@datafire/google_iam

Client library for Identity and Access Management (IAM) API

Installation and Usage

npm install --save @datafire/google_iam

let google_iam = require('@datafire/google_iam').create({
  access_token: "",
  refresh_token: "",
  client_id: "",
  client_secret: "",
  redirect_uri: ""
});

.then(data => {
  console.log(data);
});

Description

Manages identity and access control for Google Cloud Platform resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls.

Actions

oauthCallback

Exchange the code passed to your redirect URI for an access_token

google_iam.oauthCallback({
  "code": ""
}, context)

Input

• input object
  • code required string

Output

• output object
  • access_token string
  • refresh_token string
  • token_type string
  • scope string
  • expiration string

oauthRefresh

Exchange a refresh_token for an access_token

google_iam.oauthRefresh(null, context)

Input

This action has no parameters

Output

• output object
  • access_token string
  • refresh_token string
  • token_type string
  • scope string
  • expiration string

iam.iamPolicies.lintPolicy

Lints, or validates, an IAM policy. Currently checks the google.iam.v1.Binding.condition field, which contains a condition expression for a role binding. Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy.

google_iam.iam.iamPolicies.lintPolicy({}, context)

Input

• input object
  • body LintPolicyRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output LintPolicyResponse

iam.iamPolicies.queryAuditableServices

Returns a list of services that allow you to opt into audit logs that are not generated by default. To learn more about audit logs, see the Logging documentation.

google_iam.iam.iamPolicies.queryAuditableServices({}, context)

Input

• input object
  • body QueryAuditableServicesRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output QueryAuditableServicesResponse

iam.permissions.queryTestablePermissions

Lists every permission that you can test on a resource. A permission is testable if you can check whether a member has that permission on the resource.

google_iam.iam.permissions.queryTestablePermissions({}, context)

Input

• input object
  • body QueryTestablePermissionsRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output QueryTestablePermissionsResponse

iam.roles.list

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

google_iam.iam.roles.list({}, context)

Input

• input object
  • pageSize integer: Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000.
  • pageToken string: Optional pagination token returned in an earlier ListRolesResponse.
  • parent string: The parent parameter's value depends on the target resource for the request, namely roles, projects, or organizations. Each resource type's parent value format is described below: * roles.list(): An empty string. This method doesn't require a resource; it simply returns all predefined roles in Cloud IAM. Example request URL: https://iam.googleapis.com/v1/roles * projects.roles.list(): projects/{PROJECT_ID}. This method lists all project-level custom roles. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles * organizations.roles.list(): organizations/{ORGANIZATION_ID}. This method lists all organization-level custom roles. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
  • showDeleted boolean: Include Roles that have been deleted.
  • view string (values: BASIC, FULL): Optional view for the returned Role objects. When FULL is specified, the includedPermissions field is returned, which includes a list of all permissions in the role. The default value is BASIC, which does not return the includedPermissions field.
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ListRolesResponse

iam.roles.queryGrantableRoles

Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.

google_iam.iam.roles.queryGrantableRoles({}, context)

Input

• input object
  • body QueryGrantableRolesRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output QueryGrantableRolesResponse

iam.projects.serviceAccounts.keys.delete

Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

google_iam.iam.projects.serviceAccounts.keys.delete({
  "name": ""
}, context)

Input

• input object
  • name required string: Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • etag string: Used to perform a consistent read-modify-write.
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output Empty

iam.roles.get

Gets the definition of a Role.

google_iam.iam.roles.get({
  "name": ""
}, context)

Input

• input object
  • name required string: The name parameter's value depends on the target resource for the request, namely roles, projects, or organizations. Each resource type's name value format is described below: * roles.get(): roles/{ROLE_NAME}. This method returns results from all predefined roles in Cloud IAM. Example request URL: https://iam.googleapis.com/v1/roles/{ROLE_NAME} * projects.roles.get(): projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}. This method returns only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID} * organizations.roles.get(): organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}. This method returns only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID} Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
  • publicKeyType string (values: TYPE_NONE, TYPE_X509_PEM_FILE, TYPE_RAW_PUBLIC_KEY): The output format of the public key requested. X509_PEM is the default output format.
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output Role

iam.projects.serviceAccounts.patch

Patches a ServiceAccount.

google_iam.iam.projects.serviceAccounts.patch({
  "name": ""
}, context)

Input

• input object
  • name required string: The resource name of the service account. Use one of the following formats: * projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS} * projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: * projects/-/serviceAccounts/{EMAIL_ADDRESS} * projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to get the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.
  • updateMask string: A mask describing which fields in the Role have changed.
  • body PatchServiceAccountRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ServiceAccount

iam.projects.serviceAccounts.update

Note: We are in the process of deprecating this method. Use PatchServiceAccount instead. Updates a ServiceAccount. You can update only the display_name and description fields.

google_iam.iam.projects.serviceAccounts.update({
  "name": ""
}, context)

Input

• input object
  • name required string: The resource name of the service account. Use one of the following formats: * projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS} * projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: * projects/-/serviceAccounts/{EMAIL_ADDRESS} * projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to get the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.
  • body ServiceAccount
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ServiceAccount

iam.projects.serviceAccounts.keys.list

Lists every ServiceAccountKey for a service account.

google_iam.iam.projects.serviceAccounts.keys.list({
  "name": ""
}, context)

Input

• input object
  • name required string: Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID, will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • keyTypes array: Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned.
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ListServiceAccountKeysResponse

iam.projects.serviceAccounts.keys.create

Creates a ServiceAccountKey.

google_iam.iam.projects.serviceAccounts.keys.create({
  "name": ""
}, context)

Input

• input object
  • name required string: Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • body CreateServiceAccountKeyRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ServiceAccountKey

iam.projects.serviceAccounts.keys.upload

Creates a ServiceAccountKey, using a public key that you provide.

google_iam.iam.projects.serviceAccounts.keys.upload({
  "name": ""
}, context)

Input

• input object
  • name required string: The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • body UploadServiceAccountKeyRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ServiceAccountKey

iam.projects.serviceAccounts.list

Lists every ServiceAccount that belongs to a specific project.

google_iam.iam.projects.serviceAccounts.list({
  "name": ""
}, context)

Input

• input object
  • name required string: Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.
  • pageSize integer: Optional limit on the number of service accounts to include in the response. Further accounts can subsequently be obtained by including the ListServiceAccountsResponse.next_page_token in a subsequent request. The default is 20, and the maximum is 100.
  • pageToken string: Optional pagination token returned in an earlier ListServiceAccountsResponse.next_page_token.
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ListServiceAccountsResponse

iam.projects.serviceAccounts.create

Creates a ServiceAccount.

google_iam.iam.projects.serviceAccounts.create({
  "name": ""
}, context)

Input

• input object
  • name required string: Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.
  • body CreateServiceAccountRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ServiceAccount

iam.projects.serviceAccounts.disable

Disables a ServiceAccount immediately. If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail. To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount.

google_iam.iam.projects.serviceAccounts.disable({
  "name": ""
}, context)

Input

• input object
  • name required string: The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • body DisableServiceAccountRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output Empty

iam.projects.serviceAccounts.enable

Enables a ServiceAccount that was disabled by DisableServiceAccount. If the service account is already enabled, then this method has no effect. If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.

google_iam.iam.projects.serviceAccounts.enable({
  "name": ""
}, context)

Input

• input object
  • name required string: The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • body EnableServiceAccountRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output Empty

iam.projects.serviceAccounts.signBlob

Note: This method is deprecated and will stop working on July 1, 2021. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a blob using the system-managed private key for a ServiceAccount.

google_iam.iam.projects.serviceAccounts.signBlob({
  "name": ""
}, context)

Input

• input object
  • name required string: Required. Deprecated. Migrate to Service Account Credentials API. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • body SignBlobRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output SignBlobResponse

iam.projects.serviceAccounts.signJwt

Note: This method is deprecated and will stop working on July 1, 2021. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.

google_iam.iam.projects.serviceAccounts.signJwt({
  "name": ""
}, context)

Input

• input object
  • name required string: Required. Deprecated. Migrate to Service Account Credentials API. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • body SignJwtRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output SignJwtResponse

iam.projects.serviceAccounts.undelete

Restores a deleted ServiceAccount. Important: It is not always possible to restore a deleted service account. Use this method only as a last resort. After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.

google_iam.iam.projects.serviceAccounts.undelete({
  "name": ""
}, context)

Input

• input object
  • name required string: The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT_UNIQUE_ID}. Using - as a wildcard for the PROJECT_ID will infer the project from the account.
  • body UndeleteServiceAccountRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output UndeleteServiceAccountResponse

iam.projects.roles.list

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

google_iam.iam.projects.roles.list({
  "parent": ""
}, context)

Input

• input object
  • parent required string: The parent parameter's value depends on the target resource for the request, namely roles, projects, or organizations. Each resource type's parent value format is described below: * roles.list(): An empty string. This method doesn't require a resource; it simply returns all predefined roles in Cloud IAM. Example request URL: https://iam.googleapis.com/v1/roles * projects.roles.list(): projects/{PROJECT_ID}. This method lists all project-level custom roles. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles * organizations.roles.list(): organizations/{ORGANIZATION_ID}. This method lists all organization-level custom roles. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
  • pageSize integer: Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000.
  • pageToken string: Optional pagination token returned in an earlier ListRolesResponse.
  • showDeleted boolean: Include Roles that have been deleted.
  • view string (values: BASIC, FULL): Optional view for the returned Role objects. When FULL is specified, the includedPermissions field is returned, which includes a list of all permissions in the role. The default value is BASIC, which does not return the includedPermissions field.
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ListRolesResponse

iam.projects.roles.create

Creates a new custom Role.

google_iam.iam.projects.roles.create({
  "parent": ""
}, context)

Input

• input object
  • parent required string: The parent parameter's value depends on the target resource for the request, namely projects or organizations. Each resource type's parent value format is described below: * projects.roles.create(): projects/{PROJECT_ID}. This method creates project-level custom roles. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles * organizations.roles.create(): organizations/{ORGANIZATION_ID}. This method creates organization-level custom roles. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
  • body CreateRoleRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output Role

iam.projects.serviceAccounts.getIamPolicy

Gets the IAM policy that is attached to a ServiceAccount. This IAM policy specifies which members have access to the service account. This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

google_iam.iam.projects.serviceAccounts.getIamPolicy({
  "resource": ""
}, context)

Input

• input object
  • resource required string: REQUIRED: The resource for which the policy is being requested. See the operation documentation for the appropriate value for this field.
  • options.requestedPolicyVersion integer: Optional. The policy format version to be returned. Valid values are 0, 1, and 3. Requests specifying an invalid value will be rejected. Requests for policies with any conditional bindings must specify version 3. Policies without any conditional bindings may specify any valid value or leave the field unset. To learn which resources support conditions in their IAM policies, see the IAM documentation.
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output Policy

iam.projects.serviceAccounts.setIamPolicy

Sets the IAM policy that is attached to a ServiceAccount. Use this method to grant or revoke access to the service account. For example, you could grant a member the ability to impersonate the service account. This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps: 1. Call the resource's getIamPolicy method to get its current IAM policy. 2. Edit the policy so that it binds the service account to an IAM role for the resource. 3. Call the resource's setIamPolicy method to update its IAM policy. For detailed instructions, see Granting roles to a service account for specific resources.

google_iam.iam.projects.serviceAccounts.setIamPolicy({
  "resource": ""
}, context)

Input

• input object
  • resource required string: REQUIRED: The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field.
  • body SetIamPolicyRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output Policy

iam.projects.serviceAccounts.testIamPermissions

Tests whether the caller has the specified permissions on a ServiceAccount.

google_iam.iam.projects.serviceAccounts.testIamPermissions({
  "resource": ""
}, context)

Input

• input object
  • resource required string: REQUIRED: The resource for which the policy detail is being requested. See the operation documentation for the appropriate value for this field.
  • body TestIamPermissionsRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output TestIamPermissionsResponse

Definitions

AdminAuditData

• AdminAuditData object: Audit log information specific to Cloud IAM admin APIs. This message is serialized as an Any type in the ServiceData message of an AuditLog message.
  • permissionDelta PermissionDelta

AuditConfig

• AuditConfig object: Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: { "audit_configs": [ { "service": "allServices", "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" }, { "log_type": "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com", "audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] } For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
  • auditLogConfigs array: The configuration for logging of each type of permission.
    • items AuditLogConfig
  • service string: Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.

AuditData

• AuditData object: Audit log information specific to Cloud IAM. This message is serialized as an Any type in the ServiceData message of an AuditLog message.
  • policyDelta PolicyDelta

AuditLogConfig

• AuditLogConfig object: Provides the configuration for logging a type of permissions. Example: { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" } ] } This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
  • exemptedMembers array: Specifies the identities that do not cause logging for this type of permission. Follows the same format of Binding.members.
    • items string
  • logType string (values: LOG_TYPE_UNSPECIFIED, ADMIN_READ, DATA_WRITE, DATA_READ): The log type that this config enables.

AuditableService

• AuditableService object: Contains information about an auditable service.
  • name string: Public name of the service. For example, the service name for Cloud IAM is 'iam.googleapis.com'.

Binding

• Binding object: Associates members with a role.
  • condition Expr
  • members array: Specifies the identities requesting access for a Cloud Platform resource. members can have the following values: * allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. * allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. * user:{emailid}: An email address that represents a specific Google account. For example, alice@example.com . * serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * group:{emailid}: An email address that represents a Google group. For example, admins@example.com. * deleted:user:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a user that has been recently deleted. For example, alice@example.com?uid=123456789012345678901. If the user is recovered, this value reverts to user:{emailid} and the recovered user retains the role in the binding. * deleted:serviceAccount:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901. If the service account is undeleted, this value reverts to serviceAccount:{emailid} and the undeleted service account retains the role in the binding. * deleted:group:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, admins@example.com?uid=123456789012345678901. If the group is recovered, this value reverts to group:{emailid} and the recovered group retains the role in the binding. * domain:{domain}: The G Suite domain (primary) that represents all the users of that domain. For example, google.com or example.com.
    • items string
  • role string: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.

BindingDelta

• BindingDelta object: One delta entry for Binding. Each individual change (only one member in each entry) to a binding will be a separate entry.
  • action string (values: ACTION_UNSPECIFIED, ADD, REMOVE): The action that was performed on a Binding. Required
  • condition Expr
  • member string: A single identity requesting access for a Cloud Platform resource. Follows the same format of Binding.members. Required
  • role string: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner. Required

CreateRoleRequest

• CreateRoleRequest object: The request to create a new role.
  • role Role
  • roleId string: The role ID to use for this role. A role ID may contain alphanumeric characters, underscores (_), and periods (.). It must contain a minimum of 3 characters and a maximum of 64 characters.

CreateServiceAccountKeyRequest

• CreateServiceAccountKeyRequest object: The service account key create request.
  • keyAlgorithm string (values: KEY_ALG_UNSPECIFIED, KEY_ALG_RSA_1024, KEY_ALG_RSA_2048): Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future.
  • privateKeyType string (values: TYPE_UNSPECIFIED, TYPE_PKCS12_FILE, TYPE_GOOGLE_CREDENTIALS_FILE): The output format of the private key. The default value is TYPE_GOOGLE_CREDENTIALS_FILE, which is the Google Credentials File format.

CreateServiceAccountRequest

• CreateServiceAccountRequest object: The service account create request.
  • accountId string: Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression [a-z]([-a-z0-9]*[a-z0-9]) to comply with RFC1035.
  • serviceAccount ServiceAccount

DisableServiceAccountRequest

• DisableServiceAccountRequest object: The service account disable request.

Empty

• Empty object: A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } The JSON representation for Empty is empty JSON object {}.

EnableServiceAccountRequest

• EnableServiceAccountRequest object: The service account enable request.

Expr

• Expr object: Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
  • description string: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
  • expression string: Textual representation of an expression in Common Expression Language syntax.
  • location string: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
  • title string: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

LintPolicyRequest

• LintPolicyRequest object: The request to lint a Cloud IAM policy object.
  • condition Expr
  • fullResourceName string: The full resource name of the policy this lint request is about. The name follows the Google Cloud Platform (GCP) resource format. For example, a GCP project with ID my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project. The resource name is not used to read the policy instance from the Cloud IAM database. The candidate policy for lint has to be provided in the same request object.

LintPolicyResponse

• LintPolicyResponse object: The response of a lint operation. An empty response indicates the operation was able to fully execute and no lint issue was found.
  • lintResults array: List of lint results sorted by severity in descending order.
    • items LintResult

LintResult

• LintResult object: Structured response of a single validation unit.
  • debugMessage string: Human readable debug message associated with the issue.
  • fieldName string: The name of the field for which this lint result is about. For nested messages field_name consists of names of the embedded fields separated by period character. The top-level qualifier is the input object to lint in the request. For example, the field_name value condition.expression identifies a lint result for the expression field of the provided condition.
  • level string (values: LEVEL_UNSPECIFIED, CONDITION): The validation unit level.
  • locationOffset integer: 0-based character position of problematic construct within the object identified by field_name. Currently, this is populated only for condition expression.
  • severity string (values: SEVERITY_UNSPECIFIED, ERROR, WARNING, NOTICE, INFO, DEPRECATED): The validation unit severity.
  • validationUnitName string: The validation unit name, for instance "lintValidationUnits/ConditionComplexityCheck".

ListRolesResponse

• ListRolesResponse object: The response containing the roles defined under a resource.
  • nextPageToken string: To retrieve the next page of results, set ListRolesRequest.page_token to this value.
  • roles array: The Roles defined on this resource.
    • items Role

ListServiceAccountKeysResponse

• ListServiceAccountKeysResponse object: The service account keys list response.
  • keys array: The public keys for the service account.
    • items ServiceAccountKey

ListServiceAccountsResponse

• ListServiceAccountsResponse object: The service account list response.
  • accounts array: The list of matching service accounts.
    • items ServiceAccount
  • nextPageToken string: To retrieve the next page of results, set ListServiceAccountsRequest.page_token to this value.

Operation

• Operation object: This resource represents a long-running operation that is the result of a network API call.
  • done boolean: If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
  • error Status
  • metadata object: Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any.
  • name string: The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the name should be a resource name ending with operations/{unique_id}.
  • response object: The normal response of the operation in case of success. If the original method returns no data on success, such as Delete, the response is google.protobuf.Empty. If the original method is standard Get/Create/Update, the response should be the resource. For other methods, the response should have the type XxxResponse, where Xxx is the original method name. For example, if the original method name is TakeSnapshot(), the inferred response type is TakeSnapshotResponse.

PatchServiceAccountRequest

• PatchServiceAccountRequest object: The request for PatchServiceAccount. You can patch only the display_name and description fields. You must use the update_mask field to specify which of these fields you want to patch. Only the fields specified in the request are guaranteed to be returned in the response. Other fields may be empty in the response.
  • serviceAccount ServiceAccount
  • updateMask string

Permission

• Permission object: A permission which can be included by a role.
  • apiDisabled boolean: The service API associated with the permission is not enabled.
  • customRolesSupportLevel string (values: SUPPORTED, TESTING, NOT_SUPPORTED): The current custom role support level.
  • description string: A brief description of what this Permission is used for. This permission can ONLY be used in predefined roles.
  • name string: The name of this Permission.
  • onlyInPredefinedRoles boolean
  • primaryPermission string: The preferred name for this permission. If present, then this permission is an alias of, and equivalent to, the listed primary_permission.
  • stage string (values: ALPHA, BETA, GA, DEPRECATED): The current launch stage of the permission.
  • title string: The title of this Permission.

PermissionDelta

• PermissionDelta object: A PermissionDelta message to record the added_permissions and removed_permissions inside a role.
  • addedPermissions array: Added permissions.
    • items string
  • removedPermissions array: Removed permissions.
    • items string

Policy

• Policy object: An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation. JSON example: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } YAML example: bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3 For a description of IAM and its features, see the IAM documentation.
  • auditConfigs array: Specifies cloud audit logging configuration for this policy.
    • items AuditConfig
  • bindings array: Associates a list of members to a role. Optionally, may specify a condition that determines how and when the bindings are applied. Each of the bindings must contain at least one member.
    • items Binding
  • etag string: etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy. Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.
  • version integer: Specifies the format of the policy. Valid values are 0, 1, and 3. Requests that specify an invalid value are rejected. Any operation that affects conditional role bindings must specify version 3. This requirement applies to the following operations: * Getting a policy that includes a conditional role binding * Adding a conditional role binding to a policy * Changing a conditional role binding in a policy * Removing any role binding, with or without a condition, from a policy that includes conditions Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost. If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset. To learn which resources support conditions in their IAM policies, see the IAM documentation.

PolicyDelta

• PolicyDelta object: The difference delta between two policies.
  • bindingDeltas array: The delta for Bindings between two policies.
    • items BindingDelta

QueryAuditableServicesRequest

• QueryAuditableServicesRequest object: A request to get the list of auditable services for a resource.
  • fullResourceName string: Required. The full resource name to query from the list of auditable services. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

QueryAuditableServicesResponse

• QueryAuditableServicesResponse object: A response containing a list of auditable services for a resource.
  • services array: The auditable services for a resource.
    • items AuditableService

QueryGrantableRolesRequest

• QueryGrantableRolesRequest object: The grantable role query request.
  • fullResourceName string: Required. The full resource name to query from the list of grantable roles. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.
  • pageSize integer: Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000.
  • pageToken string: Optional pagination token returned in an earlier QueryGrantableRolesResponse.
  • view string (values: BASIC, FULL)

QueryGrantableRolesResponse

• QueryGrantableRolesResponse object: The grantable role query response.
  • nextPageToken string: To retrieve the next page of results, set QueryGrantableRolesRequest.page_token to this value.
  • roles array: The list of matching roles.
    • items Role

QueryTestablePermissionsRequest

• QueryTestablePermissionsRequest object: A request to get permissions which can be tested on a resource.
  • fullResourceName string: Required. The full resource name to query from the list of testable permissions. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.
  • pageSize integer: Optional limit on the number of permissions to include in the response. The default is 100, and the maximum is 1,000.
  • pageToken string: Optional pagination token returned in an earlier QueryTestablePermissionsRequest.

QueryTestablePermissionsResponse

• QueryTestablePermissionsResponse object: The response containing permissions which can be tested on a resource.
  • nextPageToken string: To retrieve the next page of results, set QueryTestableRolesRequest.page_token to this value.
  • permissions array: The Permissions testable on the requested resource.
    • items Permission

Role

• Role object: A role in the Identity and Access Management API.
  • deleted boolean: The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.
  • description string: Optional. A human-readable description for the role.
  • etag string: Used to perform a consistent read-modify-write.
  • includedPermissions array: The names of the permissions this role grants when bound in an IAM policy.
    • items string
  • name string: The name of the role. When Role is used in CreateRole, the role name must not be set. When Role is used in output and other input such as UpdateRole, the role name is the complete path, e.g., roles/logging.viewer for predefined roles and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles.
  • stage string (values: ALPHA, BETA, GA, DEPRECATED, DISABLED, EAP): The current launch stage of the role. If the ALPHA launch stage has been selected for a role, the stage field will not be included in the returned definition for the role.
  • title string: Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.

ServiceAccount

• ServiceAccount object: An IAM service account. A service account is an account for an application or a virtual machine (VM) instance, not a person. You can use a service account to call Google APIs. To learn more, read the overview of service accounts. When you create a service account, you specify the project ID that owns the service account, as well as a name that must be unique within the project. IAM uses these values to create an email address that identifies the service account.
  • description string: Optional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes.
  • disabled boolean: Output only. Whether the service account is disabled.
  • displayName string: Optional. A user-specified, human-readable name for the service account. The maximum length is 100 UTF-8 bytes.
  • email string: Output only. The email address of the service account.
  • etag string: Deprecated. Do not use.
  • name string: The resource name of the service account. Use one of the following formats: * projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS} * projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: * projects/-/serviceAccounts/{EMAIL_ADDRESS} * projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to get the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.
  • oauth2ClientId string: Output only. The OAuth 2.0 client ID for the service account.
  • projectId string: Output only. The ID of the project that owns the service account.
  • uniqueId string: Output only. The unique, stable numeric ID for the service account. Each service account retains its unique ID even if you delete the service account. For example, if you delete a service account, then create a new service account with the same name, the new service account has a different unique ID than the deleted service account.

ServiceAccountKey

• ServiceAccountKey object: Represents a service account key. A service account has two sets of key-pairs: user-managed, and system-managed. User-managed key-pairs can be created and deleted by users. Users are responsible for rotating these keys periodically to ensure security of their service accounts. Users retain the private key of these key-pairs, and Google retains ONLY the public key. System-managed keys are automatically rotated by Google, and are used for signing for a maximum of two weeks. The rotation process is probabilistic, and usage of the new key will gradually ramp up and down over the key's lifetime. If you cache the public key set for a service account, we recommend that you update the cache every 15 minutes. User-managed keys can be added and removed at any time, so it is important to update the cache frequently. For Google-managed keys, Google will publish a key at least 6 hours before it is first used for signing and will keep publishing it for at least 6 hours after it was last used for signing. Public keys for all service accounts are also published at the OAuth2 Service Account API.
  • keyAlgorithm string (values: KEY_ALG_UNSPECIFIED, KEY_ALG_RSA_1024, KEY_ALG_RSA_2048): Specifies the algorithm (and possibly key size) for the key.
  • keyOrigin string (values: ORIGIN_UNSPECIFIED, USER_PROVIDED, GOOGLE_PROVIDED): The key origin.
  • keyType string (values: KEY_TYPE_UNSPECIFIED, USER_MANAGED, SYSTEM_MANAGED): The key type.
  • name string: The resource name of the service account key in the following format projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.
  • privateKeyData string: The private key data. Only provided in CreateServiceAccountKey responses. Make sure to keep the private key data secure because it allows for the assertion of the service account identity. When base64 decoded, the private key data can be used to authenticate with Google API client libraries and with gcloud auth activate-service-account.
  • privateKeyType string (values: TYPE_UNSPECIFIED, TYPE_PKCS12_FILE, TYPE_GOOGLE_CREDENTIALS_FILE): The output format for the private key. Only provided in CreateServiceAccountKey responses, not in GetServiceAccountKey or ListServiceAccountKey responses. Google never exposes system-managed private keys, and never retains user-managed private keys.
  • publicKeyData string: The public key data. Only provided in GetServiceAccountKey responses.
  • validAfterTime string: The key can be used after this timestamp.
  • validBeforeTime string: The key can be used before this timestamp. For system-managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time.

SetIamPolicyRequest

• SetIamPolicyRequest object: Request message for SetIamPolicy method.
  • policy Policy
  • updateMask string: OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only the fields in the mask will be modified. If no mask is provided, the following default mask is used: paths: "bindings, etag"

SignBlobRequest

• SignBlobRequest object: Deprecated. Migrate to Service Account Credentials API. The service account sign blob request.
  • bytesToSign string: Required. Deprecated. Migrate to Service Account Credentials API. The bytes to sign.

SignBlobResponse

• SignBlobResponse object: Deprecated. Migrate to Service Account Credentials API. The service account sign blob response.
  • keyId string: Deprecated. Migrate to Service Account Credentials API. The id of the key used to sign the blob.
  • signature string: Deprecated. Migrate to Service Account Credentials API. The signed blob.

SignJwtRequest

• SignJwtRequest object: Deprecated. Migrate to Service Account Credentials API. The service account sign JWT request.
  • payload string: Required. Deprecated. Migrate to Service Account Credentials API. The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. For example: {"sub": "user@example.com", "iat": 313435} If the JWT Claims Set contains an expiration time (exp) claim, it must be an integer timestamp that is not in the past and no more than 1 hour in the future. If the JWT Claims Set does not contain an expiration time (exp) claim, this claim is added automatically, with a timestamp that is 1 hour in the future.

SignJwtResponse

• SignJwtResponse object: Deprecated. Migrate to Service Account Credentials API. The service account sign JWT response.
  • keyId string: Deprecated. Migrate to Service Account Credentials API. The id of the key used to sign the JWT.
  • signedJwt string: Deprecated. Migrate to Service Account Credentials API. The signed JWT.

Status

• Status object: The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.
  • code integer: The status code, which should be an enum value of google.rpc.Code.
  • details array: A list of messages that carry the error details. There is a common set of message types for APIs to use.
    • items object
  • message string: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.

TestIamPermissionsRequest

• TestIamPermissionsRequest object: Request message for TestIamPermissions method.
  • permissions array: The set of permissions to check for the resource. Permissions with wildcards (such as '' or 'storage.') are not allowed. For more information see IAM Overview.
    • items string

TestIamPermissionsResponse

• TestIamPermissionsResponse object: Response message for TestIamPermissions method.
  • permissions array: A subset of TestPermissionsRequest.permissions that the caller is allowed.
    • items string

UndeleteRoleRequest

• UndeleteRoleRequest object: The request to undelete an existing role.
  • etag string: Used to perform a consistent read-modify-write.

UndeleteServiceAccountRequest

• UndeleteServiceAccountRequest object: The service account undelete request.

UndeleteServiceAccountResponse

• UndeleteServiceAccountResponse object
  • restoredAccount ServiceAccount

UploadServiceAccountKeyRequest

• UploadServiceAccountKeyRequest object: The service account key upload request.
  • publicKeyData string: A field that allows clients to upload their own public key. If set, use this public key data to create a service account key for given service account. Please note, the expected format for this field is X509_PEM.