Class IAMGrpc.IAMFutureStub (2.0.0)

public static final class IAMGrpc.IAMFutureStub extends AbstractFutureStub<IAMGrpc.IAMFutureStub>

Creates and manages Identity and Access Management (IAM) resources. You can use this service to work with all of the following resources:

  • Service accounts, which identify an application or a virtual machine (VM) instance rather than a person
  • Service account keys, which service accounts use to authenticate with Google APIs
  • IAM policies for service accounts, which specify the roles that a principal has for the service account
  • IAM custom roles, which help you limit the number of permissions that you grant to principals In addition, you can use this service to complete the following tasks, among others:
  • Test whether a service account can use specific permissions
  • Check which roles you can grant for a specific resource
  • Lint, or validate, condition expressions in an IAM policy When you read data from the IAM API, each read is eventually consistent. In other words, if you write data with the IAM API, then immediately read that data, the read operation might return an older version of the data. To deal with this behavior, your application can retry the request with truncated exponential backoff. In contrast, writing data to the IAM API is sequentially consistent. In other words, write operations are always processed in the order in which they were received.

Inheritance

java.lang.Object > io.grpc.stub.AbstractStub > io.grpc.stub.AbstractFutureStub > IAMGrpc.IAMFutureStub

Methods

build(Channel channel, CallOptions callOptions)

protected IAMGrpc.IAMFutureStub build(Channel channel, CallOptions callOptions)
Parameters
NameDescription
channelio.grpc.Channel
callOptionsio.grpc.CallOptions
Returns
TypeDescription
IAMGrpc.IAMFutureStub
Overrides
io.grpc.stub.AbstractStub.build(io.grpc.Channel,io.grpc.CallOptions)

createRole(CreateRoleRequest request)

public ListenableFuture<Role> createRole(CreateRoleRequest request)

Creates a new custom Role.

Parameter
NameDescription
requestCreateRoleRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<Role>

createServiceAccount(CreateServiceAccountRequest request)

public ListenableFuture<ServiceAccount> createServiceAccount(CreateServiceAccountRequest request)

Creates a ServiceAccount.

Parameter
NameDescription
requestCreateServiceAccountRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<ServiceAccount>

createServiceAccountKey(CreateServiceAccountKeyRequest request)

public ListenableFuture<ServiceAccountKey> createServiceAccountKey(CreateServiceAccountKeyRequest request)

Creates a ServiceAccountKey.

Parameter
NameDescription
requestCreateServiceAccountKeyRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<ServiceAccountKey>

deleteRole(DeleteRoleRequest request)

public ListenableFuture<Role> deleteRole(DeleteRoleRequest request)

Deletes a custom Role. When you delete a custom role, the following changes occur immediately:

  • You cannot bind a principal to the custom role in an IAM Policy.
  • Existing bindings to the custom role are not changed, but they have no effect.
  • By default, the response from ListRoles does not include the custom role. You have 7 days to undelete the custom role. After 7 days, the following changes occur:
  • The custom role is permanently deleted and cannot be recovered.
  • If an IAM policy contains a binding to the custom role, the binding is permanently removed.
Parameter
NameDescription
requestDeleteRoleRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<Role>

deleteServiceAccount(DeleteServiceAccountRequest request)

public ListenableFuture<Empty> deleteServiceAccount(DeleteServiceAccountRequest request)

Deletes a ServiceAccount. Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead. If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

Parameter
NameDescription
requestDeleteServiceAccountRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<Empty>

deleteServiceAccountKey(DeleteServiceAccountKeyRequest request)

public ListenableFuture<Empty> deleteServiceAccountKey(DeleteServiceAccountKeyRequest request)

Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

Parameter
NameDescription
requestDeleteServiceAccountKeyRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<Empty>

disableServiceAccount(DisableServiceAccountRequest request)

public ListenableFuture<Empty> disableServiceAccount(DisableServiceAccountRequest request)

Disables a ServiceAccount immediately. If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail. To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount.

Parameter
NameDescription
requestDisableServiceAccountRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<Empty>

disableServiceAccountKey(DisableServiceAccountKeyRequest request)

public ListenableFuture<Empty> disableServiceAccountKey(DisableServiceAccountKeyRequest request)

Disable a ServiceAccountKey. A disabled service account key can be re-enabled with EnableServiceAccountKey.

Parameter
NameDescription
requestDisableServiceAccountKeyRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<Empty>

enableServiceAccount(EnableServiceAccountRequest request)

public ListenableFuture<Empty> enableServiceAccount(EnableServiceAccountRequest request)

Enables a ServiceAccount that was disabled by DisableServiceAccount. If the service account is already enabled, then this method has no effect. If the service account was disabled by other means\u2014for example, if Google disabled the service account because it was compromised\u2014you cannot use this method to enable the service account.

Parameter
NameDescription
requestEnableServiceAccountRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<Empty>

enableServiceAccountKey(EnableServiceAccountKeyRequest request)

public ListenableFuture<Empty> enableServiceAccountKey(EnableServiceAccountKeyRequest request)

Enable a ServiceAccountKey.

Parameter
NameDescription
requestEnableServiceAccountKeyRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<Empty>

getIamPolicy(GetIamPolicyRequest request)

public ListenableFuture<Policy> getIamPolicy(GetIamPolicyRequest request)

Gets the IAM policy that is attached to a ServiceAccount. This IAM policy specifies which principals have access to the service account. This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

Parameter
NameDescription
requestcom.google.iam.v1.GetIamPolicyRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<com.google.iam.v1.Policy>

getRole(GetRoleRequest request)

public ListenableFuture<Role> getRole(GetRoleRequest request)

Gets the definition of a Role.

Parameter
NameDescription
requestGetRoleRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<Role>

getServiceAccount(GetServiceAccountRequest request)

public ListenableFuture<ServiceAccount> getServiceAccount(GetServiceAccountRequest request)

Gets a ServiceAccount.

Parameter
NameDescription
requestGetServiceAccountRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<ServiceAccount>

getServiceAccountKey(GetServiceAccountKeyRequest request)

public ListenableFuture<ServiceAccountKey> getServiceAccountKey(GetServiceAccountKeyRequest request)

Gets a ServiceAccountKey.

Parameter
NameDescription
requestGetServiceAccountKeyRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<ServiceAccountKey>

lintPolicy(LintPolicyRequest request)

public ListenableFuture<LintPolicyResponse> lintPolicy(LintPolicyRequest request)

Lints, or validates, an IAM policy. Currently checks the google.iam.v1.Binding.condition field, which contains a condition expression for a role binding. Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy.

Parameter
NameDescription
requestLintPolicyRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<LintPolicyResponse>

listRoles(ListRolesRequest request)

public ListenableFuture<ListRolesResponse> listRoles(ListRolesRequest request)

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

Parameter
NameDescription
requestListRolesRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<ListRolesResponse>

listServiceAccountKeys(ListServiceAccountKeysRequest request)

public ListenableFuture<ListServiceAccountKeysResponse> listServiceAccountKeys(ListServiceAccountKeysRequest request)

Lists every ServiceAccountKey for a service account.

Parameter
NameDescription
requestListServiceAccountKeysRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<ListServiceAccountKeysResponse>

listServiceAccounts(ListServiceAccountsRequest request)

public ListenableFuture<ListServiceAccountsResponse> listServiceAccounts(ListServiceAccountsRequest request)

Lists every ServiceAccount that belongs to a specific project.

Parameter
NameDescription
requestListServiceAccountsRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<ListServiceAccountsResponse>

patchServiceAccount(PatchServiceAccountRequest request)

public ListenableFuture<ServiceAccount> patchServiceAccount(PatchServiceAccountRequest request)

Patches a ServiceAccount.

Parameter
NameDescription
requestPatchServiceAccountRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<ServiceAccount>

queryAuditableServices(QueryAuditableServicesRequest request)

public ListenableFuture<QueryAuditableServicesResponse> queryAuditableServices(QueryAuditableServicesRequest request)

Returns a list of services that allow you to opt into audit logs that are not generated by default. To learn more about audit logs, see the Logging documentation.

Parameter
NameDescription
requestQueryAuditableServicesRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<QueryAuditableServicesResponse>

queryGrantableRoles(QueryGrantableRolesRequest request)

public ListenableFuture<QueryGrantableRolesResponse> queryGrantableRoles(QueryGrantableRolesRequest request)

Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.

Parameter
NameDescription
requestQueryGrantableRolesRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<QueryGrantableRolesResponse>

queryTestablePermissions(QueryTestablePermissionsRequest request)

public ListenableFuture<QueryTestablePermissionsResponse> queryTestablePermissions(QueryTestablePermissionsRequest request)

Lists every permission that you can test on a resource. A permission is testable if you can check whether a principal has that permission on the resource.

Parameter
NameDescription
requestQueryTestablePermissionsRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<QueryTestablePermissionsResponse>

setIamPolicy(SetIamPolicyRequest request)

public ListenableFuture<Policy> setIamPolicy(SetIamPolicyRequest request)

Sets the IAM policy that is attached to a ServiceAccount. Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account. This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:

  1. Call the resource's getIamPolicy method to get its current IAM policy.
  2. Edit the policy so that it binds the service account to an IAM role for the resource.
  3. Call the resource's setIamPolicy method to update its IAM policy. For detailed instructions, see Manage access to project, folders, and organizations or Manage access to other resources.
Parameter
NameDescription
requestcom.google.iam.v1.SetIamPolicyRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<com.google.iam.v1.Policy>

signBlob(SignBlobRequest request)

public ListenableFuture<SignBlobResponse> signBlob(SignBlobRequest request)

Note: This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a blob using the system-managed private key for a ServiceAccount.

Parameter
NameDescription
requestSignBlobRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<SignBlobResponse>

signJwt(SignJwtRequest request)

public ListenableFuture<SignJwtResponse> signJwt(SignJwtRequest request)

Note: This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.

Parameter
NameDescription
requestSignJwtRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<SignJwtResponse>

testIamPermissions(TestIamPermissionsRequest request)

public ListenableFuture<TestIamPermissionsResponse> testIamPermissions(TestIamPermissionsRequest request)

Tests whether the caller has the specified permissions on a ServiceAccount.

Parameter
NameDescription
requestcom.google.iam.v1.TestIamPermissionsRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<com.google.iam.v1.TestIamPermissionsResponse>

undeleteRole(UndeleteRoleRequest request)

public ListenableFuture<Role> undeleteRole(UndeleteRoleRequest request)

Undeletes a custom Role.

Parameter
NameDescription
requestUndeleteRoleRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<Role>

undeleteServiceAccount(UndeleteServiceAccountRequest request)

public ListenableFuture<UndeleteServiceAccountResponse> undeleteServiceAccount(UndeleteServiceAccountRequest request)

Restores a deleted ServiceAccount. Important: It is not always possible to restore a deleted service account. Use this method only as a last resort. After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.

Parameter
NameDescription
requestUndeleteServiceAccountRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<UndeleteServiceAccountResponse>

updateRole(UpdateRoleRequest request)

public ListenableFuture<Role> updateRole(UpdateRoleRequest request)

Updates the definition of a custom Role.

Parameter
NameDescription
requestUpdateRoleRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<Role>

updateServiceAccount(ServiceAccount request)

public ListenableFuture<ServiceAccount> updateServiceAccount(ServiceAccount request)

Note: We are in the process of deprecating this method. Use PatchServiceAccount instead. Updates a ServiceAccount. You can update only the display_name field.

Parameter
NameDescription
requestServiceAccount
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<ServiceAccount>

uploadServiceAccountKey(UploadServiceAccountKeyRequest request)

public ListenableFuture<ServiceAccountKey> uploadServiceAccountKey(UploadServiceAccountKeyRequest request)

Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount. After you upload the public key, you can use the private key from the key pair as a service account key.

Parameter
NameDescription
requestUploadServiceAccountKeyRequest
Returns
TypeDescription
com.google.common.util.concurrent.ListenableFuture<ServiceAccountKey>