diff options
Diffstat (limited to 'third_party/googleapis/google/iam/admin/v1/iam.proto')
-rw-r--r-- | third_party/googleapis/google/iam/admin/v1/iam.proto | 469 |
1 files changed, 469 insertions, 0 deletions
diff --git a/third_party/googleapis/google/iam/admin/v1/iam.proto b/third_party/googleapis/google/iam/admin/v1/iam.proto new file mode 100644 index 0000000000..2e2fe2b72f --- /dev/null +++ b/third_party/googleapis/google/iam/admin/v1/iam.proto @@ -0,0 +1,469 @@ +// Copyright 2016 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.iam.admin.v1; + +import "google/api/annotations.proto"; +import "google/iam/v1/iam_policy.proto"; +import "google/iam/v1/policy.proto"; +import "google/protobuf/empty.proto"; +import "google/protobuf/field_mask.proto"; +import "google/protobuf/timestamp.proto"; + +option cc_enable_arenas = true; +option go_package = "google.golang.org/genproto/googleapis/iam/admin/v1;admin"; +option java_multiple_files = true; +option java_outer_classname = "IamProto"; +option java_package = "com.google.iam.admin.v1"; + + +// Creates and manages service account objects. +// +// Service account is an account that belongs to your project instead +// of to an individual end user. It is used to authenticate calls +// to a Google API. +// +// To create a service account, specify the `project_id` and `account_id` +// for the account. The `account_id` is unique within the project, and used +// to generate the service account email address and a stable +// `unique_id`. +// +// All other methods can identify accounts using the format +// `projects/{project}/serviceAccounts/{account}`. +// Using `-` as a wildcard for the project will infer the project from +// the account. The `account` value can be the `email` address or the +// `unique_id` of the service account. +service IAM { + // Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project. + rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) { + option (google.api.http) = { get: "/v1/{name=projects/*}/serviceAccounts" }; + } + + // Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount) { + option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*}" }; + } + + // Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount] + // and returns it. + rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) { + option (google.api.http) = { post: "/v1/{name=projects/*}/serviceAccounts" body: "*" }; + } + + // Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + // + // Currently, only the following fields are updatable: + // `display_name` . + // The `etag` is mandatory. + rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) { + option (google.api.http) = { put: "/v1/{name=projects/*/serviceAccounts/*}" body: "*" }; + } + + // Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) { + option (google.api.http) = { delete: "/v1/{name=projects/*/serviceAccounts/*}" }; + } + + // Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey]. + rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) { + option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*}/keys" }; + } + + // Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] + // by key id. + rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) { + option (google.api.http) = { get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" }; + } + + // Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] + // and returns it. + rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) { + option (google.api.http) = { post: "/v1/{name=projects/*/serviceAccounts/*}/keys" body: "*" }; + } + + // Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. + rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) { + option (google.api.http) = { delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" }; + } + + // Signs a blob using a service account's system-managed private key. + rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) { + option (google.api.http) = { post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob" body: "*" }; + } + + // Returns the IAM access control policy for a + // [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy" body: "" }; + } + + // Sets the IAM access control policy for a + // [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy" body: "*" }; + } + + // Tests the specified permissions against the IAM access control policy + // for a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) { + option (google.api.http) = { post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions" body: "*" }; + } + + // Queries roles that can be granted on a particular resource. + // A role is grantable if it can be used as the role in a binding for a policy + // for that resource. + rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) { + option (google.api.http) = { post: "/v1/roles:queryGrantableRoles" body: "*" }; + } +} + +// A service account in the Identity and Access Management API. +// +// To create a service account, specify the `project_id` and the `account_id` +// for the account. The `account_id` is unique within the project, and is used +// to generate the service account email address and a stable +// `unique_id`. +// +// If the account already exists, the account's resource name is returned +// in util::Status's ResourceInfo.resource_name in the format of +// projects/{project}/serviceAccounts/{email}. The caller can use the name in +// other methods to access the account. +// +// All other methods can identify the service account using the format +// `projects/{project}/serviceAccounts/{account}`. +// Using `-` as a wildcard for the project will infer the project from +// the account. The `account` value can be the `email` address or the +// `unique_id` of the service account. +message ServiceAccount { + // The resource name of the service account in the following format: + // `projects/{project}/serviceAccounts/{account}`. + // + // Requests using `-` as a wildcard for the project will infer the project + // from the `account` and the `account` value can be the `email` address or + // the `unique_id` of the service account. + // + // In responses the resource name will always be in the format + // `projects/{project}/serviceAccounts/{email}`. + string name = 1; + + // @OutputOnly The id of the project that owns the service account. + string project_id = 2; + + // @OutputOnly The unique and stable id of the service account. + string unique_id = 4; + + // @OutputOnly The email address of the service account. + string email = 5; + + // Optional. A user-specified description of the service account. Must be + // fewer than 100 UTF-8 bytes. + string display_name = 6; + + // Used to perform a consistent read-modify-write. + bytes etag = 7; + + // @OutputOnly. The OAuth2 client id for the service account. + // This is used in conjunction with the OAuth2 clientconfig API to make + // three legged OAuth2 (3LO) flows to access the data of Google users. + string oauth2_client_id = 9; +} + +// The service account create request. +message CreateServiceAccountRequest { + // Required. The resource name of the project associated with the service + // accounts, such as `projects/my-project-123`. + string name = 1; + + // Required. The account id that is used to generate the service account + // email address and a stable unique id. It is unique within a project, + // must be 6-30 characters long, and match the regular expression + // `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035. + string account_id = 2; + + // The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to create. + // Currently, only the following values are user assignable: + // `display_name` . + ServiceAccount service_account = 3; +} + +// The service account list request. +message ListServiceAccountsRequest { + // Required. The resource name of the project associated with the service + // accounts, such as `projects/my-project-123`. + string name = 1; + + // Optional limit on the number of service accounts to include in the + // response. Further accounts can subsequently be obtained by including the + // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token] + // in a subsequent request. + int32 page_size = 2; + + // Optional pagination token returned in an earlier + // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token]. + string page_token = 3; +} + +// The service account list response. +message ListServiceAccountsResponse { + // The list of matching service accounts. + repeated ServiceAccount accounts = 1; + + // To retrieve the next page of results, set + // [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token] + // to this value. + string next_page_token = 2; +} + +// The service account get request. +message GetServiceAccountRequest { + // The resource name of the service account in the following format: + // `projects/{project}/serviceAccounts/{account}`. + // Using `-` as a wildcard for the project will infer the project from + // the account. The `account` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1; +} + +// The service account delete request. +message DeleteServiceAccountRequest { + // The resource name of the service account in the following format: + // `projects/{project}/serviceAccounts/{account}`. + // Using `-` as a wildcard for the project will infer the project from + // the account. The `account` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1; +} + +// The service account keys list request. +message ListServiceAccountKeysRequest { + // `KeyType` filters to selectively retrieve certain varieties + // of keys. + enum KeyType { + // Unspecified key type. The presence of this in the + // message will immediately result in an error. + KEY_TYPE_UNSPECIFIED = 0; + + // User-managed keys (managed and rotated by the user). + USER_MANAGED = 1; + + // System-managed keys (managed and rotated by Google). + SYSTEM_MANAGED = 2; + } + + // The resource name of the service account in the following format: + // `projects/{project}/serviceAccounts/{account}`. + // + // Using `-` as a wildcard for the project, will infer the project from + // the account. The `account` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1; + + // Filters the types of keys the user wants to include in the list + // response. Duplicate key types are not allowed. If no key type + // is provided, all keys are returned. + repeated KeyType key_types = 2; +} + +// The service account keys list response. +message ListServiceAccountKeysResponse { + // The public keys for the service account. + repeated ServiceAccountKey keys = 1; +} + +// The service account key get by id request. +message GetServiceAccountKeyRequest { + // The resource name of the service account key in the following format: + // `projects/{project}/serviceAccounts/{account}/keys/{key}`. + // + // Using `-` as a wildcard for the project will infer the project from + // the account. The `account` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1; + + // The output format of the public key requested. + // X509_PEM is the default output format. + ServiceAccountPublicKeyType public_key_type = 2; +} + +// Represents a service account key. +// +// A service account has two sets of key-pairs: user-managed, and +// system-managed. +// +// User-managed key-pairs can be created and deleted by users. Users are +// responsible for rotating these keys periodically to ensure security of +// their service accounts. Users retain the private key of these key-pairs, +// and Google retains ONLY the public key. +// +// System-managed key-pairs are managed automatically by Google, and rotated +// daily without user intervention. The private key never leaves Google's +// servers to maximize security. +// +// Public keys for all service accounts are also published at the OAuth2 +// Service Account API. +message ServiceAccountKey { + // The resource name of the service account key in the following format + // `projects/{project}/serviceAccounts/{account}/keys/{key}`. + string name = 1; + + // The output format for the private key. + // Only provided in `CreateServiceAccountKey` responses, not + // in `GetServiceAccountKey` or `ListServiceAccountKey` responses. + // + // Google never exposes system-managed private keys, and never retains + // user-managed private keys. + ServiceAccountPrivateKeyType private_key_type = 2; + + // Specifies the algorithm (and possibly key size) for the key. + ServiceAccountKeyAlgorithm key_algorithm = 8; + + // The private key data. Only provided in `CreateServiceAccountKey` + // responses. + bytes private_key_data = 3; + + // The public key data. Only provided in `GetServiceAccountKey` responses. + bytes public_key_data = 7; + + // The key can be used after this timestamp. + google.protobuf.Timestamp valid_after_time = 4; + + // The key can be used before this timestamp. + google.protobuf.Timestamp valid_before_time = 5; +} + +// The service account key create request. +message CreateServiceAccountKeyRequest { + // The resource name of the service account in the following format: + // `projects/{project}/serviceAccounts/{account}`. + // Using `-` as a wildcard for the project will infer the project from + // the account. The `account` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1; + + // The output format of the private key. `GOOGLE_CREDENTIALS_FILE` is the + // default output format. + ServiceAccountPrivateKeyType private_key_type = 2; + + // Which type of key and algorithm to use for the key. + // The default is currently a 4K RSA key. However this may change in the + // future. + ServiceAccountKeyAlgorithm key_algorithm = 3; +} + +// The service account key delete request. +message DeleteServiceAccountKeyRequest { + // The resource name of the service account key in the following format: + // `projects/{project}/serviceAccounts/{account}/keys/{key}`. + // Using `-` as a wildcard for the project will infer the project from + // the account. The `account` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1; +} + +// The service account sign blob request. +message SignBlobRequest { + // The resource name of the service account in the following format: + // `projects/{project}/serviceAccounts/{account}`. + // Using `-` as a wildcard for the project will infer the project from + // the account. The `account` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1; + + // The bytes to sign. + bytes bytes_to_sign = 2; +} + +// The service account sign blob response. +message SignBlobResponse { + // The id of the key used to sign the blob. + string key_id = 1; + + // The signed blob. + bytes signature = 2; +} + +// A role in the Identity and Access Management API. +message Role { + // The name of the role. + // + // When Role is used in CreateRole, the role name must not be set. + // + // When Role is used in output and other input such as UpdateRole, the role + // name is the complete path, e.g., roles/logging.viewer for curated roles + // and organizations/{organization-id}/roles/logging.viewer for custom roles. + string name = 1; + + // Optional. A human-readable title for the role. Typically this + // is limited to 100 UTF-8 bytes. + string title = 2; + + // Optional. A human-readable description for the role. + string description = 3; +} + +// The grantable role query request. +message QueryGrantableRolesRequest { + // Required. The full resource name to query from the list of grantable roles. + // + // The name follows the Google Cloud Platform resource format. + // For example, a Cloud Platform project with id `my-project` will be named + // `//cloudresourcemanager.googleapis.com/projects/my-project`. + string full_resource_name = 1; +} + +// The grantable role query response. +message QueryGrantableRolesResponse { + // The list of matching roles. + repeated Role roles = 1; +} + +// Supported key algorithms. +enum ServiceAccountKeyAlgorithm { + // An unspecified key algorithm. + KEY_ALG_UNSPECIFIED = 0; + + // 1k RSA Key. + KEY_ALG_RSA_1024 = 1; + + // 2k RSA Key. + KEY_ALG_RSA_2048 = 2; +} + +// Supported private key output formats. +enum ServiceAccountPrivateKeyType { + // Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`. + TYPE_UNSPECIFIED = 0; + + // PKCS12 format. + // The password for the PKCS12 file is `notasecret`. + // For more information, see https://tools.ietf.org/html/rfc7292. + TYPE_PKCS12_FILE = 1; + + // Google Credentials File format. + TYPE_GOOGLE_CREDENTIALS_FILE = 2; +} + +// Supported public key output formats. +enum ServiceAccountPublicKeyType { + // Unspecified. Returns nothing here. + TYPE_NONE = 0; + + // X509 PEM format. + TYPE_X509_PEM_FILE = 1; + + // Raw public key. + TYPE_RAW_PUBLIC_KEY = 2; +} |