Index
IAM
(interface)OauthClients
(interface)WorkforcePools
(interface)AuditData
(message)AuditData.PermissionDelta
(message)CreateOauthClientCredentialRequest
(message)CreateOauthClientRequest
(message)CreateRoleRequest
(message)CreateServiceAccountKeyRequest
(message)CreateServiceAccountRequest
(message)CreateWorkforcePoolProviderKeyRequest
(message)CreateWorkforcePoolProviderRequest
(message)CreateWorkforcePoolRequest
(message)DeleteOauthClientCredentialRequest
(message)DeleteOauthClientRequest
(message)DeleteRoleRequest
(message)DeleteServiceAccountKeyRequest
(message)DeleteServiceAccountRequest
(message)DeleteWorkforcePoolProviderKeyRequest
(message)DeleteWorkforcePoolProviderRequest
(message)DeleteWorkforcePoolRequest
(message)DeleteWorkforcePoolSubjectRequest
(message)DisableServiceAccountKeyRequest
(message)DisableServiceAccountRequest
(message)EnableServiceAccountKeyRequest
(message)EnableServiceAccountRequest
(message)GetOauthClientCredentialRequest
(message)GetOauthClientRequest
(message)GetRoleRequest
(message)GetServiceAccountKeyRequest
(message)GetServiceAccountRequest
(message)GetWorkforcePoolProviderKeyRequest
(message)GetWorkforcePoolProviderRequest
(message)GetWorkforcePoolRequest
(message)KeyData
(message)KeyData.KeyFormat
(enum)KeyData.KeySpec
(enum)LintPolicyRequest
(message)LintPolicyResponse
(message)LintResult
(message)LintResult.Level
(enum)LintResult.Severity
(enum)ListOauthClientCredentialsRequest
(message)ListOauthClientCredentialsResponse
(message)ListOauthClientsRequest
(message)ListOauthClientsResponse
(message)ListRolesRequest
(message)ListRolesResponse
(message)ListServiceAccountKeysRequest
(message)ListServiceAccountKeysRequest.KeyType
(enum)ListServiceAccountKeysResponse
(message)ListServiceAccountsRequest
(message)ListServiceAccountsResponse
(message)ListWorkforcePoolProviderKeysRequest
(message)ListWorkforcePoolProviderKeysResponse
(message)ListWorkforcePoolProvidersRequest
(message)ListWorkforcePoolProvidersResponse
(message)ListWorkforcePoolsRequest
(message)ListWorkforcePoolsResponse
(message)OauthClient
(message)OauthClient.ClientType
(enum)OauthClient.GrantType
(enum)OauthClient.State
(enum)OauthClientCredential
(message)PatchServiceAccountRequest
(message)Permission
(message)Permission.CustomRolesSupportLevel
(enum)Permission.PermissionLaunchStage
(enum)QueryAuditableServicesRequest
(message)QueryAuditableServicesResponse
(message)QueryAuditableServicesResponse.AuditableService
(message)QueryGrantableRolesRequest
(message)QueryGrantableRolesResponse
(message)QueryTestablePermissionsRequest
(message)QueryTestablePermissionsResponse
(message)Role
(message)Role.RoleLaunchStage
(enum)RoleView
(enum)ServiceAccount
(message)ServiceAccountKey
(message)ServiceAccountKey.ExtendedStatus
(message)ServiceAccountKeyAlgorithm
(enum)ServiceAccountKeyDisableReason
(enum)ServiceAccountKeyExtendedStatusKey
(enum)ServiceAccountKeyOrigin
(enum)ServiceAccountPrivateKeyType
(enum)ServiceAccountPublicKeyType
(enum)SignBlobRequest
(message)SignBlobResponse
(message)SignJwtRequest
(message)SignJwtResponse
(message)UndeleteOauthClientRequest
(message)UndeleteRoleRequest
(message)UndeleteServiceAccountRequest
(message)UndeleteServiceAccountResponse
(message)UndeleteWorkforcePoolProviderKeyRequest
(message)UndeleteWorkforcePoolProviderRequest
(message)UndeleteWorkforcePoolRequest
(message)UndeleteWorkforcePoolSubjectRequest
(message)UpdateOauthClientCredentialRequest
(message)UpdateOauthClientRequest
(message)UpdateRoleRequest
(message)UpdateWorkforcePoolProviderRequest
(message)UpdateWorkforcePoolRequest
(message)UploadServiceAccountKeyRequest
(message)WorkforcePool
(message)WorkforcePool.AccessRestrictions
(message)WorkforcePool.AccessRestrictions.ServiceConfig
(message)WorkforcePool.State
(enum)WorkforcePoolOperationMetadata
(message)WorkforcePoolProvider
(message)WorkforcePoolProvider.ExtraAttributesOAuth2Client
(message)WorkforcePoolProvider.ExtraAttributesOAuth2Client.AttributesType
(enum)WorkforcePoolProvider.ExtraAttributesOAuth2Client.QueryParameters
(message)WorkforcePoolProvider.Oidc
(message)WorkforcePoolProvider.Oidc.ClientSecret
(message)WorkforcePoolProvider.Oidc.ClientSecret.Value
(message)WorkforcePoolProvider.Oidc.WebSsoConfig
(message)WorkforcePoolProvider.Oidc.WebSsoConfig.AssertionClaimsBehavior
(enum)WorkforcePoolProvider.Oidc.WebSsoConfig.ResponseType
(enum)WorkforcePoolProvider.Saml
(message)WorkforcePoolProvider.State
(enum)WorkforcePoolProviderKey
(message)WorkforcePoolProviderKey.KeyUse
(enum)WorkforcePoolProviderKey.State
(enum)WorkforcePoolProviderKeyOperationMetadata
(message)WorkforcePoolProviderOperationMetadata
(message)WorkforcePoolSubject
(message)WorkforcePoolSubjectOperationMetadata
(message)
IAM
Creates and manages Identity and Access Management (IAM) resources.
You can use this service to work with all of the following resources:
- Service accounts, which identify an application or a virtual machine (VM) instance rather than a person
- Service account keys, which service accounts use to authenticate with Google APIs
- IAM policies for service accounts, which specify the roles that a principal has for the service account
- IAM custom roles, which help you limit the number of permissions that you grant to principals
In addition, you can use this service to complete the following tasks, among others:
- Test whether a service account can use specific permissions
- Check which roles you can grant for a specific resource
- Lint, or validate, condition expressions in an IAM policy
When you read data from the IAM API, each read is eventually consistent. In other words, if you write data with the IAM API, then immediately read that data, the read operation might return an older version of the data. To deal with this behavior, your application can retry the request with truncated exponential backoff.
In contrast, writing data to the IAM API is sequentially consistent. In other words, write operations are always processed in the order in which they were received.
CreateRole |
---|
Creates a new custom
|
CreateServiceAccount |
---|
Creates a
|
CreateServiceAccountKey |
---|
Creates a
|
DeleteRole |
---|
Deletes a custom When you delete a custom role, the following changes occur immediately:
A deleted custom role still counts toward the custom role limit until it is permanently deleted. You have 7 days to undelete the custom role. After 7 days, the following changes occur:
|
DeleteServiceAccount |
---|
Deletes a Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use
|
DeleteServiceAccountKey |
---|
Deletes a
|
DisableServiceAccount |
---|
Disables a If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail. To re-enable the service account, use To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with
|
DisableServiceAccountKey |
---|
Disable a
|
EnableServiceAccount |
---|
Enables a If the service account is already enabled, then this method has no effect. If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.
|
EnableServiceAccountKey |
---|
Enable a
|
GetIamPolicy |
---|
Gets the IAM policy that is attached to a This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the
|
GetRole |
---|
Gets the definition of a
|
GetServiceAccount |
---|
Gets a
|
GetServiceAccountKey |
---|
Gets a
|
LintPolicy |
---|
Lints, or validates, an IAM policy. Currently checks the Successful calls to this method always return an HTTP
|
ListRoles |
---|
Lists every predefined
|
ListServiceAccountKeys |
---|
Lists every
|
ListServiceAccounts |
---|
Lists every
|
PatchServiceAccount |
---|
Patches a
|
QueryAuditableServices |
---|
Returns a list of services that allow you to opt into audit logs that are not generated by default. To learn more about audit logs, see the Logging documentation.
|
QueryGrantableRoles |
---|
Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.
|
QueryTestablePermissions |
---|
Lists every permission that you can test on a resource. A permission is testable if you can check whether a principal has that permission on the resource.
|
SetIamPolicy |
---|
Sets the IAM policy that is attached to a Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account. This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:
For detailed instructions, see Manage access to project, folders, and organizations or Manage access to other resources.
|
SignBlob |
---|
Note: This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a blob using the system-managed private key for a
|
SignJwt |
---|
Note: This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a JSON Web Token (JWT) using the system-managed private key for a
|
TestIamPermissions |
---|
Tests whether the caller has the specified permissions on a
|
UndeleteRole |
---|
Undeletes a custom
|
UndeleteServiceAccount |
---|
Restores a deleted Important: It is not always possible to restore a deleted service account. Use this method only as a last resort. After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.
|
UpdateRole |
---|
Updates the definition of a custom
|
UpdateServiceAccount |
---|
Note: We are in the process of deprecating this method. Use Updates a You can update only the
|
UploadServiceAccountKey |
---|
Uploads the public key portion of a key pair that you manage, and associates the public key with a After you upload the public key, you can use the private key from the key pair as a service account key.
|
OauthClients
Manages OauthClient
s. An OauthClient
represents a third-party application that can access Google Cloud resources.
CreateOauthClient |
---|
Creates a new You cannot reuse the name of a deleted
|
CreateOauthClientCredential |
---|
Creates a new
|
DeleteOauthClient |
---|
Deletes an You cannot use a deleted
|
DeleteOauthClientCredential |
---|
Deletes an Before deleting an
|
GetOauthClient |
---|
Gets an individual
|
GetOauthClientCredential |
---|
Gets an individual
|
ListOauthClientCredentials |
---|
Lists all
|
ListOauthClients |
---|
Lists all non-deleted
|
UndeleteOauthClient |
---|
Undeletes an
|
UpdateOauthClient |
---|
Updates an existing
|
UpdateOauthClientCredential |
---|
Updates an existing
|
WorkforcePools
Manages WorkforcePools.
CreateWorkforcePool |
---|
Creates a new You cannot reuse the name of a deleted pool until 30 days after deletion.
|
CreateWorkforcePoolProvider |
---|
Creates a new You cannot reuse the name of a deleted provider until 30 days after deletion.
|
CreateWorkforcePoolProviderKey |
---|
Creates a new
|
DeleteWorkforcePool |
---|
Deletes a You cannot use a deleted WorkforcePool to exchange external credentials for Google Cloud credentials. However, deletion does not revoke credentials that have already been issued. Credentials issued for a deleted pool do not grant access to resources. If the pool is undeleted, and the credentials are not expired, they grant access again. You can undelete a pool for 30 days. After 30 days, deletion is permanent. You cannot update deleted pools. However, you can view and list them.
|
DeleteWorkforcePoolProvider |
---|
Deletes a Deleting a provider does not revoke credentials that have already been issued; they continue to grant access. You can undelete a provider for 30 days. After 30 days, deletion is permanent. You cannot update deleted providers. However, you can view and list them.
|
DeleteWorkforcePoolProviderKey |
---|
Deletes a
|
DeleteWorkforcePoolSubject |
---|
Deletes a Subject must not already be in a deleted state. A For 30 days after a Call After 30 days, the
|
GetIamPolicy |
---|
Gets IAM policies on a
|
GetWorkforcePool |
---|
Gets an individual
|
GetWorkforcePoolProvider |
---|
Gets an individual
|
GetWorkforcePoolProviderKey |
---|
Gets a
|
ListWorkforcePoolProviderKeys |
---|
Lists all non-deleted
|
ListWorkforcePoolProviders |
---|
Lists all non-deleted
|
ListWorkforcePools |
---|
Lists all non-deleted
|
SetIamPolicy |
---|
Sets IAM policies on a
|
TestIamPermissions |
---|
Returns the caller's permissions on the
|
UndeleteWorkforcePool |
---|
Undeletes a
|
UndeleteWorkforcePoolProvider |
---|
Undeletes a
|
UndeleteWorkforcePoolProviderKey |
---|
Undeletes a
|
UndeleteWorkforcePoolSubject |
---|
Undeletes a
|
UpdateWorkforcePool |
---|
Updates an existing
|
UpdateWorkforcePoolProvider |
---|
Updates an existing
|
AuditData
Audit log information specific to Cloud IAM admin APIs. This message is serialized as an Any
type in the ServiceData
message of an AuditLog
message.
Fields | |
---|---|
permission_delta |
The permission_delta when when creating or updating a Role. |
PermissionDelta
A PermissionDelta message to record the added_permissions and removed_permissions inside a role.
Fields | |
---|---|
added_permissions[] |
Added permissions. |
removed_permissions[] |
Removed permissions. |
CreateOauthClientCredentialRequest
Request message for CreateOauthClientCredential.
Fields | |
---|---|
parent |
Required. The parent resource to create the |
oauth_client_credential |
Required. The |
oauth_client_credential_id |
Required. The ID to use for the |
CreateOauthClientRequest
Request message for CreateOauthClient.
Fields | |
---|---|
parent |
Required. The parent resource to create the |
oauth_client |
Required. The |
oauth_client_id |
Required. The ID to use for the |
CreateRoleRequest
The request to create a new role.
Fields | |
---|---|
parent |
The
Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. Authorization requires the following IAM permission on the specified resource
|
role_id |
The role ID to use for this role. A role ID may contain alphanumeric characters, underscores ( |
role |
The Role resource to create. |
CreateServiceAccountKeyRequest
The service account key create request.
Fields | |
---|---|
name |
Required. The resource name of the service account. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the Authorization requires the following IAM permission on the specified resource
|
private_key_type |
The output format of the private key. The default value is |
key_algorithm |
Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future. |
CreateServiceAccountRequest
The service account create request.
Fields | |
---|---|
name |
Required. The resource name of the project associated with the service accounts, such as Authorization requires the following IAM permission on the specified resource
|
account_id |
Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression |
service_account |
The |
CreateWorkforcePoolProviderKeyRequest
Request message for CreateWorkforcePoolProviderKey.
Fields | |
---|---|
parent |
Required. The provider to create this key in. |
workforce_pool_provider_key |
Required. The WorkforcePoolProviderKey to create. |
workforce_pool_provider_key_id |
Required. The ID to use for the key, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. |
CreateWorkforcePoolProviderRequest
Request message for CreateWorkforcePoolProvider.
Fields | |
---|---|
parent |
Required. The pool to create this provider in. Format: |
workforce_pool_provider |
Required. The provider to create. |
workforce_pool_provider_id |
Required. The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix |
CreateWorkforcePoolRequest
Request message for CreateWorkforcePool.
Fields | |
---|---|
workforce_pool |
Required. The pool to create. |
location |
The location of the pool to create. Format: |
workforce_pool_id |
The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix |
DeleteOauthClientCredentialRequest
Request message for DeleteOauthClientCredential.
Fields | |
---|---|
name |
Required. The name of the Format: |
DeleteOauthClientRequest
Request message for DeleteOauthClient.
Fields | |
---|---|
name |
Required. The name of the Format: |
DeleteRoleRequest
The request to delete an existing role.
Fields | |
---|---|
name |
The
Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. Authorization requires the following IAM permission on the specified resource
|
etag |
Used to perform a consistent read-modify-write. |
DeleteServiceAccountKeyRequest
The service account key delete request.
Fields | |
---|---|
name |
Required. The resource name of the service account key. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the Authorization requires the following IAM permission on the specified resource
|
DeleteServiceAccountRequest
The service account delete request.
Fields | |
---|---|
name |
Required. The resource name of the service account. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the Authorization requires the following IAM permission on the specified resource
|
DeleteWorkforcePoolProviderKeyRequest
Request message for DeleteWorkforcePoolProviderKey.
Fields | |
---|---|
name |
Required. The name of the key to delete. |
DeleteWorkforcePoolProviderRequest
Request message for DeleteWorkforcePoolProvider.
Fields | |
---|---|
name |
Required. The name of the provider to delete. Format: |
DeleteWorkforcePoolRequest
Request message for DeleteWorkforcePool.
Fields | |
---|---|
name |
Required. The name of the pool to delete. Format: |
DeleteWorkforcePoolSubjectRequest
Request message for [DeleteWorkforcePoolSubject][].
Fields | |
---|---|
name |
Required. The resource name of the Format: |
DisableServiceAccountKeyRequest
The service account key disable request.
Fields | |
---|---|
name |
Required. The resource name of the service account key. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the Authorization requires the following IAM permission on the specified resource
|
service_account_key_disable_reason |
Optional. Describes the reason this key is being disabled. If unspecified, the default value of SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED will be used. |
extended_status_message |
Optional. Usable by internal google services only. An extended_status_message can be used to include additional information about the key, such as its private key data being exposed on a public repository like GitHub. |
DisableServiceAccountRequest
The service account disable request.
Fields | |
---|---|
name |
The resource name of the service account. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the Authorization requires the following IAM permission on the specified resource
|
EnableServiceAccountKeyRequest
The service account key enable request.
Fields | |
---|---|
name |
Required. The resource name of the service account key. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the Authorization requires the following IAM permission on the specified resource
|
EnableServiceAccountRequest
The service account enable request.
Fields | |
---|---|
name |
The resource name of the service account. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the Authorization requires the following IAM permission on the specified resource
|
GetOauthClientCredentialRequest
Request message for GetOauthClientCredential.
Fields | |
---|---|
name |
Required. The name of the Format: |
GetOauthClientRequest
Request message for GetOauthClient.
Fields | |
---|---|
name |
Required. The name of the Format: |
GetRoleRequest
The request to get the definition of an existing role.
Fields | |
---|---|
name |
The
Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. Authorization requires the following IAM permission on the specified resource
|
GetServiceAccountKeyRequest
The service account key get by id request.
Fields | |
---|---|
name |
Required. The resource name of the service account key. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the Authorization requires the following IAM permission on the specified resource
|
public_key_type |
Optional. The output format of the public key. The default is |
GetServiceAccountRequest
The service account get request.
Fields | |
---|---|
name |
Required. The resource name of the service account. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the Authorization requires the following IAM permission on the specified resource
|
GetWorkforcePoolProviderKeyRequest
Request message for GetWorkforcePoolProviderKey.
Fields | |
---|---|
name |
Required. The name of the key to retrieve. |
GetWorkforcePoolProviderRequest
Request message for GetWorkforcePoolProvider.
Fields | |
---|---|
name |
Required. The name of the provider to retrieve. Format: |
GetWorkforcePoolRequest
Request message for GetWorkforcePool.
Fields | |
---|---|
name |
Required. The name of the pool to retrieve. Format: |
KeyData
Represents a public key data along with its format.
Fields | |
---|---|
format |
Output only. The format of the key. |
not_before_time |
Output only. Earliest timestamp when this key is valid. Attempts to use this key before this time will fail. Only present if the key data represents a X.509 certificate. |
not_after_time |
Output only. Latest timestamp when this key is valid. Attempts to use this key after this time will fail. Only present if the key data represents a X.509 certificate. |
key |
Output only. The key data. The format of the key is represented by the |
key_spec |
Required. The specifications for the key. |
KeyFormat
The supported formats for the public key.
Enums | |
---|---|
KEY_FORMAT_UNSPECIFIED |
No format has been specified. This is an invalid format and must not be used. |
RSA_X509_PEM |
A RSA public key wrapped in an X.509v3 certificate (RFC5280), encoded in base64, and wrapped in public certificate label. |
KeySpec
Allowed list of specifications for the key.
Enums | |
---|---|
KEY_SPEC_UNSPECIFIED |
No key specification specified. |
RSA_2048 |
A 2048 bit RSA key. |
RSA_3072 |
A 3072 bit RSA key. |
RSA_4096 |
A 4096 bit RSA key. |
LintPolicyRequest
The request to lint an IAM policy object.
Fields | |
---|---|
full_resource_name |
The full resource name of the policy this lint request is about. The name follows the Google Cloud format for full resource names. For example, a Google Cloud project with ID The resource name is not used to read a policy from IAM. Only the data in the request object is linted. |
Union field lint_object . Required. The IAM object to be linted. lint_object can be only one of the following: |
|
condition |
|
LintPolicyResponse
The response of a lint operation. An empty response indicates the operation was able to fully execute and no lint issue was found.
Fields | |
---|---|
lint_results[] |
List of lint results sorted by |
LintResult
Structured response of a single validation unit.
Fields | |
---|---|
level |
The validation unit level. |
validation_unit_name |
The validation unit name, for instance "lintValidationUnits/ConditionComplexityCheck". |
severity |
The validation unit severity. |
field_name |
The name of the field for which this lint result is about. For nested messages |
location_offset |
0-based character position of problematic construct within the object identified by |
debug_message |
Human readable debug message associated with the issue. |
Level
Possible Level values of a validation unit corresponding to its domain of discourse.
Enums | |
---|---|
LEVEL_UNSPECIFIED |
Level is unspecified. |
CONDITION |
A validation unit which operates on an individual condition within a binding. |
Severity
Possible Severity values of an issued result.
Enums | |
---|---|
SEVERITY_UNSPECIFIED |
Severity is unspecified. |
ERROR |
A validation unit returns an error only for critical issues. If an attempt is made to set the problematic policy without rectifying the critical issue, it causes the setPolicy operation to fail. |
WARNING |
Any issue which is severe enough but does not cause an error. For example, suspicious constructs in the input object will not necessarily fail
|
NOTICE |
Reserved for the issues that are not severe as ERROR /WARNING , but need special handling. For instance, messages about skipped validation units are issued as NOTICE . |
INFO |
Any informative statement which is not severe enough to raise ERROR /WARNING /NOTICE , like auto-correction recommendations on the input content. Note that current version of the linter does not utilize INFO . |
DEPRECATED |
Deprecated severity level. |
ListOauthClientCredentialsRequest
Request message for ListOauthClientCredentials.
Fields | |
---|---|
parent |
Required. The parent to list |
ListOauthClientCredentialsResponse
Response message for ListOauthClientCredentials.
Fields | |
---|---|
oauth_client_credentials[] |
A list of |
ListOauthClientsRequest
Request message for ListOauthClients.
Fields | |
---|---|
parent |
Required. The parent to list |
page_size |
Optional. The maximum number of |
page_token |
Optional. A page token, received from a previous |
show_deleted |
Optional. Whether to return soft-deleted |
ListOauthClientsResponse
Response message for ListOauthClients.
Fields | |
---|---|
oauth_clients[] |
A list of |
next_page_token |
Optional. A token, which can be sent as |
ListRolesRequest
The request to get all roles defined under a resource.
Fields | |
---|---|
parent |
The
Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. Authorization requires the following IAM permission on the specified resource
|
page_size |
Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000. |
page_token |
Optional pagination token returned in an earlier ListRolesResponse. |
view |
Optional view for the returned Role objects. When |
show_deleted |
Include Roles that have been deleted. |
ListRolesResponse
The response containing the roles defined under a resource.
Fields | |
---|---|
roles[] |
The Roles defined on this resource. |
next_page_token |
To retrieve the next page of results, set |
ListServiceAccountKeysRequest
The service account keys list request.
Fields | |
---|---|
name |
Required. The resource name of the service account. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the Authorization requires the following IAM permission on the specified resource
|
key_types[] |
Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned. |
KeyType
KeyType
filters to selectively retrieve certain varieties of keys.
Enums | |
---|---|
KEY_TYPE_UNSPECIFIED |
Unspecified key type. The presence of this in the message will immediately result in an error. |
USER_MANAGED |
User-managed keys (managed and rotated by the user). |
SYSTEM_MANAGED |
System-managed keys (managed and rotated by Google). |
ListServiceAccountKeysResponse
The service account keys list response.
Fields | |
---|---|
keys[] |
The public keys for the service account. |
ListServiceAccountsRequest
The service account list request.
Fields | |
---|---|
name |
Required. The resource name of the project associated with the service accounts, such as Authorization requires the following IAM permission on the specified resource
|
page_size |
Optional limit on the number of service accounts to include in the response. Further accounts can subsequently be obtained by including the The default is 20, and the maximum is 100. |
page_token |
Optional pagination token returned in an earlier |
ListServiceAccountsResponse
The service account list response.
Fields | |
---|---|
accounts[] |
The list of matching service accounts. |
next_page_token |
To retrieve the next page of results, set |
ListWorkforcePoolProviderKeysRequest
Request message for ListWorkforcePoolProviderKeys.
Fields | |
---|---|
parent |
Required. The provider resource to list encryption keys for. Format: |
page_size |
The maximum number of keys to return. If unspecified, all keys are returned. The maximum value is 10; values above 10 are truncated to 10. |
page_token |
A page token, received from a previous |
show_deleted |
Whether to return soft-deleted keys. |
ListWorkforcePoolProviderKeysResponse
Response message for ListWorkforcePoolProviderKeys.
Fields | |
---|---|
workforce_pool_provider_keys[] |
A list of WorkforcePoolProviderKeys. |
next_page_token |
A token, which can be sent as |
ListWorkforcePoolProvidersRequest
Request message for ListWorkforcePoolProviders.
Fields | |
---|---|
parent |
Required. The pool to list providers for. Format: |
page_size |
The maximum number of providers to return. If unspecified, at most 50 providers are returned. The maximum value is 100; values above 100 are truncated to 100. |
page_token |
A page token, received from a previous |
show_deleted |
Whether to return soft-deleted providers. |
ListWorkforcePoolProvidersResponse
Response message for ListWorkforcePoolProviders.
Fields | |
---|---|
workforce_pool_providers[] |
A list of providers. |
next_page_token |
A token, which can be sent as |
ListWorkforcePoolsRequest
Request message for ListWorkforcePools.
Fields | |
---|---|
parent |
Required. The parent resource to list pools for. Format: |
page_size |
The maximum number of pools to return. If unspecified, at most 50 pools will be returned. The maximum value is 1000; values above 1000 are truncated to 1000. |
page_token |
A page token, received from a previous |
show_deleted |
Whether to return soft-deleted pools. |
location |
The location of the pool. Format: |
ListWorkforcePoolsResponse
Response message for ListWorkforcePools.
Fields | |
---|---|
workforce_pools[] |
A list of pools. |
next_page_token |
A token, which can be sent as |
OauthClient
Represents an OauthClient
. Used to access Google Cloud resources on behalf of a Workforce Identity Federation user by using OAuth 2.0 Protocol to obtain an access token from Google Cloud.
Fields | |
---|---|
name |
Immutable. The resource name of the Format: |
state |
Output only. The state of the |
disabled |
Optional. Whether the |
client_id |
Output only. The system-generated |
display_name |
Optional. A user-specified display name of the Cannot exceed 32 characters. |
description |
Optional. A user-specified description of the Cannot exceed 256 characters. |
client_type |
Immutable. The type of |
allowed_grant_types[] |
Required. The list of OAuth grant types is allowed for the |
allowed_scopes[] |
Required. The list of scopes that the The following scopes are supported:
|
allowed_redirect_uris[] |
Required. The list of redirect uris that is allowed to redirect back when authorization process is completed. |
expire_time |
Output only. Time after which the |
ClientType
The type of OauthClient
.
Enums | |
---|---|
CLIENT_TYPE_UNSPECIFIED |
Should not be used. |
PUBLIC_CLIENT |
Public client has no secret. |
CONFIDENTIAL_CLIENT |
Private client. |
GrantType
The OAuth grant type.
Enums | |
---|---|
GRANT_TYPE_UNSPECIFIED |
Should not be used. |
AUTHORIZATION_CODE_GRANT |
Authorization code grant. |
REFRESH_TOKEN_GRANT |
Refresh token grant. |
State
The current state of the OauthClient
.
Enums | |
---|---|
STATE_UNSPECIFIED |
Default value. This value is unused. |
ACTIVE |
The OauthClient is active. |
DELETED |
The OauthClient is soft-deleted. Soft-deleted OauthClient is permanently deleted after approximately 30 days unless restored via UndeleteOauthClient . |
OauthClientCredential
Represents an OauthClientCredential
. Used to authenticate an OauthClient
while accessing Google Cloud resources on behalf of a user by using OAuth 2.0 Protocol.
Fields | |
---|---|
name |
Immutable. The resource name of the Format: |
disabled |
Optional. Whether the |
display_name |
Optional. A user-specified display name of the Cannot exceed 32 characters. |
Union field
|
|
client_secret |
Output only. The system-generated OAuth client secret. The client secret must be stored securely. If the client secret is leaked, you must delete and re-create the client credential. To learn more, see OAuth client and credential security risks and mitigations |
PatchServiceAccountRequest
The service account patch request.
You can patch only the display_name
and description
fields. You must use the update_mask
field to specify which of these fields you want to patch.
Only the fields specified in the request are guaranteed to be returned in the response. Other fields may be empty in the response.
Fields | |
---|---|
service_account |
Authorization requires the following IAM permission on the specified resource
|
update_mask |
Permission
A permission which can be included by a role.
Fields | |
---|---|
name |
The name of this Permission. |
title |
The title of this Permission. |
description |
A brief description of what this Permission is used for. This permission can ONLY be used in predefined roles. |
only_in_predefined_roles |
|
stage |
The current launch stage of the permission. |
custom_roles_support_level |
The current custom role support level. |
api_disabled |
The service API associated with the permission is not enabled. |
primary_permission |
The preferred name for this permission. If present, then this permission is an alias of, and equivalent to, the listed primary_permission. |
CustomRolesSupportLevel
The state of the permission with regards to custom roles.
Enums | |
---|---|
SUPPORTED |
Default state. Permission is fully supported for custom role use. |
TESTING |
Permission is being tested to check custom role compatibility. |
NOT_SUPPORTED |
Permission is not supported for custom role use. |
PermissionLaunchStage
A stage representing a permission's lifecycle phase.
Enums | |
---|---|
ALPHA |
The permission is currently in an alpha phase. |
BETA |
The permission is currently in a beta phase. |
GA |
The permission is generally available. |
DEPRECATED |
The permission is being deprecated. |
QueryAuditableServicesRequest
A request to get the list of auditable services for a resource.
Fields | |
---|---|
full_resource_name |
Required. The full resource name to query from the list of auditable services. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id |
QueryAuditableServicesResponse
A response containing a list of auditable services for a resource.
Fields | |
---|---|
services[] |
The auditable services for a resource. |
AuditableService
Contains information about an auditable service.
Fields | |
---|---|
name |
Public name of the service. For example, the service name for IAM is 'iam.googleapis.com'. |
QueryGrantableRolesRequest
The grantable role query request.
Fields | |
---|---|
full_resource_name |
Required. The full resource name to query from the list of grantable roles. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id |
view |
|
page_size |
Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 2,000. |
page_token |
Optional pagination token returned in an earlier QueryGrantableRolesResponse. |
QueryGrantableRolesResponse
The grantable role query response.
Fields | |
---|---|
roles[] |
The list of matching roles. |
next_page_token |
To retrieve the next page of results, set |
QueryTestablePermissionsRequest
A request to get permissions which can be tested on a resource.
Fields | |
---|---|
full_resource_name |
Required. The full resource name to query from the list of testable permissions. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id |
page_size |
Optional limit on the number of permissions to include in the response. The default is 100, and the maximum is 1,000. |
page_token |
Optional pagination token returned in an earlier QueryTestablePermissionsRequest. |
QueryTestablePermissionsResponse
The response containing permissions which can be tested on a resource.
Fields | |
---|---|
permissions[] |
The Permissions testable on the requested resource. |
next_page_token |
To retrieve the next page of results, set |
Role
A role in the Identity and Access Management API.
Fields | |
---|---|
name |
The name of the role. When When |
title |
Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes. |
description |
Optional. A human-readable description for the role. |
included_permissions[] |
The names of the permissions this role grants when bound in an IAM policy. |
stage |
The current launch stage of the role. If the |
etag |
Used to perform a consistent read-modify-write. |
deleted |
The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole. |
RoleLaunchStage
A stage representing a role's lifecycle phase.
Enums | |
---|---|
ALPHA |
The user has indicated this role is currently in an Alpha phase. If this launch stage is selected, the stage field will not be included when requesting the definition for a given role. |
BETA |
The user has indicated this role is currently in a Beta phase. |
GA |
The user has indicated this role is generally available. |
DEPRECATED |
The user has indicated this role is being deprecated. |
DISABLED |
This role is disabled and will not contribute permissions to any principals it is granted to in policies. |
EAP |
The user has indicated this role is currently in an EAP phase. |
RoleView
A view for Role objects.
Enums | |
---|---|
BASIC |
Omits the included_permissions field. This is the default value. |
FULL |
Returns all fields. |
ServiceAccount
An IAM service account.
A service account is an account for an application or a virtual machine (VM) instance, not a person. You can use a service account to call Google APIs. To learn more, read the overview of service accounts.
When you create a service account, you specify the project ID that owns the service account, as well as a name that must be unique within the project. IAM uses these values to create an email address that identifies the service account. //
Fields | |
---|---|
name |
The resource name of the service account. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the |
project_id |
Output only. The ID of the project that owns the service account. |
unique_id |
Output only. The unique, stable numeric ID for the service account. Each service account retains its unique ID even if you delete the service account. For example, if you delete a service account, then create a new service account with the same name, the new service account has a different unique ID than the deleted service account. |
email |
Output only. The email address of the service account. |
display_name |
Optional. A user-specified, human-readable name for the service account. The maximum length is 100 UTF-8 bytes. |
etag |
Deprecated. Do not use. |
description |
Optional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes. |
oauth2_client_id |
Output only. The OAuth 2.0 client ID for the service account. |
disabled |
Output only. Whether the service account is disabled. |
ServiceAccountKey
Represents a service account key.
A service account has two sets of key-pairs: user-managed, and system-managed.
User-managed key-pairs can be created and deleted by users. Users are responsible for rotating these keys periodically to ensure security of their service accounts. Users retain the private key of these key-pairs, and Google retains ONLY the public key.
System-managed keys are automatically rotated by Google, and are used for signing for a maximum of two weeks. The rotation process is probabilistic, and usage of the new key will gradually ramp up and down over the key's lifetime.
If you cache the public key set for a service account, we recommend that you update the cache every 15 minutes. User-managed keys can be added and removed at any time, so it is important to update the cache frequently. For Google-managed keys, Google will publish a key at least 6 hours before it is first used for signing and will keep publishing it for at least 6 hours after it was last used for signing.
Public keys for all service accounts are also published at the OAuth2 Service Account API.
Fields | |
---|---|
name |
The resource name of the service account key in the following format |
private_key_type |
The output format for the private key. Only provided in Google never exposes system-managed private keys, and never retains user-managed private keys. |
key_algorithm |
Specifies the algorithm (and possibly key size) for the key. |
private_key_data |
The private key data. Only provided in |
public_key_data |
The public key data. Only provided in |
valid_after_time |
The key can be used after this timestamp. |
valid_before_time |
The key can be used before this timestamp. For system-managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time. |
key_origin |
The key origin. |
key_type |
The key type. |
disabled |
The key status. |
disable_reason |
Output only. optional. If the key is disabled, it may have a DisableReason describing why it was disabled. |
extended_status[] |
Output only. Extended Status provides permanent information about a service account key. For example, if this key was detected as exposed or compromised, that information will remain for the lifetime of the key in the extended_status. |
ExtendedStatus
Extended status can store additional metadata. For example, for keys disabled due to their private key data being expoesed we may include a message with more information about the exposure.
Fields | |
---|---|
key |
The key for this extended status. |
value |
The value for the extended status. |
ServiceAccountKeyAlgorithm
Supported key algorithms.
Enums | |
---|---|
KEY_ALG_UNSPECIFIED |
An unspecified key algorithm. |
KEY_ALG_RSA_1024 |
1k RSA Key. |
KEY_ALG_RSA_2048 |
2k RSA Key. |
ServiceAccountKeyDisableReason
DisableReason is intended to communicate more information about a disabled Service Accounts or Service Account Key.
Enums | |
---|---|
SERVICE_ACCOUNT_KEY_DISABLE_REASON_UNSPECIFIED |
Unspecified disable reason |
SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED |
Disabled by the user |
SERVICE_ACCOUNT_KEY_DISABLE_REASON_EXPOSED |
Google detected this Service Account external key's private key data as exposed, typically in a public repository on GitHub or similar. |
SERVICE_ACCOUNT_KEY_DISABLE_REASON_COMPROMISE_DETECTED |
This service account external key was detected as compromised and used by an attacker. |
ServiceAccountKeyExtendedStatusKey
Different categories of extended_status messages. For example the accompanying message for SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_EXPOSED may contain information about how the key was exposed.
Enums | |
---|---|
SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_UNSPECIFIED |
Unspecified extended status, should not be used. |
SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_EXPOSED |
This key has been detected as exposed. extended_status_value may contain information about the exposure (public GitHub repo, open internet, etc.) |
SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_COMPROMISE_DETECTED |
This key was implicated in a compromise or other attack. extended_status_value may contain information about the abuse perpetrated. |
ServiceAccountKeyOrigin
Service Account Key Origin.
Enums | |
---|---|
ORIGIN_UNSPECIFIED |
Unspecified key origin. |
USER_PROVIDED |
Key is provided by user. |
GOOGLE_PROVIDED |
Key is provided by Google. |
ServiceAccountPrivateKeyType
Supported private key output formats.
Enums | |
---|---|
TYPE_UNSPECIFIED |
Unspecified. Equivalent to TYPE_GOOGLE_CREDENTIALS_FILE . |
TYPE_PKCS12_FILE |
PKCS12 format. The password for the PKCS12 file is notasecret . For more information, see https://tools.ietf.org/html/rfc7292. |
TYPE_GOOGLE_CREDENTIALS_FILE |
Google Credentials File format. |
ServiceAccountPublicKeyType
Supported public key output formats.
Enums | |
---|---|
TYPE_NONE |
Do not return the public key. |
TYPE_X509_PEM_FILE |
X509 PEM format. |
TYPE_RAW_PUBLIC_KEY |
Raw public key. |
SignBlobRequest
Deprecated. Migrate to Service Account Credentials API.
The service account sign blob request.
Fields | |
---|---|
name |
Required. Deprecated. Migrate to Service Account Credentials API. The resource name of the service account. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the Authorization requires the following IAM permission on the specified resource
|
bytes_to_sign |
Required. Deprecated. Migrate to Service Account Credentials API. The bytes to sign. |
SignBlobResponse
Deprecated. Migrate to Service Account Credentials API.
The service account sign blob response.
Fields | |
---|---|
key_id |
Deprecated. Migrate to Service Account Credentials API. The id of the key used to sign the blob. |
signature |
Deprecated. Migrate to Service Account Credentials API. The signed blob. |
SignJwtRequest
Deprecated. Migrate to Service Account Credentials API.
The service account sign JWT request.
Fields | |
---|---|
name |
Required. Deprecated. Migrate to Service Account Credentials API. The resource name of the service account. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the Authorization requires the following IAM permission on the specified resource
|
payload |
Required. Deprecated. Migrate to Service Account Credentials API. The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. For example: If the JWT Claims Set contains an expiration time ( If the JWT Claims Set does not contain an expiration time ( |
SignJwtResponse
Deprecated. Migrate to Service Account Credentials API.
The service account sign JWT response.
Fields | |
---|---|
key_id |
Deprecated. Migrate to Service Account Credentials API. The id of the key used to sign the JWT. |
signed_jwt |
Deprecated. Migrate to Service Account Credentials API. The signed JWT. |
UndeleteOauthClientRequest
Request message for UndeleteOauthClient.
Fields | |
---|---|
name |
Required. The name of the Format: |
UndeleteRoleRequest
The request to undelete an existing role.
Fields | |
---|---|
name |
The
Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. Authorization requires the following IAM permission on the specified resource
|
etag |
Used to perform a consistent read-modify-write. |
UndeleteServiceAccountRequest
The service account undelete request.
Fields | |
---|---|
name |
The resource name of the service account. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the Authorization requires the following IAM permission on the specified resource
|
UndeleteServiceAccountResponse
Fields | |
---|---|
restored_account |
Metadata for the restored service account. |
UndeleteWorkforcePoolProviderKeyRequest
Request message for UndeleteWorkforcePoolProviderKey.
Fields | |
---|---|
name |
Required. The name of the key to undelete. |
UndeleteWorkforcePoolProviderRequest
Request message for UndeleteWorkforcePoolProvider.
Fields | |
---|---|
name |
Required. The name of the provider to undelete. Format: |
UndeleteWorkforcePoolRequest
Request message for UndeleteWorkforcePool.
Fields | |
---|---|
name |
Required. The name of the pool to undelete. Format: |
UndeleteWorkforcePoolSubjectRequest
Request message for [UndeleteWorkforcePoolSubject][].
Fields | |
---|---|
name |
Required. The resource name of the Format: |
UpdateOauthClientCredentialRequest
Request message for UpdateOauthClientCredential.
Fields | |
---|---|
oauth_client_credential |
Required. The |
update_mask |
Required. The list of fields to update. |
UpdateOauthClientRequest
Request message for UpdateOauthClient.
Fields | |
---|---|
oauth_client |
Required. The |
update_mask |
Required. The list of fields to update. |
UpdateRoleRequest
The request to update a role.
Fields | |
---|---|
name |
The
Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. Authorization requires the following IAM permission on the specified resource
|
role |
The updated role. |
update_mask |
A mask describing which fields in the Role have changed. |
UpdateWorkforcePoolProviderRequest
Request message for UpdateWorkforcePoolProvider.
Fields | |
---|---|
workforce_pool_provider |
Required. The provider to update. |
update_mask |
Required. The list of fields to update. |
UpdateWorkforcePoolRequest
Request message for UpdateWorkforcePool.
Fields | |
---|---|
workforce_pool |
Required. The pool to update. The |
update_mask |
Required. The list of fields to update. |
UploadServiceAccountKeyRequest
The service account key upload request.
Fields | |
---|---|
name |
The resource name of the service account key. Use one of the following formats:
As an alternative, you can use the
When possible, avoid using the Authorization requires the following IAM permission on the specified resource
|
public_key_data |
The public key to associate with the service account. Must be an RSA public key that is wrapped in an X.509 v3 certificate. Include the first line, |
WorkforcePool
Represents a collection of external workforces. Provides namespaces for federated users that can be referenced in IAM policies.
Fields | |
---|---|
name |
Output only. The resource name of the pool. Format: |
parent |
Immutable. The resource name of the parent. Format: |
display_name |
A user-specified display name of the pool in Google Cloud Console. Cannot exceed 32 characters. |
description |
A user-specified description of the pool. Cannot exceed 256 characters. |
state |
Output only. The state of the pool. |
disabled |
Disables the workforce pool. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again. |
session_duration |
Duration that the Google Cloud access tokens, console sign-in sessions, and Must be greater than 15 minutes (900s) and less than 12 hours (43200s). If For SAML providers, the lifetime of the token is the minimum of the |
expire_time |
Output only. Time after which the workforce pool will be permanently purged and cannot be recovered. |
access_restrictions |
Optional. Configure access restrictions on the workforce pool users. This is an optional field. If specified web sign-in can be restricted to given set of services or programmatic sign-in can be disabled for pool users. |
AccessRestrictions
Access related restrictions on the workforce pool.
Fields | |
---|---|
allowed_services[] |
Optional. Immutable. Services allowed for web sign-in with the workforce pool. If not set by default there are no restrictions. |
disable_programmatic_signin |
Optional. Disable programmatic sign-in by disabling token issue via the Security Token API endpoint. See Security Token Service API. |
ServiceConfig
Configuration for a service.
Fields | |
---|---|
domain |
Optional. Domain name of the service. Example: console.cloud.google |
State
The current state of the pool.
Enums | |
---|---|
STATE_UNSPECIFIED |
State unspecified. |
ACTIVE |
The pool is active and may be used in Google Cloud policies. |
DELETED |
The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again. |
WorkforcePoolOperationMetadata
This type has no fields.
Metadata for long-running WorkforcePool operations.
WorkforcePoolProvider
A configuration for an external identity provider.
Fields | |
---|---|
name |
Output only. The resource name of the provider. Format: |
display_name |
A user-specified display name for the provider. Cannot exceed 32 characters. |
description |
A user-specified description of the provider. Cannot exceed 256 characters. |
state |
Output only. The state of the provider. |
disabled |
Disables the workforce pool provider. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access. |
attribute_mapping |
Required. Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:
You can also provide custom attributes by specifying You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 4KB. For OIDC providers, you must supply a custom mapping that includes the
|
attribute_condition |
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials will be accepted. The following example shows how to only allow credentials with a mapped
|
expire_time |
Output only. Time after which the workload pool provider will be permanently purged and cannot be recovered. |
extra_attributes_oauth2_client |
Optional. The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. |
Union field
|
|
saml |
A SAML identity provider configuration. |
oidc |
An OpenId Connect 1.0 identity provider configuration. |
ExtraAttributesOAuth2Client
Represents the OAuth 2.0 client credential configuration for retrieving additional user attributes that are not present in the initial authentication credentials from the identity provider, e.g. groups. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.4 for more details on client credentials grant flow.
Fields | |
---|---|
issuer_uri |
Required. The OIDC identity provider's issuer URI. Must be a valid URI using the |
client_id |
Required. The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow. |
client_secret |
Required. The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow. |
attributes_type |
Required. Represents the IdP and type of claims that should be fetched. |
query_parameters |
Optional. Represents the parameters to control which claims are fetched from an IdP. |
AttributesType
Represents the IdP and type of claims that should be fetched.
Enums | |
---|---|
ATTRIBUTES_TYPE_UNSPECIFIED |
No AttributesType specified. |
AZURE_AD_GROUPS_MAIL |
Used to get the user's group claims from the Microsoft Entra ID identity provider using configuration provided in ExtraAttributesOAuth2Client and mail property of the microsoft.graph.group object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on microsoft.graph.group properties. The attributes obtained from idntity provider are mapped to assertion.groups . |
QueryParameters
Represents the parameters to control which claims are fetched from an IdP.
Fields | |
---|---|
filter |
Optional. The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details. |
Oidc
Represents an OpenId Connect 1.0 identity provider.
Fields | |
---|---|
issuer_uri |
Required. The OIDC issuer URI. Must be a valid URI using the |
client_id |
Required. The client ID. Must match the audience claim of the JWT issued by the identity provider. |
client_secret |
The optional client secret. Required to enable Authorization Code flow for web sign-in. |
web_sso_config |
Required. Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. |
jwks_json |
OIDC JWKs in JSON String format. For details on the definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, the |
ClientSecret
Representation of a client secret configured for the OIDC provider.
Fields | |
---|---|
Union field
|
|
value |
The value of the client secret. |
Value
Representation of the value of the client secret.
Fields | |
---|---|
plain_text |
Input only. The plain text of the client secret value. For security reasons, this field is only used for input and will never be populated in any response. |
thumbprint |
Output only. A thumbprint to represent the current client secret value. |
WebSsoConfig
Configuration for web single sign-on for the OIDC provider.
Fields | |
---|---|
response_type |
Required. The Response Type to request for in the OIDC Authorization Request for web sign-in. The |
assertion_claims_behavior |
Required. The behavior for how OIDC Claims are included in the |
additional_scopes[] |
Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured. |
AssertionClaimsBehavior
Possible behaviors for how OIDC Claims are included in the assertion
object used for attribute mapping and attribute condition.
Enums | |
---|---|
ASSERTION_CLAIMS_BEHAVIOR_UNSPECIFIED |
No assertion claims behavior specified. |
MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS |
Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow. |
ONLY_ID_TOKEN_CLAIMS |
Only include ID Token Claims. |
ResponseType
Possible Response Types to request for in the OIDC Authorization Request for web sign-in. This determines the OIDC Authentication Flow. See https://openid.net/specs/openid-connect-core-1_0.html#Authentication for a mapping of Response Type to OIDC Authentication Flow.
Enums | |
---|---|
RESPONSE_TYPE_UNSPECIFIED |
No Response Type specified. |
CODE |
The response_type=code selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret. |
ID_TOKEN |
The response_type=id_token selection uses the Implicit Flow for web sign-in. |
Saml
Represents a SAML identity provider.
Fields | |
---|---|
Union field
|
|
idp_metadata_xml |
Required. SAML Identity provider configuration metadata xml doc. The xml document should comply with SAML 2.0 specification. The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints: 1) Must contain an Identity Provider Entity ID. 2) Must contain at least one non-expired signing key certificate. 3) For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 20 years in the future. 4) Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata. |
State
The current state of the provider.
Enums | |
---|---|
STATE_UNSPECIFIED |
State unspecified. |
ACTIVE |
The provider is active and may be used to validate authentication credentials. |
DELETED |
The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkforcePoolProvider . |
WorkforcePoolProviderKey
Represents a public key configuration for a Workforce Pool Provider. The key can be configured in your identity provider to encrypt SAML assertions. Google holds the corresponding private key, which it uses to decrypt encrypted tokens.
Fields | |
---|---|
name |
Output only. The resource name of the key. |
key_data |
Immutable. Public half of the asymmetric key. |
state |
Output only. The state of the key. |
use |
Required. The purpose of the key. |
expire_time |
Output only. The time after which the key will be permanently deleted and cannot be recovered. Note that the key may get purged before this time if the total limit of keys per provider is exceeded. |
KeyUse
The purpose of the key.
Enums | |
---|---|
KEY_USE_UNSPECIFIED |
KeyUse unspecified. |
ENCRYPTION |
The key is used for encryption. |
State
The current state of the key.
Enums | |
---|---|
STATE_UNSPECIFIED |
State unspecified. |
ACTIVE |
The key is active. |
DELETED |
The key is soft-deleted. Soft-deleted keys are permanently deleted after approximately 30 days. You can restore a soft-deleted key using UndeleteWorkforcePoolProviderKey . |
WorkforcePoolProviderKeyOperationMetadata
This type has no fields.
Metadata for long-running WorkforcePoolProviderKey operations.
WorkforcePoolProviderOperationMetadata
This type has no fields.
Metadata for long-running WorkforcePoolProvider operations.
WorkforcePoolSubject
Represents a single identity in a Workforce Pool.
Fields | |
---|---|
name |
Output only. The resource name of the Format: |
expire_time |
Output only. The planned hard deletion time of this resource in RFC3339 text format. |
WorkforcePoolSubjectOperationMetadata
This type has no fields.
Metadata for long-running WorkforcePoolSubject
operations.