin

ServiceAccountKeyOrigin

The key origin.

key_type

KeyType

The key type.

disabled

bool

The key status.
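The fields above (key_type, key_origin, key_algorithm, valid_after_time, valid_before_time, disabled) are what a key-hygiene audit of a ListServiceAccountKeys response runs on: user-managed keys are the owner's responsibility to rotate, while system-managed keys are rotated by Google and can be skipped. The audit below is an added example, not code from this page or from Google. Its input is a constructed response in REST JSON form (camelCase field names, RFC 3339 timestamps, base64 bytes fields omitted); the 90-day rotation limit is a policy choice, and the assumption that a never-expiring user-managed key reports a validBeforeTime in the year 9999 is the example's, not the page's.

```python
"""Audit a ListServiceAccountKeys response for key-hygiene problems.
Added example, not code from the page or from Google.  SAMPLE_RESPONSE is
constructed; the year-9999 sentinel for 'never expires' is an assumption."""
import json
from datetime import datetime, timedelta, timezone

SA = "projects/my-project/serviceAccounts/app@my-project.iam.gserviceaccount.com"

# Constructed sample: a fresh key, a stale key, a disabled 1024-bit
# user-provided key, and a Google-managed key that is left alone.
SAMPLE_RESPONSE = json.dumps({"keys": [
    {"name": f"{SA}/keys/1111", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "keyOrigin": "GOOGLE_PROVIDED", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-06-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z", "disabled": False},
    {"name": f"{SA}/keys/2222", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "keyOrigin": "GOOGLE_PROVIDED", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-01-15T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z", "disabled": False},
    {"name": f"{SA}/keys/3333", "keyAlgorithm": "KEY_ALG_RSA_1024",
     "keyOrigin": "USER_PROVIDED", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-05-01T00:00:00Z",
     "validBeforeTime": "2025-05-01T00:00:00Z", "disabled": True},
    {"name": f"{SA}/keys/4444", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "keyOrigin": "GOOGLE_PROVIDED", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-06-20T00:00:00Z",
     "validBeforeTime": "2024-07-04T00:00:00Z", "disabled": False},
]})

# Assumption: a user-managed key with no expiry shows a validBeforeTime
# far in the future; anything past this sentinel is treated as "never".
NEVER_EXPIRES_AFTER = datetime(9999, 1, 1, tzinfo=timezone.utc)


def parse_ts(rfc3339: str) -> datetime:
    # fromisoformat accepts a trailing 'Z' only from Python 3.11 on.
    return datetime.fromisoformat(rfc3339.replace("Z", "+00:00"))


def audit_keys(response_json: str, now: datetime, max_age_days: int = 90):
    """Return (key_id, finding) pairs for USER_MANAGED keys.

    SYSTEM_MANAGED keys are skipped: Google rotates them and never
    exposes their private half, so there is nothing for the owner to do.
    """
    findings = []
    for key in json.loads(response_json).get("keys", []):
        if key.get("keyType") != "USER_MANAGED":
            continue
        kid = key["name"].rsplit("/", 1)[-1]
        if key.get("disabled"):
            findings.append((kid, "disabled but not deleted"))
        age = now - parse_ts(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            findings.append((kid, f"{age.days} days old, past the "
                                  f"{max_age_days}-day rotation limit"))
        if parse_ts(key["validBeforeTime"]) > NEVER_EXPIRES_AFTER:
            findings.append((kid, "never expires; rotation depends on "
                                  "someone deleting it"))
        if key.get("keyAlgorithm") == "KEY_ALG_RSA_1024":
            findings.append((kid, "1024-bit RSA"))
        if key.get("keyOrigin") == "USER_PROVIDED":
            findings.append((kid, "private key generated outside Google; "
                                  "its handling is unknown"))
    return findings


def run_demo():
    return audit_keys(SAMPLE_RESPONSE, parse_ts("2024-07-01T00:00:00Z"))


if __name__ == "__main__":
    for kid, finding in run_demo():
        print(kid, finding)
```

In a real run the response comes from ListServiceAccountKeys with key_types left empty (so both USER_MANAGED and SYSTEM_MANAGED keys are returned and the filter above is applied locally); a USER_PROVIDED key's valid_before_time is the expiry of the uploaded certificate, which is why key 3333 is not flagged as never expiring.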

ServiceAccountKeyAlgorithm

Supported key algorithms.

Enums
KEY_ALG_UNSPECIFIED An unspecified key algorithm.
KEY_ALG_RSA_1024 1024-bit RSA key.
KEY_ALG_RSA_2048 2048-bit RSA key.

ServiceAccountKeyOrigin

Service Account Key Origin.

Enums
ORIGIN_UNSPECIFIED Unspecified key origin.
USER_PROVIDED Key is provided by user.
GOOGLE_PROVIDED Key is provided by Google.

ServiceAccountPrivateKeyType

Supported private key output formats.

Enums
TYPE_UNSPECIFIED Unspecified. Equivalent to TYPE_GOOGLE_CREDENTIALS_FILE.
TYPE_PKCS12_FILE PKCS12 format. The password for the PKCS12 file is notasecret. For more information, see https://tools.ietf.org/html/rfc7292.
TYPE_GOOGLE_CREDENTIALS_FILE Google Credentials File format.

ServiceAccountPublicKeyType

Supported public key output formats.

Enums
TYPE_NONE Do not return the public key.
TYPE_X509_PEM_FILE X509 PEM format.
TYPE_RAW_PUBLIC_KEY Raw public key.

SignBlobRequest

Deprecated. Migrate to Service Account Credentials API.

The service account sign blob request.

Fields
name
(deprecated)

string

Required. Deprecated. Migrate to Service Account Credentials API.

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.signBlob
bytes_to_sign
(deprecated)

bytes

Required. Deprecated. Migrate to Service Account Credentials API.

The bytes to sign.

SignBlobResponse

Deprecated. Migrate to Service Account Credentials API.

The service account sign blob response.

Fields
key_id
(deprecated)

string

Deprecated. Migrate to Service Account Credentials API.

The id of the key used to sign the blob.

signature
(deprecated)

bytes

Deprecated. Migrate to Service Account Credentials API.

The signed blob.

SignJwtRequest

Deprecated. Migrate to Service Account Credentials API.

The service account sign JWT request.

Fields
name
(deprecated)

string

Required. Deprecated. Migrate to Service Account Credentials API.

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.signJwt
payload
(deprecated)

string

Required. Deprecated. Migrate to Service Account Credentials API.

The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. For example: {"sub": "user@example.com", "iat": 313435}

If the JWT Claims Set contains an expiration time (exp) claim, it must be an integer timestamp that is not in the past and no more than 12 hours in the future.

If the JWT Claims Set does not contain an expiration time (exp) claim, this claim is added automatically, with a timestamp that is 1 hour in the future.

SignJwtResponse

Deprecated. Migrate to Service Account Credentials API.

The service account sign JWT response.

Fields
key_id
(deprecated)

string

Deprecated. Migrate to Service Account Credentials API.

The id of the key used to sign the JWT.

signed_jwt
(deprecated)

string

Deprecated. Migrate to Service Account Credentials API.

The signed JWT.
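The exp rules in SignJwtRequest.payload above (an integer timestamp, not in the past, at most 12 hours ahead; one hour added when absent) are cheap to enforce client-side so that a bad claims set fails before a signing call is spent, and the SignJwtResponse is worth inspecting to confirm that the kid in the returned token's header matches key_id. The code below is an added example, not the service's own validation and not code from this page; it assumes the JWS header names the signing key in the standard kid field, and takes now as a Unix timestamp in seconds. It parses the returned token without verifying it; signature verification needs the public key from GetServiceAccountKey or the published key set.

```python
"""Client-side mirror of the SignJwt payload rules plus an unverified
inspection of the returned JWT.  Added example, not the service's code.
Assumption: the JWS header carries the key ID in `kid`."""
import base64
import json
import time
from typing import Optional, Tuple

MAX_EXP_AHEAD = 12 * 3600   # exp may be at most 12 hours in the future
DEFAULT_LIFETIME = 3600     # added when exp is absent


def prepare_sign_jwt_payload(claims: dict, now: Optional[int] = None) -> str:
    """Return the serialized JSON for SignJwtRequest.payload, or raise
    ValueError for a claims set the service documents as rejected."""
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict):
        raise ValueError("JWT Claims Set must be a JSON object")
    out = dict(claims)
    if "exp" in out:
        exp = out["exp"]
        # bool is a subclass of int in Python; reject it explicitly.
        if isinstance(exp, bool) or not isinstance(exp, int):
            raise ValueError("exp must be an integer timestamp")
        if exp < now:
            raise ValueError("exp is in the past")
        if exp > now + MAX_EXP_AHEAD:
            raise ValueError("exp is more than 12 hours in the future")
    else:
        out["exp"] = now + DEFAULT_LIFETIME  # what the service would add
    return json.dumps(out, separators=(",", ":"), sort_keys=True)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_signed_jwt(signed_jwt: str, expected_key_id: str) -> Tuple[dict, dict]:
    """Split SignJwtResponse.signed_jwt into (header, claims) WITHOUT
    verifying the signature, and check that the header's kid names the
    key reported in SignJwtResponse.key_id."""
    parts = signed_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWS has exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if header.get("kid") != expected_key_id:
        raise ValueError(f"kid {header.get('kid')!r} != key_id {expected_key_id!r}")
    return header, claims


if __name__ == "__main__":
    print(prepare_sign_jwt_payload({"sub": "user@example.com", "iat": 313435}))
```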

UndeleteRoleRequest

The request to undelete an existing role.

Fields
name

string

The name parameter's value depends on the target resource for the request, namely projects or organizations. Each resource type's name value format is described below:

  • projects.roles.undelete(): projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}. This method undeletes only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

  • organizations.roles.undelete(): organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}. This method undeletes only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource name:

  • iam.roles.undelete
etag

bytes

Used to perform a consistent read-modify-write.

UndeleteServiceAccountRequest

The service account undelete request.

Fields
name

string

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT_UNIQUE_ID}. Using - as a wildcard for the PROJECT_ID will infer the project from the account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.undelete

UndeleteServiceAccountResponse

Fields
restored_account

ServiceAccount

Metadata for the restored service account.

UpdateRoleRequest

The request to update a role.

Fields
name

string

The name parameter's value depends on the target resource for the request, namely projects or organizations. Each resource type's name value format is described below:

  • projects.roles.patch(): projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}. This method updates only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

  • organizations.roles.patch(): organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}. This method updates only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource name:

  • iam.roles.update
role

Role

The updated role.

update_mask

FieldMask

A mask describing which fields in the Role have changed.

UploadServiceAccountKeyRequest

The service account key upload request.

Fields
name

string

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.create
public_key_data

bytes

The public key to associate with the service account. Must be an RSA public key that is wrapped in an X.509 v3 certificate. Include the first line, -----BEGIN CERTIFICATE-----, and the last line, -----END CERTIFICATE-----.
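The public_key_data requirement above is specific: not a bare public key, but an X.509 v3 certificate, with the BEGIN and END CERTIFICATE lines included. The example below is added here and is not code from this page or from Google. It checks the PEM framing, decodes the body, reads just enough DER to confirm the certificate's version field says v3 (version is [0] EXPLICIT INTEGER in the TBSCertificate and defaults to v1 when absent), and builds the REST request body; proto3 maps a bytes field to base64 in JSON, so the PEM text is base64-encoded once more at that point. V3_STUB and V1_STUB are constructed stand-ins that contain only a version and serial number, enough to exercise the version check but not real certificates; a real one is produced by, for example, openssl req -x509 -newkey rsa:2048.

```python
"""Check that a PEM blob meets the UploadServiceAccountKeyRequest
public_key_data rule (X.509 v3 certificate with BEGIN/END CERTIFICATE
lines) and build the REST body.  Added example; the DER samples at the
bottom are constructed stand-ins, not real certificates."""
import base64
import binascii
import json

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def x509_version(der: bytes) -> int:
    """Return the X.509 version (1, 2 or 3) from the TBSCertificate.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] EXPLICIT
    INTEGER version DEFAULT v1, serialNumber INTEGER, ... }, ... }"""
    tag, cert, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer element is not a single SEQUENCE")
    tag, tbs, _ = _tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, first, _ = _tlv(tbs, 0)
    if tag != 0xA0:          # [0] absent: version defaulted, i.e. v1
        return 1
    tag, ver, _ = _tlv(first, 0)
    if tag != 0x02 or len(ver) != 1:
        raise ValueError("malformed version field")
    return ver[0] + 1        # encoded zero-based: 2 means v3


def check_public_key_pem(pem: str) -> bytes:
    """Validate framing and version; return the DER on success."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("PEM must begin with the BEGIN CERTIFICATE line "
                         "and end with the END CERTIFICATE line")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as e:
        raise ValueError(f"PEM body is not valid base64: {e}")
    if x509_version(der) != 3:
        raise ValueError("certificate must be X.509 v3")
    return der


def upload_request_body(pem: str) -> str:
    """JSON body for POST .../serviceAccounts/{ACCOUNT}/keys:upload.
    The proto field is bytes, which the JSON mapping base64-encodes."""
    check_public_key_pem(pem)
    return json.dumps({"publicKeyData": base64.b64encode(pem.encode()).decode()})


def pem_from_der(der: bytes) -> str:
    body = base64.b64encode(der).decode()
    return "\n".join([BEGIN] + [body[i:i + 64] for i in range(0, len(body), 64)] + [END])


# Constructed stand-ins (version + serial only): a v3 and a v1 prefix.
V3_STUB = bytes.fromhex("300a3008a003020102020101")
V1_STUB = bytes.fromhex("30053003020101")

if __name__ == "__main__":
    print(upload_request_body(pem_from_der(V3_STUB)))
```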