Google Git
Sign in
bazel / bazel / d71164547cd6c4628a83ac97505584bb21d35d9e / . / third_party / googleapis / google / iam / admin / v1 / iam.proto
blob: 2e2fe2b72fc7aeee685f040471bda9fe1707ea15 [file] [log] [blame]
// Copyright 2016 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package google.iam.admin.v1;
import "google/api/annotations.proto";
import "google/iam/v1/iam_policy.proto";
import "google/iam/v1/policy.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";
option cc_enable_arenas = true;
option go_package = "google.golang.org/genproto/googleapis/iam/admin/v1;admin";
option java_multiple_files = true;
option java_outer_classname = "IamProto";
option java_package = "com.google.iam.admin.v1";
// Creates and manages service account objects.
//
// Service account is an account that belongs to your project instead
// of to an individual end user. It is used to authenticate calls
// to a Google API.
//
// To create a service account, specify the `project_id` and `account_id`
// for the account. The `account_id` is unique within the project, and used
// to generate the service account email address and a stable
// `unique_id`.
//
// All other methods can identify accounts using the format
// `projects/{project}/serviceAccounts/{account}`.
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
service IAM {
// Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project.
rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) {
option (google.api.http) = { get: "/v1/{name=projects/*}/serviceAccounts" };
}
// Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount) {
option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*}" };
}
// Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]
// and returns it.
rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) {
option (google.api.http) = { post: "/v1/{name=projects/*}/serviceAccounts" body: "*" };
}
// Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
//
// Currently, only the following fields are updatable:
// `display_name` .
// The `etag` is mandatory.
rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) {
option (google.api.http) = { put: "/v1/{name=projects/*/serviceAccounts/*}" body: "*" };
}
// Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) {
option (google.api.http) = { delete: "/v1/{name=projects/*/serviceAccounts/*}" };
}
// Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey].
rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) {
option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*}/keys" };
}
// Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
// by key id.
rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) {
option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" };
}
// Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
// and returns it.
rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) {
option (google.api.http) = { post: "/v1/{name=projects/*/serviceAccounts/*}/keys" body: "*" };
}
// Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) {
option (google.api.http) = { delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" };
}
// Signs a blob using a service account's system-managed private key.
rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) {
option (google.api.http) = { post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob" body: "*" };
}
// Returns the IAM access control policy for a
// [ServiceAccount][google.iam.admin.v1.ServiceAccount].
rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy" body: "" };
}
// Sets the IAM access control policy for a
// [ServiceAccount][google.iam.admin.v1.ServiceAccount].
rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy" body: "*" };
}
// Tests the specified permissions against the IAM access control policy
// for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions" body: "*" };
}
// Queries roles that can be granted on a particular resource.
// A role is grantable if it can be used as the role in a binding for a policy
// for that resource.
rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) {
option (google.api.http) = { post: "/v1/roles:queryGrantableRoles" body: "*" };
}
}
// A service account in the Identity and Access Management API.
//
// To create a service account, specify the `project_id` and the `account_id`
// for the account. The `account_id` is unique within the project, and is used
// to generate the service account email address and a stable
// `unique_id`.
//
// If the account already exists, the account's resource name is returned
// in util::Status's ResourceInfo.resource_name in the format of
// projects/{project}/serviceAccounts/{email}. The caller can use the name in
// other methods to access the account.
//
// All other methods can identify the service account using the format
// `projects/{project}/serviceAccounts/{account}`.
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
message ServiceAccount {
// The resource name of the service account in the following format:
// `projects/{project}/serviceAccounts/{account}`.
//
// Requests using `-` as a wildcard for the project will infer the project
// from the `account` and the `account` value can be the `email` address or
// the `unique_id` of the service account.
//
// In responses the resource name will always be in the format
// `projects/{project}/serviceAccounts/{email}`.
string name = 1;
// @OutputOnly The id of the project that owns the service account.
string project_id = 2;
// @OutputOnly The unique and stable id of the service account.
string unique_id = 4;
// @OutputOnly The email address of the service account.
string email = 5;
// Optional. A user-specified description of the service account. Must be
// fewer than 100 UTF-8 bytes.
string display_name = 6;
// Used to perform a consistent read-modify-write.
bytes etag = 7;
// @OutputOnly. The OAuth2 client id for the service account.
// This is used in conjunction with the OAuth2 clientconfig API to make
// three legged OAuth2 (3LO) flows to access the data of Google users.
string oauth2_client_id = 9;
}
// The service account create request.
message CreateServiceAccountRequest {
// Required. The resource name of the project associated with the service
// accounts, such as `projects/my-project-123`.
string name = 1;
// Required. The account id that is used to generate the service account
// email address and a stable unique id. It is unique within a project,
// must be 6-30 characters long, and match the regular expression
// `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
string account_id = 2;
// The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to create.
// Currently, only the following values are user assignable:
// `display_name` .
ServiceAccount service_account = 3;
}
// The service account list request.
message ListServiceAccountsRequest {
// Required. The resource name of the project associated with the service
// accounts, such as `projects/my-project-123`.
string name = 1;
// Optional limit on the number of service accounts to include in the
// response. Further accounts can subsequently be obtained by including the
// [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token]
// in a subsequent request.
int32 page_size = 2;
// Optional pagination token returned in an earlier
// [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token].
string page_token = 3;
}
// The service account list response.
message ListServiceAccountsResponse {
// The list of matching service accounts.
repeated ServiceAccount accounts = 1;
// To retrieve the next page of results, set
// [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token]
// to this value.
string next_page_token = 2;
}
// The service account get request.
message GetServiceAccountRequest {
// The resource name of the service account in the following format:
// `projects/{project}/serviceAccounts/{account}`.
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
string name = 1;
}
// The service account delete request.
message DeleteServiceAccountRequest {
// The resource name of the service account in the following format:
// `projects/{project}/serviceAccounts/{account}`.
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
string name = 1;
}
// The service account keys list request.
message ListServiceAccountKeysRequest {
// `KeyType` filters to selectively retrieve certain varieties
// of keys.
enum KeyType {
// Unspecified key type. The presence of this in the
// message will immediately result in an error.
KEY_TYPE_UNSPECIFIED = 0;
// User-managed keys (managed and rotated by the user).
USER_MANAGED = 1;
// System-managed keys (managed and rotated by Google).
SYSTEM_MANAGED = 2;
}
// The resource name of the service account in the following format:
// `projects/{project}/serviceAccounts/{account}`.
//
// Using `-` as a wildcard for the project, will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
string name = 1;
// Filters the types of keys the user wants to include in the list
// response. Duplicate key types are not allowed. If no key type
// is provided, all keys are returned.
repeated KeyType key_types = 2;
}
// The service account keys list response.
message ListServiceAccountKeysResponse {
// The public keys for the service account.
repeated ServiceAccountKey keys = 1;
}
// The service account key get by id request.
message GetServiceAccountKeyRequest {
// The resource name of the service account key in the following format:
// `projects/{project}/serviceAccounts/{account}/keys/{key}`.
//
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
string name = 1;
// The output format of the public key requested.
// X509_PEM is the default output format.
ServiceAccountPublicKeyType public_key_type = 2;
}
// Represents a service account key.
//
// A service account has two sets of key-pairs: user-managed, and
// system-managed.
//
// User-managed key-pairs can be created and deleted by users. Users are
// responsible for rotating these keys periodically to ensure security of
// their service accounts. Users retain the private key of these key-pairs,
// and Google retains ONLY the public key.
//
// System-managed key-pairs are managed automatically by Google, and rotated
// daily without user intervention. The private key never leaves Google's
// servers to maximize security.
//
// Public keys for all service accounts are also published at the OAuth2
// Service Account API.
message ServiceAccountKey {
// The resource name of the service account key in the following format
// `projects/{project}/serviceAccounts/{account}/keys/{key}`.
string name = 1;
// The output format for the private key.
// Only provided in `CreateServiceAccountKey` responses, not
// in `GetServiceAccountKey` or `ListServiceAccountKey` responses.
//
// Google never exposes system-managed private keys, and never retains
// user-managed private keys.
ServiceAccountPrivateKeyType private_key_type = 2;
// Specifies the algorithm (and possibly key size) for the key.
ServiceAccountKeyAlgorithm key_algorithm = 8;
// The private key data. Only provided in `CreateServiceAccountKey`
// responses.
bytes private_key_data = 3;
// The public key data. Only provided in `GetServiceAccountKey` responses.
bytes public_key_data = 7;
// The key can be used after this timestamp.
google.protobuf.Timestamp valid_after_time = 4;
// The key can be used before this timestamp.
google.protobuf.Timestamp valid_before_time = 5;
}
// The service account key create request.
message CreateServiceAccountKeyRequest {
// The resource name of the service account in the following format:
// `projects/{project}/serviceAccounts/{account}`.
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
string name = 1;
// The output format of the private key. `GOOGLE_CREDENTIALS_FILE` is the
// default output format.
ServiceAccountPrivateKeyType private_key_type = 2;
// Which type of key and algorithm to use for the key.
// The default is currently a 4K RSA key. However this may change in the
// future.
ServiceAccountKeyAlgorithm key_algorithm = 3;
}
// The service account key delete request.
message DeleteServiceAccountKeyRequest {
// The resource name of the service account key in the following format:
// `projects/{project}/serviceAccounts/{account}/keys/{key}`.
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
string name = 1;
}
// The service account sign blob request.
message SignBlobRequest {
// The resource name of the service account in the following format:
// `projects/{project}/serviceAccounts/{account}`.
// Using `-` as a wildcard for the project will infer the project from
// the account. The `account` value can be the `email` address or the
// `unique_id` of the service account.
string name = 1;
// The bytes to sign.
bytes bytes_to_sign = 2;
}
// The service account sign blob response.
message SignBlobResponse {
// The id of the key used to sign the blob.
string key_id = 1;
// The signed blob.
bytes signature = 2;
}
// A role in the Identity and Access Management API.
message Role {
// The name of the role.
//
// When Role is used in CreateRole, the role name must not be set.
//
// When Role is used in output and other input such as UpdateRole, the role
// name is the complete path, e.g., roles/logging.viewer for curated roles
// and organizations/{organization-id}/roles/logging.viewer for custom roles.
string name = 1;
// Optional. A human-readable title for the role. Typically this
// is limited to 100 UTF-8 bytes.
string title = 2;
// Optional. A human-readable description for the role.
string description = 3;
}
// The grantable role query request.
message QueryGrantableRolesRequest {
// Required. The full resource name to query from the list of grantable roles.
//
// The name follows the Google Cloud Platform resource format.
// For example, a Cloud Platform project with id `my-project` will be named
// `//cloudresourcemanager.googleapis.com/projects/my-project`.
string full_resource_name = 1;
}
// The grantable role query response.
message QueryGrantableRolesResponse {
// The list of matching roles.
repeated Role roles = 1;
}
// Supported key algorithms.
enum ServiceAccountKeyAlgorithm {
// An unspecified key algorithm.
KEY_ALG_UNSPECIFIED = 0;
// 1k RSA Key.
KEY_ALG_RSA_1024 = 1;
// 2k RSA Key.
KEY_ALG_RSA_2048 = 2;
}
// Supported private key output formats.
enum ServiceAccountPrivateKeyType {
// Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`.
TYPE_UNSPECIFIED = 0;
// PKCS12 format.
// The password for the PKCS12 file is `notasecret`.
// For more information, see https://tools.ietf.org/html/rfc7292.
TYPE_PKCS12_FILE = 1;
// Google Credentials File format.
TYPE_GOOGLE_CREDENTIALS_FILE = 2;
}
// Supported public key output formats.
enum ServiceAccountPublicKeyType {
// Unspecified. Returns nothing here.
TYPE_NONE = 0;
// X509 PEM format.
TYPE_X509_PEM_FILE = 1;
// Raw public key.
TYPE_RAW_PUBLIC_KEY = 2;
}