Creates and manages service account objects. Service account is an account that belongs to your project instead of to an individual end user. It is used to authenticate calls to a Google API. To create a service account, specify the `project_id` and `account_id` for the account. The `account_id` is unique within the project, and used to generate the service account email address and a stable `unique_id`. All other methods can identify accounts using the format `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a wildcard for the `PROJECT_ID` will infer the project from the account. The `ACCOUNT` value can be the `email` address or the `unique_id` of the service account.
Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project.
The service account list request.
Required. The resource name of the project associated with the service accounts, such as `projects/my-project-123`.
Optional limit on the number of service accounts to include in the response. Further accounts can subsequently be obtained by including the [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token] in a subsequent request.
Optional pagination token returned in an earlier [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token].
The service account list response.
The list of matching service accounts.
To retrieve the next page of results, set [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token] to this value.
Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
The service account get request.
Required. The resource name of the service account in the following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a wildcard for the `PROJECT_ID` will infer the project from the account. The `ACCOUNT` value can be the `email` address or the `unique_id` of the service account.
Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount] and returns it.
The service account create request.
Required. The resource name of the project associated with the service accounts, such as `projects/my-project-123`.
Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to create. Currently, only the following values are user assignable: `display_name` and `description`.
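As an added illustration of the naming rules described above (example code, not part of the IAM API or its client libraries): a client-side check of a new `account_id` against the stated length and pattern, and a parser for the `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}` names (with the optional `/keys/{key}` suffix) that the other methods accept, including the `-` wildcard. Treating an `ACCOUNT` that contains `@` as an email and anything else as a `unique_id` is this example's own assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Pattern and length bounds for account_id as stated for CreateServiceAccount
# (RFC 1035 style label, 6-30 characters).
ACCOUNT_ID_RE = re.compile(r"[a-z]([-a-z0-9]*[a-z0-9])")
ACCOUNT_ID_MIN, ACCOUNT_ID_MAX = 6, 30

# Resource names accepted by the service account and key methods.  The optional
# "/keys/{key}" suffix covers GetServiceAccountKey / DeleteServiceAccountKey names.
_RESOURCE_NAME_RE = re.compile(
    r"projects/(?P<project>[^/]+)/serviceAccounts/(?P<account>[^/]+)"
    r"(?:/keys/(?P<key>[^/]+))?"
)


def validate_account_id(account_id: str) -> bool:
    """True if account_id satisfies the documented length and pattern rules."""
    if not ACCOUNT_ID_MIN <= len(account_id) <= ACCOUNT_ID_MAX:
        return False
    return ACCOUNT_ID_RE.fullmatch(account_id) is not None


@dataclass(frozen=True)
class ServiceAccountName:
    project_id: Optional[str]  # None when the name used the "-" wildcard
    account: str               # email address or unique_id
    account_kind: str          # "email" or "unique_id" (assumption: emails contain "@")
    key_id: Optional[str] = None


def parse_resource_name(name: str) -> ServiceAccountName:
    """Split a service account (or key) resource name into its parts.

    Raises ValueError for anything outside the documented format so a caller
    never forwards a malformed name to the API.
    """
    match = _RESOURCE_NAME_RE.fullmatch(name)
    if match is None:
        raise ValueError(f"not a service account resource name: {name!r}")
    project = match.group("project")
    account = match.group("account")
    return ServiceAccountName(
        project_id=None if project == "-" else project,
        account=account,
        account_kind="email" if "@" in account else "unique_id",
        key_id=match.group("key"),
    )


def canonical_name(parsed: ServiceAccountName) -> str:
    """Rebuild the name.  Responses always carry a concrete PROJECT_ID, so a
    parsed name that still holds the wildcard is rejected here."""
    if parsed.project_id is None:
        raise ValueError("canonical names must not use the '-' wildcard")
    name = f"projects/{parsed.project_id}/serviceAccounts/{parsed.account}"
    if parsed.key_id is not None:
        name += f"/keys/{parsed.key_id}"
    return name
```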
Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. Currently, only the following fields are updatable: `display_name` and `description`.
Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
The service account delete request.
Required. The resource name of the service account in the following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a wildcard for the `PROJECT_ID` will infer the project from the account. The `ACCOUNT` value can be the `email` address or the `unique_id` of the service account.
Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey].
The service account keys list request.
Required. The resource name of the service account in the following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a wildcard for the `PROJECT_ID` will infer the project from the account. The `ACCOUNT` value can be the `email` address or the `unique_id` of the service account.
Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned.
The service account keys list response.
The public keys for the service account.
Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] by key id.
The service account key get by id request.
Required. The resource name of the service account key in the following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. Using `-` as a wildcard for the `PROJECT_ID` will infer the project from the account. The `ACCOUNT` value can be the `email` address or the `unique_id` of the service account.
The output format of the public key requested. X509_PEM is the default output format.
Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] and returns it.
The service account key create request.
Required. The resource name of the service account in the following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a wildcard for the `PROJECT_ID` will infer the project from the account. The `ACCOUNT` value can be the `email` address or the `unique_id` of the service account.
The output format of the private key. The default value is `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File format.
Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future.
Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
The service account key delete request.
Required. The resource name of the service account key in the following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. Using `-` as a wildcard for the `PROJECT_ID` will infer the project from the account. The `ACCOUNT` value can be the `email` address or the `unique_id` of the service account.
Signs a blob using a service account's system-managed private key.
The service account sign blob request.
Required. The resource name of the service account in the following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a wildcard for the `PROJECT_ID` will infer the project from the account. The `ACCOUNT` value can be the `email` address or the `unique_id` of the service account.
Required. The bytes to sign.
The service account sign blob response.
The id of the key used to sign the blob.
The signed blob.
Signs a JWT using a service account's system-managed private key. If no expiry time (`exp`) is provided in the `SignJwtRequest`, IAM sets an expiry time of one hour by default. If you request an expiry time of more than one hour, the request will fail.
The service account sign JWT request.
Required. The resource name of the service account in the following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a wildcard for the `PROJECT_ID` will infer the project from the account. The `ACCOUNT` value can be the `email` address or the `unique_id` of the service account.
Required. The JWT payload to sign, a JSON JWT Claim set.
The service account sign JWT response.
The id of the key used to sign the JWT.
The signed JWT.
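An added example (not code from the IAM API or its client libraries) applying the SignJwt expiry rule described above on the client side, plus an unverified decoder for the returned signed JWT so the caller can confirm the claims match what was requested. The `kid`-free header and the constructed token in the comments are this example's own assumptions; real verification needs the public key of the `key_id` in the response.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Stated for SignJwt: the default lifetime is one hour and anything longer fails.
MAX_JWT_LIFETIME = 3600


def prepare_sign_jwt_payload(claims: dict, now: Optional[int] = None) -> str:
    """Return the JSON claim set to send as SignJwtRequest.payload.

    A missing exp gets the one-hour default IAM would apply anyway; an exp more
    than one hour out (which IAM rejects) or already in the past raises before
    any request is made.
    """
    now = int(time.time()) if now is None else int(now)
    claims = dict(claims)
    exp = claims.get("exp")
    if exp is None:
        claims["exp"] = now + MAX_JWT_LIFETIME
    else:
        exp = int(exp)
        if exp <= now:
            raise ValueError("exp is not in the future")
        if exp - now > MAX_JWT_LIFETIME:
            raise ValueError("exp is more than one hour ahead; SignJwt will fail")
    return json.dumps(claims, separators=(",", ":"), sort_keys=True)


def _b64url_decode(segment: str) -> bytes:
    # Compact JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_signed_jwt(signed_jwt: str) -> Tuple[dict, dict, bytes]:
    """Decode header, claim set and raw signature of a compact JWT WITHOUT
    verifying it.  Only for sanity-checking a SignJwt response; trust requires
    verifying the signature with the public key of the response's key_id."""
    parts = signed_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, _b64url_decode(parts[2])


def response_contains_request(payload_json: str, signed_jwt: str) -> bool:
    """True if every claim that was sent appears unchanged in the signed JWT."""
    requested = json.loads(payload_json)
    _, claims, _ = split_signed_jwt(signed_jwt)
    return all(claims.get(k) == v for k, v in requested.items())
```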
Returns the Cloud IAM access control policy for a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. Note: Service accounts are both [resources and identities](/iam/docs/service-accounts#service_account_permissions). This method treats the service account as a resource. It returns the Cloud IAM policy that reflects what members have access to the service account. This method does not return what resources the service account has access to. To see if a service account has access to a resource, call the `getIamPolicy` method on the target resource. For example, to view grants for a project, call the [projects.getIamPolicy](/resource-manager/reference/rest/v1/projects/getIamPolicy) method.
Sets the Cloud IAM access control policy for a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. Note: Service accounts are both [resources and identities](/iam/docs/service-accounts#service_account_permissions). This method treats the service account as a resource. Use it to grant members access to the service account, such as when they need to impersonate it. This method does not grant the service account access to other resources, such as projects. To grant a service account access to resources, include the service account in the Cloud IAM policy for the desired resource, then call the appropriate `setIamPolicy` method on the target resource. For example, to grant a service account access to a project, call the [projects.setIamPolicy](/resource-manager/reference/rest/v1/projects/setIamPolicy) method.
Tests the specified permissions against the IAM access control policy for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
Queries roles that can be granted on a particular resource. A role is grantable if it can be used as the role in a binding for a policy for that resource.
The grantable role query request.
Required. The full resource name to query from the list of grantable roles. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id `my-project` will be named `//cloudresourcemanager.googleapis.com/projects/my-project`.
Optional limit on the number of roles to include in the response.
Optional pagination token returned in an earlier QueryGrantableRolesResponse.
The grantable role query response.
The list of matching roles.
To retrieve the next page of results, set `QueryGrantableRolesRequest.page_token` to this value.
Lists the Roles defined on a resource.
The request to get all roles defined under a resource.
The `parent` parameter's value depends on the target resource for the request, namely [`roles`](/iam/reference/rest/v1/roles), [`projects`](/iam/reference/rest/v1/projects.roles), or [`organizations`](/iam/reference/rest/v1/organizations.roles). Each resource type's `parent` value format is described below: * [`roles.list()`](/iam/reference/rest/v1/roles/list): An empty string. This method doesn't require a resource; it simply returns all [predefined roles](/iam/docs/understanding-roles#predefined_roles) in Cloud IAM. Example request URL: `https://iam.googleapis.com/v1/roles` * [`projects.roles.list()`](/iam/reference/rest/v1/projects.roles/list): `projects/{PROJECT_ID}`. This method lists all project-level [custom roles](/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` * [`organizations.roles.list()`](/iam/reference/rest/v1/organizations.roles/list): `organizations/{ORGANIZATION_ID}`. This method lists all organization-level [custom roles](/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
Optional limit on the number of roles to include in the response.
Optional pagination token returned in an earlier ListRolesResponse.
Optional view for the returned Role objects. When `FULL` is specified, the `includedPermissions` field is returned, which includes a list of all permissions in the role. The default value is `BASIC`, which does not return the `includedPermissions` field.
Include Roles that have been deleted.
The response containing the roles defined under a resource.
The Roles defined on this resource.
To retrieve the next page of results, set `ListRolesRequest.page_token` to this value.
Gets a Role definition.
The request to get the definition of an existing role.
The `name` parameter's value depends on the target resource for the request, namely [`roles`](/iam/reference/rest/v1/roles), [`projects`](/iam/reference/rest/v1/projects.roles), or [`organizations`](/iam/reference/rest/v1/organizations.roles). Each resource type's `name` value format is described below: * [`roles.get()`](/iam/reference/rest/v1/roles/get): `roles/{ROLE_NAME}`. This method returns results from all [predefined roles](/iam/docs/understanding-roles#predefined_roles) in Cloud IAM. Example request URL: `https://iam.googleapis.com/v1/roles/{ROLE_NAME}` * [`projects.roles.get()`](/iam/reference/rest/v1/projects.roles/get): `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only [custom roles](/iam/docs/understanding-custom-roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` * [`organizations.roles.get()`](/iam/reference/rest/v1/organizations.roles/get): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only [custom roles](/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
Creates a new Role.
The request to create a new role.
The `parent` parameter's value depends on the target resource for the request, namely [`projects`](/iam/reference/rest/v1/projects.roles) or [`organizations`](/iam/reference/rest/v1/organizations.roles). Each resource type's `parent` value format is described below: * [`projects.roles.create()`](/iam/reference/rest/v1/projects.roles/create): `projects/{PROJECT_ID}`. This method creates project-level [custom roles](/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` * [`organizations.roles.create()`](/iam/reference/rest/v1/organizations.roles/create): `organizations/{ORGANIZATION_ID}`. This method creates organization-level [custom roles](/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
The role ID to use for this role.
The Role resource to create.
Updates a Role definition.
The request to update a role.
The `name` parameter's value depends on the target resource for the request, namely [`projects`](/iam/reference/rest/v1/projects.roles) or [`organizations`](/iam/reference/rest/v1/organizations.roles). Each resource type's `name` value format is described below: * [`projects.roles.patch()`](/iam/reference/rest/v1/projects.roles/patch): `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only [custom roles](/iam/docs/understanding-custom-roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` * [`organizations.roles.patch()`](/iam/reference/rest/v1/organizations.roles/patch): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only [custom roles](/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
The updated role.
A mask describing which fields in the Role have changed.
Soft deletes a role. The role is suspended and cannot be used to create new IAM Policy Bindings. The Role will not be included in `ListRoles()` unless `show_deleted` is set in the `ListRolesRequest`. The Role is returned with its `deleted` boolean set. Existing Bindings remain, but are inactive. The Role can be undeleted within 7 days. After 7 days the Role is deleted and all Bindings associated with the role are removed.
The request to delete an existing role.
The `name` parameter's value depends on the target resource for the request, namely [`projects`](/iam/reference/rest/v1/projects.roles) or [`organizations`](/iam/reference/rest/v1/organizations.roles). Each resource type's `name` value format is described below: * [`projects.roles.delete()`](/iam/reference/rest/v1/projects.roles/delete): `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only [custom roles](/iam/docs/understanding-custom-roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` * [`organizations.roles.delete()`](/iam/reference/rest/v1/organizations.roles/delete): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only [custom roles](/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
Used to perform a consistent read-modify-write.
Undelete a Role, bringing it back in its previous state.
The request to undelete an existing role.
The `name` parameter's value depends on the target resource for the request, namely [`projects`](/iam/reference/rest/v1/projects.roles) or [`organizations`](/iam/reference/rest/v1/organizations.roles). Each resource type's `name` value format is described below: * [`projects.roles.undelete()`](/iam/reference/rest/v1/projects.roles/undelete): `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes only [custom roles](/iam/docs/understanding-custom-roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` * [`organizations.roles.undelete()`](/iam/reference/rest/v1/organizations.roles/undelete): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes only [custom roles](/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
Used to perform a consistent read-modify-write.
Lists the permissions testable on a resource. A permission is testable if it can be tested for an identity on a resource.
A request to get permissions which can be tested on a resource.
Required. The full resource name to query from the list of testable permissions. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id `my-project` will be named `//cloudresourcemanager.googleapis.com/projects/my-project`.
Optional limit on the number of permissions to include in the response.
Optional pagination token returned in an earlier QueryTestablePermissionsRequest.
The response containing permissions which can be tested on a resource.
The Permissions testable on the requested resource.
To retrieve the next page of results, set `QueryTestableRolesRequest.page_token` to this value.
`KeyType` filters to selectively retrieve certain varieties of keys.
Unspecified key type. The presence of this in the message will immediately result in an error.
User-managed keys (managed and rotated by the user).
System-managed keys (managed and rotated by Google).
A permission which can be included by a role.
The name of this Permission.
The title of this Permission.
A brief description of what this Permission is used for. This permission can ONLY be used in predefined roles.
This permission can ONLY be used in predefined roles.
The current launch stage of the permission.
The current custom role support level.
The state of the permission with regards to custom roles.
Permission is fully supported for custom role use.
Permission is being tested to check custom role compatibility.
Permission is not supported for custom role use.
A stage representing a permission's lifecycle phase.
The permission is currently in an alpha phase.
The permission is currently in a beta phase.
The permission is generally available.
The permission is being deprecated.
A role in the Identity and Access Management API.
Used as response type in: IAM.CreateRole, IAM.DeleteRole, IAM.GetRole, IAM.UndeleteRole, IAM.UpdateRole
The name of the role. When Role is used in CreateRole, the role name must not be set. When Role is used in output and other input such as UpdateRole, the role name is the complete path, e.g., `roles/logging.viewer` for predefined roles and `organizations/{ORGANIZATION_ID}/roles/logging.viewer` for custom roles.
Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.
Optional. A human-readable description for the role.
The names of the permissions this role grants when bound in an IAM policy.
The current launch stage of the role. If the `ALPHA` launch stage has been selected for a role, the `stage` field will not be included in the returned definition for the role.
Used to perform a consistent read-modify-write.
The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.
A stage representing a role's lifecycle phase.
The user has indicated this role is currently in an Alpha phase. If this launch stage is selected, the `stage` field will not be included when requesting the definition for a given role.
The user has indicated this role is currently in a Beta phase.
The user has indicated this role is generally available.
The user has indicated this role is being deprecated.
This role is disabled and will not contribute permissions to any members it is granted to in policies.
The user has indicated this role is currently in an EAP phase.
A view for Role objects.
Omits the `included_permissions` field. This is the default value.
Returns all fields.
A service account in the Identity and Access Management API. To create a service account, specify the `project_id` and the `account_id` for the account. The `account_id` is unique within the project, and is used to generate the service account email address and a stable `unique_id`. If the account already exists, the account's resource name is returned in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller can use the name in other methods to access the account. All other methods can identify the service account using the format `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a wildcard for the `PROJECT_ID` will infer the project from the account. The `ACCOUNT` value can be the `email` address or the `unique_id` of the service account.
Used as request type in: IAM.UpdateServiceAccount
Used as response type in: IAM.CreateServiceAccount, IAM.GetServiceAccount, IAM.UpdateServiceAccount
The resource name of the service account in the following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Requests using `-` as a wildcard for the `PROJECT_ID` will infer the project from the `account` and the `ACCOUNT` value can be the `email` address or the `unique_id` of the service account. In responses the resource name will always be in the format `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
@OutputOnly The id of the project that owns the service account.
@OutputOnly The unique and stable id of the service account.
@OutputOnly The email address of the service account.
Optional. A user-specified name for the service account. Must be less than or equal to 100 UTF-8 bytes.
Optional. Note: `etag` is an inoperable legacy field that is only returned for backwards compatibility.
@OutputOnly. The OAuth2 client id for the service account. This is used in conjunction with the OAuth2 clientconfig API to make three legged OAuth2 (3LO) flows to access the data of Google users.
Represents a service account key. A service account has two sets of key-pairs: user-managed, and system-managed. User-managed key-pairs can be created and deleted by users. Users are responsible for rotating these keys periodically to ensure security of their service accounts. Users retain the private key of these key-pairs, and Google retains ONLY the public key. System-managed keys are automatically rotated by Google, and are used for signing for a maximum of two weeks. The rotation process is probabilistic, and usage of the new key will gradually ramp up and down over the key's lifetime. We recommend caching the public key set for a service account for no more than 24 hours to ensure you have access to the latest keys. Public keys for all service accounts are also published at the OAuth2 Service Account API.
Used as response type in: IAM.CreateServiceAccountKey, IAM.GetServiceAccountKey
The resource name of the service account key in the following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
The output format for the private key. Only provided in `CreateServiceAccountKey` responses, not in `GetServiceAccountKey` or `ListServiceAccountKey` responses. Google never exposes system-managed private keys, and never retains user-managed private keys.
Specifies the algorithm (and possibly key size) for the key.
The private key data. Only provided in `CreateServiceAccountKey` responses. Make sure to keep the private key data secure because it allows for the assertion of the service account identity. When base64 decoded, the private key data can be used to authenticate with Google API client libraries and with <a href="/sdk/gcloud/reference/auth/activate-service-account">gcloud auth activate-service-account</a>.
The public key data. Only provided in `GetServiceAccountKey` responses.
The key can be used after this timestamp.
The key can be used before this timestamp. For system-managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time.
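An added example (not code from the IAM API or its client libraries) of the caching advice given for service account keys above: a verifier-side cache that keeps one service account's public key set for at most 24 hours, selects the key named by a SignBlob/SignJwt response's `key_id`, and enforces the `valid_after`/`valid_before` window. The `refetch_interval` rate limit and the `grace_seconds` parameter are this example's own assumptions; the page says a key can still verify "for a few hours" after `valid_before` but gives no number, so the default grace is zero.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Stated on the page: cache a service account's public key set for at most 24 hours.
MAX_CACHE_AGE = 24 * 3600


@dataclass(frozen=True)
class PublicKey:
    """Verification-relevant subset of a ServiceAccountKey (constructed, not the
    full message)."""
    key_id: str
    public_key_data: bytes  # X509 PEM or raw, depending on the requested format
    valid_after: float      # epoch seconds; the key can be used after this
    valid_before: float     # epoch seconds; end of signing for system-managed keys


class ServiceAccountKeyCache:
    """Caches one service account's public keys and picks the key to verify a
    signature with, given the key_id from a SignBlob/SignJwt response.

    refetch_interval (assumption) rate-limits the early re-fetch triggered by an
    unknown key id, so a stream of bogus key ids cannot turn every verification
    into an API call.  grace_seconds (assumption) models post-valid_before
    verification; policy is the caller's choice, so it defaults to zero.
    """

    def __init__(self, fetch_keys: Callable[[], Dict[str, PublicKey]],
                 clock: Callable[[], float] = time.time,
                 refetch_interval: float = 60.0, grace_seconds: float = 0.0):
        self._fetch_keys = fetch_keys
        self._clock = clock
        self._refetch_interval = refetch_interval
        self._grace = grace_seconds
        self._keys: Dict[str, PublicKey] = {}
        self._fetched_at: Optional[float] = None
        self.fetch_count = 0  # observable so refresh churn can be alerted on

    def _refresh(self) -> None:
        self._keys = dict(self._fetch_keys())
        self._fetched_at = self._clock()
        self.fetch_count += 1

    def _stale(self, now: float) -> bool:
        return self._fetched_at is None or now - self._fetched_at >= MAX_CACHE_AGE

    def key_for(self, key_id: str, signed_at: Optional[float] = None) -> Optional[PublicKey]:
        """Return the key to verify with, or None if it is unknown or was outside
        its validity window at signed_at (default: now)."""
        now = self._clock()
        signed_at = now if signed_at is None else signed_at
        if self._stale(now):
            self._refresh()
        key = self._keys.get(key_id)
        if key is None and now - self._fetched_at >= self._refetch_interval:
            # System-managed keys rotate; a freshly rotated-in key may be absent
            # from a set fetched earlier, so allow one early refresh.
            self._refresh()
            key = self._keys.get(key_id)
        if key is None:
            return None
        if signed_at < key.valid_after or signed_at > key.valid_before + self._grace:
            return None
        return key
```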
Supported key algorithms.
An unspecified key algorithm.
1k RSA Key.
2k RSA Key.
Supported private key output formats.
Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`.
PKCS12 format. The password for the PKCS12 file is `notasecret`. For more information, see https://tools.ietf.org/html/rfc7292.
Google Credentials File format.
Supported public key output formats.
Unspecified. Returns nothing here.
X509 PEM format.
Raw public key.