Package google.iam.admin.v1

PermissionDelta

The permission_delta when when creating or updating a Role.

string

Added permissions.

string

Removed permissions.

string

Required. The parent resource to create the OAuth client Credential in.

OauthClientCredential

Required. The OAuth client credential to create.

string

Required. The ID to use for the OAuth client credential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.

string

Required. The parent resource to create the OAuth client in. The only supported location is global.

OauthClient

Required. The OAuth client to create.

string

Required. The ID to use for the OAuth client, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.

string

The parent parameter's value depends on the target resource for the request, namely projects or organizations. Each resource type's parent value format is described below:

• projects.roles.create(): projects/{PROJECT_ID}. This method creates project-level custom roles. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles

• organizations.roles.create(): organizations/{ORGANIZATION_ID}. This method creates organization-level custom roles. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource parent:

• iam.roles.create

string

The role ID to use for this role.

A role ID may contain alphanumeric characters, underscores (_), and periods (.). It must contain a minimum of 3 characters and a maximum of 64 characters.

Role

The Role resource to create.

string

Required. The resource name of the service account.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}
• projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccountKeys.create

ServiceAccountPrivateKeyType

The output format of the private key. The default value is TYPE_GOOGLE_CREDENTIALS_FILE, which is the Google Credentials File format.

ServiceAccountKeyAlgorithm

Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future.

string

Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccounts.create

string

Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression [a-z]([-a-z0-9]*[a-z0-9]) to comply with RFC1035.

ServiceAccount

The ServiceAccount resource to create. Currently, only the following values are user assignable: display_name and description.

string

Required. The provider to create this key in.

WorkforcePoolProviderKey

Required. The WorkforcePoolProviderKey to create.

string

Required. The ID to use for the key, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-].

string

Required. The pool to create this provider in.

Format: locations/{location}/workforcePools/{workforce_pool_id}

WorkforcePoolProvider

Required. The provider to create.

string

Required. The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.

WorkforcePool

Required. The pool to create.

string

The location of the pool to create.

Format: locations/{location}.

string

The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.

string

Required. The name of the OAuth client credential to delete.

Format: projects/{project}/locations/{location}/oauthClients/{oauth_client}/credentials/{credential}.

string

Required. The name of the OAuth client to delete.

Format: projects/{project}/locations/{location}/oauthClients/{oauth_client}.

string

The name parameter's value depends on the target resource for the request, namely projects or organizations. Each resource type's name value format is described below:

• projects.roles.delete(): projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}. This method deletes only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

• organizations.roles.delete(): organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}. This method deletes only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource name:

• iam.roles.delete

bytes

Used to perform a consistent read-modify-write.

string

Required. The resource name of the service account key.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
• projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key projects/-/serviceAccounts/fake@example.com/keys/fake-key, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccountKeys.delete

string

Required. The resource name of the service account.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}
• projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccounts.delete

string

Required. The name of the key to delete.

string

Required. The name of the provider to delete.

Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}

string

Required. The name of the pool to delete.

Format: locations/{location}/workforcePools/{workforce_pool_id}

string

Required. The resource name of the WorkforcePoolSubject. Special characters, like / and :, must be escaped, because all URLs need to conform to the "When to Escape and Unescape" section of RFC3986.

Format: locations/{location}/workforcePools/{workforce_pool_id}/subjects/{subject_id}

string

Required. The resource name of the service account key.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
• projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key projects/-/serviceAccounts/fake@example.com/keys/fake-key, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccountKeys.disable

ServiceAccountKeyDisableReason

Optional. Describes the reason this key is being disabled. If unspecified, the default value of SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED will be used.

string

Optional. Usable by internal google services only. An extended_status_message can be used to include additional information about the key, such as its private key data being exposed on a public repository like GitHub.

string

The resource name of the service account.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}
• projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccounts.disable

string

Required. The resource name of the service account key.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
• projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key projects/-/serviceAccounts/fake@example.com/keys/fake-key, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccountKeys.enable

string

The resource name of the service account.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}
• projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccounts.enable

string

Required. The name of the OAuth client credential to retrieve.

Format: projects/{project}/locations/{location}/oauthClients/{oauth_client}/credentials/{credential}.

string

Required. The name of the OAuth client to retrieve.

Format: projects/{project}/locations/{location}/oauthClients/{oauth_client}.

string

The name parameter's value depends on the target resource for the request, namely roles, projects, or organizations. Each resource type's name value format is described below:

• roles.get(): roles/{ROLE_NAME}. This method returns results from all predefined roles in IAM. Example request URL: https://iam.googleapis.com/v1/roles/{ROLE_NAME}

• projects.roles.get(): projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}. This method returns only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

• organizations.roles.get(): organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}. This method returns only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource name:

• iam.roles.get

string

Required. The resource name of the service account key.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
• projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key projects/-/serviceAccounts/fake@example.com/keys/fake-key, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccountKeys.get

ServiceAccountPublicKeyType

Optional. The output format of the public key. The default is TYPE_NONE, which means that the public key is not returned.

string

Required. The resource name of the service account.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}
• projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccounts.get

string

Required. The name of the key to retrieve.

string

Required. The name of the provider to retrieve.

Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}

string

Required. The name of the pool to retrieve.

Format: locations/{location}/workforcePools/{workforce_pool_id}

KeyFormat

Output only. The format of the key.

Timestamp

Output only. Earliest timestamp when this key is valid. Attempts to use this key before this time will fail. Only present if the key data represents a X.509 certificate.

Timestamp

Output only. Latest timestamp when this key is valid. Attempts to use this key after this time will fail. Only present if the key data represents a X.509 certificate.

string

Output only. The key data. The format of the key is represented by the format field.

KeySpec

Required. The specifications for the key.

string

The full resource name of the policy this lint request is about.

The name follows the Google Cloud format for full resource names. For example, a Google Cloud project with ID my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

The resource name is not used to read a policy from IAM. Only the data in the request object is linted.

Expr

google.iam.v1.Binding.condition object to be linted.

LintResult

List of lint results sorted by severity in descending order.

Level

The validation unit level.

string

The validation unit name, for instance "lintValidationUnits/ConditionComplexityCheck".

Severity

The validation unit severity.

string

The name of the field for which this lint result is about.

For nested messages field_name consists of names of the embedded fields separated by period character. The top-level qualifier is the input object to lint in the request. For example, the field_name value condition.expression identifies a lint result for the expression field of the provided condition.

int32

0-based character position of problematic construct within the object identified by field_name. Currently, this is populated only for condition expression.

string

Human readable debug message associated with the issue.

string

Required. The parent to list OAuth client credentials for.

OauthClientCredential

A list of OAuth client credentials.

string

Required. The parent to list OAuth clients for.

int32

Optional. The maximum number of OAuth clients to return. If unspecified, at most 50 OAuth clients will be returned. The maximum value is 100; values above 100 are truncated to 100.

string

Optional. A page token, received from a previous ListOauthClients call. Provide this to retrieve the subsequent page.

bool

Optional. Whether to return soft-deleted OAuth clients.

OauthClient

A list of OAuth clients.

string

Optional. A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

string

The parent parameter's value depends on the target resource for the request, namely roles, projects, or organizations. Each resource type's parent value format is described below:

• roles.list(): An empty string. This method doesn't require a resource; it simply returns all predefined roles in IAM. Example request URL: https://iam.googleapis.com/v1/roles

• projects.roles.list(): projects/{PROJECT_ID}. This method lists all project-level custom roles. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles

• organizations.roles.list(): organizations/{ORGANIZATION_ID}. This method lists all organization-level custom roles. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource parent:

• iam.roles.list

int32

Optional limit on the number of roles to include in the response.

The default is 300, and the maximum is 1,000.

string

Optional pagination token returned in an earlier ListRolesResponse.

RoleView

Optional view for the returned Role objects. When FULL is specified, the includedPermissions field is returned, which includes a list of all permissions in the role. The default value is BASIC, which does not return the includedPermissions field.

bool

Include Roles that have been deleted.

Role

The Roles defined on this resource.

string

To retrieve the next page of results, set ListRolesRequest.page_token to this value.

string

Required. The resource name of the service account.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}
• projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccountKeys.list

KeyType

Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned.

ServiceAccountKey

The public keys for the service account.

string

Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccounts.list

int32

Optional limit on the number of service accounts to include in the response. Further accounts can subsequently be obtained by including the ListServiceAccountsResponse.next_page_token in a subsequent request.

The default is 20, and the maximum is 100.

string

Optional pagination token returned in an earlier ListServiceAccountsResponse.next_page_token.

ServiceAccount

The list of matching service accounts.

string

To retrieve the next page of results, set ListServiceAccountsRequest.page_token to this value.

string

Required. The provider resource to list encryption keys for.

Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}

int32

The maximum number of keys to return. If unspecified, all keys are returned. The maximum value is 10; values above 10 are truncated to 10.

string

A page token, received from a previous ListWorkforcePoolProviderKeys call. Provide this to retrieve the subsequent page.

bool

Whether to return soft-deleted keys.

WorkforcePoolProviderKey

A list of WorkforcePoolProviderKeys.

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

string

Required. The pool to list providers for.

Format: locations/{location}/workforcePools/{workforce_pool_id}

int32

The maximum number of providers to return. If unspecified, at most 50 providers are returned. The maximum value is 100; values above 100 are truncated to 100.

string

A page token, received from a previous ListWorkforcePoolProviders call. Provide this to retrieve the subsequent page.

bool

Whether to return soft-deleted providers.

WorkforcePoolProvider

A list of providers.

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

string

Required. The parent resource to list pools for.

Format: organizations/{org-id}.

int32

The maximum number of pools to return. If unspecified, at most 50 pools will be returned. The maximum value is 1000; values above 1000 are truncated to 1000.

string

A page token, received from a previous ListWorkforcePools call. Provide this to retrieve the subsequent page.

bool

Whether to return soft-deleted pools.

string

The location of the pool.

Format: locations/{location}.

WorkforcePool

A list of pools.

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

string

Immutable. The resource name of the OAuth client.

Format:projects/{project}/locations/{location}/oauthClients/{oauth_client}.

State

Output only. The state of the OAuth client.

bool

Optional. Whether the OAuth client is disabled. You cannot use a disabled OAuth client.

string

Output only. The system-generated OAuth client id.

string

Optional. A user-specified display name of the OAuth client.

Cannot exceed 32 characters.

string

Optional. A user-specified description of the OAuth client.

Cannot exceed 256 characters.

ClientType

Immutable. The type of OAuth client. Either public or private. For private clients, the client secret can be managed using the dedicated OauthClientCredential resource.

GrantType

Required. The list of OAuth grant types is allowed for the OAuth client.

string

Required. The list of scopes that the OAuth client is allowed to request during OAuth flows.

The following scopes are supported:

• https://www.googleapis.com/auth/cloud-platform: See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account.
• openid: Associate you with your personal info on Google Cloud.
• email: See your Google Cloud Account email address.

string

Required. The list of redirect uris that is allowed to redirect back when authorization process is completed.

Timestamp

Output only. Time after which the OAuth client will be permanently purged and cannot be recovered.

string

Immutable. The resource name of the OAuth client credential.

Format: projects/{project}/locations/{location}/oauthClients/{oauth_client}/credentials/{credential}

bool

Optional. Whether the OAuth client credential is disabled. You cannot use a disabled OAuth client credential.

string

Optional. A user-specified display name of the OAuth client credential.

Cannot exceed 32 characters.

string

Output only. The system-generated OAuth client secret.

The client secret must be stored securely. If the client secret is leaked, you must delete and re-create the client credential.

ServiceAccountKey

Required. The service account key to update.

FieldMask

Required. The update mask to apply to the service account key. Only the following fields are eligible for patching: - contact - description

ServiceAccount

Authorization requires the following IAM permission on the specified resource serviceAccount:

• iam.serviceAccounts.update

FieldMask

string

The name of this Permission.

string

The title of this Permission.

string

A brief description of what this Permission is used for. This permission can ONLY be used in predefined roles.

bool

PermissionLaunchStage

The current launch stage of the permission.

CustomRolesSupportLevel

The current custom role support level.

bool

The service API associated with the permission is not enabled.

string

The preferred name for this permission. If present, then this permission is an alias of, and equivalent to, the listed primary_permission.

string

Required. The full resource name to query from the list of auditable services.

The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

AuditableService

The auditable services for a resource.

string

Public name of the service. For example, the service name for IAM is 'iam.googleapis.com'.

string

Required. The full resource name to query from the list of grantable roles.

The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

RoleView

int32

Optional limit on the number of roles to include in the response.

The default is 300, and the maximum is 1,000.

string

Optional pagination token returned in an earlier QueryGrantableRolesResponse.

Role

The list of matching roles.

string

To retrieve the next page of results, set QueryGrantableRolesRequest.page_token to this value.

string

Required. The full resource name to query from the list of testable permissions.

The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

int32

Optional limit on the number of permissions to include in the response.

The default is 100, and the maximum is 1,000.

string

Optional pagination token returned in an earlier QueryTestablePermissionsRequest.

Permission

The Permissions testable on the requested resource.

string

To retrieve the next page of results, set QueryTestableRolesRequest.page_token to this value.

string

The name of the role.

When Role is used in CreateRole, the role name must not be set.

When Role is used in output and other input such as UpdateRole, the role name is the complete path. For example, roles/logging.viewer for predefined roles, organizations/{ORGANIZATION_ID}/roles/myRole for organization-level custom roles, and projects/{PROJECT_ID}/roles/myRole for project-level custom roles.

string

Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.

string

Optional. A human-readable description for the role.

string

The names of the permissions this role grants when bound in an IAM policy.

RoleLaunchStage

The current launch stage of the role. If the ALPHA launch stage has been selected for a role, the stage field will not be included in the returned definition for the role.

bytes

Used to perform a consistent read-modify-write.

bool

The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.

string

The resource name of the service account.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}
• projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

string

Output only. The ID of the project that owns the service account.

string

Output only. The unique, stable numeric ID for the service account.

Each service account retains its unique ID even if you delete the service account. For example, if you delete a service account, then create a new service account with the same name, the new service account has a different unique ID than the deleted service account.

string

Output only. The email address of the service account.

string

Optional. A user-specified, human-readable name for the service account. The maximum length is 100 UTF-8 bytes.

bytes

Deprecated. Do not use.

string

Optional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes.

string

Output only. The OAuth 2.0 client ID for the service account.

bool

Output only. Whether the service account is disabled.

string

The resource name of the service account key in the following format projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

ServiceAccountPrivateKeyType

The output format for the private key. Only provided in CreateServiceAccountKey responses, not in GetServiceAccountKey or ListServiceAccountKey responses.

Google never exposes system-managed private keys, and never retains user-managed private keys.

ServiceAccountKeyAlgorithm

Specifies the algorithm (and possibly key size) for the key.

bytes

The private key data. Only provided in CreateServiceAccountKey responses. Make sure to keep the private key data secure because it allows for the assertion of the service account identity. When base64 decoded, the private key data can be used to authenticate with Google API client libraries and with gcloud auth activate-service-account.

bytes

The public key data. Only provided in GetServiceAccountKey responses.

Timestamp

The key can be used after this timestamp.

Timestamp

The key can be used before this timestamp. For system-managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time.

ServiceAccountKeyOrigin

The key origin.

KeyType

The key type.

bool

The key status.

ServiceAccountKeyDisableReason

optional. If the key is disabled, it may have a DisableReason describing why it was disabled.

ExtendedStatus

Extended Status provides permanent information about a service account key. For example, if this key was detected as exposed or compromised, that information will remain for the lifetime of the key in the extended_status.

string

Optional. A user provided email address as the point of contact for this service account key. Must be an email address. Limit 64 characters.

string

Optional. A user provided description of this service account key.

string

Output only. The cloud identity that created this service account key. Populated automatically when the key is created and not editable by the user.

ServiceAccountKeyExtendedStatusKey

The key for this extended status.

string

The value for the extended status.

string

Required. Deprecated. Migrate to Service Account Credentials API.

The resource name of the service account.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}
• projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccounts.signBlob

bytes

Required. Deprecated. Migrate to Service Account Credentials API.

The bytes to sign.

string

Deprecated. Migrate to Service Account Credentials API.

The id of the key used to sign the blob.

bytes

Deprecated. Migrate to Service Account Credentials API.

The signed blob.

string

Required. Deprecated. Migrate to Service Account Credentials API.

The resource name of the service account.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}
• projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccounts.signJwt

string

Required. Deprecated. Migrate to Service Account Credentials API.

The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. For example: {"sub": "user@example.com", "iat": 313435}

If the JWT Claims Set contains an expiration time (exp) claim, it must be an integer timestamp that is not in the past and no more than 12 hours in the future.

If the JWT Claims Set does not contain an expiration time (exp) claim, this claim is added automatically, with a timestamp that is 1 hour in the future.

string

Deprecated. Migrate to Service Account Credentials API.

The id of the key used to sign the JWT.

string

Deprecated. Migrate to Service Account Credentials API.

The signed JWT.

string

Required. The name of the OAuth client to undelete.

Format: projects/{project}/locations/{location}/oauthClients/{oauth_client}.

string

The name parameter's value depends on the target resource for the request, namely projects or organizations. Each resource type's name value format is described below:

• projects.roles.undelete(): projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}. This method undeletes only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

• organizations.roles.undelete(): organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}. This method undeletes only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource name:

• iam.roles.undelete

bytes

Used to perform a consistent read-modify-write.

string

The resource name of the service account.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}
• projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccounts.undelete

ServiceAccount

Metadata for the restored service account.

string

Required. The name of the key to undelete.

string

Required. The name of the provider to undelete.

Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}

string

Required. The name of the pool to undelete.

Format: locations/{location}/workforcePools/{workforce_pool_id}

string

Required. The resource name of the WorkforcePoolSubject. Special characters, like / and :, must be escaped, because all URLs need to conform to the "When to Escape and Unescape" section of RFC3986.

Format: locations/{location}/workforcePools/{workforce_pool_id}/subjects/{subject_id}

OauthClientCredential

Required. The OAuth client credential to update. The name field is used to identify the OAuth client credential.

FieldMask

Required. The list of fields to update.

OauthClient

Required. The OAuth client to update. The name field is used to identify the OAuth client.

FieldMask

Required. The list of fields to update.

string

The name parameter's value depends on the target resource for the request, namely projects or organizations. Each resource type's name value format is described below:

• projects.roles.patch(): projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}. This method updates only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

• organizations.roles.patch(): organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}. This method updates only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Authorization requires the following IAM permission on the specified resource name:

• iam.roles.update

Role

The updated role.

FieldMask

A mask describing which fields in the Role have changed.

WorkforcePoolProvider

Required. The provider to update.

FieldMask

Required. The list of fields to update.

WorkforcePool

Required. The pool to update. The name field is used to identify the pool.

FieldMask

Required. The list of fields to update.

string

The resource name of the service account key.

Use one of the following formats:

• projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
• projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

• projects/-/serviceAccounts/{EMAIL_ADDRESS}
• projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

• iam.serviceAccountKeys.create

bytes

The public key to associate with the service account. Must be an RSA public key that is wrapped in an X.509 v3 certificate. Include the first line, -----BEGIN CERTIFICATE-----, and the last line, -----END CERTIFICATE-----.

string

Output only. The resource name of the pool.

Format: locations/{location}/workforcePools/{workforce_pool_id}

string

Immutable. The resource name of the parent.

Format: organizations/{org-id}.

string

A user-specified display name of the pool in Google Cloud Console.

Cannot exceed 32 characters.

string

A user-specified description of the pool.

Cannot exceed 256 characters.

State

Output only. The state of the pool.

bool

Disables the workforce pool. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

Duration

Duration that the Google Cloud access tokens, console sign-in sessions, and gcloud sign-in sessions from this pool are valid.

Must be greater than 15 minutes (900s) and less than 12 hours (43200s). If session_duration is not configured, minted credentials have a default duration of one hour (3600s).

For SAML providers, the lifetime of the token is the minimum of the session_duration and the SessionNotOnOrAfter claim in the SAML assertion.

Timestamp

Output only. Time after which the workforce pool will be permanently purged and cannot be recovered.

AccessRestrictions

Optional. Configure access restrictions on the workforce pool users. This is an optional field. If specified web sign-in can be restricted to given set of services or programmatic sign-in can be disabled for pool users.

ServiceConfig

Optional. Immutable. Services allowed for web sign-in with the workforce pool. If not set by default there are no restrictions.

bool

Optional. Disable programmatic sign-in by disabling token issue via the Security Token API endpoint. See Security Token Service API.

string

Optional. Domain name of the service.

Example: console.cloud.google

string

Output only. The resource name of the provider.

Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}

string

A user-specified display name for the provider.

Cannot exceed 32 characters.

string

A user-specified description of the provider. Cannot exceed 256 characters.

State

Output only. The state of the provider.

bool

Disables the workforce pool provider. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

map<string, string>

Required. Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment.

Each key must be a string specifying the Google Cloud IAM attribute to map to.

The following keys are supported:

• google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.

• google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.

• google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.

• google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings.

• google.posix_username: The Linux username used by OS Login. This is an optional field and the mapped POSIX username cannot exceed 32 characters, The key must match the regex "^[a-zA-Z0-9._][a-zA-Z0-9._-]{0,31}$". This attribute cannot be referenced in IAM bindings.

You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_].

You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:

• google.subject: principal://iam.googleapis.com/locations/global/workforcePools/{pool}/subject/{value}

• google.groups: principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/group/{value}

• attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/attribute.{custom_attribute}/{value}

Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key.

You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider.

The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 4KB.

For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

{"google.subject": "assertion.sub"}

string

A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted.

The expression must output a boolean representing whether to allow the federation.

The following keywords may be referenced in the expressions:

• assertion: JSON representing the authentication credential issued by the provider.
• google: The Google attributes mapped from the assertion in the attribute_mappings. google.profile_photo, google.display_name and google.posix_username are not supported.
• attribute: The custom attributes mapped from the assertion in the attribute_mappings.

The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials will be accepted.

The following example shows how to only allow credentials with a mapped google.groups value of admins:

"'admins' in google.groups"

Timestamp

Output only. Time after which the workload pool provider will be permanently purged and cannot be recovered.

ExtraAttributesOAuth2Client

Optional. The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol.

Saml

A SAML identity provider configuration.

Oidc

An OpenId Connect 1.0 identity provider configuration.

string

Required. The OIDC identity provider's issuer URI. Must be a valid URI using the https scheme. Required to get the OIDC discovery document.

string

Required. The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.

ClientSecret

Required. The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.

AttributesType

Required. Represents the IdP and type of claims that should be fetched.

QueryParameters

Optional. Represents the parameters to control which claims are fetched from an IdP.

string

Optional. The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.

string

Required. The OIDC issuer URI. Must be a valid URI using the https scheme.

string

Required. The client ID. Must match the audience claim of the JWT issued by the identity provider.

ClientSecret

The optional client secret. Required to enable Authorization Code flow for web sign-in.

WebSsoConfig

Required. Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser.

string

OIDC JWKs in JSON String format. For details on the definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, the jwks_uri from the discovery document(fetched from the .well-known path of the issuer_uri) will be used. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }

Value

The value of the client secret.

string

Input only. The plain text of the client secret value. For security reasons, this field is only used for input and will never be populated in any response.

string

Output only. A thumbprint to represent the current client secret value.

ResponseType

Required. The Response Type to request for in the OIDC Authorization Request for web sign-in.

The CODE Response Type is recommended to avoid the Implicit Flow, for security reasons.

AssertionClaimsBehavior

Required. The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

string

Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the openid, profile and email scopes that are supported by the identity provider are requested.

Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.

string

Required. SAML Identity provider configuration metadata xml doc. The xml document should comply with SAML 2.0 specification. The max size of the acceptable xml document will be bounded to 128k characters.

The metadata xml document should satisfy the following constraints: 1) Must contain an Identity Provider Entity ID. 2) Must contain at least one non-expired signing key certificate. 3) For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 15 years in the future. 4) Up to 3 IdP signing keys are allowed in the metadata xml.

When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.

string

Output only. The resource name of the key.

KeyData

Immutable. Public half of the asymmetric key.

State

Output only. The state of the key.

KeyUse

Required. The purpose of the key.

Timestamp

Output only. The time after which the key will be permanently deleted and cannot be recovered. Note that the key may get purged before this time if the total limit of keys per provider is exceeded.

string

Output only. The resource name of the WorkforcePoolSubject. Special characters, like / and :, must be escaped, because all URLs need to conform to the "When to Escape and Unescape" section of RFC3986.

Format: locations/{location}/workforcePools/{workforce_pool_id}/subjects/{subject_id}

Timestamp

Output only. The planned hard deletion time of this resource in RFC3339 text format.