Class IAMClient (3.32.0)


Service Description: Creates and manages Identity and Access Management (IAM) resources.

You can use this service to work with all of the following resources:

  • **Service accounts**, which identify an application or a virtual machine (VM) instance rather than a person
  • **Service account keys**, which service accounts use to authenticate with Google APIs
  • **IAM policies for service accounts**, which specify the roles that a principal has for the service account
  • **IAM custom roles**, which help you limit the number of permissions that you grant to principals

In addition, you can use this service to complete the following tasks, among others:

  • Test whether a service account can use specific permissions
  • Check which roles you can grant for a specific resource
  • Lint, or validate, condition expressions in an IAM policy

When you read data from the IAM API, each read is eventually consistent. In other words, if you write data with the IAM API, then immediately read that data, the read operation might return an older version of the data. To deal with this behavior, your application can retry the request with truncated exponential backoff.

In contrast, writing data to the IAM API is sequentially consistent. In other words, write operations are always processed in the order in which they were received.
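The retry described above, as an added example that is not part of the original page or of the client library's samples: it disables a service account and re-reads it with truncated exponential backoff until the read reflects the write. The class name, helper names, and delay and attempt constants are assumptions chosen for illustration.

```java
import com.google.api.gax.rpc.NotFoundException;
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.DisableServiceAccountRequest;
import com.google.iam.admin.v1.ServiceAccount;
import com.google.iam.admin.v1.ServiceAccountName;
import java.util.concurrent.ThreadLocalRandom;
import java.util.function.Predicate;

public class ReadAfterWrite {
  // Assumed tuning values; the page does not prescribe any.
  static final long INITIAL_DELAY_MS = 500;
  static final long MAX_DELAY_MS = 16_000; // the "truncated" part: delays stop growing here
  static final int MAX_ATTEMPTS = 8;

  /** Delay before the next attempt: doubles per attempt, capped, plus up to 1 s of jitter. */
  static long backoffMillis(int attempt) {
    long exponential = INITIAL_DELAY_MS << Math.min(attempt, 16);
    return Math.min(exponential, MAX_DELAY_MS) + ThreadLocalRandom.current().nextLong(1000);
  }

  /**
   * Re-reads the service account until the read reflects the preceding write.
   * A stale read shows up either as NOT_FOUND (the account was just created)
   * or as an old field value (for example, disabled is still false).
   */
  static ServiceAccount awaitVisible(
      IAMClient client, ServiceAccountName name, Predicate<ServiceAccount> expected)
      throws InterruptedException {
    for (int attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
      try {
        ServiceAccount current = client.getServiceAccount(name);
        if (expected.test(current)) {
          return current;
        }
      } catch (NotFoundException e) {
        // Treated as "not visible yet"; any other ApiException propagates.
      }
      if (attempt < MAX_ATTEMPTS - 1) {
        Thread.sleep(backoffMillis(attempt));
      }
    }
    throw new IllegalStateException(
        "write not visible after " + MAX_ATTEMPTS + " reads: " + name);
  }

  public static void main(String[] args) throws Exception {
    // Placeholders in the style of the page's own samples.
    ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
    try (IAMClient client = IAMClient.create()) {
      client.disableServiceAccount(
          DisableServiceAccountRequest.newBuilder().setName(name.toString()).build());
      // Do not report the account as disabled until a read confirms it.
      ServiceAccount sa = awaitVisible(client, name, ServiceAccount::getDisabled);
      System.out.println(sa.getEmail() + " disabled=" + sa.getDisabled());
    }
  }
}
```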

This class provides the ability to make remote calls to the backing service through method calls that map to API methods. Sample code to get started:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   ServiceAccount response = iAMClient.getServiceAccount(name);
 }
 

Note: close() needs to be called on the IAMClient object to clean up resources such as threads. In the example above, try-with-resources is used, which automatically calls close().

Methods
Each entry below lists the method, its description, and its method variants.

ListServiceAccounts

Lists every ServiceAccount that belongs to a specific project.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • listServiceAccounts(ListServiceAccountsRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • listServiceAccounts(ProjectName name)

  • listServiceAccounts(String name)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • listServiceAccountsPagedCallable()

  • listServiceAccountsCallable()

GetServiceAccount

Gets a ServiceAccount.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • getServiceAccount(GetServiceAccountRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • getServiceAccount(ServiceAccountName name)

  • getServiceAccount(String name)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • getServiceAccountCallable()

CreateServiceAccount

Creates a ServiceAccount.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • createServiceAccount(CreateServiceAccountRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • createServiceAccount(ProjectName name, String accountId, ServiceAccount serviceAccount)

  • createServiceAccount(String name, String accountId, ServiceAccount serviceAccount)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • createServiceAccountCallable()

UpdateServiceAccount

**Note:** We are in the process of deprecating this method. Use PatchServiceAccount instead.

Updates a ServiceAccount.

You can update only the display_name field.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • updateServiceAccount(ServiceAccount request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • updateServiceAccountCallable()

PatchServiceAccount

Patches a ServiceAccount.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • patchServiceAccount(PatchServiceAccountRequest request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • patchServiceAccountCallable()

DeleteServiceAccount

Deletes a ServiceAccount.

**Warning:** After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead.

If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • deleteServiceAccount(DeleteServiceAccountRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • deleteServiceAccount(ServiceAccountName name)

  • deleteServiceAccount(String name)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • deleteServiceAccountCallable()

UndeleteServiceAccount

Restores a deleted ServiceAccount.

**Important:** It is not always possible to restore a deleted service account. Use this method only as a last resort.

After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • undeleteServiceAccount(UndeleteServiceAccountRequest request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • undeleteServiceAccountCallable()

EnableServiceAccount

Enables a ServiceAccount that was disabled by DisableServiceAccount.

If the service account is already enabled, then this method has no effect.

If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • enableServiceAccount(EnableServiceAccountRequest request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • enableServiceAccountCallable()

DisableServiceAccount

Disables a ServiceAccount immediately.

If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail.

To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • disableServiceAccount(DisableServiceAccountRequest request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • disableServiceAccountCallable()

ListServiceAccountKeys

Lists every ServiceAccountKey for a service account.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • listServiceAccountKeys(ListServiceAccountKeysRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • listServiceAccountKeys(ServiceAccountName name, List<ListServiceAccountKeysRequest.KeyType> keyTypes)

  • listServiceAccountKeys(String name, List<ListServiceAccountKeysRequest.KeyType> keyTypes)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • listServiceAccountKeysCallable()

GetServiceAccountKey

Gets a ServiceAccountKey.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • getServiceAccountKey(GetServiceAccountKeyRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • getServiceAccountKey(KeyName name, ServiceAccountPublicKeyType publicKeyType)

  • getServiceAccountKey(String name, ServiceAccountPublicKeyType publicKeyType)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • getServiceAccountKeyCallable()

CreateServiceAccountKey

Creates a ServiceAccountKey.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • createServiceAccountKey(CreateServiceAccountKeyRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • createServiceAccountKey(ServiceAccountName name, ServiceAccountPrivateKeyType privateKeyType, ServiceAccountKeyAlgorithm keyAlgorithm)

  • createServiceAccountKey(String name, ServiceAccountPrivateKeyType privateKeyType, ServiceAccountKeyAlgorithm keyAlgorithm)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • createServiceAccountKeyCallable()

UploadServiceAccountKey

Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount.

After you upload the public key, you can use the private key from the key pair as a service account key.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • uploadServiceAccountKey(UploadServiceAccountKeyRequest request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • uploadServiceAccountKeyCallable()

DeleteServiceAccountKey

Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • deleteServiceAccountKey(DeleteServiceAccountKeyRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • deleteServiceAccountKey(KeyName name)

  • deleteServiceAccountKey(String name)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • deleteServiceAccountKeyCallable()

DisableServiceAccountKey

Disable a ServiceAccountKey. A disabled service account key can be re-enabled with EnableServiceAccountKey.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • disableServiceAccountKey(DisableServiceAccountKeyRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • disableServiceAccountKey(KeyName name)

  • disableServiceAccountKey(String name)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • disableServiceAccountKeyCallable()
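An added example, not taken from the page or the client library's samples, that combines ListServiceAccountKeys and DisableServiceAccountKey into a stale-key audit: it lists user-managed keys, flags those older than a threshold, and disables them rather than deleting them so the change can be reversed with EnableServiceAccountKey. The 90-day threshold, the class and helper names, and the dry-run switch are assumptions.

```java
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.ListServiceAccountKeysRequest.KeyType;
import com.google.iam.admin.v1.ServiceAccountKey;
import com.google.iam.admin.v1.ServiceAccountName;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class StaleKeyAudit {
  // Assumed rotation policy; pick the value your organization enforces.
  static final Duration MAX_KEY_AGE = Duration.ofDays(90);

  /** Returns enabled, user-managed keys whose validity started more than MAX_KEY_AGE ago. */
  static List<ServiceAccountKey> findStaleKeys(
      IAMClient client, ServiceAccountName account, Instant now) {
    List<ServiceAccountKey> stale = new ArrayList<>();
    // Only user-managed keys have downloadable private key material to rotate.
    List<KeyType> userManagedOnly = Collections.singletonList(KeyType.USER_MANAGED);
    for (ServiceAccountKey key :
        client.listServiceAccountKeys(account, userManagedOnly).getKeysList()) {
      Instant validAfter = Instant.ofEpochSecond(key.getValidAfterTime().getSeconds());
      boolean tooOld = Duration.between(validAfter, now).compareTo(MAX_KEY_AGE) > 0;
      if (tooOld && !key.getDisabled()) {
        stale.add(key);
      }
    }
    return stale;
  }

  /** Disables every stale key; with dryRun set, only reports what would be disabled. */
  static int disableStaleKeys(IAMClient client, ServiceAccountName account, boolean dryRun) {
    List<ServiceAccountKey> stale = findStaleKeys(client, account, Instant.now());
    for (ServiceAccountKey key : stale) {
      Instant validAfter = Instant.ofEpochSecond(key.getValidAfterTime().getSeconds());
      System.out.printf(
          "%s %s (valid after %s)%n",
          dryRun ? "WOULD DISABLE" : "DISABLING", key.getName(), validAfter);
      if (!dryRun) {
        // key.getName() is the full resource name of the key.
        client.disableServiceAccountKey(key.getName());
      }
    }
    return stale.size();
  }

  public static void main(String[] args) throws Exception {
    // Placeholders in the style of the page's own samples.
    ServiceAccountName account = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
    try (IAMClient client = IAMClient.create()) {
      int count = disableStaleKeys(client, account, /* dryRun= */ true);
      System.out.println(count + " stale user-managed key(s) found");
    }
  }
}
```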

EnableServiceAccountKey

Enable a ServiceAccountKey.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • enableServiceAccountKey(EnableServiceAccountKeyRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • enableServiceAccountKey(KeyName name)

  • enableServiceAccountKey(String name)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • enableServiceAccountKeyCallable()

SignBlob

**Note:** This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a blob using the system-managed private key for a ServiceAccount.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • signBlob(SignBlobRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • signBlob(ServiceAccountName name, ByteString bytesToSign)

  • signBlob(String name, ByteString bytesToSign)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • signBlobCallable()

SignJwt

**Note:** This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • signJwt(SignJwtRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • signJwt(ServiceAccountName name, String payload)

  • signJwt(String name, String payload)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • signJwtCallable()

GetIamPolicy

Gets the IAM policy that is attached to a ServiceAccount. This IAM policy specifies which principals have access to the service account.

This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • getIamPolicy(GetIamPolicyRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • getIamPolicy(ResourceName resource)

  • getIamPolicy(String resource)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • getIamPolicyCallable()
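An added example, not from the page or the client library's samples, that uses GetIamPolicy to audit which principals hold roles on a service account that allow acting as it or minting credentials for it. The role list is an assumption and is not exhaustive; policy version 3 is requested so that conditional bindings are returned with their conditions.

```java
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.ServiceAccountName;
import com.google.iam.v1.Binding;
import com.google.iam.v1.GetIamPolicyRequest;
import com.google.iam.v1.GetPolicyOptions;
import com.google.iam.v1.Policy;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ImpersonationAudit {
  // Assumed watch list of roles that let a principal act as the service account
  // or create credentials for it; extend it to match your environment.
  static final Set<String> IMPERSONATION_ROLES =
      new HashSet<>(
          Arrays.asList(
              "roles/iam.serviceAccountTokenCreator",
              "roles/iam.serviceAccountUser",
              "roles/iam.workloadIdentityUser",
              "roles/iam.serviceAccountKeyAdmin"));

  static final Set<String> PUBLIC_MEMBERS =
      new HashSet<>(Arrays.asList("allUsers", "allAuthenticatedUsers"));

  /** Returns one finding per (member, role) pair that grants an impersonation-capable role. */
  static List<String> findImpersonators(Policy policy) {
    List<String> findings = new ArrayList<>();
    for (Binding binding : policy.getBindingsList()) {
      if (!IMPERSONATION_ROLES.contains(binding.getRole())) {
        continue;
      }
      String scope =
          binding.hasCondition()
              ? "conditional: " + binding.getCondition().getExpression()
              : "unconditional";
      for (String member : binding.getMembersList()) {
        String flag = PUBLIC_MEMBERS.contains(member) ? "PUBLIC " : "";
        findings.add(flag + member + " -> " + binding.getRole() + " (" + scope + ")");
      }
    }
    return findings;
  }

  public static void main(String[] args) throws Exception {
    // Placeholders in the style of the page's own samples.
    ServiceAccountName account = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
    GetIamPolicyRequest request =
        GetIamPolicyRequest.newBuilder()
            .setResource(account.toString())
            // Without version 3, conditions on bindings are not returned.
            .setOptions(GetPolicyOptions.newBuilder().setRequestedPolicyVersion(3).build())
            .build();
    try (IAMClient client = IAMClient.create()) {
      Policy policy = client.getIamPolicy(request);
      for (String finding : findImpersonators(policy)) {
        System.out.println(finding);
      }
    }
  }
}
```

This covers only the policy attached to the service account itself; as the text above notes, roles the account holds on other resources must be read from those resources' policies.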

SetIamPolicy

Sets the IAM policy that is attached to a ServiceAccount.

Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account.

This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:

1. Call the resource's getIamPolicy method to get its current IAM policy.
2. Edit the policy so that it binds the service account to an IAM role for the resource.
3. Call the resource's setIamPolicy method to update its IAM policy.

For detailed instructions, see Manage access to project, folders, and organizations or Manage access to other resources.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • setIamPolicy(SetIamPolicyRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • setIamPolicy(ResourceName resource, Policy policy)

  • setIamPolicy(String resource, Policy policy)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • setIamPolicyCallable()

TestIamPermissions

Tests whether the caller has the specified permissions on a ServiceAccount.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • testIamPermissions(TestIamPermissionsRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • testIamPermissions(ResourceName resource, List<String> permissions)

  • testIamPermissions(String resource, List<String> permissions)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • testIamPermissionsCallable()

QueryGrantableRoles

Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • queryGrantableRoles(QueryGrantableRolesRequest request)

"Flattened" method variants have converted the fields of the request object into function parameters to enable multiple ways to call the same method.

  • queryGrantableRoles(String fullResourceName)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • queryGrantableRolesPagedCallable()

  • queryGrantableRolesCallable()

ListRoles

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • listRoles(ListRolesRequest request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • listRolesPagedCallable()

  • listRolesCallable()

GetRole

Gets the definition of a Role.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • getRole(GetRoleRequest request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • getRoleCallable()

CreateRole

Creates a new custom Role.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • createRole(CreateRoleRequest request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • createRoleCallable()

UpdateRole

Updates the definition of a custom Role.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • updateRole(UpdateRoleRequest request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • updateRoleCallable()

DeleteRole

Deletes a custom Role.

When you delete a custom role, the following changes occur immediately:

  • You cannot bind a principal to the custom role in an IAM Policy.
  • Existing bindings to the custom role are not changed, but they have no effect.
  • By default, the response from ListRoles does not include the custom role.

You have 7 days to undelete the custom role. After 7 days, the following changes occur:

  • The custom role is permanently deleted and cannot be recovered.
  • If an IAM policy contains a binding to the custom role, the binding is permanently removed.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • deleteRole(DeleteRoleRequest request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • deleteRoleCallable()

UndeleteRole

Undeletes a custom Role.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • undeleteRole(UndeleteRoleRequest request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • undeleteRoleCallable()

QueryTestablePermissions

Lists every permission that you can test on a resource. A permission is testable if you can check whether a principal has that permission on the resource.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • queryTestablePermissions(QueryTestablePermissionsRequest request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • queryTestablePermissionsPagedCallable()

  • queryTestablePermissionsCallable()

QueryAuditableServices

Returns a list of services that allow you to opt into audit logs that are not generated by default.

To learn more about audit logs, see the Logging documentation.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • queryAuditableServices(QueryAuditableServicesRequest request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • queryAuditableServicesCallable()

LintPolicy

Lints, or validates, an IAM policy. Currently checks the google.iam.v1.Binding.condition field, which contains a condition expression for a role binding.

Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy.

Request object method variants only take one parameter, a request object, which must be constructed before the call.

  • lintPolicy(LintPolicyRequest request)

Callable method variants take no parameters and return an immutable API callable object, which can be used to initiate calls to the service.

  • lintPolicyCallable()
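Because a successful LintPolicy call returns 200 OK even when the linter finds problems, the caller has to inspect the lint results. The following added example (not from the page or the client library's samples) lints one condition expression and treats ERROR and WARNING findings as blocking; the condition, the full resource name, the class name and the choice of blocking severities are assumptions.

```java
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.LintPolicyRequest;
import com.google.iam.admin.v1.LintPolicyResponse;
import com.google.iam.admin.v1.LintResult;
import com.google.type.Expr;

public class ConditionLintGate {

  /** Prints every finding and returns true only if none is an ERROR or a WARNING. */
  static boolean passesLint(LintPolicyResponse response) {
    boolean ok = true;
    for (LintResult result : response.getLintResultsList()) {
      System.out.printf(
          "[%s] %s at offset %d (%s): %s%n",
          result.getSeverity(),
          result.getFieldName(),
          result.getLocationOffset(),
          result.getValidationUnitName(),
          result.getDebugMessage());
      if (result.getSeverity() == LintResult.Severity.ERROR
          || result.getSeverity() == LintResult.Severity.WARNING) {
        ok = false;
      }
    }
    return ok;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample condition: a time-bound grant.
    Expr condition =
        Expr.newBuilder()
            .setTitle("expires-2030")
            .setExpression("request.time < timestamp(\"2030-01-01T00:00:00Z\")")
            .build();
    LintPolicyRequest request =
        LintPolicyRequest.newBuilder()
            // Placeholder project; the condition is linted in the context of this resource.
            .setFullResourceName("//cloudresourcemanager.googleapis.com/projects/[PROJECT]")
            .setCondition(condition)
            .build();

    boolean ok;
    try (IAMClient client = IAMClient.create()) {
      // No exception here does not mean the condition is clean.
      ok = passesLint(client.lintPolicy(request));
    }
    if (!ok) {
      System.err.println("Condition rejected by lint gate; do not apply this binding.");
      System.exit(1);
    }
    System.out.println("Condition passed lint.");
  }
}
```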

See the individual methods for example code.

Many parameters require resource names to be formatted in a particular way. To assist with these names, this class includes a format method for each type of name, and additionally a parse method to extract the individual identifiers contained within names that are returned.

This class can be customized by passing in a custom instance of IAMSettings to create(). For example:

To customize credentials:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 IAMSettings iAMSettings =
     IAMSettings.newBuilder()
         .setCredentialsProvider(FixedCredentialsProvider.create(myCredentials))
         .build();
 IAMClient iAMClient = IAMClient.create(iAMSettings);
 

To customize the endpoint:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 IAMSettings iAMSettings = IAMSettings.newBuilder().setEndpoint(myEndpoint).build();
 IAMClient iAMClient = IAMClient.create(iAMSettings);
 

Please refer to the GitHub repository's samples for more quickstart code snippets.

Inheritance

java.lang.Object > IAMClient

Static Methods

create()

public static final IAMClient create()

Constructs an instance of IAMClient with default settings.

Returns

| Type | Description |
| --- | --- |
| IAMClient | |

Exceptions

| Type | Description |
| --- | --- |
| IOException | |

create(IAMSettings settings)

public static final IAMClient create(IAMSettings settings)

Constructs an instance of IAMClient, using the given settings. The channels are created based on the settings passed in, or defaults for any settings that are not set.

Parameter

| Name | Description |
| --- | --- |
| settings | IAMSettings |

Returns

| Type | Description |
| --- | --- |
| IAMClient | |

Exceptions

| Type | Description |
| --- | --- |
| IOException | |

create(IAMStub stub)

public static final IAMClient create(IAMStub stub)

Constructs an instance of IAMClient, using the given stub for making calls. This is for advanced usage - prefer using create(IAMSettings).

Parameter

| Name | Description |
| --- | --- |
| stub | IAMStub |

Returns

| Type | Description |
| --- | --- |
| IAMClient | |

Constructors

IAMClient(IAMSettings settings)

protected IAMClient(IAMSettings settings)

Constructs an instance of IAMClient, using the given settings. This is protected so that it is easy to make a subclass, but otherwise, the static factory methods should be preferred.

Parameter

| Name | Description |
| --- | --- |
| settings | IAMSettings |

IAMClient(IAMStub stub)

protected IAMClient(IAMStub stub)

Parameter

| Name | Description |
| --- | --- |
| stub | IAMStub |

Methods

awaitTermination(long duration, TimeUnit unit)

public boolean awaitTermination(long duration, TimeUnit unit)

Parameters

| Name | Description |
| --- | --- |
| duration | long |
| unit | TimeUnit |

Returns

| Type | Description |
| --- | --- |
| boolean | |

Exceptions

| Type | Description |
| --- | --- |
| InterruptedException | |

close()

public final void close()

createRole(CreateRoleRequest request)

public final Role createRole(CreateRoleRequest request)

Creates a new custom Role.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   CreateRoleRequest request =
       CreateRoleRequest.newBuilder()
           .setParent(ProjectName.of("[PROJECT]").toString())
           .setRoleId("roleId-925416399")
           .setRole(Role.newBuilder().build())
           .build();
   Role response = iAMClient.createRole(request);
 }
 

Parameter

| Name | Description |
| --- | --- |
| request | CreateRoleRequest. The request object containing all of the parameters for the API call. |

Returns

| Type | Description |
| --- | --- |
| Role | |

createRoleCallable()

public final UnaryCallable<CreateRoleRequest,Role> createRoleCallable()

Creates a new custom Role.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   CreateRoleRequest request =
       CreateRoleRequest.newBuilder()
           .setParent(ProjectName.of("[PROJECT]").toString())
           .setRoleId("roleId-925416399")
           .setRole(Role.newBuilder().build())
           .build();
   ApiFuture<Role> future = iAMClient.createRoleCallable().futureCall(request);
   // Do something.
   Role response = future.get();
 }
 

Returns

| Type | Description |
| --- | --- |
| UnaryCallable<CreateRoleRequest,Role> | |

createServiceAccount(CreateServiceAccountRequest request)

public final ServiceAccount createServiceAccount(CreateServiceAccountRequest request)

Creates a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   CreateServiceAccountRequest request =
       CreateServiceAccountRequest.newBuilder()
           .setName(ProjectName.of("[PROJECT]").toString())
           .setAccountId("accountId-1827029976")
           .setServiceAccount(ServiceAccount.newBuilder().build())
           .build();
   ServiceAccount response = iAMClient.createServiceAccount(request);
 }
 

Parameter

| Name | Description |
| --- | --- |
| request | CreateServiceAccountRequest. The request object containing all of the parameters for the API call. |

Returns

| Type | Description |
| --- | --- |
| ServiceAccount | |

createServiceAccount(ProjectName name, String accountId, ServiceAccount serviceAccount)

public final ServiceAccount createServiceAccount(ProjectName name, String accountId, ServiceAccount serviceAccount)

Creates a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ProjectName name = ProjectName.of("[PROJECT]");
   String accountId = "accountId-1827029976";
   ServiceAccount serviceAccount = ServiceAccount.newBuilder().build();
   ServiceAccount response = iAMClient.createServiceAccount(name, accountId, serviceAccount);
 }
 
Parameters

| Name | Description |
| --- | --- |
| name | ProjectName. Required. The resource name of the project associated with the service accounts, such as projects/my-project-123. |
| accountId | String. Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035. |
| serviceAccount | ServiceAccount. The ServiceAccount resource to create. Currently, only the following values are user assignable: display_name and description. |

Returns

| Type | Description |
| --- | --- |
| ServiceAccount | |

createServiceAccount(String name, String accountId, ServiceAccount serviceAccount)

public final ServiceAccount createServiceAccount(String name, String accountId, ServiceAccount serviceAccount)

Creates a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String name = ProjectName.of("[PROJECT]").toString();
   String accountId = "accountId-1827029976";
   ServiceAccount serviceAccount = ServiceAccount.newBuilder().build();
   ServiceAccount response = iAMClient.createServiceAccount(name, accountId, serviceAccount);
 }
 
Parameters

| Name | Description |
| --- | --- |
| name | String. Required. The resource name of the project associated with the service accounts, such as projects/my-project-123. |
| accountId | String. Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035. |
| serviceAccount | ServiceAccount. The ServiceAccount resource to create. Currently, only the following values are user assignable: display_name and description. |

Returns

| Type | Description |
| --- | --- |
| ServiceAccount | |

createServiceAccountCallable()

public final UnaryCallable<CreateServiceAccountRequest,ServiceAccount> createServiceAccountCallable()

Creates a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   CreateServiceAccountRequest request =
       CreateServiceAccountRequest.newBuilder()
           .setName(ProjectName.of("[PROJECT]").toString())
           .setAccountId("accountId-1827029976")
           .setServiceAccount(ServiceAccount.newBuilder().build())
           .build();
   ApiFuture<ServiceAccount> future =
       iAMClient.createServiceAccountCallable().futureCall(request);
   // Do something.
   ServiceAccount response = future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<CreateServiceAccountRequest,ServiceAccount> | |

createServiceAccountKey(CreateServiceAccountKeyRequest request)

public final ServiceAccountKey createServiceAccountKey(CreateServiceAccountKeyRequest request)

Creates a ServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   CreateServiceAccountKeyRequest request =
       CreateServiceAccountKeyRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .setPrivateKeyType(ServiceAccountPrivateKeyType.forNumber(0))
           .setKeyAlgorithm(ServiceAccountKeyAlgorithm.forNumber(0))
           .build();
   ServiceAccountKey response = iAMClient.createServiceAccountKey(request);
 }
 
Parameter

| Name | Description |
| --- | --- |
| request | CreateServiceAccountKeyRequest. The request object containing all of the parameters for the API call. |

Returns

| Type | Description |
| --- | --- |
| ServiceAccountKey | |

createServiceAccountKey(ServiceAccountName name, ServiceAccountPrivateKeyType privateKeyType, ServiceAccountKeyAlgorithm keyAlgorithm)

public final ServiceAccountKey createServiceAccountKey(ServiceAccountName name, ServiceAccountPrivateKeyType privateKeyType, ServiceAccountKeyAlgorithm keyAlgorithm)

Creates a ServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   ServiceAccountPrivateKeyType privateKeyType = ServiceAccountPrivateKeyType.forNumber(0);
   ServiceAccountKeyAlgorithm keyAlgorithm = ServiceAccountKeyAlgorithm.forNumber(0);
   ServiceAccountKey response =
       iAMClient.createServiceAccountKey(name, privateKeyType, keyAlgorithm);
 }
 
Parameters

| Name | Description |
| --- | --- |
| name | ServiceAccountName. Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account. |
| privateKeyType | ServiceAccountPrivateKeyType. The output format of the private key. The default value is TYPE_GOOGLE_CREDENTIALS_FILE, which is the Google Credentials File format. |
| keyAlgorithm | ServiceAccountKeyAlgorithm. Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However, this may change in the future. |

Returns

| Type | Description |
| --- | --- |
| ServiceAccountKey | |
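
Because the default key algorithm may change, a caller that depends on a specific key type should request it explicitly rather than pass forNumber(0), which selects the unspecified enum value. The following is an added example, not part of the generated reference or the library's own samples: it pins both enum values and writes the returned key material to a new owner-only file. The class name, method name and command-line arguments are assumptions, and the file handling assumes a POSIX file system.

```java
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.ServiceAccountKey;
import com.google.iam.admin.v1.ServiceAccountKeyAlgorithm;
import com.google.iam.admin.v1.ServiceAccountName;
import com.google.iam.admin.v1.ServiceAccountPrivateKeyType;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added example; the class and method names are hypothetical, not part of the library.
public class PinnedKeyCreation {

  // Creates a key with an explicit type and algorithm and stores it in a new file
  // readable and writable by the owner only. Returns the key's resource name, which
  // is safe to log; the key material itself is never printed.
  static String createAndStore(IAMClient iam, String project, String account, Path out)
      throws IOException {
    ServiceAccountKey key =
        iam.createServiceAccountKey(
            ServiceAccountName.of(project, account),
            ServiceAccountPrivateKeyType.TYPE_GOOGLE_CREDENTIALS_FILE,
            ServiceAccountKeyAlgorithm.KEY_ALG_RSA_2048);

    // Fail closed if the service returned something other than what was requested.
    if (key.getKeyAlgorithm() != ServiceAccountKeyAlgorithm.KEY_ALG_RSA_2048) {
      throw new IllegalStateException("unexpected key algorithm: " + key.getKeyAlgorithm());
    }
    if (key.getPrivateKeyData().isEmpty()) {
      throw new IllegalStateException("response carried no private key data");
    }

    // createFile throws FileAlreadyExistsException instead of overwriting, and applies
    // the permissions at creation time, so the file never exists with a wider mode.
    FileAttribute<Set<PosixFilePermission>> ownerOnly =
        PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
    Files.createFile(out, ownerOnly);
    Files.write(out, key.getPrivateKeyData().toByteArray(), StandardOpenOption.WRITE);
    return key.getName();
  }

  public static void main(String[] args) throws IOException {
    if (args.length != 3) {
      System.err.println("usage: PinnedKeyCreation <project> <service-account> <output-file>");
      System.exit(2);
    }
    try (IAMClient iam = IAMClient.create()) {
      String keyName = createAndStore(iam, args[0], args[1], Paths.get(args[2]));
      System.out.println("created " + keyName);
    }
  }
}
```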

createServiceAccountKey(String name, ServiceAccountPrivateKeyType privateKeyType, ServiceAccountKeyAlgorithm keyAlgorithm)

public final ServiceAccountKey createServiceAccountKey(String name, ServiceAccountPrivateKeyType privateKeyType, ServiceAccountKeyAlgorithm keyAlgorithm)

Creates a ServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   ServiceAccountPrivateKeyType privateKeyType = ServiceAccountPrivateKeyType.forNumber(0);
   ServiceAccountKeyAlgorithm keyAlgorithm = ServiceAccountKeyAlgorithm.forNumber(0);
   ServiceAccountKey response =
       iAMClient.createServiceAccountKey(name, privateKeyType, keyAlgorithm);
 }
 
Parameters

| Name | Description |
| --- | --- |
| name | String. Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account. |
| privateKeyType | ServiceAccountPrivateKeyType. The output format of the private key. The default value is TYPE_GOOGLE_CREDENTIALS_FILE, which is the Google Credentials File format. |
| keyAlgorithm | ServiceAccountKeyAlgorithm. Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However, this may change in the future. |

Returns

| Type | Description |
| --- | --- |
| ServiceAccountKey | |

createServiceAccountKeyCallable()

public final UnaryCallable<CreateServiceAccountKeyRequest,ServiceAccountKey> createServiceAccountKeyCallable()

Creates a ServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   CreateServiceAccountKeyRequest request =
       CreateServiceAccountKeyRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .setPrivateKeyType(ServiceAccountPrivateKeyType.forNumber(0))
           .setKeyAlgorithm(ServiceAccountKeyAlgorithm.forNumber(0))
           .build();
   ApiFuture<ServiceAccountKey> future =
       iAMClient.createServiceAccountKeyCallable().futureCall(request);
   // Do something.
   ServiceAccountKey response = future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<CreateServiceAccountKeyRequest,ServiceAccountKey> | |

deleteRole(DeleteRoleRequest request)

public final Role deleteRole(DeleteRoleRequest request)

Deletes a custom Role.

When you delete a custom role, the following changes occur immediately:

  • You cannot bind a principal to the custom role in an IAM Policy.
  • Existing bindings to the custom role are not changed, but they have no effect.
  • By default, the response from ListRoles does not include the custom role.

You have 7 days to undelete the custom role. After 7 days, the following changes occur:

  • The custom role is permanently deleted and cannot be recovered.
  • If an IAM policy contains a binding to the custom role, the binding is permanently removed.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   DeleteRoleRequest request =
       DeleteRoleRequest.newBuilder()
           .setName("DeleteRoleRequest1468559982".toString())
           .setEtag(ByteString.EMPTY)
           .build();
   Role response = iAMClient.deleteRole(request);
 }
 
Parameter

| Name | Description |
| --- | --- |
| request | DeleteRoleRequest. The request object containing all of the parameters for the API call. |

Returns

| Type | Description |
| --- | --- |
| Role | |

deleteRoleCallable()

public final UnaryCallable<DeleteRoleRequest,Role> deleteRoleCallable()

Deletes a custom Role.

When you delete a custom role, the following changes occur immediately:

  • You cannot bind a principal to the custom role in an IAM Policy.
  • Existing bindings to the custom role are not changed, but they have no effect.
  • By default, the response from ListRoles does not include the custom role.

You have 7 days to undelete the custom role. After 7 days, the following changes occur:

  • The custom role is permanently deleted and cannot be recovered.
  • If an IAM policy contains a binding to the custom role, the binding is permanently removed.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   DeleteRoleRequest request =
       DeleteRoleRequest.newBuilder()
           .setName("DeleteRoleRequest1468559982".toString())
           .setEtag(ByteString.EMPTY)
           .build();
   ApiFuture<Role> future = iAMClient.deleteRoleCallable().futureCall(request);
   // Do something.
   Role response = future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<DeleteRoleRequest,Role> | |

deleteServiceAccount(DeleteServiceAccountRequest request)

public final void deleteServiceAccount(DeleteServiceAccountRequest request)

Deletes a ServiceAccount.

**Warning:** After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead.

If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   DeleteServiceAccountRequest request =
       DeleteServiceAccountRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .build();
   iAMClient.deleteServiceAccount(request);
 }
 
Parameter

| Name | Description |
| --- | --- |
| request | DeleteServiceAccountRequest. The request object containing all of the parameters for the API call. |
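
The disable-then-delete recommendation above can be enforced in tooling rather than left to operator memory. The following is an added example, not part of the generated reference or the library's own samples: it splits decommissioning into two invocations and refuses to delete until 24 hours have passed since the disable and the account is still disabled. The class name, method names and command-line shape are assumptions, and the caller is assumed to record the printed timestamp (for example in a change ticket).

```java
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.DisableServiceAccountRequest;
import com.google.iam.admin.v1.ServiceAccountName;
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;

// Added example; the class and method names are hypothetical, not part of the library.
public class ServiceAccountDecommission {

  // Minimum observation window between disabling and deleting, as recommended above.
  static final Duration MIN_OBSERVATION = Duration.ofHours(24);

  // Phase 1: disable the account and return the time to record for phase 2.
  static Instant disable(IAMClient iam, String project, String account) {
    String name = ServiceAccountName.of(project, account).toString();
    iam.disableServiceAccount(DisableServiceAccountRequest.newBuilder().setName(name).build());
    return Instant.now();
  }

  // True once the full observation window has passed since disabledAt.
  static boolean observationElapsed(Instant disabledAt, Instant now) {
    return !now.isBefore(disabledAt.plus(MIN_OBSERVATION));
  }

  // Phase 2: delete only if the window has elapsed and nobody re-enabled the account.
  static void deleteAfterObservation(
      IAMClient iam, String project, String account, Instant disabledAt) {
    if (!observationElapsed(disabledAt, Instant.now())) {
      throw new IllegalStateException(
          "observation window ends at " + disabledAt.plus(MIN_OBSERVATION));
    }
    String name = ServiceAccountName.of(project, account).toString();
    // A re-enabled account means something depended on it: stop and start over
    // from phase 1 instead of deleting an account that is in use again.
    if (!iam.getServiceAccount(name).getDisabled()) {
      throw new IllegalStateException(name + " was re-enabled during the observation window");
    }
    iam.deleteServiceAccount(name);
  }

  public static void main(String[] args) throws IOException {
    boolean isDisable = args.length == 3 && args[0].equals("disable");
    boolean isDelete = args.length == 4 && args[0].equals("delete");
    if (!isDisable && !isDelete) {
      System.err.println("usage: disable <project> <account>");
      System.err.println("       delete  <project> <account> <disabledAt ISO-8601 instant>");
      System.exit(2);
    }
    try (IAMClient iam = IAMClient.create()) {
      if (isDisable) {
        System.out.println("disabledAt=" + disable(iam, args[1], args[2]));
      } else {
        deleteAfterObservation(iam, args[1], args[2], Instant.parse(args[3]));
        System.out.println("deleted");
      }
    }
  }
}
```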

deleteServiceAccount(ServiceAccountName name)

public final void deleteServiceAccount(ServiceAccountName name)

Deletes a ServiceAccount.

**Warning:** After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead.

If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   iAMClient.deleteServiceAccount(name);
 }
 
Parameter

| Name | Description |
| --- | --- |
| name | ServiceAccountName. Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account. |

deleteServiceAccount(String name)

public final void deleteServiceAccount(String name)

Deletes a ServiceAccount.

**Warning:** After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead.

If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   iAMClient.deleteServiceAccount(name);
 }
 
Parameter

| Name | Description |
| --- | --- |
| name | String. Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account. |

deleteServiceAccountCallable()

public final UnaryCallable<DeleteServiceAccountRequest,Empty> deleteServiceAccountCallable()

Deletes a ServiceAccount.

**Warning:** After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead.

If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   DeleteServiceAccountRequest request =
       DeleteServiceAccountRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .build();
   ApiFuture<Empty> future = iAMClient.deleteServiceAccountCallable().futureCall(request);
   // Do something.
   future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<DeleteServiceAccountRequest,Empty> | |

deleteServiceAccountKey(DeleteServiceAccountKeyRequest request)

public final void deleteServiceAccountKey(DeleteServiceAccountKeyRequest request)

Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   DeleteServiceAccountKeyRequest request =
       DeleteServiceAccountKeyRequest.newBuilder()
           .setName(KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]").toString())
           .build();
   iAMClient.deleteServiceAccountKey(request);
 }
 
Parameter

| Name | Description |
| --- | --- |
| request | DeleteServiceAccountKeyRequest. The request object containing all of the parameters for the API call. |

deleteServiceAccountKey(KeyName name)

public final void deleteServiceAccountKey(KeyName name)

Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   KeyName name = KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]");
   iAMClient.deleteServiceAccountKey(name);
 }
 
Parameter

| Name | Description |
| --- | --- |
| name | KeyName. Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account. |

deleteServiceAccountKey(String name)

public final void deleteServiceAccountKey(String name)

Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String name = KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]").toString();
   iAMClient.deleteServiceAccountKey(name);
 }
 
Parameter

| Name | Description |
| --- | --- |
| name | String. Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account. |

deleteServiceAccountKeyCallable()

public final UnaryCallable<DeleteServiceAccountKeyRequest,Empty> deleteServiceAccountKeyCallable()

Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   DeleteServiceAccountKeyRequest request =
       DeleteServiceAccountKeyRequest.newBuilder()
           .setName(KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]").toString())
           .build();
   ApiFuture<Empty> future = iAMClient.deleteServiceAccountKeyCallable().futureCall(request);
   // Do something.
   future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<DeleteServiceAccountKeyRequest,Empty> | |

disableServiceAccount(DisableServiceAccountRequest request)

public final void disableServiceAccount(DisableServiceAccountRequest request)

Disables a ServiceAccount immediately.

If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail.

To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   DisableServiceAccountRequest request =
       DisableServiceAccountRequest.newBuilder().setName("name3373707").build();
   iAMClient.disableServiceAccount(request);
 }
 
Parameter

| Name | Description |
| --- | --- |
| request | DisableServiceAccountRequest. The request object containing all of the parameters for the API call. |

disableServiceAccountCallable()

public final UnaryCallable<DisableServiceAccountRequest,Empty> disableServiceAccountCallable()

Disables a ServiceAccount immediately.

If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail.

To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   DisableServiceAccountRequest request =
       DisableServiceAccountRequest.newBuilder().setName("name3373707").build();
   ApiFuture<Empty> future = iAMClient.disableServiceAccountCallable().futureCall(request);
   // Do something.
   future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<DisableServiceAccountRequest,Empty> | |

disableServiceAccountKey(DisableServiceAccountKeyRequest request)

public final void disableServiceAccountKey(DisableServiceAccountKeyRequest request)

Disables a ServiceAccountKey. A disabled service account key can be re-enabled with EnableServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   DisableServiceAccountKeyRequest request =
       DisableServiceAccountKeyRequest.newBuilder()
           .setName(KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]").toString())
           .build();
   iAMClient.disableServiceAccountKey(request);
 }
 
Parameter

| Name | Description |
| --- | --- |
| request | DisableServiceAccountKeyRequest. The request object containing all of the parameters for the API call. |

disableServiceAccountKey(KeyName name)

public final void disableServiceAccountKey(KeyName name)

Disables a ServiceAccountKey. A disabled service account key can be re-enabled with EnableServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   KeyName name = KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]");
   iAMClient.disableServiceAccountKey(name);
 }
 
Parameter

| Name | Description |
| --- | --- |
| name | KeyName. Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account. |

disableServiceAccountKey(String name)

public final void disableServiceAccountKey(String name)

Disables a ServiceAccountKey. A disabled service account key can be re-enabled with EnableServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String name = KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]").toString();
   iAMClient.disableServiceAccountKey(name);
 }
 
Parameter

| Name | Description |
| --- | --- |
| name | String. Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account. |

disableServiceAccountKeyCallable()

public final UnaryCallable<DisableServiceAccountKeyRequest,Empty> disableServiceAccountKeyCallable()

Disables a ServiceAccountKey. A disabled service account key can be re-enabled with EnableServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   DisableServiceAccountKeyRequest request =
       DisableServiceAccountKeyRequest.newBuilder()
           .setName(KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]").toString())
           .build();
   ApiFuture<Empty> future = iAMClient.disableServiceAccountKeyCallable().futureCall(request);
   // Do something.
   future.get();
 }
 
Returns
Type: UnaryCallable<DisableServiceAccountKeyRequest,Empty>

enableServiceAccount(EnableServiceAccountRequest request)

public final void enableServiceAccount(EnableServiceAccountRequest request)

Enables a ServiceAccount that was disabled by DisableServiceAccount.

If the service account is already enabled, then this method has no effect.

If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   EnableServiceAccountRequest request =
       EnableServiceAccountRequest.newBuilder().setName("name3373707").build();
   iAMClient.enableServiceAccount(request);
 }
 
Parameter
Name: request
Type: EnableServiceAccountRequest

The request object containing all of the parameters for the API call.

enableServiceAccountCallable()

public final UnaryCallable<EnableServiceAccountRequest,Empty> enableServiceAccountCallable()

Enables a ServiceAccount that was disabled by DisableServiceAccount.

If the service account is already enabled, then this method has no effect.

If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   EnableServiceAccountRequest request =
       EnableServiceAccountRequest.newBuilder().setName("name3373707").build();
   ApiFuture<Empty> future = iAMClient.enableServiceAccountCallable().futureCall(request);
   // Do something.
   future.get();
 }
 
Returns
Type: UnaryCallable<EnableServiceAccountRequest,Empty>

enableServiceAccountKey(EnableServiceAccountKeyRequest request)

public final void enableServiceAccountKey(EnableServiceAccountKeyRequest request)

Enable a ServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   EnableServiceAccountKeyRequest request =
       EnableServiceAccountKeyRequest.newBuilder()
           .setName(KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]").toString())
           .build();
   iAMClient.enableServiceAccountKey(request);
 }
 
Parameter
Name: request
Type: EnableServiceAccountKeyRequest

The request object containing all of the parameters for the API call.

enableServiceAccountKey(KeyName name)

public final void enableServiceAccountKey(KeyName name)

Enable a ServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   KeyName name = KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]");
   iAMClient.enableServiceAccountKey(name);
 }
 
Parameter
Name: name
Type: KeyName

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

enableServiceAccountKey(String name)

public final void enableServiceAccountKey(String name)

Enable a ServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String name = KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]").toString();
   iAMClient.enableServiceAccountKey(name);
 }
 
Parameter
Name: name
Type: String

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

enableServiceAccountKeyCallable()

public final UnaryCallable<EnableServiceAccountKeyRequest,Empty> enableServiceAccountKeyCallable()

Enable a ServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   EnableServiceAccountKeyRequest request =
       EnableServiceAccountKeyRequest.newBuilder()
           .setName(KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]").toString())
           .build();
   ApiFuture<Empty> future = iAMClient.enableServiceAccountKeyCallable().futureCall(request);
   // Do something.
   future.get();
 }
 
Returns
Type: UnaryCallable<EnableServiceAccountKeyRequest,Empty>

getIamPolicy(ResourceName resource)

public final Policy getIamPolicy(ResourceName resource)

Gets the IAM policy that is attached to a ServiceAccount. This IAM policy specifies which principals have access to the service account.

This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ResourceName resource = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   Policy response = iAMClient.getIamPolicy(resource);
 }
 
Parameter
Name: resource
Type: com.google.api.resourcenames.ResourceName

REQUIRED: The resource for which the policy is being requested. See the operation documentation for the appropriate value for this field.

Returns
Type: com.google.iam.v1.Policy
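
Added example (not part of the generated reference or the client library's own samples): the policy returned by getIamPolicy describes who can use the service account, so a review usually looks for public principals and for sensitive roles held by principals outside the organization. The class name, the trusted-domain argument, the choice of roles to treat as sensitive, and the sample policy are assumptions made for this example.

```java
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.ServiceAccountName;
import com.google.iam.v1.Binding;
import com.google.iam.v1.Policy;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Added example: flag risky grants in the IAM policy attached to a service account. */
public class ServiceAccountPolicyAudit {
  // Predefined roles that let a principal act as the account or manage its credentials.
  // Which roles count as sensitive is a choice made for this example.
  static final Set<String> SENSITIVE_ROLES = Set.of(
      "roles/iam.serviceAccountUser",
      "roles/iam.serviceAccountTokenCreator",
      "roles/iam.serviceAccountKeyAdmin",
      "roles/iam.serviceAccountAdmin",
      "roles/iam.workloadIdentityUser");

  static final Set<String> PUBLIC_MEMBERS = Set.of("allUsers", "allAuthenticatedUsers");

  /** True for user:/group: members outside trustedDomain and for foreign domain: members. */
  static boolean isExternal(String member, String trustedDomain) {
    String m = member.toLowerCase(Locale.ROOT);
    String domain = trustedDomain.toLowerCase(Locale.ROOT);
    if (m.startsWith("user:") || m.startsWith("group:")) {
      return !m.endsWith("@" + domain);
    }
    if (m.startsWith("domain:")) {
      return !m.substring("domain:".length()).equals(domain);
    }
    return false; // serviceAccount: and other member types are not judged here
  }

  /** Returns one finding per risky (role, member) pair in the policy. */
  static List<String> audit(Policy policy, String trustedDomain) {
    List<String> findings = new ArrayList<>();
    for (Binding binding : policy.getBindingsList()) {
      for (String member : binding.getMembersList()) {
        if (PUBLIC_MEMBERS.contains(member)) {
          findings.add("PUBLIC   " + binding.getRole() + " -> " + member);
        } else if (SENSITIVE_ROLES.contains(binding.getRole())
            && isExternal(member, trustedDomain)) {
          findings.add("EXTERNAL " + binding.getRole() + " -> " + member);
        }
      }
    }
    return findings;
  }

  /** Constructed sample policy so the audit logic can be run without credentials. */
  static Policy samplePolicy() {
    return Policy.newBuilder()
        .addBindings(Binding.newBuilder()
            .setRole("roles/iam.serviceAccountTokenCreator")
            .addMembers("user:alice@example.com")
            .addMembers("user:contractor@partner.example"))
        .addBindings(Binding.newBuilder()
            .setRole("roles/iam.serviceAccountUser")
            .addMembers("allAuthenticatedUsers"))
        .build();
  }

  public static void main(String[] args) throws Exception {
    Policy policy;
    String trustedDomain;
    if (args.length == 3) {
      // args: <project> <service-account-email> <trusted-domain>
      trustedDomain = args[2];
      try (IAMClient iamClient = IAMClient.create()) {
        policy = iamClient.getIamPolicy(ServiceAccountName.of(args[0], args[1]));
      }
    } else {
      // No arguments: audit the constructed sample with example.com as the trusted domain.
      trustedDomain = "example.com";
      policy = samplePolicy();
    }
    List<String> findings = audit(policy, trustedDomain);
    findings.forEach(System.out::println);
    System.exit(findings.isEmpty() ? 0 : 1);
  }
}
```

Custom roles that carry the same permissions are not matched by the role list, and this check says nothing about what the service account itself can access; that requires the getIamPolicy method of each resource, as described above.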

getIamPolicy(GetIamPolicyRequest request)

public final Policy getIamPolicy(GetIamPolicyRequest request)

Gets the IAM policy that is attached to a ServiceAccount. This IAM policy specifies which principals have access to the service account.

This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   GetIamPolicyRequest request =
       GetIamPolicyRequest.newBuilder()
           .setResource(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .setOptions(GetPolicyOptions.newBuilder().build())
           .build();
   Policy response = iAMClient.getIamPolicy(request);
 }
 
Parameter
Name: request
Type: com.google.iam.v1.GetIamPolicyRequest

The request object containing all of the parameters for the API call.

Returns
Type: com.google.iam.v1.Policy

getIamPolicy(String resource)

public final Policy getIamPolicy(String resource)

Gets the IAM policy that is attached to a ServiceAccount. This IAM policy specifies which principals have access to the service account.

This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String resource = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   Policy response = iAMClient.getIamPolicy(resource);
 }
 
Parameter
Name: resource
Type: String

REQUIRED: The resource for which the policy is being requested. See the operation documentation for the appropriate value for this field.

Returns
Type: com.google.iam.v1.Policy

getIamPolicyCallable()

public final UnaryCallable<GetIamPolicyRequest,Policy> getIamPolicyCallable()

Gets the IAM policy that is attached to a ServiceAccount. This IAM policy specifies which principals have access to the service account.

This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   GetIamPolicyRequest request =
       GetIamPolicyRequest.newBuilder()
           .setResource(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .setOptions(GetPolicyOptions.newBuilder().build())
           .build();
   ApiFuture<Policy> future = iAMClient.getIamPolicyCallable().futureCall(request);
   // Do something.
   Policy response = future.get();
 }
 
Returns
Type: UnaryCallable<com.google.iam.v1.GetIamPolicyRequest,com.google.iam.v1.Policy>

getRole(GetRoleRequest request)

public final Role getRole(GetRoleRequest request)

Gets the definition of a Role.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   GetRoleRequest request =
       GetRoleRequest.newBuilder().setName("GetRoleRequest84528163").build();
   Role response = iAMClient.getRole(request);
 }
 
Parameter
Name: request
Type: GetRoleRequest

The request object containing all of the parameters for the API call.

Returns
Type: Role

getRoleCallable()

public final UnaryCallable<GetRoleRequest,Role> getRoleCallable()

Gets the definition of a Role.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   GetRoleRequest request =
       GetRoleRequest.newBuilder().setName("GetRoleRequest84528163").build();
   ApiFuture<Role> future = iAMClient.getRoleCallable().futureCall(request);
   // Do something.
   Role response = future.get();
 }
 
Returns
Type: UnaryCallable<GetRoleRequest,Role>

getServiceAccount(GetServiceAccountRequest request)

public final ServiceAccount getServiceAccount(GetServiceAccountRequest request)

Gets a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   GetServiceAccountRequest request =
       GetServiceAccountRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .build();
   ServiceAccount response = iAMClient.getServiceAccount(request);
 }
 
Parameter
Name: request
Type: GetServiceAccountRequest

The request object containing all of the parameters for the API call.

Returns
Type: ServiceAccount

getServiceAccount(ServiceAccountName name)

public final ServiceAccount getServiceAccount(ServiceAccountName name)

Gets a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   ServiceAccount response = iAMClient.getServiceAccount(name);
 }
 
Parameter
Name: name
Type: ServiceAccountName

Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Returns
Type: ServiceAccount

getServiceAccount(String name)

public final ServiceAccount getServiceAccount(String name)

Gets a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   ServiceAccount response = iAMClient.getServiceAccount(name);
 }
 
Parameter
Name: name
Type: String

Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Returns
Type: ServiceAccount

getServiceAccountCallable()

public final UnaryCallable<GetServiceAccountRequest,ServiceAccount> getServiceAccountCallable()

Gets a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   GetServiceAccountRequest request =
       GetServiceAccountRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .build();
   ApiFuture<ServiceAccount> future = iAMClient.getServiceAccountCallable().futureCall(request);
   // Do something.
   ServiceAccount response = future.get();
 }
 
Returns
Type: UnaryCallable<GetServiceAccountRequest,ServiceAccount>

getServiceAccountKey(GetServiceAccountKeyRequest request)

public final ServiceAccountKey getServiceAccountKey(GetServiceAccountKeyRequest request)

Gets a ServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   GetServiceAccountKeyRequest request =
       GetServiceAccountKeyRequest.newBuilder()
           .setName(KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]").toString())
           .setPublicKeyType(ServiceAccountPublicKeyType.forNumber(0))
           .build();
   ServiceAccountKey response = iAMClient.getServiceAccountKey(request);
 }
 
Parameter
Name: request
Type: GetServiceAccountKeyRequest

The request object containing all of the parameters for the API call.

Returns
Type: ServiceAccountKey

getServiceAccountKey(KeyName name, ServiceAccountPublicKeyType publicKeyType)

public final ServiceAccountKey getServiceAccountKey(KeyName name, ServiceAccountPublicKeyType publicKeyType)

Gets a ServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   KeyName name = KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]");
   ServiceAccountPublicKeyType publicKeyType = ServiceAccountPublicKeyType.forNumber(0);
   ServiceAccountKey response = iAMClient.getServiceAccountKey(name, publicKeyType);
 }
 
Parameters
Name: name
Type: KeyName

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Name: publicKeyType
Type: ServiceAccountPublicKeyType

Optional. The output format of the public key. The default is TYPE_NONE, which means that the public key is not returned.

Returns
Type: ServiceAccountKey

getServiceAccountKey(String name, ServiceAccountPublicKeyType publicKeyType)

public final ServiceAccountKey getServiceAccountKey(String name, ServiceAccountPublicKeyType publicKeyType)

Gets a ServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String name = KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]").toString();
   ServiceAccountPublicKeyType publicKeyType = ServiceAccountPublicKeyType.forNumber(0);
   ServiceAccountKey response = iAMClient.getServiceAccountKey(name, publicKeyType);
 }
 
Parameters
Name: name
Type: String

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Name: publicKeyType
Type: ServiceAccountPublicKeyType

Optional. The output format of the public key. The default is TYPE_NONE, which means that the public key is not returned.

Returns
Type: ServiceAccountKey

getServiceAccountKeyCallable()

public final UnaryCallable<GetServiceAccountKeyRequest,ServiceAccountKey> getServiceAccountKeyCallable()

Gets a ServiceAccountKey.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   GetServiceAccountKeyRequest request =
       GetServiceAccountKeyRequest.newBuilder()
           .setName(KeyName.of("[PROJECT]", "[SERVICE_ACCOUNT]", "[KEY]").toString())
           .setPublicKeyType(ServiceAccountPublicKeyType.forNumber(0))
           .build();
   ApiFuture<ServiceAccountKey> future =
       iAMClient.getServiceAccountKeyCallable().futureCall(request);
   // Do something.
   ServiceAccountKey response = future.get();
 }
 
Returns
Type: UnaryCallable<GetServiceAccountKeyRequest,ServiceAccountKey>

getSettings()

public final IAMSettings getSettings()
Returns
Type: IAMSettings

getStub()

public IAMStub getStub()
Returns
Type: IAMStub

isShutdown()

public boolean isShutdown()
Returns
Type: boolean

isTerminated()

public boolean isTerminated()
Returns
Type: boolean

lintPolicy(LintPolicyRequest request)

public final LintPolicyResponse lintPolicy(LintPolicyRequest request)

Lints, or validates, an IAM policy. Currently checks the google.iam.v1.Binding.condition field, which contains a condition expression for a role binding.

Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   LintPolicyRequest request =
       LintPolicyRequest.newBuilder().setFullResourceName("fullResourceName-853732376").build();
   LintPolicyResponse response = iAMClient.lintPolicy(request);
 }
 
Parameter
Name: request
Type: LintPolicyRequest

The request object containing all of the parameters for the API call.

Returns
Type: LintPolicyResponse
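
Added example (not part of the generated reference or the client library's own samples): because lintPolicy succeeds even when the linter finds a problem, a caller that wants to block a bad condition expression has to read the lint results itself. The class name, the command-line arguments, and the decision to treat both ERROR and WARNING findings as blocking are assumptions made for this example.

```java
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.LintPolicyRequest;
import com.google.iam.admin.v1.LintPolicyResponse;
import com.google.iam.admin.v1.LintResult;
import com.google.type.Expr;
import java.util.List;
import java.util.stream.Collectors;

/** Added example: fail a build step when an IAM condition expression does not lint cleanly. */
public class ConditionLintGate {

  /** Keeps the findings this example treats as blocking (an assumed policy). */
  static List<LintResult> blocking(List<LintResult> results) {
    return results.stream()
        .filter(r -> r.getSeverity() == LintResult.Severity.ERROR
            || r.getSeverity() == LintResult.Severity.WARNING)
        .collect(Collectors.toList());
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 2) {
      System.err.println("usage: ConditionLintGate <full-resource-name> <condition-expression>");
      System.exit(2);
    }
    // The condition is sent as a google.type.Expr, the same type that
    // google.iam.v1.Binding.condition uses.
    LintPolicyRequest request =
        LintPolicyRequest.newBuilder()
            .setFullResourceName(args[0])
            .setCondition(Expr.newBuilder().setExpression(args[1]).build())
            .build();

    int exitCode;
    try (IAMClient iamClient = IAMClient.create()) {
      // A normal return here only means the linter ran, not that the expression is clean.
      LintPolicyResponse response = iamClient.lintPolicy(request);
      List<LintResult> problems = blocking(response.getLintResultsList());
      for (LintResult r : problems) {
        System.err.printf(
            "%s %s at offset %d: %s%n",
            r.getSeverity(), r.getValidationUnitName(), r.getLocationOffset(),
            r.getDebugMessage());
      }
      exitCode = problems.isEmpty() ? 0 : 1;
    }
    // Exit after the try block so the client is closed first.
    System.exit(exitCode);
  }
}
```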

lintPolicyCallable()

public final UnaryCallable<LintPolicyRequest,LintPolicyResponse> lintPolicyCallable()

Lints, or validates, an IAM policy. Currently checks the google.iam.v1.Binding.condition field, which contains a condition expression for a role binding.

Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   LintPolicyRequest request =
       LintPolicyRequest.newBuilder().setFullResourceName("fullResourceName-853732376").build();
   ApiFuture<LintPolicyResponse> future = iAMClient.lintPolicyCallable().futureCall(request);
   // Do something.
   LintPolicyResponse response = future.get();
 }
 
Returns
Type: UnaryCallable<LintPolicyRequest,LintPolicyResponse>

listRoles(ListRolesRequest request)

public final IAMClient.ListRolesPagedResponse listRoles(ListRolesRequest request)

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ListRolesRequest request =
       ListRolesRequest.newBuilder()
           .setParent(ProjectName.of("[PROJECT]").toString())
           .setPageSize(883849137)
           .setPageToken("pageToken873572522")
           .setView(RoleView.forNumber(0))
           .setShowDeleted(true)
           .build();
   for (Role element : iAMClient.listRoles(request).iterateAll()) {
     // doThingsWith(element);
   }
 }
 
Parameter
Name: request
Type: ListRolesRequest

The request object containing all of the parameters for the API call.

Returns
Type: IAMClient.ListRolesPagedResponse

listRolesCallable()

public final UnaryCallable<ListRolesRequest,ListRolesResponse> listRolesCallable()

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ListRolesRequest request =
       ListRolesRequest.newBuilder()
           .setParent(ProjectName.of("[PROJECT]").toString())
           .setPageSize(883849137)
           .setPageToken("pageToken873572522")
           .setView(RoleView.forNumber(0))
           .setShowDeleted(true)
           .build();
   while (true) {
     ListRolesResponse response = iAMClient.listRolesCallable().call(request);
     for (Role element : response.getRolesList()) {
       // doThingsWith(element);
     }
     String nextPageToken = response.getNextPageToken();
     if (!Strings.isNullOrEmpty(nextPageToken)) {
       request = request.toBuilder().setPageToken(nextPageToken).build();
     } else {
       break;
     }
   }
 }
 
Returns
Type: UnaryCallable<ListRolesRequest,ListRolesResponse>

listRolesPagedCallable()

public final UnaryCallable<ListRolesRequest,IAMClient.ListRolesPagedResponse> listRolesPagedCallable()

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ListRolesRequest request =
       ListRolesRequest.newBuilder()
           .setParent(ProjectName.of("[PROJECT]").toString())
           .setPageSize(883849137)
           .setPageToken("pageToken873572522")
           .setView(RoleView.forNumber(0))
           .setShowDeleted(true)
           .build();
   ApiFuture<IAMClient.ListRolesPagedResponse> future =
       iAMClient.listRolesPagedCallable().futureCall(request);
   // Do something.
   for (Role element : future.get().iterateAll()) {
     // doThingsWith(element);
   }
 }
 
Returns
Type: UnaryCallable<ListRolesRequest,ListRolesPagedResponse>

listServiceAccountKeys(ListServiceAccountKeysRequest request)

public final ListServiceAccountKeysResponse listServiceAccountKeys(ListServiceAccountKeysRequest request)

Lists every ServiceAccountKey for a service account.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ListServiceAccountKeysRequest request =
       ListServiceAccountKeysRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllKeyTypes(new ArrayList<ListServiceAccountKeysRequest.KeyType>())
           .build();
   ListServiceAccountKeysResponse response = iAMClient.listServiceAccountKeys(request);
 }
 
Parameter
| Name | Type | Description |
|---|---|---|
| request | ListServiceAccountKeysRequest | The request object containing all of the parameters for the API call. |

Returns
| Type | Description |
|---|---|
| ListServiceAccountKeysResponse | |

listServiceAccountKeys(ServiceAccountName name, List<ListServiceAccountKeysRequest.KeyType> keyTypes)

public final ListServiceAccountKeysResponse listServiceAccountKeys(ServiceAccountName name, List<ListServiceAccountKeysRequest.KeyType> keyTypes)

Lists every ServiceAccountKey for a service account.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<ListServiceAccountKeysRequest.KeyType> keyTypes = new ArrayList<>();
   ListServiceAccountKeysResponse response = iAMClient.listServiceAccountKeys(name, keyTypes);
 }
 
Parameters
| Name | Type | Description |
|---|---|---|
| name | ServiceAccountName | Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID infers the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account. |
| keyTypes | List<KeyType> | Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned. |

Returns
| Type | Description |
|---|---|
| ListServiceAccountKeysResponse | |

listServiceAccountKeys(String name, List<ListServiceAccountKeysRequest.KeyType> keyTypes)

public final ListServiceAccountKeysResponse listServiceAccountKeys(String name, List<ListServiceAccountKeysRequest.KeyType> keyTypes)

Lists every ServiceAccountKey for a service account.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   List<ListServiceAccountKeysRequest.KeyType> keyTypes = new ArrayList<>();
   ListServiceAccountKeysResponse response = iAMClient.listServiceAccountKeys(name, keyTypes);
 }
 
Parameters
| Name | Type | Description |
|---|---|---|
| name | String | Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID infers the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account. |
| keyTypes | List<KeyType> | Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned. |

Returns
| Type | Description |
|---|---|
| ListServiceAccountKeysResponse | |

listServiceAccountKeysCallable()

public final UnaryCallable<ListServiceAccountKeysRequest,ListServiceAccountKeysResponse> listServiceAccountKeysCallable()

Lists every ServiceAccountKey for a service account.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ListServiceAccountKeysRequest request =
       ListServiceAccountKeysRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllKeyTypes(new ArrayList<ListServiceAccountKeysRequest.KeyType>())
           .build();
   ApiFuture<ListServiceAccountKeysResponse> future =
       iAMClient.listServiceAccountKeysCallable().futureCall(request);
   // Do something.
   ListServiceAccountKeysResponse response = future.get();
 }
 
Returns
| Type | Description |
|---|---|
| UnaryCallable<ListServiceAccountKeysRequest,ListServiceAccountKeysResponse> | |

listServiceAccounts(ListServiceAccountsRequest request)

public final IAMClient.ListServiceAccountsPagedResponse listServiceAccounts(ListServiceAccountsRequest request)

Lists every ServiceAccount that belongs to a specific project.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ListServiceAccountsRequest request =
       ListServiceAccountsRequest.newBuilder()
           .setName(ProjectName.of("[PROJECT]").toString())
           .setPageSize(883849137)
           .setPageToken("pageToken873572522")
           .build();
   for (ServiceAccount element : iAMClient.listServiceAccounts(request).iterateAll()) {
     // doThingsWith(element);
   }
 }
 
Parameter
| Name | Type | Description |
|---|---|---|
| request | ListServiceAccountsRequest | The request object containing all of the parameters for the API call. |

Returns
| Type | Description |
|---|---|
| IAMClient.ListServiceAccountsPagedResponse | |

listServiceAccounts(ProjectName name)

public final IAMClient.ListServiceAccountsPagedResponse listServiceAccounts(ProjectName name)

Lists every ServiceAccount that belongs to a specific project.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ProjectName name = ProjectName.of("[PROJECT]");
   for (ServiceAccount element : iAMClient.listServiceAccounts(name).iterateAll()) {
     // doThingsWith(element);
   }
 }
 
Parameter
| Name | Type | Description |
|---|---|---|
| name | ProjectName | Required. The resource name of the project associated with the service accounts, such as projects/my-project-123. |

Returns
| Type | Description |
|---|---|
| IAMClient.ListServiceAccountsPagedResponse | |

listServiceAccounts(String name)

public final IAMClient.ListServiceAccountsPagedResponse listServiceAccounts(String name)

Lists every ServiceAccount that belongs to a specific project.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String name = ProjectName.of("[PROJECT]").toString();
   for (ServiceAccount element : iAMClient.listServiceAccounts(name).iterateAll()) {
     // doThingsWith(element);
   }
 }
 
Parameter
| Name | Type | Description |
|---|---|---|
| name | String | Required. The resource name of the project associated with the service accounts, such as projects/my-project-123. |

Returns
| Type | Description |
|---|---|
| IAMClient.ListServiceAccountsPagedResponse | |

listServiceAccountsCallable()

public final UnaryCallable<ListServiceAccountsRequest,ListServiceAccountsResponse> listServiceAccountsCallable()

Lists every ServiceAccount that belongs to a specific project.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ListServiceAccountsRequest request =
       ListServiceAccountsRequest.newBuilder()
           .setName(ProjectName.of("[PROJECT]").toString())
           .setPageSize(883849137)
           .setPageToken("pageToken873572522")
           .build();
   while (true) {
     ListServiceAccountsResponse response =
         iAMClient.listServiceAccountsCallable().call(request);
     for (ServiceAccount element : response.getAccountsList()) {
       // doThingsWith(element);
     }
     String nextPageToken = response.getNextPageToken();
     if (!Strings.isNullOrEmpty(nextPageToken)) {
       request = request.toBuilder().setPageToken(nextPageToken).build();
     } else {
       break;
     }
   }
 }
 
Returns
| Type | Description |
|---|---|
| UnaryCallable<ListServiceAccountsRequest,ListServiceAccountsResponse> | |

listServiceAccountsPagedCallable()

public final UnaryCallable<ListServiceAccountsRequest,IAMClient.ListServiceAccountsPagedResponse> listServiceAccountsPagedCallable()

Lists every ServiceAccount that belongs to a specific project.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ListServiceAccountsRequest request =
       ListServiceAccountsRequest.newBuilder()
           .setName(ProjectName.of("[PROJECT]").toString())
           .setPageSize(883849137)
           .setPageToken("pageToken873572522")
           .build();
   ApiFuture<IAMClient.ListServiceAccountsPagedResponse> future =
       iAMClient.listServiceAccountsPagedCallable().futureCall(request);
   // Do something.
   for (ServiceAccount element : future.get().iterateAll()) {
     // doThingsWith(element);
   }
 }
 
Returns
| Type | Description |
|---|---|
| UnaryCallable<ListServiceAccountsRequest,ListServiceAccountsPagedResponse> | |
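
The listServiceAccounts and listServiceAccountKeys calls documented above combine into a key-rotation audit. The following is an added example, not one of the generated samples and not library code: it requests only USER_MANAGED keys for each service account and reports enabled keys older than a threshold. The class name StaleKeyAudit, the 90-day threshold and the sample key names are assumptions.

```java
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.ListServiceAccountKeysRequest.KeyType;
import com.google.iam.admin.v1.ProjectName;
import com.google.iam.admin.v1.ServiceAccount;
import com.google.iam.admin.v1.ServiceAccountKey;
import com.google.protobuf.Timestamp;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example (hypothetical class name); not part of the client library.
public class StaleKeyAudit {
  // Assumed rotation threshold; use the value your key-rotation policy requires.
  static final Duration MAX_KEY_AGE = Duration.ofDays(90);

  /** True if the key is user-managed, still enabled, and older than maxAge. */
  static boolean isStale(ServiceAccountKey key, Instant now, Duration maxAge) {
    if (key.getKeyType() != KeyType.USER_MANAGED || key.getDisabled()) {
      return false;
    }
    // valid_after_time is when the key became usable; treated here as its creation time.
    Instant created = Instant.ofEpochSecond(key.getValidAfterTime().getSeconds());
    return Duration.between(created, now).compareTo(maxAge) > 0;
  }

  /** Walks every service account in the project; returns "email key-name" per stale key. */
  static List<String> auditProject(IAMClient client, String projectId, Instant now) {
    List<String> findings = new ArrayList<>();
    // An empty keyTypes list returns all keys, so pass the filter explicitly.
    List<KeyType> userManaged = Collections.singletonList(KeyType.USER_MANAGED);
    for (ServiceAccount sa : client.listServiceAccounts(ProjectName.of(projectId)).iterateAll()) {
      // sa.getName() already has the form projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}.
      for (ServiceAccountKey key :
          client.listServiceAccountKeys(sa.getName(), userManaged).getKeysList()) {
        if (isStale(key, now, MAX_KEY_AGE)) {
          findings.add(sa.getEmail() + " " + key.getName());
        }
      }
    }
    return findings;
  }

  /** Builds a constructed key (not a real resource) for the offline run in main. */
  static ServiceAccountKey sampleKey(String id, KeyType type, Instant created, boolean disabled) {
    String account = "audit@example-project.iam.gserviceaccount.com";
    return ServiceAccountKey.newBuilder()
        .setName("projects/example-project/serviceAccounts/" + account + "/keys/" + id)
        .setKeyType(type)
        .setValidAfterTime(Timestamp.newBuilder().setSeconds(created.getEpochSecond()))
        .setDisabled(disabled)
        .build();
  }

  public static void main(String[] args) throws Exception {
    Instant now = Instant.now();
    if (args.length == 1) {
      // Live mode: args[0] is the project ID; needs credentials that can list accounts and keys.
      try (IAMClient client = IAMClient.create()) {
        auditProject(client, args[0], now).forEach(System.out::println);
      }
      return;
    }
    // Offline mode: run the check over constructed keys.
    List<ServiceAccountKey> samples = new ArrayList<>();
    samples.add(sampleKey("old-enabled", KeyType.USER_MANAGED, now.minus(Duration.ofDays(400)), false));
    samples.add(sampleKey("old-disabled", KeyType.USER_MANAGED, now.minus(Duration.ofDays(400)), true));
    samples.add(sampleKey("recent", KeyType.USER_MANAGED, now.minus(Duration.ofDays(10)), false));
    samples.add(sampleKey("system", KeyType.SYSTEM_MANAGED, now.minus(Duration.ofDays(400)), false));
    for (ServiceAccountKey key : samples) {
      System.out.println(key.getName() + " stale=" + isStale(key, now, MAX_KEY_AGE));
    }
  }
}
```

In the offline run only the old-enabled key is reported as stale.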

patchServiceAccount(PatchServiceAccountRequest request)

public final ServiceAccount patchServiceAccount(PatchServiceAccountRequest request)

Patches a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   PatchServiceAccountRequest request =
       PatchServiceAccountRequest.newBuilder()
           .setServiceAccount(ServiceAccount.newBuilder().build())
           .setUpdateMask(FieldMask.newBuilder().build())
           .build();
   ServiceAccount response = iAMClient.patchServiceAccount(request);
 }
 
Parameter
| Name | Type | Description |
|---|---|---|
| request | PatchServiceAccountRequest | The request object containing all of the parameters for the API call. |

Returns
| Type | Description |
|---|---|
| ServiceAccount | |

patchServiceAccountCallable()

public final UnaryCallable<PatchServiceAccountRequest,ServiceAccount> patchServiceAccountCallable()

Patches a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   PatchServiceAccountRequest request =
       PatchServiceAccountRequest.newBuilder()
           .setServiceAccount(ServiceAccount.newBuilder().build())
           .setUpdateMask(FieldMask.newBuilder().build())
           .build();
   ApiFuture<ServiceAccount> future =
       iAMClient.patchServiceAccountCallable().futureCall(request);
   // Do something.
   ServiceAccount response = future.get();
 }
 
Returns
| Type | Description |
|---|---|
| UnaryCallable<PatchServiceAccountRequest,ServiceAccount> | |

queryAuditableServices(QueryAuditableServicesRequest request)

public final QueryAuditableServicesResponse queryAuditableServices(QueryAuditableServicesRequest request)

Returns a list of services that allow you to opt into audit logs that are not generated by default.

To learn more about audit logs, see the Logging documentation.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   QueryAuditableServicesRequest request =
       QueryAuditableServicesRequest.newBuilder()
           .setFullResourceName("fullResourceName-853732376")
           .build();
   QueryAuditableServicesResponse response = iAMClient.queryAuditableServices(request);
 }
 
Parameter
| Name | Type | Description |
|---|---|---|
| request | QueryAuditableServicesRequest | The request object containing all of the parameters for the API call. |

Returns
| Type | Description |
|---|---|
| QueryAuditableServicesResponse | |

queryAuditableServicesCallable()

public final UnaryCallable<QueryAuditableServicesRequest,QueryAuditableServicesResponse> queryAuditableServicesCallable()

Returns a list of services that allow you to opt into audit logs that are not generated by default.

To learn more about audit logs, see the Logging documentation.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   QueryAuditableServicesRequest request =
       QueryAuditableServicesRequest.newBuilder()
           .setFullResourceName("fullResourceName-853732376")
           .build();
   ApiFuture<QueryAuditableServicesResponse> future =
       iAMClient.queryAuditableServicesCallable().futureCall(request);
   // Do something.
   QueryAuditableServicesResponse response = future.get();
 }
 
Returns
| Type | Description |
|---|---|
| UnaryCallable<QueryAuditableServicesRequest,QueryAuditableServicesResponse> | |

queryGrantableRoles(QueryGrantableRolesRequest request)

public final IAMClient.QueryGrantableRolesPagedResponse queryGrantableRoles(QueryGrantableRolesRequest request)

Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   QueryGrantableRolesRequest request =
       QueryGrantableRolesRequest.newBuilder()
           .setFullResourceName("fullResourceName-853732376")
           .setView(RoleView.forNumber(0))
           .setPageSize(883849137)
           .setPageToken("pageToken873572522")
           .build();
   for (Role element : iAMClient.queryGrantableRoles(request).iterateAll()) {
     // doThingsWith(element);
   }
 }
 
Parameter
| Name | Type | Description |
|---|---|---|
| request | QueryGrantableRolesRequest | The request object containing all of the parameters for the API call. |

Returns
| Type | Description |
|---|---|
| IAMClient.QueryGrantableRolesPagedResponse | |

queryGrantableRoles(String fullResourceName)

public final IAMClient.QueryGrantableRolesPagedResponse queryGrantableRoles(String fullResourceName)

Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String fullResourceName = "fullResourceName-853732376";
   for (Role element : iAMClient.queryGrantableRoles(fullResourceName).iterateAll()) {
     // doThingsWith(element);
   }
 }
 
Parameter
| Name | Type | Description |
|---|---|---|
| fullResourceName | String | Required. The full resource name to query from the list of grantable roles. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project. |

Returns
| Type | Description |
|---|---|
| IAMClient.QueryGrantableRolesPagedResponse | |

queryGrantableRolesCallable()

public final UnaryCallable<QueryGrantableRolesRequest,QueryGrantableRolesResponse> queryGrantableRolesCallable()

Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   QueryGrantableRolesRequest request =
       QueryGrantableRolesRequest.newBuilder()
           .setFullResourceName("fullResourceName-853732376")
           .setView(RoleView.forNumber(0))
           .setPageSize(883849137)
           .setPageToken("pageToken873572522")
           .build();
   while (true) {
     QueryGrantableRolesResponse response =
         iAMClient.queryGrantableRolesCallable().call(request);
     for (Role element : response.getRolesList()) {
       // doThingsWith(element);
     }
     String nextPageToken = response.getNextPageToken();
     if (!Strings.isNullOrEmpty(nextPageToken)) {
       request = request.toBuilder().setPageToken(nextPageToken).build();
     } else {
       break;
     }
   }
 }
 
Returns
| Type | Description |
|---|---|
| UnaryCallable<QueryGrantableRolesRequest,QueryGrantableRolesResponse> | |

queryGrantableRolesPagedCallable()

public final UnaryCallable<QueryGrantableRolesRequest,IAMClient.QueryGrantableRolesPagedResponse> queryGrantableRolesPagedCallable()

Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   QueryGrantableRolesRequest request =
       QueryGrantableRolesRequest.newBuilder()
           .setFullResourceName("fullResourceName-853732376")
           .setView(RoleView.forNumber(0))
           .setPageSize(883849137)
           .setPageToken("pageToken873572522")
           .build();
   ApiFuture<IAMClient.QueryGrantableRolesPagedResponse> future =
       iAMClient.queryGrantableRolesPagedCallable().futureCall(request);
   // Do something.
   for (Role element : future.get().iterateAll()) {
     // doThingsWith(element);
   }
 }
 
Returns
| Type | Description |
|---|---|
| UnaryCallable<QueryGrantableRolesRequest,QueryGrantableRolesPagedResponse> | |

queryTestablePermissions(QueryTestablePermissionsRequest request)

public final IAMClient.QueryTestablePermissionsPagedResponse queryTestablePermissions(QueryTestablePermissionsRequest request)

Lists every permission that you can test on a resource. A permission is testable if you can check whether a principal has that permission on the resource.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   QueryTestablePermissionsRequest request =
       QueryTestablePermissionsRequest.newBuilder()
           .setFullResourceName("fullResourceName-853732376")
           .setPageSize(883849137)
           .setPageToken("pageToken873572522")
           .build();
   for (Permission element : iAMClient.queryTestablePermissions(request).iterateAll()) {
     // doThingsWith(element);
   }
 }
 
Parameter
| Name | Type | Description |
|---|---|---|
| request | QueryTestablePermissionsRequest | The request object containing all of the parameters for the API call. |

Returns
| Type | Description |
|---|---|
| IAMClient.QueryTestablePermissionsPagedResponse | |

queryTestablePermissionsCallable()

public final UnaryCallable<QueryTestablePermissionsRequest,QueryTestablePermissionsResponse> queryTestablePermissionsCallable()

Lists every permission that you can test on a resource. A permission is testable if you can check whether a principal has that permission on the resource.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   QueryTestablePermissionsRequest request =
       QueryTestablePermissionsRequest.newBuilder()
           .setFullResourceName("fullResourceName-853732376")
           .setPageSize(883849137)
           .setPageToken("pageToken873572522")
           .build();
   while (true) {
     QueryTestablePermissionsResponse response =
         iAMClient.queryTestablePermissionsCallable().call(request);
     for (Permission element : response.getPermissionsList()) {
       // doThingsWith(element);
     }
     String nextPageToken = response.getNextPageToken();
     if (!Strings.isNullOrEmpty(nextPageToken)) {
       request = request.toBuilder().setPageToken(nextPageToken).build();
     } else {
       break;
     }
   }
 }
 
Returns
| Type | Description |
|---|---|
| UnaryCallable<QueryTestablePermissionsRequest,QueryTestablePermissionsResponse> | |

queryTestablePermissionsPagedCallable()

public final UnaryCallable<QueryTestablePermissionsRequest,IAMClient.QueryTestablePermissionsPagedResponse> queryTestablePermissionsPagedCallable()

Lists every permission that you can test on a resource. A permission is testable if you can check whether a principal has that permission on the resource.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   QueryTestablePermissionsRequest request =
       QueryTestablePermissionsRequest.newBuilder()
           .setFullResourceName("fullResourceName-853732376")
           .setPageSize(883849137)
           .setPageToken("pageToken873572522")
           .build();
   ApiFuture<IAMClient.QueryTestablePermissionsPagedResponse> future =
       iAMClient.queryTestablePermissionsPagedCallable().futureCall(request);
   // Do something.
   for (Permission element : future.get().iterateAll()) {
     // doThingsWith(element);
   }
 }
 
Returns
| Type | Description |
|---|---|
| UnaryCallable<QueryTestablePermissionsRequest,QueryTestablePermissionsPagedResponse> | |

setIamPolicy(ResourceName resource, Policy policy)

public final Policy setIamPolicy(ResourceName resource, Policy policy)

Sets the IAM policy that is attached to a ServiceAccount.

Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account.

This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:

1. Call the resource's getIamPolicy method to get its current IAM policy.
2. Edit the policy so that it binds the service account to an IAM role for the resource.
3. Call the resource's setIamPolicy method to update its IAM policy.

For detailed instructions, see Manage access to projects, folders, and organizations or Manage access to other resources.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ResourceName resource = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   Policy policy = Policy.newBuilder().build();
   Policy response = iAMClient.setIamPolicy(resource, policy);
 }
 
Parameters
| Name | Type | Description |
|---|---|---|
| resource | com.google.api.resourcenames.ResourceName | REQUIRED: The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field. |
| policy | com.google.iam.v1.Policy | REQUIRED: The complete policy to be applied to the resource. The size of the policy is limited to a few 10s of KB. An empty policy is a valid policy but certain Cloud Platform services (such as Projects) might reject it. |

Returns
| Type | Description |
|---|---|
| com.google.iam.v1.Policy | |

setIamPolicy(SetIamPolicyRequest request)

public final Policy setIamPolicy(SetIamPolicyRequest request)

Sets the IAM policy that is attached to a ServiceAccount.

Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account.

This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:

1. Call the resource's getIamPolicy method to get its current IAM policy.
2. Edit the policy so that it binds the service account to an IAM role for the resource.
3. Call the resource's setIamPolicy method to update its IAM policy.

For detailed instructions, see Manage access to projects, folders, and organizations or Manage access to other resources.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   SetIamPolicyRequest request =
       SetIamPolicyRequest.newBuilder()
           .setResource(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .setPolicy(Policy.newBuilder().build())
           .setUpdateMask(FieldMask.newBuilder().build())
           .build();
   Policy response = iAMClient.setIamPolicy(request);
 }
 
Parameter
| Name | Type | Description |
|---|---|---|
| request | com.google.iam.v1.SetIamPolicyRequest | The request object containing all of the parameters for the API call. |

Returns
| Type | Description |
|---|---|
| com.google.iam.v1.Policy | |

setIamPolicy(String resource, Policy policy)

public final Policy setIamPolicy(String resource, Policy policy)

Sets the IAM policy that is attached to a ServiceAccount.

Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account.

This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:

1. Call the resource's getIamPolicy method to get its current IAM policy.
2. Edit the policy so that it binds the service account to an IAM role for the resource.
3. Call the resource's setIamPolicy method to update its IAM policy.

For detailed instructions, see Manage access to projects, folders, and organizations or Manage access to other resources.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String resource = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   Policy policy = Policy.newBuilder().build();
   Policy response = iAMClient.setIamPolicy(resource, policy);
 }
 
Parameters
| Name | Type | Description |
|---|---|---|
| resource | String | REQUIRED: The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field. |
| policy | com.google.iam.v1.Policy | REQUIRED: The complete policy to be applied to the resource. The size of the policy is limited to a few 10s of KB. An empty policy is a valid policy but certain Cloud Platform services (such as Projects) might reject it. |

Returns
| Type | Description |
|---|---|
| com.google.iam.v1.Policy | |

setIamPolicyCallable()

public final UnaryCallable<SetIamPolicyRequest,Policy> setIamPolicyCallable()

Sets the IAM policy that is attached to a ServiceAccount.

Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account.

This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:

1. Call the resource's getIamPolicy method to get its current IAM policy.
2. Edit the policy so that it binds the service account to an IAM role for the resource.
3. Call the resource's setIamPolicy method to update its IAM policy.

For detailed instructions, see Manage access to project, folders, and organizations or Manage access to other resources.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   SetIamPolicyRequest request =
       SetIamPolicyRequest.newBuilder()
           .setResource(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .setPolicy(Policy.newBuilder().build())
           .setUpdateMask(FieldMask.newBuilder().build())
           .build();
   ApiFuture<Policy> future = iAMClient.setIamPolicyCallable().futureCall(request);
   // Do something.
   Policy response = future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<com.google.iam.v1.SetIamPolicyRequest,com.google.iam.v1.Policy> | |
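An added example, not part of the generated reference: a read-modify-write for the setIamPolicy overloads above. Because the policy argument is the complete policy, the code starts from the policy that getIamPolicy returns, keeps its etag, and merges one member into it rather than sending a fresh Policy. The class name, the chosen role and all sample values are assumptions.

```java
import com.google.api.gax.rpc.AbortedException;
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.ServiceAccountName;
import com.google.iam.v1.Binding;
import com.google.iam.v1.GetIamPolicyRequest;
import com.google.iam.v1.GetPolicyOptions;
import com.google.iam.v1.Policy;
import com.google.protobuf.ByteString;

public class GrantOnServiceAccount {

  /** Copy of current in which member holds role; other bindings and the etag are kept. */
  static Policy withMember(Policy current, String role, String member) {
    Policy.Builder updated = current.toBuilder().clearBindings().setVersion(3);
    boolean merged = false;
    for (Binding binding : current.getBindingsList()) {
      // Merge only into an unconditional binding for the role, so a conditional
      // binding for the same role is never widened by accident.
      if (!merged && binding.getRole().equals(role) && !binding.hasCondition()) {
        if (!binding.getMembersList().contains(member)) {
          binding = binding.toBuilder().addMembers(member).build();
        }
        merged = true;
      }
      updated.addBindings(binding);
    }
    if (!merged) {
      updated.addBindings(Binding.newBuilder().setRole(role).addMembers(member).build());
    }
    return updated.build();
  }

  /** Read-modify-write against the live API, repeated when the etag no longer matches. */
  static Policy grant(IAMClient client, String resource, String role, String member) {
    GetIamPolicyRequest read =
        GetIamPolicyRequest.newBuilder()
            .setResource(resource)
            // Ask for version 3 so that conditional bindings come back complete.
            .setOptions(GetPolicyOptions.newBuilder().setRequestedPolicyVersion(3).build())
            .build();
    AbortedException last = null;
    for (int attempt = 0; attempt < 3; attempt++) {
      Policy current = client.getIamPolicy(read);
      try {
        return client.setIamPolicy(resource, withMember(current, role, member));
      } catch (AbortedException e) {
        last = e; // the policy changed between read and write: read again and retry
      }
    }
    throw last;
  }

  public static void main(String[] args) throws Exception {
    // Assumed role for the impersonation grant mentioned in the method description.
    String role = "roles/iam.serviceAccountTokenCreator";
    if (args.length == 3) { // project id, service account email, member
      String resource = ServiceAccountName.of(args[0], args[1]).toString();
      try (IAMClient client = IAMClient.create()) {
        System.out.println(grant(client, resource, role, args[2]));
      }
      return;
    }
    // Offline run on a constructed policy; every value below is made up.
    Policy existing =
        Policy.newBuilder()
            .setEtag(ByteString.copyFromUtf8("constructed-etag"))
            .addBindings(
                Binding.newBuilder()
                    .setRole("roles/iam.serviceAccountUser")
                    .addMembers("group:deployers@example.com"))
            .build();
    Policy updated = withMember(existing, role, "user:alice@example.com");
    System.out.println("bindings before: " + existing.getBindingsCount());
    System.out.println("bindings after:  " + updated.getBindingsCount());
    System.out.println("etag preserved:  " + updated.getEtag().equals(existing.getEtag()));
  }
}
```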

shutdown()

public void shutdown()

shutdownNow()

public void shutdownNow()

signBlob(ServiceAccountName name, ByteString bytesToSign) (deprecated)

public final SignBlobResponse signBlob(ServiceAccountName name, ByteString bytesToSign)

Deprecated. This method is deprecated and will be removed in the next major version update.

**Note:** This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a blob using the system-managed private key for a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   ByteString bytesToSign = ByteString.EMPTY;
   SignBlobResponse response = iAMClient.signBlob(name, bytesToSign);
 }
 
Parameters

| Name | Type | Description |
| --- | --- | --- |
| name | ServiceAccountName | Required. Deprecated. Migrate to Service Account Credentials API. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account. |
| bytesToSign | ByteString | Required. Deprecated. Migrate to Service Account Credentials API. The bytes to sign. |

Returns

| Type | Description |
| --- | --- |
| SignBlobResponse | |

signBlob(SignBlobRequest request) (deprecated)

public final SignBlobResponse signBlob(SignBlobRequest request)

Deprecated. This method is deprecated and will be removed in the next major version update.

**Note:** This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a blob using the system-managed private key for a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   SignBlobRequest request =
       SignBlobRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .setBytesToSign(ByteString.EMPTY)
           .build();
   SignBlobResponse response = iAMClient.signBlob(request);
 }
 
Parameter

| Name | Type | Description |
| --- | --- | --- |
| request | SignBlobRequest | The request object containing all of the parameters for the API call. |

Returns

| Type | Description |
| --- | --- |
| SignBlobResponse | |

signBlob(String name, ByteString bytesToSign) (deprecated)

public final SignBlobResponse signBlob(String name, ByteString bytesToSign)

Deprecated. This method is deprecated and will be removed in the next major version update.

**Note:** This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a blob using the system-managed private key for a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   ByteString bytesToSign = ByteString.EMPTY;
   SignBlobResponse response = iAMClient.signBlob(name, bytesToSign);
 }
 
Parameters

| Name | Type | Description |
| --- | --- | --- |
| name | String | Required. Deprecated. Migrate to Service Account Credentials API. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account. |
| bytesToSign | ByteString | Required. Deprecated. Migrate to Service Account Credentials API. The bytes to sign. |

Returns

| Type | Description |
| --- | --- |
| SignBlobResponse | |

signBlobCallable() (deprecated)

public final UnaryCallable<SignBlobRequest,SignBlobResponse> signBlobCallable()

Deprecated. This method is deprecated and will be removed in the next major version update.

**Note:** This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a blob using the system-managed private key for a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   SignBlobRequest request =
       SignBlobRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .setBytesToSign(ByteString.EMPTY)
           .build();
   ApiFuture<SignBlobResponse> future = iAMClient.signBlobCallable().futureCall(request);
   // Do something.
   SignBlobResponse response = future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<SignBlobRequest,SignBlobResponse> | |

signJwt(ServiceAccountName name, String payload) (deprecated)

public final SignJwtResponse signJwt(ServiceAccountName name, String payload)

Deprecated. This method is deprecated and will be removed in the next major version update.

**Note:** This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ServiceAccountName name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   String payload = "payload-786701938";
   SignJwtResponse response = iAMClient.signJwt(name, payload);
 }
 
Parameters

| Name | Type | Description |
| --- | --- | --- |
| name | ServiceAccountName | Required. Deprecated. Migrate to Service Account Credentials API. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account. |
| payload | String | Required. Deprecated. Migrate to Service Account Credentials API. The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. For example: {"sub": "user@example.com", "iat": 313435} If the JWT Claims Set contains an expiration time (exp) claim, it must be an integer timestamp that is not in the past and no more than 12 hours in the future. If the JWT Claims Set does not contain an expiration time (exp) claim, this claim is added automatically, with a timestamp that is 1 hour in the future. |

Returns

| Type | Description |
| --- | --- |
| SignJwtResponse | |

signJwt(SignJwtRequest request) (deprecated)

public final SignJwtResponse signJwt(SignJwtRequest request)

Deprecated. This method is deprecated and will be removed in the next major version update.

**Note:** This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   SignJwtRequest request =
       SignJwtRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .setPayload("payload-786701938")
           .build();
   SignJwtResponse response = iAMClient.signJwt(request);
 }
 
Parameter

| Name | Type | Description |
| --- | --- | --- |
| request | SignJwtRequest | The request object containing all of the parameters for the API call. |

Returns

| Type | Description |
| --- | --- |
| SignJwtResponse | |

signJwt(String name, String payload) (deprecated)

public final SignJwtResponse signJwt(String name, String payload)

Deprecated. This method is deprecated and will be removed in the next major version update.

**Note:** This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String name = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString();
   String payload = "payload-786701938";
   SignJwtResponse response = iAMClient.signJwt(name, payload);
 }
 
Parameters

| Name | Type | Description |
| --- | --- | --- |
| name | String | Required. Deprecated. Migrate to Service Account Credentials API. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account. |
| payload | String | Required. Deprecated. Migrate to Service Account Credentials API. The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. For example: {"sub": "user@example.com", "iat": 313435} If the JWT Claims Set contains an expiration time (exp) claim, it must be an integer timestamp that is not in the past and no more than 12 hours in the future. If the JWT Claims Set does not contain an expiration time (exp) claim, this claim is added automatically, with a timestamp that is 1 hour in the future. |

Returns

| Type | Description |
| --- | --- |
| SignJwtResponse | |

signJwtCallable() (deprecated)

public final UnaryCallable<SignJwtRequest,SignJwtResponse> signJwtCallable()

Deprecated. This method is deprecated and will be removed in the next major version update.

**Note:** This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   SignJwtRequest request =
       SignJwtRequest.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .setPayload("payload-786701938")
           .build();
   ApiFuture<SignJwtResponse> future = iAMClient.signJwtCallable().futureCall(request);
   // Do something.
   SignJwtResponse response = future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<SignJwtRequest,SignJwtResponse> | |
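An added example, not part of the generated reference, that applies the exp rules given for the payload parameter of the signJwt overloads above before any request is sent, and returns the expiry the signed token would carry. It assumes Gson is on the classpath; the class name, the fixed clock and the sample payloads are constructed.

```java
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParseException;
import com.google.gson.JsonParser;
import java.time.DateTimeException;
import java.time.Duration;
import java.time.Instant;

public class JwtPayloadCheck {

  static final Duration MAX_LIFETIME = Duration.ofHours(12);    // upper bound for exp
  static final Duration DEFAULT_LIFETIME = Duration.ofHours(1); // applied when exp is absent

  /** Expiry the token would carry, or IllegalArgumentException if the payload breaks a rule. */
  static Instant effectiveExpiry(String payload, Instant now) {
    JsonElement parsed;
    try {
      parsed = JsonParser.parseString(payload);
    } catch (JsonParseException e) {
      throw new IllegalArgumentException("payload is not valid JSON");
    }
    if (!parsed.isJsonObject()) {
      throw new IllegalArgumentException("payload must be a serialized JSON object");
    }
    JsonObject claims = parsed.getAsJsonObject();
    if (!claims.has("exp")) {
      return now.plus(DEFAULT_LIFETIME); // exp is added automatically, 1 hour ahead
    }
    JsonElement exp = claims.get("exp");
    if (!exp.isJsonPrimitive() || !exp.getAsJsonPrimitive().isNumber()) {
      throw new IllegalArgumentException("exp must be an integer timestamp");
    }
    Instant expiry;
    try {
      // longValueExact rejects fractional values such as 1700003600.5
      expiry = Instant.ofEpochSecond(exp.getAsBigDecimal().longValueExact());
    } catch (ArithmeticException | DateTimeException e) {
      throw new IllegalArgumentException("exp must be an integer timestamp");
    }
    if (expiry.isBefore(now)) {
      throw new IllegalArgumentException("exp is in the past");
    }
    if (expiry.isAfter(now.plus(MAX_LIFETIME))) {
      throw new IllegalArgumentException("exp is more than 12 hours in the future");
    }
    return expiry;
  }

  public static void main(String[] args) {
    Instant now = Instant.ofEpochSecond(1_700_000_000L); // fixed clock for a repeatable run
    String[] payloads = { // constructed samples
      "{\"sub\": \"user@example.com\", \"iat\": 1700000000}",
      "{\"sub\": \"user@example.com\", \"exp\": 1700003600}",
      "{\"sub\": \"user@example.com\", \"exp\": 1700050000}",
      "{\"sub\": \"user@example.com\", \"exp\": 1699999999}",
      "{\"sub\": \"user@example.com\", \"exp\": 1700003600.5}",
      "payload-786701938" // the placeholder from the generated snippets is not a JSON object
    };
    for (String payload : payloads) {
      try {
        System.out.println("ok, expires " + effectiveExpiry(payload, now) + "  " + payload);
      } catch (IllegalArgumentException e) {
        System.out.println("rejected (" + e.getMessage() + ")  " + payload);
      }
    }
  }
}
```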

testIamPermissions(ResourceName resource, List<String> permissions)

public final TestIamPermissionsResponse testIamPermissions(ResourceName resource, List<String> permissions)

Tests whether the caller has the specified permissions on a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ResourceName resource = ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]");
   List<String> permissions = new ArrayList<>();
   TestIamPermissionsResponse response = iAMClient.testIamPermissions(resource, permissions);
 }
 
Parameters

| Name | Type | Description |
| --- | --- | --- |
| resource | com.google.api.resourcenames.ResourceName | REQUIRED: The resource for which the policy detail is being requested. See the operation documentation for the appropriate value for this field. |
| permissions | List<String> | The set of permissions to check for the resource. Permissions with wildcards (such as '*' or 'storage.*') are not allowed. For more information see IAM Overview. |

Returns

| Type | Description |
| --- | --- |
| com.google.iam.v1.TestIamPermissionsResponse | |

testIamPermissions(TestIamPermissionsRequest request)

public final TestIamPermissionsResponse testIamPermissions(TestIamPermissionsRequest request)

Tests whether the caller has the specified permissions on a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   TestIamPermissionsRequest request =
       TestIamPermissionsRequest.newBuilder()
           .setResource(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllPermissions(new ArrayList<String>())
           .build();
   TestIamPermissionsResponse response = iAMClient.testIamPermissions(request);
 }
 
Parameter

| Name | Type | Description |
| --- | --- | --- |
| request | com.google.iam.v1.TestIamPermissionsRequest | The request object containing all of the parameters for the API call. |

Returns

| Type | Description |
| --- | --- |
| com.google.iam.v1.TestIamPermissionsResponse | |

testIamPermissions(String resource, List<String> permissions)

public final TestIamPermissionsResponse testIamPermissions(String resource, List<String> permissions)

Tests whether the caller has the specified permissions on a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   String resource = ProjectName.of("[PROJECT]").toString();
   List<String> permissions = new ArrayList<>();
   TestIamPermissionsResponse response = iAMClient.testIamPermissions(resource, permissions);
 }
 
Parameters

| Name | Type | Description |
| --- | --- | --- |
| resource | String | REQUIRED: The resource for which the policy detail is being requested. See the operation documentation for the appropriate value for this field. |
| permissions | List<String> | The set of permissions to check for the resource. Permissions with wildcards (such as '*' or 'storage.*') are not allowed. For more information see IAM Overview. |

Returns

| Type | Description |
| --- | --- |
| com.google.iam.v1.TestIamPermissionsResponse | |

testIamPermissionsCallable()

public final UnaryCallable<TestIamPermissionsRequest,TestIamPermissionsResponse> testIamPermissionsCallable()

Tests whether the caller has the specified permissions on a ServiceAccount.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   TestIamPermissionsRequest request =
       TestIamPermissionsRequest.newBuilder()
           .setResource(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .addAllPermissions(new ArrayList<String>())
           .build();
   ApiFuture<TestIamPermissionsResponse> future =
       iAMClient.testIamPermissionsCallable().futureCall(request);
   // Do something.
   TestIamPermissionsResponse response = future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<com.google.iam.v1.TestIamPermissionsRequest,com.google.iam.v1.TestIamPermissionsResponse> | |
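An added example (not from the generated reference) for the testIamPermissions overloads above: a least-privilege check that asks which credential-related permissions the calling identity holds on one service account and flags any it holds beyond an allowed set. The reviewed and allowed lists, the class name and the offline sample response are assumptions; the result describes the caller only, so run it with the credentials of the identity under review.

```java
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.ServiceAccountName;
import com.google.iam.v1.TestIamPermissionsResponse;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class ServiceAccountPermissionCheck {

  // Assumed review list: permissions that let a caller act as, or obtain
  // credentials for, a service account.
  static final List<String> REVIEWED =
      List.of(
          "iam.serviceAccounts.actAs",
          "iam.serviceAccounts.getAccessToken",
          "iam.serviceAccounts.getOpenIdToken",
          "iam.serviceAccounts.implicitDelegation",
          "iam.serviceAccounts.signBlob",
          "iam.serviceAccounts.signJwt");

  // Assumed expectation for the identity under review.
  static final Set<String> ALLOWED = Set.of("iam.serviceAccounts.actAs");

  /** Fails fast on wildcard entries, which the API does not accept. */
  static List<String> requireExplicit(List<String> permissions) {
    for (String permission : permissions) {
      if (permission.contains("*")) {
        throw new IllegalArgumentException("wildcard not allowed: " + permission);
      }
    }
    return permissions;
  }

  /** Requested permissions that are absent from the list the API returned. */
  static Set<String> missing(List<String> requested, List<String> granted) {
    Set<String> result = new LinkedHashSet<>(requested);
    result.removeAll(granted);
    return result;
  }

  /** Granted permissions that the identity is not expected to hold. */
  static Set<String> unexpected(List<String> granted, Set<String> allowed) {
    Set<String> result = new LinkedHashSet<>(granted);
    result.removeAll(allowed);
    return result;
  }

  public static void main(String[] args) throws Exception {
    List<String> requested = requireExplicit(REVIEWED);
    List<String> granted;
    if (args.length == 2) { // project id, service account email
      String resource = ServiceAccountName.of(args[0], args[1]).toString();
      try (IAMClient client = IAMClient.create()) {
        TestIamPermissionsResponse response = client.testIamPermissions(resource, requested);
        // The response lists the subset of the requested permissions that the caller holds.
        granted = response.getPermissionsList();
      }
    } else {
      // Constructed response for an offline run.
      granted = List.of("iam.serviceAccounts.actAs", "iam.serviceAccounts.signJwt");
    }
    System.out.println("held:       " + granted);
    System.out.println("missing:    " + missing(requested, granted));
    System.out.println("unexpected: " + unexpected(granted, ALLOWED));
  }
}
```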

undeleteRole(UndeleteRoleRequest request)

public final Role undeleteRole(UndeleteRoleRequest request)

Undeletes a custom Role.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   UndeleteRoleRequest request =
       UndeleteRoleRequest.newBuilder()
           .setName("UndeleteRoleRequest755355893".toString())
           .setEtag(ByteString.EMPTY)
           .build();
   Role response = iAMClient.undeleteRole(request);
 }
 
Parameter

| Name | Type | Description |
| --- | --- | --- |
| request | UndeleteRoleRequest | The request object containing all of the parameters for the API call. |

Returns

| Type | Description |
| --- | --- |
| Role | |

undeleteRoleCallable()

public final UnaryCallable<UndeleteRoleRequest,Role> undeleteRoleCallable()

Undeletes a custom Role.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   UndeleteRoleRequest request =
       UndeleteRoleRequest.newBuilder()
           .setName("UndeleteRoleRequest755355893".toString())
           .setEtag(ByteString.EMPTY)
           .build();
   ApiFuture<Role> future = iAMClient.undeleteRoleCallable().futureCall(request);
   // Do something.
   Role response = future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<UndeleteRoleRequest,Role> | |

undeleteServiceAccount(UndeleteServiceAccountRequest request)

public final UndeleteServiceAccountResponse undeleteServiceAccount(UndeleteServiceAccountRequest request)

Restores a deleted ServiceAccount.

**Important:** It is not always possible to restore a deleted service account. Use this method only as a last resort.

After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   UndeleteServiceAccountRequest request =
       UndeleteServiceAccountRequest.newBuilder().setName("name3373707").build();
   UndeleteServiceAccountResponse response = iAMClient.undeleteServiceAccount(request);
 }
 
Parameter

| Name | Type | Description |
| --- | --- | --- |
| request | UndeleteServiceAccountRequest | The request object containing all of the parameters for the API call. |

Returns

| Type | Description |
| --- | --- |
| UndeleteServiceAccountResponse | |

undeleteServiceAccountCallable()

public final UnaryCallable<UndeleteServiceAccountRequest,UndeleteServiceAccountResponse> undeleteServiceAccountCallable()

Restores a deleted ServiceAccount.

**Important:** It is not always possible to restore a deleted service account. Use this method only as a last resort.

After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   UndeleteServiceAccountRequest request =
       UndeleteServiceAccountRequest.newBuilder().setName("name3373707").build();
   ApiFuture<UndeleteServiceAccountResponse> future =
       iAMClient.undeleteServiceAccountCallable().futureCall(request);
   // Do something.
   UndeleteServiceAccountResponse response = future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<UndeleteServiceAccountRequest,UndeleteServiceAccountResponse> | |

updateRole(UpdateRoleRequest request)

public final Role updateRole(UpdateRoleRequest request)

Updates the definition of a custom Role.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   UpdateRoleRequest request =
       UpdateRoleRequest.newBuilder()
           .setName("UpdateRoleRequest230834320".toString())
           .setRole(Role.newBuilder().build())
           .setUpdateMask(FieldMask.newBuilder().build())
           .build();
   Role response = iAMClient.updateRole(request);
 }
 
Parameter

| Name | Type | Description |
| --- | --- | --- |
| request | UpdateRoleRequest | The request object containing all of the parameters for the API call. |

Returns

| Type | Description |
| --- | --- |
| Role | |

updateRoleCallable()

public final UnaryCallable<UpdateRoleRequest,Role> updateRoleCallable()

Updates the definition of a custom Role.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   UpdateRoleRequest request =
       UpdateRoleRequest.newBuilder()
           .setName("UpdateRoleRequest230834320".toString())
           .setRole(Role.newBuilder().build())
           .setUpdateMask(FieldMask.newBuilder().build())
           .build();
   ApiFuture<Role> future = iAMClient.updateRoleCallable().futureCall(request);
   // Do something.
   Role response = future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<UpdateRoleRequest,Role> | |

updateServiceAccount(ServiceAccount request)

public final ServiceAccount updateServiceAccount(ServiceAccount request)

**Note:** We are in the process of deprecating this method. Use PatchServiceAccount instead.

Updates a ServiceAccount.

You can update only the display_name field.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ServiceAccount request =
       ServiceAccount.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .setProjectId("projectId-894832108")
           .setUniqueId("uniqueId-294460212")
           .setEmail("email96619420")
           .setDisplayName("displayName1714148973")
           .setEtag(ByteString.EMPTY)
           .setDescription("description-1724546052")
           .setOauth2ClientId("oauth2ClientId-1210797087")
           .setDisabled(true)
           .build();
   ServiceAccount response = iAMClient.updateServiceAccount(request);
 }
 
Parameter

| Name | Type | Description |
| --- | --- | --- |
| request | ServiceAccount | The request object containing all of the parameters for the API call. |

Returns

| Type | Description |
| --- | --- |
| ServiceAccount | |

updateServiceAccountCallable()

public final UnaryCallable<ServiceAccount,ServiceAccount> updateServiceAccountCallable()

**Note:** We are in the process of deprecating this method. Use PatchServiceAccount instead.

Updates a ServiceAccount.

You can update only the display_name field.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   ServiceAccount request =
       ServiceAccount.newBuilder()
           .setName(ServiceAccountName.of("[PROJECT]", "[SERVICE_ACCOUNT]").toString())
           .setProjectId("projectId-894832108")
           .setUniqueId("uniqueId-294460212")
           .setEmail("email96619420")
           .setDisplayName("displayName1714148973")
           .setEtag(ByteString.EMPTY)
           .setDescription("description-1724546052")
           .setOauth2ClientId("oauth2ClientId-1210797087")
           .setDisabled(true)
           .build();
   ApiFuture<ServiceAccount> future =
       iAMClient.updateServiceAccountCallable().futureCall(request);
   // Do something.
   ServiceAccount response = future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<ServiceAccount,ServiceAccount> | |

uploadServiceAccountKey(UploadServiceAccountKeyRequest request)

public final ServiceAccountKey uploadServiceAccountKey(UploadServiceAccountKeyRequest request)

Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount.

After you upload the public key, you can use the private key from the key pair as a service account key.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   UploadServiceAccountKeyRequest request =
       UploadServiceAccountKeyRequest.newBuilder()
           .setName("name3373707")
           .setPublicKeyData(ByteString.EMPTY)
           .build();
   ServiceAccountKey response = iAMClient.uploadServiceAccountKey(request);
 }
 
Parameter

| Name | Type | Description |
| --- | --- | --- |
| request | UploadServiceAccountKeyRequest | The request object containing all of the parameters for the API call. |

Returns

| Type | Description |
| --- | --- |
| ServiceAccountKey | |

uploadServiceAccountKeyCallable()

public final UnaryCallable<UploadServiceAccountKeyRequest,ServiceAccountKey> uploadServiceAccountKeyCallable()

Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount.

After you upload the public key, you can use the private key from the key pair as a service account key.

Sample code:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (IAMClient iAMClient = IAMClient.create()) {
   UploadServiceAccountKeyRequest request =
       UploadServiceAccountKeyRequest.newBuilder()
           .setName("name3373707")
           .setPublicKeyData(ByteString.EMPTY)
           .build();
   ApiFuture<ServiceAccountKey> future =
       iAMClient.uploadServiceAccountKeyCallable().futureCall(request);
   // Do something.
   ServiceAccountKey response = future.get();
 }
 
Returns

| Type | Description |
| --- | --- |
| UnaryCallable<UploadServiceAccountKeyRequest,ServiceAccountKey> | |