Package com.google.cloud.iam.admin.v1 (3.12.0)

A client to Identity and Access Management (IAM) API

The interfaces provided are listed below, along with usage samples.

IAMClient

Service Description: Creates and manages Identity and Access Management (IAM) resources.

You can use this service to work with all of the following resources:

  • **Service accounts**, which identify an application or a virtual machine (VM) instance rather than a person
  • **Service account keys**, which service accounts use to authenticate with Google APIs
  • **IAM policies for service accounts**, which specify the roles that a principal has for the service account
  • **IAM custom roles**, which help you limit the number of permissions that you grant to principals

In addition, you can use this service to complete the following tasks, among others:

  • Test whether a service account can use specific permissions
  • Check which roles you can grant for a specific resource
  • Lint, or validate, condition expressions in an IAM policy

When you read data from the IAM API, each read is eventually consistent. In other words, if you write data with the IAM API, then immediately read that data, the read operation might return an older version of the data. To deal with this behavior, your application can retry the request with truncated exponential backoff.

In contrast, writing data to the IAM API is sequentially consistent. In other words, write operations are always processed in the order in which they were received.
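The read-after-write retry described above, as an added example that is not part of the generated client samples. It assumes that a NOT_FOUND returned shortly after a create is a stale read; the class name, delay values and attempt limit are illustrative choices, not values from the IAM documentation.

```java
import com.google.api.gax.rpc.NotFoundException;
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.ServiceAccount;
import com.google.iam.admin.v1.ServiceAccountName;
import java.util.concurrent.ThreadLocalRandom;

public final class ReadAfterWrite {
  // Assumed tuning values for this example only.
  private static final long INITIAL_DELAY_MS = 500;
  private static final long MAX_DELAY_MS = 16_000; // the "truncated" part: delays never exceed this
  private static final int MAX_ATTEMPTS = 8;

  /** Upper bound on the wait after attempt number {@code attempt} (0-based). */
  static long backoffCeilingMs(int attempt) {
    long exponential = INITIAL_DELAY_MS << Math.min(attempt, 20); // bounded shift, no overflow
    return Math.min(MAX_DELAY_MS, exponential);
  }

  /** Reads a service account that was just written, tolerating a stale NOT_FOUND. */
  static ServiceAccount getAfterWrite(IAMClient client, ServiceAccountName name)
      throws InterruptedException {
    NotFoundException last = null;
    for (int attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
      try {
        return client.getServiceAccount(name);
      } catch (NotFoundException e) {
        last = e; // the earlier write may not be visible to this read yet
      }
      if (attempt + 1 < MAX_ATTEMPTS) {
        // Full jitter: sleep a random time in [0, ceiling] so parallel callers spread out.
        long ceiling = backoffCeilingMs(attempt);
        Thread.sleep(ThreadLocalRandom.current().nextLong(ceiling + 1));
      }
    }
    // Still missing after every attempt: report it instead of looping forever.
    throw last;
  }

  public static void main(String[] args) throws Exception {
    try (IAMClient client = IAMClient.create()) {
      // Placeholders from the page's own sample; replace with real identifiers.
      ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
      ServiceAccount account = getAfterWrite(client, name);
      System.out.println(account.getEmail());
    }
  }
}
```

The same consistency caveat applies to verification reads after a security-relevant write: a single immediate read is not proof that the change has or has not taken effect.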

Sample for IAMClient:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   ServiceAccount response = iAMClient.getServiceAccount(name);
 }
 

Classes

IAMClient

This class provides the ability to make remote calls to the backing service through method calls that map to API methods. Sample code to get started:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   ServiceAccount response = iAMClient.getServiceAccount(name);
 }
 

Note: close() needs to be called on the IAMClient object to clean up resources such as threads. In the example above, try-with-resources is used, which automatically calls close().

The surface of this class includes several types of Java methods for each of the API's methods:

  1. A "flattened" method. With this type of method, the fields of the request type have been converted into function parameters. It may be the case that not all fields are available as parameters, and not every API method will have a flattened method entry point.
  2. A "request object" method. This type of method only takes one parameter, a request object, which must be constructed before the call. Not every API method will have a request object method.
  3. A "callable" method. This type of method takes no parameters and returns an immutable API callable object, which can be used to initiate calls to the service.

See the individual methods for example code.

Many parameters require resource names to be formatted in a particular way. To assist with these names, this class includes a format method for each type of name, and additionally a parse method to extract the individual identifiers contained within names that are returned.

This class can be customized by passing in a custom instance of IAMSettings to create(). For example:

To customize credentials:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
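 // myCredentials is a com.google.auth.Credentials instance supplied by the application;
 // without this override the client uses Application Default Credentials.
 IAMSettings iAMSettings =
     IAMSettings.newBuilder()
         .setCredentialsProvider(FixedCredentialsProvider.create(myCredentials))
         .build();
 // Call close() on the client when finished, or create it in try-with-resources.
 IAMClient iAMClient = IAMClient.create(iAMSettings);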
 

To customize the endpoint:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
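 // myEndpoint is a "host:port" string; the default is iam.googleapis.com:443.
 IAMSettings iAMSettings = IAMSettings.newBuilder().setEndpoint(myEndpoint).build();
 // Call close() on the client when finished, or create it in try-with-resources.
 IAMClient iAMClient = IAMClient.create(iAMSettings);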
 

Please refer to the GitHub repository's samples for more quickstart code snippets.

IAMClient.ListRolesFixedSizeCollection

IAMClient.ListRolesPage

IAMClient.ListRolesPagedResponse

IAMClient.ListServiceAccountsFixedSizeCollection

IAMClient.ListServiceAccountsPage

IAMClient.ListServiceAccountsPagedResponse

IAMClient.QueryGrantableRolesFixedSizeCollection

IAMClient.QueryGrantableRolesPage

IAMClient.QueryGrantableRolesPagedResponse

IAMClient.QueryTestablePermissionsFixedSizeCollection

IAMClient.QueryTestablePermissionsPage

IAMClient.QueryTestablePermissionsPagedResponse

IAMSettings

Settings class to configure an instance of IAMClient.

The default instance has everything set to sensible defaults:

  • The default service address (iam.googleapis.com) and default port (443) are used.
  • Credentials are acquired automatically through Application Default Credentials.
  • Retries are configured for idempotent methods but not for non-idempotent methods.

The builder of this class is recursive, so contained classes are themselves builders. When build() is called, the tree of builders is called to create the complete settings object.

For example, to set the total timeout of getServiceAccount to 30 seconds:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 IAMSettings.Builder iAMSettingsBuilder = IAMSettings.newBuilder();
 iAMSettingsBuilder
     .getServiceAccountSettings()
     .setRetrySettings(
         iAMSettingsBuilder
             .getServiceAccountSettings()
             .getRetrySettings()
             .toBuilder()
             .setTotalTimeout(Duration.ofSeconds(30))
             .build());
 IAMSettings iAMSettings = iAMSettingsBuilder.build();
 

IAMSettings.Builder

Builder for IAMSettings.