public static final class IAMGrpc.IAMStub extends AbstractAsyncStub<IAMGrpc.IAMStub>
Creates and manages Identity and Access Management (IAM) resources.
You can use this service to work with all of the following resources:
- Service accounts, which identify an application or a virtual machine
(VM) instance rather than a person
- Service account keys, which service accounts use to authenticate with
Google APIs
- IAM policies for service accounts, which specify the roles that a
principal has for the service account
- IAM custom roles, which help you limit the number of permissions that
you grant to principals
In addition, you can use this service to complete the following tasks, among
others:
- Test whether a service account can use specific permissions
- Check which roles you can grant for a specific resource
- Lint, or validate, condition expressions in an IAM policy
When you read data from the IAM API, each read is eventually consistent. In
other words, if you write data with the IAM API, then immediately read that
data, the read operation might return an older version of the data. To deal
with this behavior, your application can retry the request with truncated
exponential backoff.
In contrast, writing data to the IAM API is sequentially consistent. In other
words, write operations are always processed in the order in which they were
received.
Inheritance
java.lang.Object >
io.grpc.stub.AbstractStub >
io.grpc.stub.AbstractAsyncStub >
IAMGrpc.IAMStub
Inherited Members
io.grpc.stub.AbstractAsyncStub.<T>newStub(io.grpc.stub.AbstractStub.StubFactory<T>,io.grpc.Channel)
io.grpc.stub.AbstractAsyncStub.<T>newStub(io.grpc.stub.AbstractStub.StubFactory<T>,io.grpc.Channel,io.grpc.CallOptions)
io.grpc.stub.AbstractStub.<T>withOption(io.grpc.CallOptions.Key<T>,T)
io.grpc.stub.AbstractStub.build(io.grpc.Channel,io.grpc.CallOptions)
io.grpc.stub.AbstractStub.getCallOptions()
io.grpc.stub.AbstractStub.getChannel()
io.grpc.stub.AbstractStub.withCallCredentials(io.grpc.CallCredentials)
io.grpc.stub.AbstractStub.withChannel(io.grpc.Channel)
io.grpc.stub.AbstractStub.withCompression(java.lang.String)
io.grpc.stub.AbstractStub.withDeadline(io.grpc.Deadline)
io.grpc.stub.AbstractStub.withDeadlineAfter(long,java.util.concurrent.TimeUnit)
io.grpc.stub.AbstractStub.withExecutor(java.util.concurrent.Executor)
io.grpc.stub.AbstractStub.withInterceptors(io.grpc.ClientInterceptor...)
io.grpc.stub.AbstractStub.withMaxInboundMessageSize(int)
io.grpc.stub.AbstractStub.withMaxOutboundMessageSize(int)
io.grpc.stub.AbstractStub.withWaitForReady()
Methods
build(Channel channel, CallOptions callOptions)
protected IAMGrpc.IAMStub build(Channel channel, CallOptions callOptions)
Parameters
Name | Description |
channel | io.grpc.Channel
|
callOptions | io.grpc.CallOptions
|
Returns
Overrides
io.grpc.stub.AbstractStub.build(io.grpc.Channel,io.grpc.CallOptions)
createRole(CreateRoleRequest request, StreamObserver<Role> responseObserver)
public void createRole(CreateRoleRequest request, StreamObserver<Role> responseObserver)
Creates a new custom Role.
Parameters
createServiceAccount(CreateServiceAccountRequest request, StreamObserver<ServiceAccount> responseObserver)
public void createServiceAccount(CreateServiceAccountRequest request, StreamObserver<ServiceAccount> responseObserver)
Creates a ServiceAccount.
Parameters
createServiceAccountKey(CreateServiceAccountKeyRequest request, StreamObserver<ServiceAccountKey> responseObserver)
public void createServiceAccountKey(CreateServiceAccountKeyRequest request, StreamObserver<ServiceAccountKey> responseObserver)
Creates a ServiceAccountKey.
Parameters
deleteRole(DeleteRoleRequest request, StreamObserver<Role> responseObserver)
public void deleteRole(DeleteRoleRequest request, StreamObserver<Role> responseObserver)
Deletes a custom Role.
When you delete a custom role, the following changes occur immediately:
- You cannot bind a principal to the custom role in an IAM
Policy.
- Existing bindings to the custom role are not changed, but they have no
effect.
- By default, the response from ListRoles does not include the custom
role.
You have 7 days to undelete the custom role. After 7 days, the following
changes occur:
- The custom role is permanently deleted and cannot be recovered.
- If an IAM policy contains a binding to the custom role, the binding is
permanently removed.
Parameters
deleteServiceAccount(DeleteServiceAccountRequest request, StreamObserver<Empty> responseObserver)
public void deleteServiceAccount(DeleteServiceAccountRequest request, StreamObserver<Empty> responseObserver)
Deletes a ServiceAccount.
Warning: After you delete a service account, you might not be able to
undelete it. If you know that you need to re-enable the service account in
the future, use DisableServiceAccount instead.
If you delete a service account, IAM permanently removes the service
account 30 days later. Google Cloud cannot recover the service account
after it is permanently removed, even if you file a support request.
To help avoid unplanned outages, we recommend that you disable the service
account before you delete it. Use DisableServiceAccount to disable the
service account, then wait at least 24 hours and watch for unintended
consequences. If there are no unintended consequences, you can delete the
service account.
Parameters
deleteServiceAccountKey(DeleteServiceAccountKeyRequest request, StreamObserver<Empty> responseObserver)
public void deleteServiceAccountKey(DeleteServiceAccountKeyRequest request, StreamObserver<Empty> responseObserver)
Deletes a ServiceAccountKey. Deleting a service account key does not
revoke short-lived credentials that have been issued based on the service
account key.
Parameters
disableServiceAccount(DisableServiceAccountRequest request, StreamObserver<Empty> responseObserver)
public void disableServiceAccount(DisableServiceAccountRequest request, StreamObserver<Empty> responseObserver)
Disables a ServiceAccount immediately.
If an application uses the service account to authenticate, that
application can no longer call Google APIs or access Google Cloud
resources. Existing access tokens for the service account are rejected, and
requests for new access tokens will fail.
To re-enable the service account, use EnableServiceAccount. After you
re-enable the service account, its existing access tokens will be accepted,
and you can request new access tokens.
To help avoid unplanned outages, we recommend that you disable the service
account before you delete it. Use this method to disable the service
account, then wait at least 24 hours and watch for unintended consequences.
If there are no unintended consequences, you can delete the service account
with DeleteServiceAccount.
Parameters
disableServiceAccountKey(DisableServiceAccountKeyRequest request, StreamObserver<Empty> responseObserver)
public void disableServiceAccountKey(DisableServiceAccountKeyRequest request, StreamObserver<Empty> responseObserver)
Disable a ServiceAccountKey. A disabled service account key can be
re-enabled with EnableServiceAccountKey.
Parameters
enableServiceAccount(EnableServiceAccountRequest request, StreamObserver<Empty> responseObserver)
public void enableServiceAccount(EnableServiceAccountRequest request, StreamObserver<Empty> responseObserver)
Enables a ServiceAccount that was disabled by
DisableServiceAccount.
If the service account is already enabled, then this method has no effect.
If the service account was disabled by other means\u2014for example, if Google
disabled the service account because it was compromised\u2014you cannot use this
method to enable the service account.
Parameters
enableServiceAccountKey(EnableServiceAccountKeyRequest request, StreamObserver<Empty> responseObserver)
public void enableServiceAccountKey(EnableServiceAccountKeyRequest request, StreamObserver<Empty> responseObserver)
Enable a ServiceAccountKey.
Parameters
getIamPolicy(GetIamPolicyRequest request, StreamObserver<Policy> responseObserver)
public void getIamPolicy(GetIamPolicyRequest request, StreamObserver<Policy> responseObserver)
Gets the IAM policy that is attached to a ServiceAccount. This IAM
policy specifies which principals have access to the service account.
This method does not tell you whether the service account has been granted
any roles on other resources. To check whether a service account has role
grants on a resource, use the getIamPolicy
method for that resource. For
example, to view the role grants for a project, call the Resource Manager
API's
projects.getIamPolicy
method.
Parameters
Name | Description |
request | com.google.iam.v1.GetIamPolicyRequest
|
responseObserver | io.grpc.stub.StreamObserver<com.google.iam.v1.Policy>
|
getRole(GetRoleRequest request, StreamObserver<Role> responseObserver)
public void getRole(GetRoleRequest request, StreamObserver<Role> responseObserver)
Gets the definition of a Role.
Parameters
getServiceAccount(GetServiceAccountRequest request, StreamObserver<ServiceAccount> responseObserver)
public void getServiceAccount(GetServiceAccountRequest request, StreamObserver<ServiceAccount> responseObserver)
Parameters
getServiceAccountKey(GetServiceAccountKeyRequest request, StreamObserver<ServiceAccountKey> responseObserver)
public void getServiceAccountKey(GetServiceAccountKeyRequest request, StreamObserver<ServiceAccountKey> responseObserver)
Gets a ServiceAccountKey.
Parameters
lintPolicy(LintPolicyRequest request, StreamObserver<LintPolicyResponse> responseObserver)
public void lintPolicy(LintPolicyRequest request, StreamObserver<LintPolicyResponse> responseObserver)
Lints, or validates, an IAM policy. Currently checks the
google.iam.v1.Binding.condition field, which contains a condition
expression for a role binding.
Successful calls to this method always return an HTTP 200 OK
status code,
even if the linter detects an issue in the IAM policy.
Parameters
listRoles(ListRolesRequest request, StreamObserver<ListRolesResponse> responseObserver)
public void listRoles(ListRolesRequest request, StreamObserver<ListRolesResponse> responseObserver)
Lists every predefined Role that IAM supports, or every custom role
that is defined for an organization or project.
Parameters
listServiceAccountKeys(ListServiceAccountKeysRequest request, StreamObserver<ListServiceAccountKeysResponse> responseObserver)
public void listServiceAccountKeys(ListServiceAccountKeysRequest request, StreamObserver<ListServiceAccountKeysResponse> responseObserver)
Lists every ServiceAccountKey for a service account.
Parameters
listServiceAccounts(ListServiceAccountsRequest request, StreamObserver<ListServiceAccountsResponse> responseObserver)
public void listServiceAccounts(ListServiceAccountsRequest request, StreamObserver<ListServiceAccountsResponse> responseObserver)
Lists every ServiceAccount that belongs to a specific project.
Parameters
patchServiceAccount(PatchServiceAccountRequest request, StreamObserver<ServiceAccount> responseObserver)
public void patchServiceAccount(PatchServiceAccountRequest request, StreamObserver<ServiceAccount> responseObserver)
Patches a ServiceAccount.
Parameters
queryAuditableServices(QueryAuditableServicesRequest request, StreamObserver<QueryAuditableServicesResponse> responseObserver)
public void queryAuditableServices(QueryAuditableServicesRequest request, StreamObserver<QueryAuditableServicesResponse> responseObserver)
Returns a list of services that allow you to opt into audit logs that are
not generated by default.
To learn more about audit logs, see the Logging
documentation.
Parameters
queryGrantableRoles(QueryGrantableRolesRequest request, StreamObserver<QueryGrantableRolesResponse> responseObserver)
public void queryGrantableRoles(QueryGrantableRolesRequest request, StreamObserver<QueryGrantableRolesResponse> responseObserver)
Lists roles that can be granted on a Google Cloud resource. A role is
grantable if the IAM policy for the resource can contain bindings to the
role.
Parameters
queryTestablePermissions(QueryTestablePermissionsRequest request, StreamObserver<QueryTestablePermissionsResponse> responseObserver)
public void queryTestablePermissions(QueryTestablePermissionsRequest request, StreamObserver<QueryTestablePermissionsResponse> responseObserver)
Lists every permission that you can test on a resource. A permission is
testable if you can check whether a principal has that permission on the
resource.
Parameters
setIamPolicy(SetIamPolicyRequest request, StreamObserver<Policy> responseObserver)
public void setIamPolicy(SetIamPolicyRequest request, StreamObserver<Policy> responseObserver)
Sets the IAM policy that is attached to a ServiceAccount.
Use this method to grant or revoke access to the service account. For
example, you could grant a principal the ability to impersonate the service
account.
This method does not enable the service account to access other resources.
To grant roles to a service account on a resource, follow these steps:
- Call the resource's
getIamPolicy
method to get its current IAM policy.
- Edit the policy so that it binds the service account to an IAM role for
the resource.
- Call the resource's
setIamPolicy
method to update its IAM policy.
For detailed instructions, see
Manage access to project, folders, and
organizations
or Manage access to other
resources.
Parameters
Name | Description |
request | com.google.iam.v1.SetIamPolicyRequest
|
responseObserver | io.grpc.stub.StreamObserver<com.google.iam.v1.Policy>
|
signBlob(SignBlobRequest request, StreamObserver<SignBlobResponse> responseObserver)
public void signBlob(SignBlobRequest request, StreamObserver<SignBlobResponse> responseObserver)
Note: This method is deprecated. Use the
signBlob
method in the IAM Service Account Credentials API instead. If you currently
use this method, see the migration
guide for
instructions.
Signs a blob using the system-managed private key for a ServiceAccount.
Parameters
signJwt(SignJwtRequest request, StreamObserver<SignJwtResponse> responseObserver)
public void signJwt(SignJwtRequest request, StreamObserver<SignJwtResponse> responseObserver)
Note: This method is deprecated. Use the
signJwt
method in the IAM Service Account Credentials API instead. If you currently
use this method, see the migration
guide for
instructions.
Signs a JSON Web Token (JWT) using the system-managed private key for a
ServiceAccount.
Parameters
testIamPermissions(TestIamPermissionsRequest request, StreamObserver<TestIamPermissionsResponse> responseObserver)
public void testIamPermissions(TestIamPermissionsRequest request, StreamObserver<TestIamPermissionsResponse> responseObserver)
Tests whether the caller has the specified permissions on a
ServiceAccount.
Parameters
Name | Description |
request | com.google.iam.v1.TestIamPermissionsRequest
|
responseObserver | io.grpc.stub.StreamObserver<com.google.iam.v1.TestIamPermissionsResponse>
|
undeleteRole(UndeleteRoleRequest request, StreamObserver<Role> responseObserver)
public void undeleteRole(UndeleteRoleRequest request, StreamObserver<Role> responseObserver)
Parameters
undeleteServiceAccount(UndeleteServiceAccountRequest request, StreamObserver<UndeleteServiceAccountResponse> responseObserver)
public void undeleteServiceAccount(UndeleteServiceAccountRequest request, StreamObserver<UndeleteServiceAccountResponse> responseObserver)
Restores a deleted ServiceAccount.
Important: It is not always possible to restore a deleted service
account. Use this method only as a last resort.
After you delete a service account, IAM permanently removes the service
account 30 days later. There is no way to restore a deleted service account
that has been permanently removed.
Parameters
updateRole(UpdateRoleRequest request, StreamObserver<Role> responseObserver)
public void updateRole(UpdateRoleRequest request, StreamObserver<Role> responseObserver)
Updates the definition of a custom Role.
Parameters
updateServiceAccount(ServiceAccount request, StreamObserver<ServiceAccount> responseObserver)
public void updateServiceAccount(ServiceAccount request, StreamObserver<ServiceAccount> responseObserver)
Note: We are in the process of deprecating this method. Use
PatchServiceAccount instead.
Updates a ServiceAccount.
You can update only the display_name
field.
Parameters
uploadServiceAccountKey(UploadServiceAccountKeyRequest request, StreamObserver<ServiceAccountKey> responseObserver)
public void uploadServiceAccountKey(UploadServiceAccountKeyRequest request, StreamObserver<ServiceAccountKey> responseObserver)
Uploads the public key portion of a key pair that you manage, and
associates the public key with a ServiceAccount.
After you upload the public key, you can use the private key from the key
pair as a service account key.
Parameters