package google.iam.credentials.v1
Get desktop application:
View/edit binary Protocol Buffers messages
A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved. Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.
Generates an OAuth 2.0 access token for a service account.
message
common.proto:29string name = 1
The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
repeated string delegates = 2
The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
repeated string scope = 4
Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.
optional lifetime = 7
The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.
message
common.proto:59string access_token = 1
The OAuth 2.0 access token.
optional expire_time = 3
Token expiration time. The expiration time is always set.
Generates an OpenID Connect ID token for a service account.
message
common.proto:126string name = 1
The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
repeated string delegates = 2
The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
string audience = 3
The audience for the token, such as the API or account that this token grants access to.
bool include_email = 4
Include the service account email in the token. If set to `true`, the token will contain `email` and `email_verified` claims.
message
common.proto:152string token = 1
The OpenId Connect ID token.
Exchange a JWT signed by third party identity provider to an OAuth 2.0 access token
message
common.proto:157string name = 1
The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
repeated string scope = 2
Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.
string jwt = 3
Required. Input token. Must be in JWT format according to RFC7523 (https://tools.ietf.org/html/rfc7523) and must have 'kid' field in the header. Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon). Mandatory payload fields (along the lines of RFC 7523, section 3): - iss: issuer of the token. Must provide a discovery document at $iss/.well-known/openid-configuration . The document needs to be formatted according to section 4.2 of the OpenID Connect Discovery 1.0 specification. - iat: Issue time in seconds since epoch. Must be in the past. - exp: Expiration time in seconds since epoch. Must be less than 48 hours after iat. We recommend to create tokens that last shorter than 6 hours to improve security unless business reasons mandate longer expiration times. Shorter token lifetimes are generally more secure since tokens that have been exfiltrated by attackers can be used for a shorter time. you can configure the maximum lifetime of the incoming token in the configuration of the mapper. The resulting Google token will expire within an hour or at "exp", whichever is earlier. - sub: JWT subject, identity asserted in the JWT. - aud: Configured in the mapper policy. By default the service account email. Claims from the incoming token can be transferred into the output token accoding to the mapper configuration. The outgoing claim size is limited. Outgoing claims size must be less than 4kB serialized as JSON without whitespace. Example header: { "alg": "RS256", "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8" } Example payload: { "iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud": "https://iamcredentials.googleapis.com/", "sub": "113475438248934895348", "my_claims": { "additional_claim": "value" } }
message
common.proto:217string access_token = 1
The OAuth 2.0 access token.
optional expire_time = 2
Token expiration time. The expiration time is always set.
rpc SignBlob (, )
iamcredentials.proto:56Signs a blob using a service account's system-managed private key.
message
common.proto:68string name = 1
The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
repeated string delegates = 3
The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
bytes payload = 5
The bytes to sign.
message
common.proto:89string key_id = 1
The ID of the key used to sign the blob.
bytes signed_blob = 4
The signed blob.
rpc SignJwt (, )
iamcredentials.proto:64Signs a JWT using a service account's system-managed private key.
message
common.proto:97string name = 1
The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
repeated string delegates = 3
The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
string payload = 5
The JWT payload to sign: a JSON object that contains a JWT Claims Set.
message
common.proto:118string key_id = 1
The ID of the key used to sign the JWT.
string signed_jwt = 2
The signed JWT.