Index
IAM (interface)
WorkforcePools (interface)
AuditData (message)
AuditData.PermissionDelta (message)
CreateRoleRequest (message)
CreateServiceAccountKeyRequest (message)
CreateServiceAccountRequest (message)
CreateWorkforcePoolProviderKeyRequest (message)
CreateWorkforcePoolProviderRequest (message)
CreateWorkforcePoolRequest (message)
DeleteRoleRequest (message)
DeleteServiceAccountKeyRequest (message)
DeleteServiceAccountRequest (message)
DeleteWorkforcePoolProviderKeyRequest (message)
DeleteWorkforcePoolProviderRequest (message)
DeleteWorkforcePoolRequest (message)
DeleteWorkforcePoolSubjectRequest (message)
DisableServiceAccountKeyRequest (message)
DisableServiceAccountRequest (message)
EnableServiceAccountKeyRequest (message)
EnableServiceAccountRequest (message)
GetRoleRequest (message)
GetServiceAccountKeyRequest (message)
GetServiceAccountRequest (message)
GetWorkforcePoolProviderKeyRequest (message)
GetWorkforcePoolProviderRequest (message)
GetWorkforcePoolRequest (message)
KeyData (message)
KeyData.KeyFormat (enum)
KeyData.KeySpec (enum)
LintPolicyRequest (message)
LintPolicyResponse (message)
LintResult (message)
LintResult.Level (enum)
LintResult.Severity (enum)
ListRolesRequest (message)
ListRolesResponse (message)
ListServiceAccountKeysRequest (message)
ListServiceAccountKeysRequest.KeyType (enum)
ListServiceAccountKeysResponse (message)
ListServiceAccountsRequest (message)
ListServiceAccountsResponse (message)
ListWorkforcePoolProviderKeysRequest (message)
ListWorkforcePoolProviderKeysResponse (message)
ListWorkforcePoolProvidersRequest (message)
ListWorkforcePoolProvidersResponse (message)
ListWorkforcePoolsRequest (message)
ListWorkforcePoolsResponse (message)
PatchServiceAccountRequest (message)
Permission (message)
Permission.CustomRolesSupportLevel (enum)
Permission.PermissionLaunchStage (enum)
QueryAuditableServicesRequest (message)
QueryAuditableServicesResponse (message)
QueryAuditableServicesResponse.AuditableService (message)
QueryGrantableRolesRequest (message)
QueryGrantableRolesResponse (message)
QueryTestablePermissionsRequest (message)
QueryTestablePermissionsResponse (message)
Role (message)
Role.RoleLaunchStage (enum)
RoleView (enum)
ServiceAccount (message)
ServiceAccountKey (message)
ServiceAccountKeyAlgorithm (enum)
ServiceAccountKeyOrigin (enum)
ServiceAccountPrivateKeyType (enum)
ServiceAccountPublicKeyType (enum)
SignBlobRequest (message)
SignBlobResponse (message)
SignJwtRequest (message)
SignJwtResponse (message)
UndeleteRoleRequest (message)
UndeleteServiceAccountRequest (message)
UndeleteServiceAccountResponse (message)
UndeleteWorkforcePoolProviderKeyRequest (message)
UndeleteWorkforcePoolProviderRequest (message)
UndeleteWorkforcePoolRequest (message)
UndeleteWorkforcePoolSubjectRequest (message)
UpdateRoleRequest (message)
UpdateWorkforcePoolProviderRequest (message)
UpdateWorkforcePoolRequest (message)
UploadServiceAccountKeyRequest (message)
WorkforcePool (message)
WorkforcePool.State (enum)
WorkforcePoolProvider (message)
WorkforcePoolProvider.Oidc (message)
WorkforcePoolProvider.Oidc.ClientSecret (message)
WorkforcePoolProvider.Oidc.ClientSecret.Value (message)
WorkforcePoolProvider.Oidc.WebSsoConfig (message)
WorkforcePoolProvider.Oidc.WebSsoConfig.AssertionClaimsBehavior (enum)
WorkforcePoolProvider.Oidc.WebSsoConfig.ResponseType (enum)
WorkforcePoolProvider.Saml (message)
WorkforcePoolProvider.State (enum)
WorkforcePoolProviderKey (message)
WorkforcePoolProviderKey.KeyUse (enum)
WorkforcePoolProviderKey.State (enum)
IAM
Creates and manages Identity and Access Management (IAM) resources.
You can use this service to work with all of the following resources:
- Service accounts, which identify an application or a virtual machine (VM) instance rather than a person
- Service account keys, which service accounts use to authenticate with Google APIs
- IAM policies for service accounts, which specify the roles that a principal has for the service account
- IAM custom roles, which help you limit the number of permissions that you grant to principals
In addition, you can use this service to complete the following tasks, among others:
- Test whether a service account can use specific permissions
- Check which roles you can grant for a specific resource
- Lint, or validate, condition expressions in an IAM policy
When you read data from the IAM API, each read is eventually consistent. In other words, if you write data with the IAM API, then immediately read that data, the read operation might return an older version of the data. To deal with this behavior, your application can retry the request with truncated exponential backoff.
In contrast, writing data to the IAM API is sequentially consistent. In other words, write operations are always processed in the order in which they were received.
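The read-after-write behaviour above has a practical consequence for automation: after a write, a verifying read may still return the previous version, so a caller must re-read with truncated exponential backoff and decide freshness on something the write is known to have changed (the etag is the natural choice, since the next read-modify-write needs the current one anyway). The following Python is an added example, not code from the page or from Google's client libraries. It models the API with a constructed in-memory store whose writes are sequentially consistent but whose reads lag; the `sleep` and `rand` hooks exist so the backoff schedule can be tested without waiting.

```python
import random
import time
from typing import Callable, Optional, Tuple, TypeVar

T = TypeVar("T")


def read_until_consistent(
    read: Callable[[], T],
    is_fresh: Callable[[T], bool],
    *,
    max_attempts: int = 6,
    base_delay: float = 0.5,
    max_delay: float = 8.0,
    sleep: Callable[[float], None] = time.sleep,
    rand: Callable[[], float] = random.random,
) -> T:
    """Re-read an eventually consistent IAM resource until is_fresh() accepts it.

    Truncated exponential backoff: the n-th wait is min(max_delay, base_delay * 2**n)
    plus jitter in [0, base_delay), so clients retrying at once do not stay in lockstep.
    Raises TimeoutError if the write is still not visible after max_attempts reads.
    """
    last: Optional[T] = None
    for attempt in range(max_attempts):
        last = read()
        if is_fresh(last):
            return last
        if attempt < max_attempts - 1:  # no point sleeping after the final read
            sleep(min(max_delay, base_delay * (2 ** attempt)) + rand() * base_delay)
    raise TimeoutError(f"write not visible after {max_attempts} reads; last read: {last!r}")


class FakeIamStore:
    """Constructed stand-in for the IAM API (not a real client): a write becomes
    visible only after `lag_reads` further reads, mimicking read-after-write staleness."""

    def __init__(self, lag_reads: int) -> None:
        self.lag_reads = lag_reads
        self.committed = {"etag": "etag-old", "displayName": "old"}
        self.pending: Optional[dict] = None
        self.reads_since_write = 0

    def patch(self, display_name: str) -> str:
        """Sequentially consistent write; returns the etag the new version will carry."""
        self.pending = {"etag": "etag-new", "displayName": display_name}
        self.reads_since_write = 0
        return self.pending["etag"]

    def get(self) -> dict:
        """Eventually consistent read: serves the old version for the first lag_reads calls."""
        if self.pending is not None:
            self.reads_since_write += 1
            if self.reads_since_write > self.lag_reads:
                self.committed, self.pending = self.pending, None
        return dict(self.committed)


def patch_then_verify(
    store: FakeIamStore,
    display_name: str,
    sleep: Callable[[float], None] = lambda _s: None,
) -> Tuple[dict, int]:
    """Write, then read back until the etag proves the write is visible.

    Comparing the etag rather than the display name is what makes the result safe
    to feed into a later conditional update: a stale etag would make that update fail.
    Returns (resource, number_of_reads).
    """
    new_etag = store.patch(display_name)
    reads = 0

    def read() -> dict:
        nonlocal reads
        reads += 1
        return store.get()

    resource = read_until_consistent(
        read, lambda r: r["etag"] == new_etag, sleep=sleep, rand=lambda: 0.0
    )
    return resource, reads


if __name__ == "__main__":
    store = FakeIamStore(lag_reads=2)
    resource, n = patch_then_verify(store, "billing-exporter")
    print(f"consistent after {n} reads: {resource}")
```

Against a real IAM call the `read` closure would wrap GetServiceAccount (or GetRole) and `is_fresh` would compare the etag returned by the preceding PatchServiceAccount or UpdateRole; the bounded attempt count matters because an unbounded loop turns a propagation delay into a hung deployment.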
| Method | Description |
|---|---|
| CreateRole | Creates a new custom Role. |
| CreateServiceAccount | Creates a ServiceAccount. |
| CreateServiceAccountKey | Creates a ServiceAccountKey. |
| DeleteRole | Deletes a custom Role. When you delete a custom role, the following changes occur immediately: [...] You have 7 days to undelete the custom role. After 7 days, the following changes occur: [...] |
| DeleteServiceAccount | Deletes a ServiceAccount. Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead. If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account. |
| DeleteServiceAccountKey | Deletes a ServiceAccountKey. |
| DisableServiceAccount | Disables a ServiceAccount. If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail. To re-enable the service account, use EnableServiceAccount. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount. |
| DisableServiceAccountKey | Disables a ServiceAccountKey. |
| EnableServiceAccount | Enables a ServiceAccount. If the service account is already enabled, then this method has no effect. If the service account was disabled by other means, for example because Google disabled it after it was compromised, you cannot use this method to enable the service account. |
| EnableServiceAccountKey | Enables a ServiceAccountKey. |
| GetIamPolicy | Gets the IAM policy that is attached to a ServiceAccount. This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the GetIamPolicy method of that resource. |
| GetRole | Gets the definition of a Role. |
| GetServiceAccount | Gets a ServiceAccount. |
| GetServiceAccountKey | Gets a ServiceAccountKey. |
| LintPolicy | Lints, or validates, an IAM policy. Currently checks the condition expression supplied in the request. Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy. |
| ListRoles | Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project. |
| ListServiceAccountKeys | Lists every ServiceAccountKey for a service account. |
| ListServiceAccounts | Lists every ServiceAccount that belongs to a specific project. |
| PatchServiceAccount | Patches a ServiceAccount. |
| QueryAuditableServices | Returns a list of services that allow you to opt into audit logs that are not generated by default. To learn more about audit logs, see the Logging documentation. |
| QueryGrantableRoles | Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role. |
| QueryTestablePermissions | Lists every permission that you can test on a resource. A permission is testable if you can check whether a principal has that permission on the resource. |
| SetIamPolicy | Sets the IAM policy that is attached to a ServiceAccount. Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account. This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps: 1. Call the resource's GetIamPolicy method to get its current IAM policy. 2. Edit the policy so that it binds the service account to an IAM role for the resource. 3. Call the resource's SetIamPolicy method to update its IAM policy. For detailed instructions, see Manage access to projects, folders, and organizations or Manage access to other resources. |
| SignBlob | Note: This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. Signs a blob using the system-managed private key for a ServiceAccount. |
| SignJwt | Note: This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount. |
| TestIamPermissions | Tests whether the caller has the specified permissions on a ServiceAccount. |
| UndeleteRole | Undeletes a custom Role. |
| UndeleteServiceAccount | Restores a deleted ServiceAccount. Important: It is not always possible to restore a deleted service account. Use this method only as a last resort. After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed. |
| UpdateRole | Updates the definition of a custom Role. |
| UpdateServiceAccount | Note: We are in the process of deprecating this method. Use PatchServiceAccount instead. Updates a ServiceAccount. You can update only the display_name field. |
| UploadServiceAccountKey | Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount. After you upload the public key, you can use the private key from the key pair as a service account key. |

WorkforcePools
Manages WorkforcePools.
| Method | Description |
|---|---|
| CreateWorkforcePool | Creates a new WorkforcePool. You cannot reuse the name of a deleted pool until 30 days after deletion. |
| CreateWorkforcePoolProvider | Creates a new WorkforcePoolProvider in a WorkforcePool. You cannot reuse the name of a deleted provider until 30 days after deletion. |
| CreateWorkforcePoolProviderKey | Creates a new WorkforcePoolProviderKey in a WorkforcePoolProvider. |
| DeleteWorkforcePool | Deletes a WorkforcePool. You cannot use a deleted WorkforcePool to exchange external credentials for Google Cloud credentials. However, deletion does not revoke credentials that have already been issued: while the pool is deleted, those credentials do not grant access to resources, but if the pool is undeleted and the credentials have not expired, they grant access again. You can undelete a pool for 30 days. After 30 days, deletion is permanent. You cannot update deleted pools. However, you can view and list them. |
| DeleteWorkforcePoolProvider | Deletes a WorkforcePoolProvider. Deleting a provider does not revoke credentials that have already been issued; they continue to grant access. You can undelete a provider for 30 days. After 30 days, deletion is permanent. You cannot update deleted providers. However, you can view and list them. |
| DeleteWorkforcePoolProviderKey | Deletes a WorkforcePoolProviderKey. |
| DeleteWorkforcePoolSubject | Deletes a WorkforcePoolSubject. The subject must not already be in a deleted state. A WorkforcePoolSubject is automatically created the first time an external credential is exchanged for a Google Cloud credential with a mapped google.subject value. Once deleted, the WorkforcePoolSubject may not be used for 30 days. After 30 days, the WorkforcePoolSubject is deleted forever and its google.subject value can be reused in token exchanges with Google Cloud STS. This automatically creates a new WorkforcePoolSubject that is independent of the previously deleted WorkforcePoolSubject with the same google.subject value. |
| GetIamPolicy | Gets IAM policies on a WorkforcePool. |
| GetWorkforcePool | Gets an individual WorkforcePool. |
| GetWorkforcePoolProvider | Gets an individual WorkforcePoolProvider. |
| GetWorkforcePoolProviderKey | Gets a WorkforcePoolProviderKey. |
| ListWorkforcePoolProviderKeys | Lists all non-deleted WorkforcePoolProviderKeys in a WorkforcePoolProvider. If show_deleted is set to true, then deleted keys are also listed. |
| ListWorkforcePoolProviders | Lists all non-deleted WorkforcePoolProviders in a WorkforcePool. If show_deleted is set to true, then deleted providers are also listed. |
| ListWorkforcePools | Lists all non-deleted WorkforcePools under the specified parent. If show_deleted is set to true, then deleted pools are also listed. |
| SetIamPolicy | Sets IAM policies on a WorkforcePool. |
| TestIamPermissions | Returns the caller's permissions on the WorkforcePool. |
| UndeleteWorkforcePool | Undeletes a WorkforcePool, as long as it was deleted fewer than 30 days ago. |
| UndeleteWorkforcePoolProvider | Undeletes a WorkforcePoolProvider, as long as it was deleted fewer than 30 days ago. |
| UndeleteWorkforcePoolProviderKey | Undeletes a WorkforcePoolProviderKey. |
| UndeleteWorkforcePoolSubject | Undeletes a WorkforcePoolSubject, as long as it was deleted fewer than 30 days ago. |
| UpdateWorkforcePool | Updates an existing WorkforcePool. |
| UpdateWorkforcePoolProvider | Updates an existing WorkforcePoolProvider. |

AuditData
Audit log information specific to Cloud IAM admin APIs. This message is serialized as an Any type in the ServiceData message of an AuditLog message.

| Field | Description |
|---|---|
| permission_delta | The permission_delta when creating or updating a Role. |

PermissionDelta
A PermissionDelta message to record the added_permissions and removed_permissions inside a role.

| Field | Description |
|---|---|
| added_permissions[] | Added permissions. |
| removed_permissions[] | Removed permissions. |

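Because PermissionDelta records exactly which permissions a CreateRole or UpdateRole call added, it is the right field to alert on when a custom role quietly gains the ability to mint keys, impersonate service accounts, or rewrite policy. The Python below is an added detection example, not code from the page or from Google. It assumes the JSON shape Cloud Logging gives an AuditLog entry (protoPayload.serviceData carrying the AuditData Any with camelCase addedPermissions/removedPermissions); the sample log lines are constructed, and the list of "sensitive" permissions is an editorial choice for the example rather than an IAM-defined category.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Permissions whose addition to a custom role deserves review: each lets the holder
# mint or assume another identity, or rewrite access policy. Editorial choice for
# this example, not a category defined by IAM.
SENSITIVE_PERMISSIONS = frozenset({
    "iam.serviceAccountKeys.create",
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.signBlob",
    "iam.serviceAccounts.signJwt",
    "iam.serviceAccounts.implicitDelegation",
    "iam.roles.update",
    "resourcemanager.projects.setIamPolicy",
})
SENSITIVE_SUFFIXES = (".setIamPolicy",)  # any resource's policy-write permission


@dataclass(frozen=True)
class RoleChangeAlert:
    method: str
    role: str
    principal: str
    added_sensitive: List[str]
    removed: List[str]


def _sensitive(perms: Iterable[str]) -> List[str]:
    return sorted(p for p in perms
                  if p in SENSITIVE_PERMISSIONS or p.endswith(SENSITIVE_SUFFIXES))


def triage_role_audit_entry(entry: dict) -> Optional[RoleChangeAlert]:
    """Return an alert when a CreateRole/UpdateRole entry adds a sensitive permission.

    The serviceData layout (AuditData serialized as an Any) is assumed from how
    Cloud Logging renders protos as JSON; adjust the keys if your export differs.
    """
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    if not method.endswith(("CreateRole", "UpdateRole")):
        return None
    delta = payload.get("serviceData", {}).get("permissionDelta", {})
    hits = _sensitive(delta.get("addedPermissions", []))
    if not hits:
        return None
    return RoleChangeAlert(
        method=method,
        role=payload.get("resourceName", ""),
        principal=payload.get("authenticationInfo", {}).get("principalEmail", ""),
        added_sensitive=hits,
        removed=list(delta.get("removedPermissions", [])),
    )


def scan_log_lines(lines: Iterable[str]) -> List[RoleChangeAlert]:
    """Run the triage over newline-delimited JSON audit entries."""
    alerts = []
    for line in lines:
        line = line.strip()
        if line:
            alert = triage_role_audit_entry(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample entries, not real log data. Entry 1 adds a key-creation
# permission, entry 2 adds only a read permission, entry 3 adds a policy write.
SAMPLE_LOG_LINES = [
    json.dumps({"protoPayload": {
        "methodName": "google.iam.admin.v1.UpdateRole",
        "resourceName": "projects/example-proj/roles/ci_deployer",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "serviceData": {
            "@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
            "permissionDelta": {
                "addedPermissions": ["iam.serviceAccountKeys.create", "storage.objects.get"],
                "removedPermissions": ["logging.logEntries.list"]}}}}),
    json.dumps({"protoPayload": {
        "methodName": "google.iam.admin.v1.CreateRole",
        "resourceName": "organizations/123/roles/auditor",
        "authenticationInfo": {"principalEmail": "bob@example.com"},
        "serviceData": {"permissionDelta": {"addedPermissions": ["storage.objects.get"]}}}}),
    json.dumps({"protoPayload": {
        "methodName": "google.iam.admin.v1.UpdateRole",
        "resourceName": "projects/example-proj/roles/bucket_admin",
        "authenticationInfo": {"principalEmail": "carol@example.com"},
        "serviceData": {"permissionDelta": {"addedPermissions": ["storage.buckets.setIamPolicy"]}}}}),
]

if __name__ == "__main__":
    for alert in scan_log_lines(SAMPLE_LOG_LINES):
        print(alert)
```

The removed permissions are carried in the alert on purpose: a change that drops a benign permission while adding a dangerous one is the pattern to look for when a role is being repurposed rather than created fresh.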
CreateRoleRequest
The request to create a new role.

| Field | Description |
|---|---|
| parent | The parent resource name. Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. Authorization requires the following IAM permission on the specified resource: [...] |
| role_id | The role ID to use for this role. A role ID may contain alphanumeric characters, underscores ( [...] |
| role | The Role resource to create. |

CreateServiceAccountKeyRequest
The service account key create request.

| Field | Description |
|---|---|
| name | Required. The resource name of the service account. Use one of the following formats: [...] As an alternative, you can use the [...] When possible, avoid using the [...] Authorization requires the following IAM permission on the specified resource: [...] |
| private_key_type | The output format of the private key. The default value is [...] |
| key_algorithm | Which type of key and algorithm to use for the key. The default is currently a 2048-bit RSA key. However, this may change in the future. |

CreateServiceAccountRequest
The service account create request.

| Field | Description |
|---|---|
| name | Required. The resource name of the project associated with the service accounts, such as [...] Authorization requires the following IAM permission on the specified resource: [...] |
| account_id | Required. The account ID that is used to generate the service account email address and a stable unique ID. It is unique within a project, must be 6-30 characters long, and match the regular expression [...] |
| service_account | The ServiceAccount resource to create. |

CreateWorkforcePoolProviderKeyRequest
Request message for CreateWorkforcePoolProviderKey.

| Field | Description |
|---|---|
| parent | Required. The provider to create this key in. |
| workforce_pool_provider_key | Required. The WorkforcePoolProviderKey to create. |
| workforce_pool_provider_key_id | Required. The ID to use for the key, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. |

CreateWorkforcePoolProviderRequest
Request message for CreateWorkforcePoolProvider.

| Field | Description |
|---|---|
| parent | Required. The pool to create this provider in. Format: [...] |
| workforce_pool_provider | Required. The provider to create. |
| workforce_pool_provider_id | Required. The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix [...] |

CreateWorkforcePoolRequest
Request message for CreateWorkforcePool.

| Field | Description |
|---|---|
| workforce_pool | Required. The pool to create. |
| location | The location of the pool to create. Format: [...] |
| workforce_pool_id | The ID to use for the pool, which becomes the final component of the resource name. The ID must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix [...] |

DeleteRoleRequest
The request to delete an existing role.

| Field | Description |
|---|---|
| name | The name of the role to delete. Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. Authorization requires the following IAM permission on the specified resource: [...] |
| etag | Used to perform a consistent read-modify-write. |

DeleteServiceAccountKeyRequest
The service account key delete request.

| Field | Description |
|---|---|
| name | Required. The resource name of the service account key. Use one of the following formats: [...] As an alternative, you can use the [...] When possible, avoid using the [...] Authorization requires the following IAM permission on the specified resource: [...] |

DeleteServiceAccountRequest
The service account delete request.

| Field | Description |
|---|---|
| name | Required. The resource name of the service account. Use one of the following formats: [...] As an alternative, you can use the [...] When possible, avoid using the [...] Authorization requires the following IAM permission on the specified resource: [...] |

DeleteWorkforcePoolProviderKeyRequest
Request message for DeleteWorkforcePoolProviderKey.

| Field | Description |
|---|---|
| name | Required. The name of the key to delete. |

DeleteWorkforcePoolProviderRequest
Request message for DeleteWorkforcePoolProvider.

| Field | Description |
|---|---|
| name | Required. The name of the provider to delete. Format: [...] |

DeleteWorkforcePoolRequest
Request message for DeleteWorkforcePool.

| Field | Description |
|---|---|
| name | Required. The name of the pool to delete. Format: [...] |

DeleteWorkforcePoolSubjectRequest
Request message for DeleteWorkforcePoolSubject.

| Field | Description |
|---|---|
| name | Required. The resource name of the WorkforcePoolSubject. Special characters, like '/' and ':', must be escaped, because all URLs need to conform to the "When to Escape and Unescape" section of RFC 3986. Format: [...] |

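The ID rules in the CreateWorkforcePool, CreateWorkforcePoolProvider and CreateWorkforcePoolProviderKey requests above, and the escaping requirement on the subject name just described, are worth enforcing client-side: the subject value comes from the external identity provider, so an unescaped '/' or ':' in it would otherwise change the URL path the request is sent to. The Python below is an added example, not code from the page or from Google's client libraries. The resource-name layouts it builds (locations/{location}/workforcePools/{pool}/providers/{provider} and .../subjects/{subject}) are assumptions made for the example, and the reserved ID prefix the page mentions is not reproduced because its value is not on this page.

```python
import re
from typing import Tuple
from urllib.parse import quote, unquote

# ID rules as stated in the Create* request messages on this page.
POOL_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,61}[a-z0-9]$")   # 6-63 chars, starts with a letter, no trailing hyphen
PROVIDER_ID_RE = re.compile(r"^[a-z0-9-]{4,32}$")            # 4-32 chars from [a-z0-9-]
PROVIDER_KEY_ID_RE = re.compile(r"^[a-z0-9-]{4,32}$")        # same rule for provider keys


def validate_pool_id(pool_id: str) -> bool:
    return POOL_ID_RE.match(pool_id) is not None


def validate_provider_id(provider_id: str) -> bool:
    return PROVIDER_ID_RE.match(provider_id) is not None


def validate_provider_key_id(key_id: str) -> bool:
    return PROVIDER_KEY_ID_RE.match(key_id) is not None


def pool_name(location: str, pool_id: str) -> str:
    """Assumed layout: locations/{location}/workforcePools/{pool_id}."""
    if not validate_pool_id(pool_id):
        raise ValueError(f"invalid workforce pool ID: {pool_id!r}")
    return f"locations/{location}/workforcePools/{pool_id}"


def provider_name(location: str, pool_id: str, provider_id: str) -> str:
    """Assumed layout: {pool_name}/providers/{provider_id}."""
    if not validate_provider_id(provider_id):
        raise ValueError(f"invalid provider ID: {provider_id!r}")
    return f"{pool_name(location, pool_id)}/providers/{provider_id}"


def subject_name(location: str, pool_id: str, subject: str) -> str:
    """Name for DeleteWorkforcePoolSubject / UndeleteWorkforcePoolSubject.

    The subject is the mapped google.subject value chosen by the external IdP. It is
    percent-encoded with safe='' so that '/' and ':' (and anything else outside the
    unreserved set) become %XX and cannot be read as additional path segments.
    """
    if not subject:
        raise ValueError("subject must not be empty")
    return f"{pool_name(location, pool_id)}/subjects/{quote(subject, safe='')}"


def parse_subject_name(name: str) -> Tuple[str, str, str]:
    """Inverse of subject_name(): returns (location, pool_id, subject) with the subject decoded."""
    m = re.fullmatch(r"locations/([^/]+)/workforcePools/([^/]+)/subjects/([^/]+)", name)
    if not m:
        raise ValueError(f"not a workforce pool subject name: {name!r}")
    location, pool_id, encoded = m.groups()
    return location, pool_id, unquote(encoded)


if __name__ == "__main__":
    name = subject_name("global", "corp-sso-pool", "user/alice:prod")
    print(name)
    print(parse_subject_name(name))
```

The parse function exists so that names found in audit logs can be decoded back to the IdP's subject string; the `[^/]+` groups guarantee a correctly escaped name always has exactly five path separators, which is a cheap invariant to assert before sending a delete.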
DisableServiceAccountKeyRequest
The service account key disable request.

| Field | Description |
|---|---|
| name | Required. The resource name of the service account key. Use one of the following formats: [...] As an alternative, you can use the [...] When possible, avoid using the [...] Authorization requires the following IAM permission on the specified resource: [...] |

DisableServiceAccountRequest
The service account disable request.

| Field | Description |
|---|---|
| name | The resource name of the service account. Use one of the following formats: [...] As an alternative, you can use the [...] When possible, avoid using the [...] Authorization requires the following IAM permission on the specified resource: [...] |

EnableServiceAccountKeyRequest
The service account key enable request.

| Field | Description |
|---|---|
| name | Required. The resource name of the service account key. Use one of the following formats: [...] As an alternative, you can use the [...] When possible, avoid using the [...] Authorization requires the following IAM permission on the specified resource: [...] |

EnableServiceAccountRequest
The service account enable request.

| Field | Description |
|---|---|
| name | The resource name of the service account. Use one of the following formats: [...] As an alternative, you can use the [...] When possible, avoid using the [...] Authorization requires the following IAM permission on the specified resource: [...] |

GetRoleRequest
The request to get the definition of an existing role.

| Field | Description |
|---|---|
| name | The name of the role to retrieve. Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. Authorization requires the following IAM permission on the specified resource: [...] |

GetServiceAccountKeyRequest
The service account key get-by-ID request.

| Field | Description |
|---|---|
| name | Required. The resource name of the service account key. Use one of the following formats: [...] As an alternative, you can use the [...] When possible, avoid using the [...] Authorization requires the following IAM permission on the specified resource: [...] |
| public_key_type | Optional. The output format of the public key. The default is [...] |

GetServiceAccountRequest
The service account get request.

| Field | Description |
|---|---|
| name | Required. The resource name of the service account. Use one of the following formats: [...] As an alternative, you can use the [...] When possible, avoid using the [...] Authorization requires the following IAM permission on the specified resource: [...] |

GetWorkforcePoolProviderKeyRequest
Request message for GetWorkforcePoolProviderKey.

| Field | Description |
|---|---|
| name | Required. The name of the key to retrieve. |

GetWorkforcePoolProviderRequest
Request message for GetWorkforcePoolProvider.

| Field | Description |
|---|---|
| name | Required. The name of the provider to retrieve. Format: [...] |

GetWorkforcePoolRequest
Request message for GetWorkforcePool.

| Field | Description |
|---|---|
| name | Required. The name of the pool to retrieve. Format: [...] |

KeyData
Represents public key data along with its format.

| Field | Description |
|---|---|
| format | Output only. The format of the key. |
| not_before_time | Output only. Earliest timestamp when this key is valid. Attempts to use this key before this time will fail. Only present if the key data represents an X.509 certificate. |
| not_after_time | Output only. Latest timestamp when this key is valid. Attempts to use this key after this time will fail. Only present if the key data represents an X.509 certificate. |
| key | Output only. The key data. The format of the key is represented by the format field. |
| key_spec | Required. The specifications for the key. |

KeyFormat
The supported formats for the public key.

| Enum | Description |
|---|---|
| KEY_FORMAT_UNSPECIFIED | No format has been specified. This is an invalid format and must not be used. |
| RSA_X509_PEM | An RSA public key wrapped in an X.509v3 certificate (RFC 5280), encoded in base64, and wrapped in the public certificate label. |

KeySpec
Allowed list of specifications for the key.

| Enum | Description |
|---|---|
| KEY_SPEC_UNSPECIFIED | No key specification specified. |
| RSA_2048 | A 2048-bit RSA key. |
| RSA_3072 | A 3072-bit RSA key. |
| RSA_4096 | A 4096-bit RSA key. |

LintPolicyRequest
The request to lint a Cloud IAM policy object.

| Field | Description |
|---|---|
| full_resource_name | The full resource name of the policy this lint request is about. The name follows the Google Cloud format for full resource names. For example, a Cloud project with ID [...] The resource name is not used to read a policy from IAM. Only the data in the request object is linted. |
| condition | Member of the required union field lint_object, the IAM object to be linted; lint_object can be only one of the listed members, and condition is the only one listed. [...] |

LintPolicyResponse
The response of a lint operation. An empty response indicates the operation was able to fully execute and no lint issue was found.

| Field | Description |
|---|---|
| lint_results[] | List of lint results sorted by severity in descending order. |

LintResult
Structured response of a single validation unit.

| Field | Description |
|---|---|
| level | The validation unit level. |
| validation_unit_name | The validation unit name, for instance "lintValidationUnits/ConditionComplexityCheck". |
| severity | The validation unit severity. |
| field_name | The name of the field this lint result is about. For nested messages [...] |
| location_offset | 0-based character position of the problematic construct within the object identified by field_name. |
| debug_message | Human-readable debug message associated with the issue. |

Level
Possible Level values of a validation unit corresponding to its domain of discourse.

| Enum | Description |
|---|---|
| LEVEL_UNSPECIFIED | Level is unspecified. |
| CONDITION | A validation unit which operates on an individual condition within a binding. |

Severity
Possible Severity values of an issued result.

| Enum | Description |
|---|---|
| SEVERITY_UNSPECIFIED | Severity is unspecified. |
| ERROR | A validation unit returns an error only for critical issues. If an attempt is made to set the problematic policy without rectifying the critical issue, it causes the setPolicy operation to fail. |
| WARNING | Any issue which is severe enough but does not cause an error. For example, suspicious constructs in the input object will not necessarily fail setPolicy, but there is a high likelihood that they do not behave as intended. |
| NOTICE | Reserved for issues that are not as severe as ERROR/WARNING but need special handling. For instance, messages about skipped validation units are issued as NOTICE. |
| INFO | Any informative statement which is not severe enough to raise ERROR/WARNING/NOTICE, like auto-correction recommendations on the input content. Note that the current version of the linter does not utilize INFO. |
| DEPRECATED | Deprecated severity level. |

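Since LintPolicy returns success even when it finds problems, a policy pipeline has to read the lint results itself: only ERROR results would make the later SetIamPolicy fail, while WARNING results are accepted by IAM but, as the enum says, probably do not behave as intended, so they belong in review rather than on the blocking path. The Python below is an added example of building the request and triaging the response, not code from the page or from Google. The camelCase JSON field names are assumed from the REST mapping of the messages above, and the sample response is constructed: ConditionComplexityCheck is the validation unit named on this page, the other unit names are made up for the example.

```python
from typing import Dict, List

# Higher number = more severe; mirrors the Severity enum above.
SEVERITY_RANK: Dict[str, int] = {
    "ERROR": 4, "WARNING": 3, "NOTICE": 2, "INFO": 1,
    "DEPRECATED": 0, "SEVERITY_UNSPECIFIED": 0,
}


def build_lint_request(full_resource_name: str, expression: str,
                       title: str = "", description: str = "") -> dict:
    """LintPolicyRequest body with a condition as the lint_object (camelCase assumed)."""
    condition: Dict[str, str] = {"expression": expression}
    if title:
        condition["title"] = title
    if description:
        condition["description"] = description
    return {"fullResourceName": full_resource_name, "condition": condition}


def triage_lint_response(response: dict) -> dict:
    """Sort results by severity (highest first) and split them into the ones that would
    make SetIamPolicy fail (ERROR) and advisory ones. ok is True only when nothing blocks."""
    results = sorted(
        response.get("lintResults", []),
        key=lambda r: SEVERITY_RANK.get(r.get("severity", ""), 0),
        reverse=True,
    )
    blocking = [r for r in results if r.get("severity") == "ERROR"]
    advisory = [r for r in results if r.get("severity") != "ERROR"]
    return {"ok": not blocking, "blocking": blocking, "advisory": advisory}


def annotate(expression: str, result: dict) -> str:
    """Render one LintResult with a caret under the expression at location_offset
    (0-based, so offset n points at the (n+1)-th character)."""
    header = (f"{result.get('severity', '?')} {result.get('validationUnitName', '')}: "
              f"{result.get('debugMessage', '')}")
    offset = result.get("locationOffset")
    if offset is None:
        return header
    offset = max(0, min(int(offset), len(expression)))
    return f"{header}\n{expression}\n{' ' * offset}^"


# Constructed sample: a condition with a typo in the function name.
SAMPLE_EXPRESSION = 'request.time < timestmp("2024-01-01T00:00:00Z")'
SAMPLE_RESPONSE = {"lintResults": [
    {"level": "CONDITION", "validationUnitName": "lintValidationUnits/ConditionComplexityCheck",
     "severity": "WARNING", "fieldName": "condition.expression", "locationOffset": 0,
     "debugMessage": "condition is more complex than recommended (constructed message)"},
    {"level": "CONDITION", "validationUnitName": "lintValidationUnits/ExampleCompileCheck",
     "severity": "ERROR", "fieldName": "condition.expression", "locationOffset": 15,
     "debugMessage": "undeclared reference to 'timestmp' (constructed message)"},
    {"level": "CONDITION", "validationUnitName": "lintValidationUnits/ExampleSkipped",
     "severity": "NOTICE",
     "debugMessage": "validation unit skipped (constructed message)"},
]}

if __name__ == "__main__":
    print(build_lint_request("//cloudresourcemanager.googleapis.com/projects/example-proj",
                             SAMPLE_EXPRESSION, title="expires-2024"))
    verdict = triage_lint_response(SAMPLE_RESPONSE)
    for r in verdict["blocking"] + verdict["advisory"]:
        print(annotate(SAMPLE_EXPRESSION, r))
    print("ok:", verdict["ok"])
```

In a deployment check the `blocking` list fails the job and the `advisory` list goes to the reviewer; the caret rendering is what makes a WARNING about a long-lived or overly broad condition actionable rather than a bare message.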
ListRolesRequest
The request to get all roles defined under a resource.

| Field | Description |
|---|---|
| parent | The parent resource name. Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. Authorization requires the following IAM permission on the specified resource: [...] |
| page_size | Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000. |
| page_token | Optional pagination token returned in an earlier ListRolesResponse. |
| view | Optional view for the returned Role objects. When FULL is specified, the included_permissions field is returned, which includes a list of all permissions in the role. The default value is BASIC, which does not return the included_permissions field. |
| show_deleted | Include Roles that have been deleted. |

ListRolesResponse
The response containing the roles defined under a resource.

| Field | Description |
|---|---|
| roles[] | The Roles defined on this resource. |
| next_page_token | To retrieve the next page of results, set ListRolesRequest.page_token to this value. |

ListServiceAccountKeysRequest
The service account keys list request.

| Field | Description |
|---|---|
| name | Required. The resource name of the service account. Use one of the following formats: [...] As an alternative, you can use the [...] When possible, avoid using the [...] Authorization requires the following IAM permission on the specified resource: [...] |
| key_types[] | Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned. |

KeyType
KeyType filters to selectively retrieve certain varieties of keys.

| Enum | Description |
|---|---|
| KEY_TYPE_UNSPECIFIED | Unspecified key type. The presence of this in the message will immediately result in an error. |
| USER_MANAGED | User-managed keys (managed and rotated by the user). |
| SYSTEM_MANAGED | System-managed keys (managed and rotated by Google). |

ListServiceAccountKeysResponse
The service account keys list response.

| Field | Description |
|---|---|
| keys[] | The public keys for the service account. |

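The KeyType split is what a key-hygiene job keys on: SYSTEM_MANAGED keys are rotated by Google and can be ignored, while USER_MANAGED keys are long-lived secrets that the caller owns and should age out. The Python below is an added example of planning that rotation in the order the DisableServiceAccount guidance above recommends (disable first, which is reversible, and only delete what has already sat disabled through an observation window); it is not code from the page or from Google. The sample keys are constructed, the JSON field names of ServiceAccountKey (keyType, keyOrigin, validAfterTime, disabled) and the v1 REST paths for disable and delete are assumptions for the example, and the 90-day limit is a policy choice rather than an IAM default.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

MAX_KEY_AGE = timedelta(days=90)               # rotation policy assumed for this example
IAM_V1 = "https://iam.googleapis.com/v1"       # REST endpoint assumed for this example


def parse_time(value: str) -> datetime:
    """RFC 3339 timestamp as found in validAfterTime/validBeforeTime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def plan_key_actions(keys: List[dict], now: datetime) -> List[Tuple[str, str, str]]:
    """Decide what to do with each key in a ListServiceAccountKeys response.

    Returns (key_name, action, reason) with action in {"skip", "keep", "disable", "delete"}:
    - SYSTEM_MANAGED keys are Google-rotated and not the caller's to manage: skip.
    - USER_MANAGED keys that are already disabled have been through the observation
      window and are the only delete candidates.
    - USER_MANAGED keys older than MAX_KEY_AGE are disabled (reversible), never deleted outright.
    """
    plan: List[Tuple[str, str, str]] = []
    for key in keys:
        name = key["name"]
        if key.get("keyType") != "USER_MANAGED":
            plan.append((name, "skip", "system-managed key, rotated by Google"))
            continue
        origin = key.get("keyOrigin", "")
        if key.get("disabled"):
            plan.append((name, "delete", "already disabled; remove after the observation window"))
            continue
        age = now - parse_time(key["validAfterTime"])
        if age > MAX_KEY_AGE:
            plan.append((name, "disable", f"user-managed key is {age.days} days old (origin {origin})"))
        else:
            plan.append((name, "keep", f"user-managed key is {age.days} days old (origin {origin})"))
    return plan


def rest_call(action: str, key_name: str) -> Tuple[str, str]:
    """HTTP method and URL for an action (assumed REST mapping of DisableServiceAccountKey
    and DeleteServiceAccountKey)."""
    if action == "disable":
        return "POST", f"{IAM_V1}/{key_name}:disable"
    if action == "delete":
        return "DELETE", f"{IAM_V1}/{key_name}"
    raise ValueError(f"no API call for action {action!r}")


# Constructed sample response, not real keys.
SA = "projects/example-proj/serviceAccounts/ci@example-proj.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": f"{SA}/keys/k-old", "keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED",
     "validAfterTime": "2024-01-15T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z", "disabled": False},
    {"name": f"{SA}/keys/k-new", "keyType": "USER_MANAGED", "keyOrigin": "USER_PROVIDED",
     "validAfterTime": "2024-05-20T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z", "disabled": False},
    {"name": f"{SA}/keys/k-disabled", "keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED",
     "validAfterTime": "2023-06-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z", "disabled": True},
    {"name": f"{SA}/keys/k-sys", "keyType": "SYSTEM_MANAGED", "keyOrigin": "GOOGLE_PROVIDED",
     "validAfterTime": "2024-05-28T00:00:00Z", "validBeforeTime": "2024-06-11T00:00:00Z", "disabled": False},
]
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, action, reason in plan_key_actions(SAMPLE_KEYS, SAMPLE_NOW):
        print(action.upper().ljust(8), name.rsplit("/", 1)[-1], "-", reason)
        if action in ("disable", "delete"):
            print("         ", *rest_call(action, name))
```

Keys with keyOrigin USER_PROVIDED (uploaded via UploadServiceAccountKey) are reported with their origin because the private half never passed through Google; when such a key is disabled the owner of the external key pair is the one who has to be told.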
ListServiceAccountsRequest
The service account list request.

| Field | Description |
|---|---|
| name | Required. The resource name of the project associated with the service accounts, such as [...] Authorization requires the following IAM permission on the specified resource: [...] |
| page_size | Optional limit on the number of service accounts to include in the response. Further accounts can subsequently be obtained by including the ListServiceAccountsResponse.next_page_token in a subsequent request. The default is 20, and the maximum is 100. |
| page_token | Optional pagination token returned in an earlier ListServiceAccountsResponse.next_page_token. |

ListServiceAccountsResponse
The service account list response.

| Field | Description |
|---|---|
| accounts[] | The list of matching service accounts. |
| next_page_token | To retrieve the next page of results, set ListServiceAccountsRequest.page_token to this value. |

ListWorkforcePoolProviderKeysRequest
Request message for ListWorkforcePoolProviderKeys.

| Field | Description |
|---|---|
| parent | Required. The provider resource to list encryption keys for. Format: [...] |
| page_size | The maximum number of keys to return. If unspecified, all keys are returned. The maximum value is 10; values above 10 are truncated to 10. |
| page_token | A page token, received from a previous ListWorkforcePoolProviderKeys call. |
| show_deleted | Whether to return soft-deleted keys. |

ListWorkforcePoolProviderKeysResponse
Response message for ListWorkforcePoolProviderKeys.

| Field | Description |
|---|---|
| workforce_pool_provider_keys[] | A list of WorkforcePoolProviderKeys. |
| next_page_token | A token, which can be sent as page_token to retrieve the next page. |

ListWorkforcePoolProvidersRequest
Request message for ListWorkforcePoolProviders.

| Field | Description |
|---|---|
| parent | Required. The pool to list providers for. Format: [...] |
| page_size | The maximum number of providers to return. If unspecified, at most 50 providers are returned. The maximum value is 100; values above 100 are truncated to 100. |
| page_token | A page token, received from a previous ListWorkforcePoolProviders call. |
| show_deleted | Whether to return soft-deleted providers. |

ListWorkforcePoolProvidersResponse
Response message for ListWorkforcePoolProviders.

| Field | Description |
|---|---|
| workforce_pool_providers[] | A list of providers. |
| next_page_token | A token, which can be sent as page_token to retrieve the next page. |

ListWorkforcePoolsRequest
Request message for ListWorkforcePools.

| Field | Description |
|---|---|
| parent | Required. The parent resource to list pools for. Format: [...] |
| page_size | The maximum number of pools to return. If unspecified, at most 50 pools are returned. The maximum value is 1000; values above 1000 are truncated to 1000. |
| page_token | A page token, received from a previous ListWorkforcePools call. |
| show_deleted | Whether to return soft-deleted pools. |
| location | The location of the pool. Format: [...] |

ListWorkforcePoolsResponse
Response message for ListWorkforcePools.

| Field | Description |
|---|---|
| workforce_pools[] | A list of pools. |
| next_page_token | A token, which can be sent as page_token to retrieve the next page. |

PatchServiceAccountRequest
The service account patch request.
You can patch only the display_name and description fields. You must use the update_mask field to specify which of these fields you want to patch.
Only the fields specified in the request are guaranteed to be returned in the response. Other fields may be empty in the response.

| Field | Description |
|---|---|
| service_account | The service account to patch. Authorization requires the following IAM permission on the specified resource: [...] |
| update_mask | The fields to patch; only display_name and description may be listed. |

Permission
A permission which can be included by a role.

| Field | Description |
|---|---|
| name | The name of this Permission. |
| title | The title of this Permission. |
| description | A brief description of what this Permission is used for. |
| only_in_predefined_roles | This permission can ONLY be used in predefined roles. |
| stage | The current launch stage of the permission. |
| custom_roles_support_level | The current custom role support level. |
| api_disabled | The service API associated with the permission is not enabled. |
| primary_permission | The preferred name for this permission. If present, then this permission is an alias of, and equivalent to, the listed primary_permission. |

CustomRolesSupportLevel
The state of the permission with regards to custom roles.

| Enum | Description |
|---|---|
| SUPPORTED | Default state. Permission is fully supported for custom role use. |
| TESTING | Permission is being tested to check custom role compatibility. |
| NOT_SUPPORTED | Permission is not supported for custom role use. |

PermissionLaunchStage
A stage representing a permission's lifecycle phase.

| Enum | Description |
|---|---|
| ALPHA | The permission is currently in an alpha phase. |
| BETA | The permission is currently in a beta phase. |
| GA | The permission is generally available. |
| DEPRECATED | The permission is being deprecated. |

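The Permission metadata above is what makes a least-privilege custom role buildable by machine: only_in_predefined_roles and custom_roles_support_level say whether a permission may appear in the role at all, primary_permission resolves aliases to one canonical name, and api_disabled and stage flag permissions that are inert or on their way out. The Python below is an added example that turns a wish-list of permissions plus a QueryTestablePermissions result into a CreateRoleRequest body; it is not code from the page or from Google. The sample permission list is constructed (the alias entry in particular is made up to exercise primary_permission), the camelCase JSON field names are assumed from the REST mapping of the protos, and the role_id check is deliberately loose because the page's rule text is cut off after "alphanumeric characters, underscores".

```python
import re
from typing import Dict, List, Tuple

# The page lists alphanumerics and underscores for role IDs and its rule text is cut
# off there, so this check is intentionally no stricter than what the page states.
ROLE_ID_RE = re.compile(r"^[A-Za-z0-9_]+$")


def build_custom_role_request(parent: str, role_id: str, title: str, wanted: List[str],
                              testable: List[dict]) -> Tuple[dict, List[str]]:
    """Build a CreateRoleRequest body from wanted permissions and the Permission
    metadata returned by QueryTestablePermissions for `parent`.

    Drops permissions a custom role cannot carry (not testable here, only usable in
    predefined roles, NOT_SUPPORTED), rewrites aliases to their primary permission,
    and records every decision in `notes` so a reviewer can see what was changed.
    """
    if not ROLE_ID_RE.match(role_id):
        raise ValueError(f"invalid role_id {role_id!r}")
    by_name: Dict[str, dict] = {p["name"]: p for p in testable}
    included: List[str] = []
    notes: List[str] = []
    for name in wanted:
        perm = by_name.get(name)
        if perm is None:
            notes.append(f"{name}: not testable on {parent}; dropped")
            continue
        primary = perm.get("primaryPermission")
        if primary:
            notes.append(f"{name}: alias of {primary}; using the primary name")
            name, perm = primary, by_name.get(primary, perm)
        if perm.get("onlyInPredefinedRoles"):
            notes.append(f"{name}: only usable in predefined roles; dropped")
            continue
        level = perm.get("customRolesSupportLevel", "SUPPORTED")
        if level == "NOT_SUPPORTED":
            notes.append(f"{name}: not supported in custom roles; dropped")
            continue
        if level == "TESTING":
            notes.append(f"{name}: custom-role support is still in testing; included")
        if perm.get("apiDisabled"):
            notes.append(f"{name}: its service API is not enabled on {parent}; included but inert until it is")
        if perm.get("stage") == "DEPRECATED":
            notes.append(f"{name}: permission is deprecated; included")
        if name not in included:
            included.append(name)
    if not included:
        raise ValueError("no permission survived filtering; refusing to create an empty role")
    body = {"roleId": role_id,
            "role": {"title": title, "stage": "GA", "includedPermissions": sorted(included)}}
    return body, notes


# Constructed QueryTestablePermissions result; the storage.objects.read alias is invented
# for the example to exercise primaryPermission handling.
SAMPLE_TESTABLE = [
    {"name": "storage.objects.get", "stage": "GA", "customRolesSupportLevel": "SUPPORTED"},
    {"name": "storage.objects.list", "stage": "GA", "customRolesSupportLevel": "SUPPORTED"},
    {"name": "storage.objects.read", "stage": "GA", "customRolesSupportLevel": "SUPPORTED",
     "primaryPermission": "storage.objects.get"},
    {"name": "pubsub.topics.publish", "stage": "GA", "customRolesSupportLevel": "TESTING", "apiDisabled": True},
    {"name": "logging.privateLogEntries.list", "stage": "GA", "onlyInPredefinedRoles": True},
    {"name": "resourcemanager.projects.list", "stage": "GA", "customRolesSupportLevel": "NOT_SUPPORTED"},
]
SAMPLE_WANTED = [
    "storage.objects.read", "storage.objects.list", "pubsub.topics.publish",
    "logging.privateLogEntries.list", "resourcemanager.projects.list", "bigquery.jobs.create",
]

if __name__ == "__main__":
    body, notes = build_custom_role_request("projects/example-proj", "gcs_reader", "GCS reader",
                                            SAMPLE_WANTED, SAMPLE_TESTABLE)
    print(body)
    for note in notes:
        print(" -", note)
```

Resolving aliases before deduplication matters for review as much as for correctness: two entries that look different in the wish-list can be the same permission, and the AuditData.PermissionDelta for the resulting role will show the primary name, which is what a reviewer comparing intent to log output will look for.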
QueryAuditableServicesRequest
A request to get the list of auditable services for a resource.

| Field | Description |
|---|---|
| full_resource_name | Required. The full resource name to query from the list of auditable services. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with ID [...] |

QueryAuditableServicesResponse
A response containing a list of auditable services for a resource.

| Field | Description |
|---|---|
| services[] | The auditable services for a resource. |

AuditableService
Contains information about an auditable service.

| Field | Description |
|---|---|
| name | Public name of the service. For example, the service name for Cloud IAM is 'iam.googleapis.com'. |

QueryGrantableRolesRequest
The grantable role query request.

| Field | Description |
|---|---|
| full_resource_name | Required. The full resource name to query from the list of grantable roles. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with ID [...] |
| view | Optional RoleView for the returned Role objects. |
| page_size | Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000. |
| page_token | Optional pagination token returned in an earlier QueryGrantableRolesResponse. |

QueryGrantableRolesResponse
The grantable role query response.

| Field | Description |
|---|---|
| roles[] | The list of matching roles. |
| next_page_token | To retrieve the next page of results, set QueryGrantableRolesRequest.page_token to this value. |

QueryTestablePermissionsRequest
A request to get permissions which can be tested on a resource.

| Field | Description |
|---|---|
| full_resource_name | Required. The full resource name to query from the list of testable permissions. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with ID [...] |
| page_size | Optional limit on the number of permissions to include in the response. The default is 100, and the maximum is 1,000. |
| page_token | Optional pagination token returned in an earlier QueryTestablePermissionsResponse. |

QueryTestablePermissionsResponse
The response containing permissions which can be tested on a resource.

| Field | Description |
|---|---|
| permissions[] | The Permissions testable on the requested resource. |
| next_page_token | To retrieve the next page of results, set QueryTestablePermissionsRequest.page_token to this value. |

Role
A role in the Identity and Access Management API.
Fields | |
---|---|
name | The name of the role. When When |
title | Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes. |
description | Optional. A human-readable description for the role. |
included_permissions[] | The names of the permissions this role grants when bound in an IAM policy. |
stage | The current launch stage of the role. If the |
etag | Used to perform a consistent read-modify-write. |
deleted | The current deleted state of the role. This field is read-only. It will be ignored in calls to CreateRole and UpdateRole. |
RoleLaunchStage
A stage representing a role's lifecycle phase.
Enums | |
---|---|
ALPHA | The user has indicated this role is currently in an Alpha phase. If this launch stage is selected, the stage field will not be included when requesting the definition for a given role. |
BETA | The user has indicated this role is currently in a Beta phase. |
GA | The user has indicated this role is generally available. |
DEPRECATED | The user has indicated this role is being deprecated. |
DISABLED | This role is disabled and will not contribute permissions to any principals it is granted to in policies. |
EAP | The user has indicated this role is currently in an EAP phase. |
RoleView
A view for Role objects.
Enums | |
---|---|
BASIC | Omits the included_permissions field. This is the default value. |
FULL | Returns all fields. |
ServiceAccount
An IAM service account.
A service account is an account for an application or a virtual machine (VM) instance, not a person. You can use a service account to call Google APIs. To learn more, read the overview of service accounts.
When you create a service account, you specify the project ID that owns the service account, as well as a name that must be unique within the project. IAM uses these values to create an email address that identifies the service //
Fields | |
---|---|
name | The resource name of the service account. Use one of the following formats: As an alternative, you can use the When possible, avoid using the |
project_id | Output only. The ID of the project that owns the service account. |
unique_id | Output only. The unique, stable numeric ID for the service account. Each service account retains its unique ID even if you delete the service account. For example, if you delete a service account, then create a new service account with the same name, the new service account has a different unique ID than the deleted service account. |
email | Output only. The email address of the service account. |
display_name | Optional. A user-specified, human-readable name for the service account. The maximum length is 100 UTF-8 bytes. |
etag | Deprecated. Do not use. |
description | Optional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes. |
oauth2_client_id | Output only. The OAuth 2.0 client ID for the service account. |
disabled | Output only. Whether the service account is disabled. |
ServiceAccountKey
Represents a service account key.
A service account has two sets of key-pairs: user-managed, and system-managed.
User-managed key-pairs can be created and deleted by users. Users are responsible for rotating these keys periodically to ensure the security of their service accounts. Users retain the private key of these key-pairs, and Google retains ONLY the public key.
System-managed keys are automatically rotated by Google, and are used for signing for a maximum of two weeks. The rotation process is probabilistic, and usage of the new key will gradually ramp up and down over the key's lifetime.
If you cache the public key set for a service account, we recommend that you update the cache every 15 minutes. User-managed keys can be added and removed at any time, so it is important to update the cache frequently. For Google-managed keys, Google will publish a key at least 6 hours before it is first used for signing and will keep publishing it for at least 6 hours after it was last used for signing.
Public keys for all service accounts are also published at the OAuth2 Service Account API.
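The caching rules above (refresh the cached key set every 15 minutes; accept a key only inside its validity window), as an added example that is not part of the IAM reference or of Google's client libraries. The key records, the clock, the fetch function and the six-hour grace period after valid_before_time are constructed assumptions.

```python
# Added example (not IAM API code): constructed keys, clock and fetch stand in for the service.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

REFRESH_INTERVAL = timedelta(minutes=15)  # recommended cache refresh period
VERIFY_GRACE = timedelta(hours=6)         # assumption: accept a key this long past valid_before_time

@dataclass(frozen=True)
class PublicKey:
    key_id: str             # constructed: last segment of the key resource name
    public_key_data: str    # only the public half; private_key_data is never cached
    valid_after: datetime   # valid_after_time
    valid_before: datetime  # valid_before_time

class PublicKeyCache:
    """Caches one service account's public key set and refreshes it every 15 minutes."""
    def __init__(self, fetch: Callable[[], Dict[str, PublicKey]], now: Callable[[], datetime]):
        self._fetch, self._now = fetch, now
        self._keys: Dict[str, PublicKey] = {}
        self._fetched_at: Optional[datetime] = None

    def _refresh_if_stale(self) -> None:
        now = self._now()
        if self._fetched_at is None or now - self._fetched_at >= REFRESH_INTERVAL:
            self._keys = dict(self._fetch())  # user-managed keys can appear or vanish at any time
            self._fetched_at = now

    def key_for_verification(self, key_id: str) -> Optional[PublicKey]:
        self._refresh_if_stale()
        key = self._keys.get(key_id)
        now = self._now()
        # Unknown key, not yet valid, or past valid_before_time plus grace: refuse to verify with it.
        if key is None or now < key.valid_after or now > key.valid_before + VERIFY_GRACE:
            return None
        return key

def simulate() -> Dict[str, bool]:
    """Constructed scenario: a new key is unseen until the next refresh; an old key ages out."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    clock = {"now": t0}
    keys = {"k1": PublicKey("k1", "PUBKEY-k1 (constructed)", t0 - timedelta(days=1), t0 + timedelta(days=13))}
    cache = PublicKeyCache(fetch=lambda: keys, now=lambda: clock["now"])
    seen_k1 = cache.key_for_verification("k1") is not None
    keys["k2"] = PublicKey("k2", "PUBKEY-k2 (constructed)", t0, t0 + timedelta(days=14))
    before_refresh = cache.key_for_verification("k2") is not None  # stale cache: still unknown
    clock["now"] = t0 + REFRESH_INTERVAL
    after_refresh = cache.key_for_verification("k2") is not None   # refreshed: now visible
    clock["now"] = keys["k1"].valid_before + VERIFY_GRACE + timedelta(seconds=1)
    aged_out = cache.key_for_verification("k1") is None            # past the grace window
    return {"seen_k1": seen_k1, "before_refresh": before_refresh, "after_refresh": after_refresh, "aged_out": aged_out}
```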
Fields | |
---|---|
name | The resource name of the service account key in the following format |
private_key_type | The output format for the private key. Only provided in Google never exposes system-managed private keys, and never retains user-managed private keys. |
key_algorithm | Specifies the algorithm (and possibly key size) for the key. |
private_key_data | The private key data. Only provided in |
public_key_data | The public key data. Only provided in |
valid_after_time | The key can be used after this timestamp. |
valid_before_time | The key can be used before this timestamp. For system-managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time. |
key_origin |