package google.iam.admin.v1

Get desktop application:
View/edit binary Protocol Buffers messages

Creates and manages service account objects. Service account is an account that belongs to your project instead of to an individual end user. It is used to authenticate calls to a Google API. To create a service account, specify the `project_id` and `account_id` for the account. The `account_id` is unique within the project, and used to generate the service account email address and a stable `unique_id`. All other methods can identify accounts using the format `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. Using `-` as a wildcard for the project will infer the project from the account. The `account` value can be the `email` address or the `unique_id` of the service account.

• rpc ListServiceAccounts (ListServiceAccountsRequest, ListServiceAccountsResponse)

  iam.proto:50

  Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project.

  message ListServiceAccountsRequest

  iam.proto:322

  The service account list request.

  • string name = 1

    Required. The resource name of the project associated with the service accounts, such as `projects/my-project-123`.

  • int32 page_size = 2

    Optional limit on the number of service accounts to include in the response. Further accounts can subsequently be obtained by including the [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token] in a subsequent request.

  • string page_token = 3

    Optional pagination token returned in an earlier [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token].

  message ListServiceAccountsResponse

  iam.proto:339

  The service account list response.

  • repeated ServiceAccount accounts = 1

    The list of matching service accounts.

  • string next_page_token = 2

    To retrieve the next page of results, set [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token] to this value.

• rpc GetServiceAccount (GetServiceAccountRequest, ServiceAccount)

  iam.proto:58

  Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

  message GetServiceAccountRequest

  iam.proto:350

  The service account get request.

  • string name = 1

    The resource name of the service account in the following format: `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. Using `-` as a wildcard for the project will infer the project from the account. The `account` value can be the `email` address or the `unique_id` of the service account.

• rpc CreateServiceAccount (CreateServiceAccountRequest, ServiceAccount)

  iam.proto:66

  Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount] and returns it.

  message CreateServiceAccountRequest

  iam.proto:304

  The service account create request.

  • string name = 1

    Required. The resource name of the project associated with the service accounts, such as `projects/my-project-123`.

  • string account_id = 2

    Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.

  • optional ServiceAccount service_account = 3

    The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to create. Currently, only the following values are user assignable: `display_name` .

• rpc UpdateServiceAccount (ServiceAccount, ServiceAccount)

  iam.proto:79

  Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. Currently, only the following fields are updatable: `display_name` . The `etag` is mandatory.

• rpc DeleteServiceAccount (DeleteServiceAccountRequest, protobuf.Empty)

  iam.proto:87

  Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

  message DeleteServiceAccountRequest

  iam.proto:360

  The service account delete request.

  • string name = 1

    The resource name of the service account in the following format: `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. Using `-` as a wildcard for the project will infer the project from the account. The `account` value can be the `email` address or the `unique_id` of the service account.

• rpc ListServiceAccountKeys (ListServiceAccountKeysRequest, ListServiceAccountKeysResponse)

  iam.proto:95

  Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey].

  message ListServiceAccountKeysRequest

  iam.proto:370

  The service account keys list request.

  • string name = 1

    The resource name of the service account in the following format: `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. Using `-` as a wildcard for the project, will infer the project from the account. The `account` value can be the `email` address or the `unique_id` of the service account.

  • repeated ListServiceAccountKeysRequest.KeyType key_types = 2

    Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned.

  message ListServiceAccountKeysResponse

  iam.proto:400

  The service account keys list response.

  • repeated ServiceAccountKey keys = 1

    The public keys for the service account.

• rpc GetServiceAccountKey (GetServiceAccountKeyRequest, ServiceAccountKey)

  iam.proto:104

  Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] by key id.

  message GetServiceAccountKeyRequest

  iam.proto:406

  The service account key get by id request.

  • string name = 1

    The resource name of the service account key in the following format: `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`. Using `-` as a wildcard for the project will infer the project from the account. The `account` value can be the `email` address or the `unique_id` of the service account.

  • ServiceAccountPublicKeyType public_key_type = 2

    The output format of the public key requested. X509_PEM is the default output format.

• rpc CreateServiceAccountKey (CreateServiceAccountKeyRequest, ServiceAccountKey)

  iam.proto:113

  Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] and returns it.

  message CreateServiceAccountKeyRequest

  iam.proto:472

  The service account key create request.

  • string name = 1

    The resource name of the service account in the following format: `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. Using `-` as a wildcard for the project will infer the project from the account. The `account` value can be the `email` address or the `unique_id` of the service account.

  • ServiceAccountPrivateKeyType private_key_type = 2

    The output format of the private key. `GOOGLE_CREDENTIALS_FILE` is the default output format.

  • ServiceAccountKeyAlgorithm key_algorithm = 3

    Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future.

• rpc DeleteServiceAccountKey (DeleteServiceAccountKeyRequest, protobuf.Empty)

  iam.proto:122

  Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

  message DeleteServiceAccountKeyRequest

  iam.proto:491

  The service account key delete request.

  • string name = 1

    The resource name of the service account key in the following format: `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`. Using `-` as a wildcard for the project will infer the project from the account. The `account` value can be the `email` address or the `unique_id` of the service account.

• rpc SignBlob (SignBlobRequest, SignBlobResponse)

  iam.proto:130

  Signs a blob using a service account's system-managed private key.

  message SignBlobRequest

  iam.proto:501

  The service account sign blob request.

  • string name = 1

    The resource name of the service account in the following format: `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. Using `-` as a wildcard for the project will infer the project from the account. The `account` value can be the `email` address or the `unique_id` of the service account.

  • bytes bytes_to_sign = 2

    The bytes to sign.

  message SignBlobResponse

  iam.proto:514

  The service account sign blob response.

  • string key_id = 1

    The id of the key used to sign the blob.

  • bytes signature = 2

    The signed blob.

• rpc SignJwt (SignJwtRequest, SignJwtResponse)

  iam.proto:142

  Signs a JWT using a service account's system-managed private key. If no expiry time (`exp`) is provided in the `SignJwtRequest`, IAM sets an an expiry time of one hour by default. If you request an expiry time of more than one hour, the request will fail.

  message SignJwtRequest

  iam.proto:523

  The service account sign JWT request.

  • string name = 1

    The resource name of the service account in the following format: `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. Using `-` as a wildcard for the project will infer the project from the account. The `account` value can be the `email` address or the `unique_id` of the service account.

  • string payload = 2

    The JWT payload to sign, a JSON JWT Claim set.

  message SignJwtResponse

  iam.proto:536

  The service account sign JWT response.

  • string key_id = 1

    The id of the key used to sign the JWT.

  • string signed_jwt = 2

    The signed JWT.

• rpc GetIamPolicy (v1.GetIamPolicyRequest, v1.Policy)

  iam.proto:151

  Returns the IAM access control policy for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

• rpc SetIamPolicy (v1.SetIamPolicyRequest, v1.Policy)

  iam.proto:161

  Sets the IAM access control policy for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

• rpc TestIamPermissions (v1.TestIamPermissionsRequest, v1.TestIamPermissionsResponse)

  iam.proto:171

  Tests the specified permissions against the IAM access control policy for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

• rpc QueryGrantableRoles (QueryGrantableRolesRequest, QueryGrantableRolesResponse)

  iam.proto:182

  Queries roles that can be granted on a particular resource. A role is grantable if it can be used as the role in a binding for a policy for that resource.

  message QueryGrantableRolesRequest

  iam.proto:599

  The grantable role query request.

  • string full_resource_name = 1

    Required. The full resource name to query from the list of grantable roles. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id `my-project` will be named `//cloudresourcemanager.googleapis.com/projects/my-project`.

  • RoleView view = 2

  • int32 page_size = 3

    Optional limit on the number of roles to include in the response.

  • string page_token = 4

    Optional pagination token returned in an earlier QueryGrantableRolesResponse.

  message QueryGrantableRolesResponse

  iam.proto:618

  The grantable role query response.

  • repeated Role roles = 1

    The list of matching roles.

  • string next_page_token = 2

    To retrieve the next page of results, set `QueryGrantableRolesRequest.page_token` to this value.

• rpc ListRoles (ListRolesRequest, ListRolesResponse)

  iam.proto:191

  Lists the Roles defined on a resource.

  message ListRolesRequest

  iam.proto:628

  The request to get all roles defined under a resource.

  • string parent = 1

    The resource name of the parent resource in one of the following formats: `` (empty string) -- this refers to curated roles. `organizations/{ORGANIZATION_ID}` `projects/{PROJECT_ID}`

  • int32 page_size = 2

    Optional limit on the number of roles to include in the response.

  • string page_token = 3

    Optional pagination token returned in an earlier ListRolesResponse.

  • RoleView view = 4

    Optional view for the returned Role objects.

  • bool show_deleted = 6

    Include Roles that have been deleted.

  message ListRolesResponse

  iam.proto:649

  The response containing the roles defined under a resource.

  • repeated Role roles = 1

    The Roles defined on this resource.

  • string next_page_token = 2

    To retrieve the next page of results, set `ListRolesRequest.page_token` to this value.

• rpc GetRole (GetRoleRequest, Role)

  iam.proto:198

  Gets a Role definition.

  message GetRoleRequest

  iam.proto:659

  The request to get the definition of an existing role.

  • string name = 1

    The resource name of the role in one of the following formats: `roles/{ROLE_NAME}` `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}` `projects/{PROJECT_ID}/roles/{ROLE_NAME}`

• rpc CreateRole (CreateRoleRequest, Role)

  iam.proto:205

  Creates a new Role.

  message CreateRoleRequest

  iam.proto:668

  The request to create a new role.

  • string parent = 1

    The resource name of the parent resource in one of the following formats: `organizations/{ORGANIZATION_ID}` `projects/{PROJECT_ID}`

  • string role_id = 2

    The role id to use for this role.

  • optional Role role = 3

    The Role resource to create.

• rpc UpdateRole (UpdateRoleRequest, Role)

  iam.proto:213

  Updates a Role definition.

  message UpdateRoleRequest

  iam.proto:682

  The request to update a role.

  • string name = 1

    The resource name of the role in one of the following formats: `roles/{ROLE_NAME}` `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}` `projects/{PROJECT_ID}/roles/{ROLE_NAME}`

  • optional Role role = 2

    The updated role.

  • optional protobuf.FieldMask update_mask = 3

    A mask describing which fields in the Role have changed.

• rpc DeleteRole (DeleteRoleRequest, Role)

  iam.proto:227

  Soft deletes a role. The role is suspended and cannot be used to create new IAM Policy Bindings. The Role will not be included in `ListRoles()` unless `show_deleted` is set in the `ListRolesRequest`. The Role contains the deleted boolean set. Existing Bindings remains, but are inactive. The Role can be undeleted within 7 days. After 7 days the Role is deleted and all Bindings associated with the role are removed.

  message DeleteRoleRequest

  iam.proto:697

  The request to delete an existing role.

  • string name = 1

    The resource name of the role in one of the following formats: `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}` `projects/{PROJECT_ID}/roles/{ROLE_NAME}`

  • bytes etag = 2

    Used to perform a consistent read-modify-write.

• rpc UndeleteRole (UndeleteRoleRequest, Role)

  iam.proto:234

  Undelete a Role, bringing it back in its previous state.

  message UndeleteRoleRequest

  iam.proto:708

  The request to undelete an existing role.

  • string name = 1

    The resource name of the role in one of the following formats: `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}` `projects/{PROJECT_ID}/roles/{ROLE_NAME}`

  • bytes etag = 2

    Used to perform a consistent read-modify-write.

• rpc QueryTestablePermissions (QueryTestablePermissionsRequest, QueryTestablePermissionsResponse)

  iam.proto:243

  Lists the permissions testable on a resource. A permission is testable if it can be tested for an identity on a resource.

  message QueryTestablePermissionsRequest

  iam.proto:767

  A request to get permissions which can be tested on a resource.

  • string full_resource_name = 1

    Required. The full resource name to query from the list of testable permissions. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id `my-project` will be named `//cloudresourcemanager.googleapis.com/projects/my-project`.

  • int32 page_size = 2

    Optional limit on the number of permissions to include in the response.

  • string page_token = 3

    Optional pagination token returned in an earlier QueryTestablePermissionsRequest.

  message QueryTestablePermissionsResponse

  iam.proto:785

  The response containing permissions which can be tested on a resource.

  • repeated Permission permissions = 1

    The Permissions testable on the requested resource.

  • string next_page_token = 2

    To retrieve the next page of results, set `QueryTestableRolesRequest.page_token` to this value.

`KeyType` filters to selectively retrieve certain varieties of keys.

Used in: ListServiceAccountKeysRequest

• KEY_TYPE_UNSPECIFIED = 0

  Unspecified key type. The presence of this in the message will immediately result in an error.

• USER_MANAGED = 1

  User-managed keys (managed and rotated by the user).

• SYSTEM_MANAGED = 2

  System-managed keys (managed and rotated by Google).

A permission which can be included by a role.

Used in: QueryTestablePermissionsResponse

• string name = 1

  The name of this Permission.

• string title = 2

  The title of this Permission.

• string description = 3

  A brief description of what this Permission is used for.

• bool only_in_predefined_roles = 4

  This permission can ONLY be used in predefined roles.

• Permission.PermissionLaunchStage stage = 5

  The current launch stage of the permission.

• Permission.CustomRolesSupportLevel custom_roles_support_level = 6

  The current custom role support level.

The state of the permission with regards to custom roles.

Used in: Permission

• SUPPORTED = 0

  Permission is fully supported for custom role use.

• TESTING = 1

  Permission is being tested to check custom role compatibility.

• NOT_SUPPORTED = 2

  Permission is not supported for custom role use.

A stage representing a permission's lifecycle phase.

Used in: Permission

• ALPHA = 0

  The permission is currently in an alpha phase.

• BETA = 1

  The permission is currently in a beta phase.

• GA = 2

  The permission is generally available.

• DEPRECATED = 3

  The permission is being deprecated.

A role in the Identity and Access Management API.

Used as response type in: IAM.CreateRole, IAM.DeleteRole, IAM.GetRole, IAM.UndeleteRole, IAM.UpdateRole

Used as field type in: CreateRoleRequest, ListRolesResponse, QueryGrantableRolesResponse, UpdateRoleRequest

• string name = 1

  The name of the role. When Role is used in CreateRole, the role name must not be set. When Role is used in output and other input such as UpdateRole, the role name is the complete path, e.g., roles/logging.viewer for curated roles and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles.

• string title = 2

  Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.

• string description = 3

  Optional. A human-readable description for the role.

• repeated string included_permissions = 7

  The names of the permissions this role grants when bound in an IAM policy.

• Role.RoleLaunchStage stage = 8

  The current launch stage of the role.

• bytes etag = 9

  Used to perform a consistent read-modify-write.

• bool deleted = 11

  The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.

A stage representing a role's lifecycle phase.

Used in: Role

• ALPHA = 0

  The user has indicated this role is currently in an alpha phase.

• BETA = 1

  The user has indicated this role is currently in a beta phase.

• GA = 2

  The user has indicated this role is generally available.

• DEPRECATED = 4

  The user has indicated this role is being deprecated.

• DISABLED = 5

  This role is disabled and will not contribute permissions to any members it is granted to in policies.

• EAP = 6

  The user has indicated this role is currently in an eap phase.

A view for Role objects.

Used in: ListRolesRequest, QueryGrantableRolesRequest

• BASIC = 0

  Omits the `included_permissions` field. This is the default value.

• FULL = 1

  Returns all fields.

A service account in the Identity and Access Management API. To create a service account, specify the `project_id` and the `account_id` for the account. The `account_id` is unique within the project, and is used to generate the service account email address and a stable `unique_id`. If the account already exists, the account's resource name is returned in util::Status's ResourceInfo.resource_name in the format of projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}. The caller can use the name in other methods to access the account. All other methods can identify the service account using the format `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. Using `-` as a wildcard for the project will infer the project from the account. The `account` value can be the `email` address or the `unique_id` of the service account.

Used as request type in: IAM.UpdateServiceAccount

Used as response type in: IAM.CreateServiceAccount, IAM.GetServiceAccount, IAM.UpdateServiceAccount

Used as field type in: CreateServiceAccountRequest, ListServiceAccountsResponse

• string name = 1

  The resource name of the service account in the following format: `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. Requests using `-` as a wildcard for the project will infer the project from the `account` and the `account` value can be the `email` address or the `unique_id` of the service account. In responses the resource name will always be in the format `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.

• string project_id = 2

  @OutputOnly The id of the project that owns the service account.

• string unique_id = 4

  @OutputOnly The unique and stable id of the service account.

• string email = 5

  @OutputOnly The email address of the service account.

• string display_name = 6

  Optional. A user-specified description of the service account. Must be fewer than 100 UTF-8 bytes.

• bytes etag = 7

  Used to perform a consistent read-modify-write.

• string oauth2_client_id = 9

  @OutputOnly. The OAuth2 client id for the service account. This is used in conjunction with the OAuth2 clientconfig API to make three legged OAuth2 (3LO) flows to access the data of Google users.

Represents a service account key. A service account has two sets of key-pairs: user-managed, and system-managed. User-managed key-pairs can be created and deleted by users. Users are responsible for rotating these keys periodically to ensure security of their service accounts. Users retain the private key of these key-pairs, and Google retains ONLY the public key. System-managed key-pairs are managed automatically by Google, and rotated daily without user intervention. The private key never leaves Google's servers to maximize security. Public keys for all service accounts are also published at the OAuth2 Service Account API.

Used as response type in: IAM.CreateServiceAccountKey, IAM.GetServiceAccountKey

Used as field type in: ListServiceAccountKeysResponse

• string name = 1

  The resource name of the service account key in the following format `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`.

• ServiceAccountPrivateKeyType private_key_type = 2

  The output format for the private key. Only provided in `CreateServiceAccountKey` responses, not in `GetServiceAccountKey` or `ListServiceAccountKey` responses. Google never exposes system-managed private keys, and never retains user-managed private keys.

• ServiceAccountKeyAlgorithm key_algorithm = 8

  Specifies the algorithm (and possibly key size) for the key.

• bytes private_key_data = 3

  The private key data. Only provided in `CreateServiceAccountKey` responses. Make sure to keep the private key data secure because it allows for the assertion of the service account identity. When decoded, the private key data can be used to authenticate with Google API client libraries and with <a href="/sdk/gcloud/reference/auth/activate-service-account">gcloud auth activate-service-account</a>.

• bytes public_key_data = 7

  The public key data. Only provided in `GetServiceAccountKey` responses.

• optional protobuf.Timestamp valid_after_time = 4

  The key can be used after this timestamp.

• optional protobuf.Timestamp valid_before_time = 5

  The key can be used before this timestamp.

Supported key algorithms.

Used in: CreateServiceAccountKeyRequest, ServiceAccountKey

• KEY_ALG_UNSPECIFIED = 0

  An unspecified key algorithm.

• KEY_ALG_RSA_1024 = 1

  1k RSA Key.

• KEY_ALG_RSA_2048 = 2

  2k RSA Key.

Supported private key output formats.

Used in: CreateServiceAccountKeyRequest, ServiceAccountKey

• TYPE_UNSPECIFIED = 0

  Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`.

• TYPE_PKCS12_FILE = 1

  PKCS12 format. The password for the PKCS12 file is `notasecret`. For more information, see https://tools.ietf.org/html/rfc7292.

• TYPE_GOOGLE_CREDENTIALS_FILE = 2

  Google Credentials File format.

Supported public key output formats.

Used in: GetServiceAccountKeyRequest

• TYPE_NONE = 0

  Unspecified. Returns nothing here.

• TYPE_X509_PEM_FILE = 1

  X509 PEM format.

• TYPE_RAW_PUBLIC_KEY = 2

  Raw public key.