Console
    Contact Us Start free

    Package google.iam.admin.v1

    Index

    IAM

    Creates and manages Identity and Access Management (IAM) resources.

    You can use this service to work with all of the following resources:

    • Service accounts, which identify an application or a virtual machine (VM) instance rather than a person
    • Service account keys, which service accounts use to authenticate with Google APIs
    • IAM policies for service accounts, which specify the roles that a principal has for the service account
    • IAM custom roles, which help you limit the number of permissions that you grant to principals

    In addition, you can use this service to complete the following tasks, among others:

    • Test whether a service account can use specific permissions
    • Check which roles you can grant for a specific resource
    • Lint, or validate, condition expressions in an IAM policy

    When you read data from the IAM API, each read is eventually consistent. In other words, if you write data with the IAM API, then immediately read that data, the read operation might return an older version of the data. To deal with this behavior, your application can retry the request with truncated exponential backoff.

    In contrast, writing data to the IAM API is sequentially consistent. In other words, write operations are always processed in the order in which they were received.

    CreateRole

    rpc CreateRole( CreateRoleRequest ) returns ( Role )

    Creates a new custom Role .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    CreateServiceAccount

    rpc CreateServiceAccount( CreateServiceAccountRequest ) returns ( ServiceAccount )

    Creates a ServiceAccount .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    CreateServiceAccountKey

    rpc CreateServiceAccountKey( CreateServiceAccountKeyRequest ) returns ( ServiceAccountKey )

    Creates a ServiceAccountKey .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    DeleteRole

    rpc DeleteRole( DeleteRoleRequest ) returns ( Role )

    Deletes a custom Role .

    When you delete a custom role, the following changes occur immediately:

    • You cannot bind a principal to the custom role in an IAM Policy .
    • Existing bindings to the custom role are not changed, but they have no effect.
    • By default, the response from ListRoles does not include the custom role.

    A deleted custom role still counts toward the custom role limit until it is permanently deleted. You have 7 days to undelete the custom role. After 7 days, the following changes occur:

    • The custom role is permanently deleted and cannot be recovered.
    • If an IAM policy contains a binding to the custom role, the binding is permanently removed.
    • The custom role no longer counts toward your custom role limit.
    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    DeleteServiceAccount

    rpc DeleteServiceAccount( DeleteServiceAccountRequest ) returns ( Empty )

    Deletes a ServiceAccount .

    Warning:After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead.

    If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.

    To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    DeleteServiceAccountKey

    rpc DeleteServiceAccountKey( DeleteServiceAccountKeyRequest ) returns ( Empty )

    Deletes a ServiceAccountKey . Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    DisableServiceAccount

    rpc DisableServiceAccount( DisableServiceAccountRequest ) returns ( Empty )

    Disables a ServiceAccount immediately.

    If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail.

    To re-enable the service account, use EnableServiceAccount . After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens.

    To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    DisableServiceAccountKey

    rpc DisableServiceAccountKey( DisableServiceAccountKeyRequest ) returns ( Empty )

    Disable a ServiceAccountKey . A disabled service account key can be re-enabled with EnableServiceAccountKey .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    EnableServiceAccount

    rpc EnableServiceAccount( EnableServiceAccountRequest ) returns ( Empty )

    Enables a ServiceAccount that was disabled by DisableServiceAccount .

    If the service account is already enabled, then this method has no effect.

    If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    EnableServiceAccountKey

    rpc EnableServiceAccountKey( EnableServiceAccountKeyRequest ) returns ( Empty )

    Enable a ServiceAccountKey .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    GetIamPolicy

    rpc GetIamPolicy( GetIamPolicyRequest ) returns ( Policy )

    Gets the IAM policy that is attached to a ServiceAccount . This IAM policy specifies which principals have access to the service account.

    This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    GetRole

    rpc GetRole( GetRoleRequest ) returns ( Role )

    Gets the definition of a Role .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    GetServiceAccount

    rpc GetServiceAccount( GetServiceAccountRequest ) returns ( ServiceAccount )

    Gets a ServiceAccount .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    GetServiceAccountKey

    rpc GetServiceAccountKey( GetServiceAccountKeyRequest ) returns ( ServiceAccountKey )

    Gets a ServiceAccountKey .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    LintPolicy

    rpc LintPolicy( LintPolicyRequest ) returns ( LintPolicyResponse )

    Lints, or validates, an IAM policy. Currently checks the google.iam.v1.Binding.condition field, which contains a condition expression for a role binding.

    Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    ListRoles

    rpc ListRoles( ListRolesRequest ) returns ( ListRolesResponse )

    Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    ListServiceAccountKeys

    rpc ListServiceAccountKeys( ListServiceAccountKeysRequest ) returns ( ListServiceAccountKeysResponse )

    Lists every ServiceAccountKey for a service account.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    ListServiceAccounts

    rpc ListServiceAccounts( ListServiceAccountsRequest ) returns ( ListServiceAccountsResponse )

    Lists every ServiceAccount that belongs to a specific project.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    PatchServiceAccount

    rpc PatchServiceAccount( PatchServiceAccountRequest ) returns ( ServiceAccount )

    Patches a ServiceAccount .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    QueryAuditableServices

    rpc QueryAuditableServices( QueryAuditableServicesRequest ) returns ( QueryAuditableServicesResponse )

    Returns a list of services that allow you to opt into audit logs that are not generated by default.

    To learn more about audit logs, see the Logging documentation .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    QueryGrantableRoles

    rpc QueryGrantableRoles( QueryGrantableRolesRequest ) returns ( QueryGrantableRolesResponse )

    Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    QueryTestablePermissions

    rpc QueryTestablePermissions( QueryTestablePermissionsRequest ) returns ( QueryTestablePermissionsResponse )

    Lists every permission that you can test on a resource. A permission is testable if you can check whether a principal has that permission on the resource.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    SetIamPolicy

    rpc SetIamPolicy( SetIamPolicyRequest ) returns ( Policy )

    Sets the IAM policy that is attached to a ServiceAccount .

    Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account.

    This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:

    1. Call the resource's getIamPolicy method to get its current IAM policy.
    2. Edit the policy so that it binds the service account to an IAM role for the resource.
    3. Call the resource's setIamPolicy method to update its IAM policy.

    For detailed instructions, see Manage access to project, folders, and organizations or Manage access to other resources .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    SignBlob

    rpc SignBlob( SignBlobRequest ) returns ( SignBlobResponse )

    Signs a blob using the system-managed private key for a ServiceAccount .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    SignJwt

    rpc SignJwt( SignJwtRequest ) returns ( SignJwtResponse )

    Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    TestIamPermissions

    rpc TestIamPermissions( TestIamPermissionsRequest ) returns ( TestIamPermissionsResponse )

    Tests whether the caller has the specified permissions on a ServiceAccount .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    UndeleteRole

    rpc UndeleteRole( UndeleteRoleRequest ) returns ( Role )

    Undeletes a custom Role .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    UndeleteServiceAccount

    rpc UndeleteServiceAccount( UndeleteServiceAccountRequest ) returns ( UndeleteServiceAccountResponse )

    Restores a deleted ServiceAccount .

    Important:It is not always possible to restore a deleted service account. Use this method only as a last resort.

    After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    UpdateRole

    rpc UpdateRole( UpdateRoleRequest ) returns ( Role )

    Updates the definition of a custom Role .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    UpdateServiceAccount

    rpc UpdateServiceAccount( ServiceAccount ) returns ( ServiceAccount )

    Note:We are in the process of deprecating this method. Use PatchServiceAccount instead.

    Updates a ServiceAccount .

    You can update only the display_name field.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    UploadServiceAccountKey

    rpc UploadServiceAccountKey( UploadServiceAccountKeyRequest ) returns ( ServiceAccountKey )

    Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount .

    After you upload the public key, you can use the private key from the key pair as a service account key.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    OauthClients

    Manages OauthClient s. An OauthClient represents a third-party application that can access Google Cloud resources.

    CreateOauthClient

    rpc CreateOauthClient( CreateOauthClientRequest ) returns ( OauthClient )

    Creates a new OauthClient .

    You cannot reuse the name of a deleted OauthClient until 30 days after deletion.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    CreateOauthClientCredential

    rpc CreateOauthClientCredential( CreateOauthClientCredentialRequest ) returns ( OauthClientCredential )

    Creates a new OauthClientCredential .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    DeleteOauthClient

    rpc DeleteOauthClient( DeleteOauthClientRequest ) returns ( OauthClient )

    Deletes an OauthClient .

    You cannot use a deleted OauthClient . However, deletion does not revoke access tokens that have already been issued. They continue to grant access. Deletion does revoke refresh tokens that have already been issued. They cannot be used to renew an access token. If the OauthClient is undeleted, and the refresh tokens are not expired, they are valid for token exchange again. You can undelete an OauthClient for 30 days. After 30 days, deletion is permanent. You cannot update deleted OauthClient s. However, you can view and list them.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    DeleteOauthClientCredential

    rpc DeleteOauthClientCredential( DeleteOauthClientCredentialRequest ) returns ( Empty )

    Deletes an OauthClientCredential .

    Before deleting an OauthClientCredential , it should first be disabled.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    GetOauthClient

    rpc GetOauthClient( GetOauthClientRequest ) returns ( OauthClient )

    Gets an individual OauthClient .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    GetOauthClientCredential

    rpc GetOauthClientCredential( GetOauthClientCredentialRequest ) returns ( OauthClientCredential )

    Gets an individual OauthClientCredential .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    ListOauthClientCredentials

    rpc ListOauthClientCredentials( ListOauthClientCredentialsRequest ) returns ( ListOauthClientCredentialsResponse )

    Lists all OauthClientCredential s in an OauthClient .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    ListOauthClients

    rpc ListOauthClients( ListOauthClientsRequest ) returns ( ListOauthClientsResponse )

    Lists all non-deleted OauthClient s in a project. If show_deleted is set to true , then deleted OauthClient s are also listed.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    UndeleteOauthClient

    rpc UndeleteOauthClient( UndeleteOauthClientRequest ) returns ( OauthClient )

    Undeletes an OauthClient , as long as it was deleted fewer than 30 days ago.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    UpdateOauthClient

    rpc UpdateOauthClient( UpdateOauthClientRequest ) returns ( OauthClient )

    Updates an existing OauthClient .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    UpdateOauthClientCredential

    rpc UpdateOauthClientCredential( UpdateOauthClientCredentialRequest ) returns ( OauthClientCredential )

    Updates an existing OauthClientCredential .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    WorkforcePools

    Manages WorkforcePools.

    CreateWorkforcePool

    rpc CreateWorkforcePool( CreateWorkforcePoolRequest ) returns ( Operation )

    Creates a new WorkforcePool .

    You cannot reuse the name of a deleted pool until 30 days after deletion.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    CreateWorkforcePoolProvider

    rpc CreateWorkforcePoolProvider( CreateWorkforcePoolProviderRequest ) returns ( Operation )

    Creates a new WorkforcePoolProvider in a WorkforcePool .

    You cannot reuse the name of a deleted provider until 30 days after deletion.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    CreateWorkforcePoolProviderKey

    rpc CreateWorkforcePoolProviderKey( CreateWorkforcePoolProviderKeyRequest ) returns ( Operation )

    Creates a new WorkforcePoolProviderKey in a WorkforcePoolProvider .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    DeleteWorkforcePool

    rpc DeleteWorkforcePool( DeleteWorkforcePoolRequest ) returns ( Operation )

    Deletes a WorkforcePool .

    You cannot use a deleted WorkforcePool to exchange external credentials for Google Cloud credentials. However, deletion does not revoke credentials that have already been issued. Credentials issued for a deleted pool do not grant access to resources. If the pool is undeleted, and the credentials are not expired, they grant access again. You can undelete a pool for 30 days. After 30 days, deletion is permanent. You cannot update deleted pools. However, you can view and list them.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    DeleteWorkforcePoolProvider

    rpc DeleteWorkforcePoolProvider( DeleteWorkforcePoolProviderRequest ) returns ( Operation )

    Deletes a WorkforcePoolProvider .

    Deleting a provider does not revoke credentials that have already been issued; they continue to grant access. You can undelete a provider for 30 days. After 30 days, deletion is permanent. You cannot update deleted providers. However, you can view and list them.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    DeleteWorkforcePoolProviderKey

    rpc DeleteWorkforcePoolProviderKey( DeleteWorkforcePoolProviderKeyRequest ) returns ( Operation )

    Deletes a WorkforcePoolProviderKey . You can undelete a key for 30 days. After 30 days, deletion is permanent.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    DeleteWorkforcePoolSubject

    rpc DeleteWorkforcePoolSubject( DeleteWorkforcePoolSubjectRequest ) returns ( Operation )

    Deletes a WorkforcePoolSubject .

    Subject must not already be in a deleted state.

    A WorkforcePoolSubject is automatically created the first time an external credential is exchanged for a Google Cloud credential using a mapped google.subject attribute. There is no endpoint to manually create a WorkforcePoolSubject .

    For 30 days after a WorkforcePoolSubject is deleted, using the same google.subject attribute in token exchanges with Google Cloud STS fails.

    Call UndeleteWorkforcePoolSubject to undelete a WorkforcePoolSubject that has been deleted, within within 30 days of deleting it.

    After 30 days, the WorkforcePoolSubject is permanently deleted. At this point, a token exchange with Google Cloud STS that uses the same mapped google.subject attribute automatically creates a new WorkforcePoolSubject that is unrelated to the previously deleted WorkforcePoolSubject but has the same google.subject value.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    GetIamPolicy

    rpc GetIamPolicy( GetIamPolicyRequest ) returns ( Policy )

    Gets IAM policies on a WorkforcePool .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    GetWorkforcePool

    rpc GetWorkforcePool( GetWorkforcePoolRequest ) returns ( WorkforcePool )

    Gets an individual WorkforcePool .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    GetWorkforcePoolProvider

    rpc GetWorkforcePoolProvider( GetWorkforcePoolProviderRequest ) returns ( WorkforcePoolProvider )

    Gets an individual WorkforcePoolProvider .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    GetWorkforcePoolProviderKey

    rpc GetWorkforcePoolProviderKey( GetWorkforcePoolProviderKeyRequest ) returns ( WorkforcePoolProviderKey )

    Gets a WorkforcePoolProviderKey .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    ListWorkforcePoolProviderKeys

    rpc ListWorkforcePoolProviderKeys( ListWorkforcePoolProviderKeysRequest ) returns ( ListWorkforcePoolProviderKeysResponse )

    Lists all non-deleted WorkforcePoolProviderKey s in a WorkforcePoolProvider . If show_deleted is set to true , then deleted keys are also listed.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    ListWorkforcePoolProviders

    rpc ListWorkforcePoolProviders( ListWorkforcePoolProvidersRequest ) returns ( ListWorkforcePoolProvidersResponse )

    Lists all non-deleted WorkforcePoolProvider s in a WorkforcePool . If show_deleted is set to true , then deleted providers are also listed.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    ListWorkforcePools

    rpc ListWorkforcePools( ListWorkforcePoolsRequest ) returns ( ListWorkforcePoolsResponse )

    Lists all non-deleted WorkforcePool s under the specified parent. If show_deleted is set to true , then deleted pools are also listed.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    SetIamPolicy

    rpc SetIamPolicy( SetIamPolicyRequest ) returns ( Policy )

    Sets IAM policies on a WorkforcePool .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    TestIamPermissions

    rpc TestIamPermissions( TestIamPermissionsRequest ) returns ( TestIamPermissionsResponse )

    Returns the caller's permissions on the WorkforcePool . If the pool doesn't exist, this call returns an empty set of permissions. It doesn't return a NOT_FOUND error.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    UndeleteWorkforcePool

    rpc UndeleteWorkforcePool( UndeleteWorkforcePoolRequest ) returns ( Operation )

    Undeletes a WorkforcePool , as long as it was deleted fewer than 30 days ago.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    UndeleteWorkforcePoolProvider

    rpc UndeleteWorkforcePoolProvider( UndeleteWorkforcePoolProviderRequest ) returns ( Operation )

    Undeletes a WorkforcePoolProvider , as long as it was deleted fewer than 30 days ago.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    UndeleteWorkforcePoolProviderKey

    rpc UndeleteWorkforcePoolProviderKey( UndeleteWorkforcePoolProviderKeyRequest ) returns ( Operation )

    Undeletes a WorkforcePoolProviderKey , as long as it was deleted fewer than 30 days ago.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    UndeleteWorkforcePoolSubject

    rpc UndeleteWorkforcePoolSubject( UndeleteWorkforcePoolSubjectRequest ) returns ( Operation )

    Undeletes a WorkforcePoolSubject , as long as it was deleted fewer than 30 days ago.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    UpdateWorkforcePool

    rpc UpdateWorkforcePool( UpdateWorkforcePoolRequest ) returns ( Operation )

    Updates an existing WorkforcePool .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    UpdateWorkforcePoolProvider

    rpc UpdateWorkforcePoolProvider( UpdateWorkforcePoolProviderRequest ) returns ( Operation )

    Updates an existing WorkforcePoolProvider .

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/iam

    For more information, see the Authentication Overview .

    AuditData

    Audit log information specific to Cloud IAM admin APIs. This message is serialized as an Any type in the ServiceData message of an AuditLog message.

    Fields
    permission_delta

    PermissionDelta

    The permission_delta when when creating or updating a Role.

    PermissionDelta

    A PermissionDelta message to record the added_permissions and removed_permissions inside a role.

    Fields
    added_permissions[]

    string

    Added permissions.
    removed_permissions[]

    string

    Removed permissions.

    CreateOauthClientCredentialRequest

    Request message for CreateOauthClientCredential.

    Fields
    parent

    string

    Required. The parent resource to create the OauthClientCredential in.
    oauth_client_credential

    OauthClientCredential

    Required. The OauthClientCredential to create.
    oauth_client_credential_id

    string

    Required. The ID to use for the OauthClientCredential , which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.

    CreateOauthClientRequest

    Request message for CreateOauthClient.

    Fields
    parent

    string

    Required. The parent resource to create the OauthClient in. The only supported location is global .
    oauth_client

    OauthClient

    Required. The OauthClient to create.
    oauth_client_id

    string

    Required. The ID to use for the OauthClient , which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.

    CreateRoleRequest

    The request to create a new role.

    Fields
    parent

    string

    The parent parameter's value depends on the target resource for the request, namely projects or organizations . Each resource type's parent value format is described below:

    • projects.roles.create : projects/{PROJECT_ID} . This method creates project-level custom roles . Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles

    • organizations.roles.create : organizations/{ORGANIZATION_ID} . This method creates organization-level custom roles . Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles

    Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

    Authorization requires the following IAM permission on the specified resource parent :

    • iam.roles.create
    role_id

    string

    The role ID to use for this role.

    A role ID may contain alphanumeric characters, underscores ( _ ), and periods ( . ). It must contain a minimum of 3 characters and a maximum of 64 characters.

    role

    Role

    The Role resource to create.

    CreateServiceAccountKeyRequest

    The service account key create request.

    Fields
    name

    string

    Required. The resource name of the service account.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}
    • projects/-/serviceAccounts/{UNIQUE_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccountKeys.create
    private_key_type

    ServiceAccountPrivateKeyType

    The output format of the private key. The default value is TYPE_GOOGLE_CREDENTIALS_FILE , which is the Google Credentials File format.

    key_algorithm

    ServiceAccountKeyAlgorithm

    Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future.

    CreateServiceAccountRequest

    The service account create request.

    Fields
    name

    string

    Required. The resource name of the project associated with the service accounts, such as projects/my-project-123 .

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccounts.create
    account_id

    string

    Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression [a-z]([-a-z0-9]*[a-z0-9]) to comply with RFC1035.

    CreateWorkforcePoolProviderKeyRequest

    Request message for CreateWorkforcePoolProviderKey.

    Fields
    parent

    string

    Required. The provider to create this key in.
    workforce_pool_provider_key

    WorkforcePoolProviderKey

    Required. The WorkforcePoolProviderKey to create.
    workforce_pool_provider_key_id

    string

    Required. The ID to use for the key, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-].

    CreateWorkforcePoolProviderRequest

    Request message for CreateWorkforcePoolProvider.

    Fields
    parent

    string

    Required. The pool to create this provider in.

    Format: locations/{location}/workforcePools/{workforce_pool_id}

    workforce_pool_provider

    WorkforcePoolProvider

    Required. The provider to create.
    workforce_pool_provider_id

    string

    Required. The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.

    CreateWorkforcePoolRequest

    Request message for CreateWorkforcePool.

    Fields
    workforce_pool

    WorkforcePool

    Required. The pool to create.
    location

    string

    Optional. The location of the pool to create.

    Format: locations/{location} .
    workforce_pool_id

    string

    Optional. The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.

    DeleteOauthClientCredentialRequest

    Request message for DeleteOauthClientCredential.

    Fields
    name

    string

    Required. The name of the OauthClientCredential to delete.

    Format: projects/{project}/locations/{location}/oauthClients/{oauth_client}/credentials/{credential} .

    DeleteOauthClientRequest

    Request message for DeleteOauthClient.

    Fields
    name

    string

    Required. The name of the OauthClient to delete.

    Format: projects/{project}/locations/{location}/oauthClients/{oauth_client} .

    DeleteRoleRequest

    The request to delete an existing role.

    Fields
    name

    string

    The name parameter's value depends on the target resource for the request, namely projects or organizations . Each resource type's name value format is described below:

    • projects.roles.delete : projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID} . This method deletes only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

    • organizations.roles.delete : organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID} . This method deletes only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

    Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.roles.delete
    etag

    bytes

    Used to perform a consistent read-modify-write.

    DeleteServiceAccountKeyRequest

    The service account key delete request.

    Fields
    name

    string

    Required. The resource name of the service account key.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
    • projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key projects/-/serviceAccounts/fake@example.com/keys/fake-key , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccountKeys.delete

    DeleteServiceAccountRequest

    The service account delete request.

    Fields
    name

    string

    Required. The resource name of the service account.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}
    • projects/-/serviceAccounts/{UNIQUE_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccounts.delete

    DeleteWorkforcePoolProviderKeyRequest

    Request message for DeleteWorkforcePoolProviderKey.

    Fields
    name

    string

    Required. The name of the key to delete.

    DeleteWorkforcePoolProviderRequest

    Request message for DeleteWorkforcePoolProvider.

    Fields
    name

    string

    Required. The name of the provider to delete.

    Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}

    DeleteWorkforcePoolRequest

    Request message for DeleteWorkforcePool.

    Fields
    name

    string

    Required. The name of the pool to delete.

    Format: locations/{location}/workforcePools/{workforce_pool_id}

    DeleteWorkforcePoolSubjectRequest

    Request message for [DeleteWorkforcePoolSubject][].

    Fields
    name

    string

    Required. The resource name of the WorkforcePoolSubject . Special characters, like / and : , must be escaped, because all URLs need to conform to the "When to Escape and Unescape" section of RFC3986 .

    Format: locations/{location}/workforcePools/{workforce_pool_id}/subjects/{subject_id}

    DisableServiceAccountKeyRequest

    The service account key disable request.

    Fields
    name

    string

    Required. The resource name of the service account key.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
    • projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key projects/-/serviceAccounts/fake@example.com/keys/fake-key , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccountKeys.disable
    extended_status_message

    string

    Optional. Usable by internal google services only. An extended_status_message can be used to include additional information about the key, such as its private key data being exposed on a public repository like GitHub.

    DisableServiceAccountRequest

    The service account disable request.

    Fields
    name

    string

    The resource name of the service account.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}
    • projects/-/serviceAccounts/{UNIQUE_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccounts.disable

    EnableServiceAccountKeyRequest

    The service account key enable request.

    Fields
    name

    string

    Required. The resource name of the service account key.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
    • projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key projects/-/serviceAccounts/fake@example.com/keys/fake-key , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccountKeys.enable

    EnableServiceAccountRequest

    The service account enable request.

    Fields
    name

    string

    The resource name of the service account.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}
    • projects/-/serviceAccounts/{UNIQUE_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccounts.enable

    GetOauthClientCredentialRequest

    Request message for GetOauthClientCredential.

    Fields
    name

    string

    Required. The name of the OauthClientCredential to retrieve.

    Format: projects/{project}/locations/{location}/oauthClients/{oauth_client}/credentials/{credential} .

    GetOauthClientRequest

    Request message for GetOauthClient.

    Fields
    name

    string

    Required. The name of the OauthClient to retrieve.

    Format: projects/{project}/locations/{location}/oauthClients/{oauth_client} .

    GetRoleRequest

    The request to get the definition of an existing role.

    Fields
    name

    string

    The name parameter's value depends on the target resource for the request, namely roles , projects , or organizations . Each resource type's name value format is described below:

    • roles.get : roles/{ROLE_NAME} . This method returns results from all predefined roles in IAM. Example request URL: https://iam.googleapis.com/v1/roles/{ROLE_NAME}

    • projects.roles.get : projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID} . This method returns only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

    • organizations.roles.get : organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID} . This method returns only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

    Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.roles.get

    GetServiceAccountKeyRequest

    The service account key get by id request.

    Fields
    name

    string

    Required. The resource name of the service account key.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
    • projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key projects/-/serviceAccounts/fake@example.com/keys/fake-key , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccountKeys.get
    public_key_type

    ServiceAccountPublicKeyType

    Optional. The output format of the public key. The default is TYPE_NONE , which means that the public key is not returned.

    GetServiceAccountRequest

    The service account get request.

    Fields
    name

    string

    Required. The resource name of the service account.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}
    • projects/-/serviceAccounts/{UNIQUE_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccounts.get

    GetWorkforcePoolProviderKeyRequest

    Request message for GetWorkforcePoolProviderKey.

    Fields
    name

    string

    Required. The name of the key to retrieve.

    GetWorkforcePoolProviderRequest

    Request message for GetWorkforcePoolProvider.

    Fields
    name

    string

    Required. The name of the provider to retrieve.

    Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}

    GetWorkforcePoolRequest

    Request message for GetWorkforcePool.

    Fields
    name

    string

    Required. The name of the pool to retrieve.

    Format: locations/{location}/workforcePools/{workforce_pool_id}

    KeyData

    Represents a public key data along with its format.

    Fields
    format

    KeyFormat

    Output only. The format of the key.
    not_before_time

    Timestamp

    Output only. Earliest timestamp when this key is valid. Attempts to use this key before this time will fail. Only present if the key data represents a X.509 certificate.
    not_after_time

    Timestamp

    Output only. Latest timestamp when this key is valid. Attempts to use this key after this time will fail. Only present if the key data represents a X.509 certificate.
    key

    string

    Output only. The key data. The format of the key is represented by the format field.
    key_spec

    KeySpec

    Required. The specifications for the key.

    KeyFormat

    The supported formats for the public key.

    Enums
    KEY_FORMAT_UNSPECIFIED No format has been specified. This is an invalid format and must not be used.
    RSA_X509_PEM A RSA public key wrapped in an X.509v3 certificate ( RFC5280 ), encoded in base64, and wrapped in public certificate label .

    KeySpec

    Allowed list of specifications for the key.

    Enums
    KEY_SPEC_UNSPECIFIED No key specification specified.
    RSA_2048 A 2048 bit RSA key.
    RSA_3072 A 3072 bit RSA key.
    RSA_4096 A 4096 bit RSA key.

    LintPolicyRequest

    The request to lint an IAM policy object.

    Fields
    full_resource_name

    string

    The full resource name of the policy this lint request is about.

    The name follows the Google Cloud format for full resource names. For example, a Google Cloud project with ID my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project .

    The resource name is not used to read a policy from IAM. Only the data in the request object is linted.

    Union field lint_object . Required. The IAM object to be linted. lint_object can be only one of the following:
    condition

    Expr

    google.iam.v1.Binding.condition object to be linted.

    LintPolicyResponse

    The response of a lint operation. An empty response indicates the operation was able to fully execute and no lint issue was found.

    Fields
    lint_results[]

    LintResult

    List of lint results sorted by severity in descending order.

    LintResult

    Structured response of a single validation unit.

    Fields
    level

    Level

    The validation unit level.
    validation_unit_name

    string

    The validation unit name, for instance "lintValidationUnits/ConditionComplexityCheck".
    severity

    Severity

    The validation unit severity.
    field_name

    string

    The name of the field for which this lint result is about.

    For nested messages field_name consists of names of the embedded fields separated by period character. The top-level qualifier is the input object to lint in the request. For example, the field_name value condition.expression identifies a lint result for the expression field of the provided condition.
    location_offset

    int32

    0-based character position of problematic construct within the object identified by field_name . Currently, this is populated only for condition expression.
    debug_message

    string

    Human readable debug message associated with the issue.

    Level

    Possible Level values of a validation unit corresponding to its domain of discourse.

    Enums
    LEVEL_UNSPECIFIED Level is unspecified.
    CONDITION A validation unit which operates on an individual condition within a binding.

    Severity

    Possible Severity values of an issued result.

    Enums
    SEVERITY_UNSPECIFIED
    Severity is unspecified.
    ERROR
    A validation unit returns an error only for critical issues. If an attempt is made to set the problematic policy without rectifying the critical issue, it causes the setPolicy operation to fail.
    WARNING

    Any issue which is severe enough but does not cause an error. For example, suspicious constructs in the input object will not necessarily fail setPolicy , but there is a high likelihood that they won't behave as expected during policy evaluation in checkPolicy . This includes the following common scenarios:

    • Unsatisfiable condition: Expired timestamp in date/time condition.
    • Ineffective condition: Condition on a <principal, role> pair which is granted unconditionally in another binding of the same policy.
    NOTICE
    Reserved for the issues that are not severe as ERROR / WARNING , but need special handling. For instance, messages about skipped validation units are issued as NOTICE .
    INFO
    Any informative statement which is not severe enough to raise ERROR / WARNING / NOTICE , like auto-correction recommendations on the input content. Note that current version of the linter does not utilize INFO .
    DEPRECATED
    Deprecated severity level.

    ListOauthClientCredentialsRequest

    Request message for ListOauthClientCredentials.

    Fields
    parent

    string

    Required. The parent to list OauthClientCredential s for.

    ListOauthClientCredentialsResponse

    Response message for ListOauthClientCredentials.

    Fields
    oauth_client_credentials[]

    OauthClientCredential

    A list of OauthClientCredential s.

    ListOauthClientsRequest

    Request message for ListOauthClients.

    Fields
    parent

    string

    Required. The parent to list OauthClient s for.
    page_size

    int32

    Optional. The maximum number of OauthClient s to return. If unspecified, at most 50 OauthClient s will be returned. The maximum value is 100; values above 100 are truncated to 100.
    page_token

    string

    Optional. A page token, received from a previous ListOauthClients call. Provide this to retrieve the subsequent page.
    show_deleted

    bool

    Optional. Whether to return soft-deleted OauthClient s.

    ListOauthClientsResponse

    Response message for ListOauthClients.

    Fields
    oauth_clients[]

    OauthClient

    A list of OauthClient s.
    next_page_token

    string

    Optional. A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

    ListRolesRequest

    The request to get all roles defined under a resource.

    Fields
    parent

    string

    The parent parameter's value depends on the target resource for the request, namely roles , projects , or organizations . Each resource type's parent value format is described below:

    • roles.list : An empty string. This method doesn't require a resource; it simply returns all predefined roles in IAM. Example request URL: https://iam.googleapis.com/v1/roles

    • projects.roles.list : projects/{PROJECT_ID} . This method lists all project-level custom roles . Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles

    • organizations.roles.list : organizations/{ORGANIZATION_ID} . This method lists all organization-level custom roles . Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles

    Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

    Authorization requires the following IAM permission on the specified resource parent :

    • iam.roles.list
    page_size

    int32

    Optional limit on the number of roles to include in the response.

    The default is 300, and the maximum is 1,000.

    page_token

    string

    Optional pagination token returned in an earlier ListRolesResponse.

    view

    RoleView

    Optional view for the returned Role objects. When FULL is specified, the includedPermissions field is returned, which includes a list of all permissions in the role. The default value is BASIC , which does not return the includedPermissions field.

    show_deleted

    bool

    Include Roles that have been deleted.

    ListRolesResponse

    The response containing the roles defined under a resource.

    Fields
    roles[]

    Role

    The Roles defined on this resource.
    next_page_token

    string

    To retrieve the next page of results, set ListRolesRequest.page_token to this value.

    ListServiceAccountKeysRequest

    The service account keys list request.

    Fields
    name

    string

    Required. The resource name of the service account.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}
    • projects/-/serviceAccounts/{UNIQUE_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccountKeys.list
    key_types[]

    KeyType

    Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned.

    KeyType

    KeyType filters to selectively retrieve certain varieties of keys.

    Enums
    KEY_TYPE_UNSPECIFIED Unspecified key type. The presence of this in the message will immediately result in an error.
    USER_MANAGED User-managed keys (managed and rotated by the user).
    SYSTEM_MANAGED System-managed keys (managed and rotated by Google).

    ListServiceAccountKeysResponse

    The service account keys list response.

    Fields
    keys[]

    ServiceAccountKey

    The public keys for the service account.

    ListServiceAccountsRequest

    The service account list request.

    Fields
    name

    string

    Required. The resource name of the project associated with the service accounts, such as projects/my-project-123 .

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccounts.list
    page_size

    int32

    Optional limit on the number of service accounts to include in the response. Further accounts can subsequently be obtained by including the ListServiceAccountsResponse.next_page_token in a subsequent request.

    The default is 20, and the maximum is 100.

    page_token

    string

    Optional pagination token returned in an earlier ListServiceAccountsResponse.next_page_token .

    ListServiceAccountsResponse

    The service account list response.

    Fields
    accounts[]

    ServiceAccount

    The list of matching service accounts.
    next_page_token

    string

    To retrieve the next page of results, set ListServiceAccountsRequest.page_token to this value.

    ListWorkforcePoolProviderKeysRequest

    Request message for ListWorkforcePoolProviderKeys.

    Fields
    parent

    string

    Required. The provider resource to list encryption keys for.

    Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}

    page_size

    int32

    The maximum number of keys to return. If unspecified, all keys are returned. The maximum value is 10; values above 10 are truncated to 10.
    page_token

    string

    A page token, received from a previous ListWorkforcePoolProviderKeys call. Provide this to retrieve the subsequent page.
    show_deleted

    bool

    Whether to return soft-deleted keys.

    ListWorkforcePoolProviderKeysResponse

    Response message for ListWorkforcePoolProviderKeys.

    Fields
    workforce_pool_provider_keys[]

    WorkforcePoolProviderKey

    A list of WorkforcePoolProviderKeys.
    next_page_token

    string

    A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

    ListWorkforcePoolProvidersRequest

    Request message for ListWorkforcePoolProviders.

    Fields
    parent

    string

    Required. The pool to list providers for.

    Format: locations/{location}/workforcePools/{workforce_pool_id}

    page_size

    int32

    The maximum number of providers to return. If unspecified, at most 50 providers are returned. The maximum value is 100; values above 100 are truncated to 100.
    page_token

    string

    A page token, received from a previous ListWorkforcePoolProviders call. Provide this to retrieve the subsequent page.
    show_deleted

    bool

    Whether to return soft-deleted providers.

    ListWorkforcePoolProvidersResponse

    Response message for ListWorkforcePoolProviders.

    Fields
    workforce_pool_providers[]

    WorkforcePoolProvider

    A list of providers.
    next_page_token

    string

    A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

    ListWorkforcePoolsRequest

    Request message for ListWorkforcePools.

    Fields
    parent

    string

    Required. The parent resource to list pools for.

    Format: organizations/{org-id} .
    page_size

    int32

    The maximum number of pools to return. The default value is 50. The maximum value is 100.
    page_token

    string

    A page token, received from a previous ListWorkforcePools call. Provide this to retrieve the subsequent page.
    show_deleted

    bool

    Whether to return soft-deleted pools.
    location

    string

    The location of the pool.

    Format: locations/{location} .

    ListWorkforcePoolsResponse

    Response message for ListWorkforcePools.

    Fields
    workforce_pools[]

    WorkforcePool

    A list of pools.
    next_page_token

    string

    A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

    OauthClient

    Represents an OauthClient . Used to access Google Cloud resources on behalf of a Workforce Identity Federation user by using OAuth 2.0 Protocol to obtain an access token from Google Cloud.

    Fields
    name

    string

    Immutable. Identifier. The resource name of the OauthClient .

    Format: projects/{project}/locations/{location}/oauthClients/{oauth_client} .

    state

    State

    Output only. The state of the OauthClient .

    disabled

    bool

    Optional. Whether the OauthClient is disabled. You cannot use a disabled OAuth client.

    client_id

    string

    Output only. The system-generated OauthClient id.

    display_name

    string

    Optional. A user-specified display name of the OauthClient .

    Cannot exceed 32 characters.

    description

    string

    Optional. A user-specified description of the OauthClient .

    Cannot exceed 256 characters.

    client_type

    ClientType

    Immutable. The type of OauthClient . Either public or private. For private clients, the client secret can be managed using the dedicated OauthClientCredential resource.

    allowed_grant_types[]

    GrantType

    Required. The list of OAuth grant types is allowed for the OauthClient .

    allowed_scopes[]

    string

    Required. The list of scopes that the OauthClient is allowed to request during OAuth flows.

    The following scopes are supported:

    • https://www.googleapis.com/auth/cloud-platform : See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account.
    • openid : The OAuth client can associate you with your personal information on Google Cloud.
    • email : The OAuth client can read a federated identity's email address.
    • groups : The OAuth client can read a federated identity's groups.
    allowed_redirect_uris[]

    string

    Required. The list of redirect uris that is allowed to redirect back when authorization process is completed.

    expire_time

    Timestamp

    Output only. Time after which the OauthClient will be permanently purged and cannot be recovered.

    ClientType

    The type of OauthClient .

    Enums
    CLIENT_TYPE_UNSPECIFIED Should not be used.
    PUBLIC_CLIENT Public client has no secret.
    CONFIDENTIAL_CLIENT Private client.

    GrantType

    The OAuth grant type.

    Enums
    GRANT_TYPE_UNSPECIFIED Should not be used.
    AUTHORIZATION_CODE_GRANT Authorization code grant.
    REFRESH_TOKEN_GRANT Refresh token grant.

    State

    The current state of the OauthClient .

    Enums
    STATE_UNSPECIFIED Default value. This value is unused.
    ACTIVE The OauthClient is active.
    DELETED The OauthClient is soft-deleted. Soft-deleted OauthClient is permanently deleted after approximately 30 days unless restored via UndeleteOauthClient .

    OauthClientCredential

    Represents an OauthClientCredential . Used to authenticate an OauthClient while accessing Google Cloud resources on behalf of a user by using OAuth 2.0 Protocol.

    Fields
    name

    string

    Immutable. Identifier. The resource name of the OauthClientCredential .

    Format: projects/{project}/locations/{location}/oauthClients/{oauth_client}/credentials/{credential}

    disabled

    bool

    Optional. Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential .

    display_name

    string

    Optional. A user-specified display name of the OauthClientCredential .

    Cannot exceed 32 characters.

    Union field credential .

    credential can be only one of the following:

    client_secret

    string

    Output only. The system-generated OAuth client secret.

    The client secret must be stored securely. If the client secret is leaked, you must delete and re-create the client credential. To learn more, see OAuth client and credential security risks and mitigations

    PatchServiceAccountRequest

    The service account patch request.

    You can patch only the display_name and description fields. You must use the update_mask field to specify which of these fields you want to patch.

    Only the fields specified in the request are guaranteed to be returned in the response. Other fields may be empty in the response.

    Fields
    update_mask

    FieldMask

    Permission

    A permission which can be included by a role.

    Fields
    name

    string

    The name of this Permission.
    title

    string

    The title of this Permission.
    description

    string

    A brief description of what this Permission is used for.
    only_in_predefined_roles
    (deprecated)

    bool

    stage

    PermissionLaunchStage

    The current launch stage of the permission.
    custom_roles_support_level

    CustomRolesSupportLevel

    The current custom role support level.
    api_disabled

    bool

    The service API associated with the permission is not enabled.
    primary_permission

    string

    The preferred name for this permission. If present, then this permission is an alias of, and equivalent to, the listed primary_permission.

    CustomRolesSupportLevel

    The state of the permission with regards to custom roles.

    Enums
    SUPPORTED Default state. Permission is fully supported for custom role use.
    TESTING Permission is being tested to check custom role compatibility.
    NOT_SUPPORTED Permission is not supported for custom role use.

    PermissionLaunchStage

    A stage representing a permission's lifecycle phase.

    Enums
    ALPHA The permission is currently in an alpha phase.
    BETA The permission is currently in a beta phase.
    GA The permission is generally available.
    DEPRECATED The permission is being deprecated.

    QueryAuditableServicesRequest

    A request to get the list of auditable services for a resource.

    Fields
    full_resource_name

    string

    Required. The full resource name to query from the list of auditable services.

    The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project .

    QueryAuditableServicesResponse

    A response containing a list of auditable services for a resource.

    Fields
    services[]

    AuditableService

    The auditable services for a resource.

    AuditableService

    Contains information about an auditable service.

    Fields
    name

    string

    Public name of the service. For example, the service name for IAM is 'iam.googleapis.com'.

    QueryGrantableRolesRequest

    The grantable role query request.

    Fields
    full_resource_name

    string

    Required. Required. The full resource name to query from the list of grantable roles.

    The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project .
    view

    RoleView

    page_size

    int32

    Optional limit on the number of roles to include in the response.

    The default is 300, and the maximum is 2,000.
    page_token

    string

    Optional pagination token returned in an earlier QueryGrantableRolesResponse.

    QueryGrantableRolesResponse

    The grantable role query response.

    Fields
    roles[]

    Role

    The list of matching roles.
    next_page_token

    string

    To retrieve the next page of results, set QueryGrantableRolesRequest.page_token to this value.

    QueryTestablePermissionsRequest

    A request to get permissions which can be tested on a resource.

    Fields
    full_resource_name

    string

    Required. The full resource name to query from the list of testable permissions.

    The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project .
    page_size

    int32

    Optional limit on the number of permissions to include in the response.

    The default is 100, and the maximum is 1,000.
    page_token

    string

    Optional pagination token returned in an earlier QueryTestablePermissionsRequest.

    QueryTestablePermissionsResponse

    The response containing permissions which can be tested on a resource.

    Fields
    permissions[]

    Permission

    The Permissions testable on the requested resource.
    next_page_token

    string

    To retrieve the next page of results, set QueryTestableRolesRequest.page_token to this value.

    Role

    A role in the Identity and Access Management API.

    Fields
    name

    string

    The name of the role.

    When Role is used in CreateRole , the role name must not be set.

    When Role is used in output and other input such as UpdateRole , the role name is the complete path. For example, roles/logging.viewer for predefined roles, organizations/{ORGANIZATION_ID}/roles/myRole for organization-level custom roles, and projects/{PROJECT_ID}/roles/myRole for project-level custom roles.
    title

    string

    Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.
    description

    string

    Optional. A human-readable description for the role.
    included_permissions[]

    string

    The names of the permissions this role grants when bound in an IAM policy.
    stage

    RoleLaunchStage

    The current launch stage of the role. If the ALPHA launch stage has been selected for a role, the stage field will not be included in the returned definition for the role.
    etag

    bytes

    Used to perform a consistent read-modify-write.
    deleted

    bool

    The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.

    RoleLaunchStage

    A stage representing a role's lifecycle phase.

    Enums
    ALPHA The user has indicated this role is currently in an Alpha phase. If this launch stage is selected, the stage field will not be included when requesting the definition for a given role.
    BETA The user has indicated this role is currently in a Beta phase.
    GA The user has indicated this role is generally available.
    DEPRECATED The user has indicated this role is being deprecated.
    DISABLED This role is disabled and will not contribute permissions to any principals it is granted to in policies.
    EAP The user has indicated this role is currently in an EAP phase.

    RoleView

    A view for Role objects.

    Enums
    BASIC Omits the included_permissions field. This is the default value.
    FULL Returns all fields.

    ServiceAccount

    An IAM service account.

    A service account is an account for an application or a virtual machine (VM) instance, not a person. You can use a service account to call Google APIs. To learn more, read the overview of service accounts .

    When you create a service account, you specify the project ID that owns the service account, as well as a name that must be unique within the project. IAM uses these values to create an email address that identifies the service account. //

    Fields
    name

    string

    The resource name of the service account.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}
    • projects/-/serviceAccounts/{UNIQUE_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    project_id

    string

    Output only. The ID of the project that owns the service account.

    unique_id

    string

    Output only. The unique, stable numeric ID for the service account.

    Each service account retains its unique ID even if you delete the service account. For example, if you delete a service account, then create a new service account with the same name, the new service account has a different unique ID than the deleted service account.

    email

    string

    Output only. The email address of the service account.

    display_name

    string

    Optional. A user-specified, human-readable name for the service account. The maximum length is 100 UTF-8 bytes.

    etag
    (deprecated)

    bytes

    Deprecated. Do not use.

    description

    string

    Optional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes.

    oauth2_client_id

    string

    Output only. The OAuth 2.0 client ID for the service account.

    disabled

    bool

    Output only. Whether the service account is disabled.

    ServiceAccountKey

    Represents a service account key.

    A service account has two sets of key-pairs: user-managed, and system-managed.

    User-managed key-pairs can be created and deleted by users. Users are responsible for rotating these keys periodically to ensure security of their service accounts. Users retain the private key of these key-pairs, and Google retains ONLY the public key.

    System-managed keys are automatically rotated by Google, and are used for signing for a maximum of two weeks. The rotation process is probabilistic, and usage of the new key will gradually ramp up and down over the key's lifetime.

    If you cache the public key set for a service account, we recommend that you update the cache every 15 minutes. User-managed keys can be added and removed at any time, so it is important to update the cache frequently. For Google-managed keys, Google will publish a key at least 6 hours before it is first used for signing and will keep publishing it for at least 6 hours after it was last used for signing.

    Public keys for all service accounts are also published at the OAuth2 Service Account API.

    Fields
    name

    string

    The resource name of the service account key in the following format projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key} .
    private_key_type

    ServiceAccountPrivateKeyType

    The output format for the private key. Only provided in CreateServiceAccountKey responses, not in GetServiceAccountKey or ListServiceAccountKey responses.

    Google never exposes system-managed private keys, and never retains user-managed private keys.
    key_algorithm

    ServiceAccountKeyAlgorithm

    Specifies the algorithm (and possibly key size) for the key.
    private_key_data

    bytes

    The private key data. Only provided in CreateServiceAccountKey responses. Make sure to keep the private key data secure because it allows for the assertion of the service account identity. When base64 decoded, the private key data can be used to authenticate with Google API client libraries and with gcloud auth activate-service-account .
    public_key_data

    bytes

    The public key data. Only provided in GetServiceAccountKey responses.
    valid_after_time

    Timestamp

    The key can be used after this timestamp.
    valid_before_time

    Timestamp

    The key can be used before this timestamp. For system-managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time.
    key_origin

    ServiceAccountKeyOrigin

    The key origin.
    key_type

    KeyType

    The key type.
    disabled

    bool

    The key status.
    disable_reason

    ServiceAccountKeyDisableReason

    Output only. optional. If the key is disabled, it may have a DisableReason describing why it was disabled.
    extended_status[]

    ExtendedStatus

    Output only. Extended Status provides permanent information about a service account key. For example, if this key was detected as exposed or compromised, that information will remain for the lifetime of the key in the extended_status.

    ExtendedStatus

    Extended status can store additional metadata. For example, for keys disabled due to their private key data being expoesed we may include a message with more information about the exposure.

    Fields
    key

    ServiceAccountKeyExtendedStatusKey

    The key for this extended status.
    value

    string

    The value for the extended status.

    ServiceAccountKeyAlgorithm

    Supported key algorithms.

    Enums
    KEY_ALG_UNSPECIFIED An unspecified key algorithm.
    KEY_ALG_RSA_1024 1k RSA Key.
    KEY_ALG_RSA_2048 2k RSA Key.

    ServiceAccountKeyDisableReason

    DisableReason is intended to communicate more information about a disabled Service Accounts or Service Account Key.

    Enums

    ServiceAccountKeyExtendedStatusKey

    Different categories of extended_status messages. For example the accompanying message for SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_EXPOSED may contain information about how the key was exposed.

    Enums

    ServiceAccountKeyOrigin

    Service Account Key Origin.

    Enums
    ORIGIN_UNSPECIFIED Unspecified key origin.
    USER_PROVIDED Key is provided by user.
    GOOGLE_PROVIDED Key is provided by Google.

    ServiceAccountPrivateKeyType

    Supported private key output formats.

    Enums
    TYPE_UNSPECIFIED Unspecified. Equivalent to TYPE_GOOGLE_CREDENTIALS_FILE .
    TYPE_PKCS12_FILE PKCS12 format. The password for the PKCS12 file is notasecret . For more information, see https://tools.ietf.org/html/rfc7292 .
    TYPE_GOOGLE_CREDENTIALS_FILE Google Credentials File format.

    ServiceAccountPublicKeyType

    Supported public key output formats.

    Enums
    TYPE_NONE Do not return the public key.
    TYPE_X509_PEM_FILE X509 PEM format.
    TYPE_RAW_PUBLIC_KEY Raw public key.

    SignBlobRequest

    Deprecated. Migrate to Service Account Credentials API .

    The service account sign blob request.

    Fields
    name
    (deprecated)

    string

    Required. Deprecated. Migrate to Service Account Credentials API .

    The resource name of the service account.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}
    • projects/-/serviceAccounts/{UNIQUE_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccounts.signBlob
    bytes_to_sign
    (deprecated)

    bytes

    Required. Deprecated. Migrate to Service Account Credentials API .

    The bytes to sign.

    SignBlobResponse

    Deprecated. Migrate to Service Account Credentials API .

    The service account sign blob response.

    Fields
    key_id
    (deprecated)

    string

    Deprecated. Migrate to Service Account Credentials API .

    The id of the key used to sign the blob.
    signature
    (deprecated)

    bytes

    Deprecated. Migrate to Service Account Credentials API .

    The signed blob.

    SignJwtRequest

    Deprecated. Migrate to Service Account Credentials API .

    The service account sign JWT request.

    Fields
    name
    (deprecated)

    string

    Required. Deprecated. Migrate to Service Account Credentials API .

    The resource name of the service account.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}
    • projects/-/serviceAccounts/{UNIQUE_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccounts.signJwt
    payload
    (deprecated)

    string

    Required. Deprecated. Migrate to Service Account Credentials API .

    The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. For example: {"sub": "user@example.com", "iat": 313435}

    If the JWT Claims Set contains an expiration time ( exp ) claim, it must be an integer timestamp that is not in the past and no more than 12 hours in the future.

    If the JWT Claims Set does not contain an expiration time ( exp ) claim, this claim is added automatically, with a timestamp that is 1 hour in the future.

    SignJwtResponse

    Deprecated. Migrate to Service Account Credentials API .

    The service account sign JWT response.

    Fields
    key_id
    (deprecated)

    string

    Deprecated. Migrate to Service Account Credentials API .

    The id of the key used to sign the JWT.
    signed_jwt
    (deprecated)

    string

    Deprecated. Migrate to Service Account Credentials API .

    The signed JWT.

    UndeleteOauthClientRequest

    Request message for UndeleteOauthClient.

    Fields
    name

    string

    Required. The name of the OauthClient to undelete.

    Format: projects/{project}/locations/{location}/oauthClients/{oauth_client} .

    UndeleteRoleRequest

    The request to undelete an existing role.

    Fields
    name

    string

    The name parameter's value depends on the target resource for the request, namely projects or organizations . Each resource type's name value format is described below:

    • projects.roles.undelete : projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID} . This method undeletes only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

    • organizations.roles.undelete : organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID} . This method undeletes only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

    Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.roles.undelete
    etag

    bytes

    Used to perform a consistent read-modify-write.

    UndeleteServiceAccountRequest

    The service account undelete request.

    Fields
    name

    string

    The resource name of the service account.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}
    • projects/-/serviceAccounts/{UNIQUE_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccounts.undelete

    UndeleteServiceAccountResponse

    Fields

    UndeleteWorkforcePoolProviderKeyRequest

    Request message for UndeleteWorkforcePoolProviderKey.

    Fields
    name

    string

    Required. The name of the key to undelete.

    UndeleteWorkforcePoolProviderRequest

    Request message for UndeleteWorkforcePoolProvider.

    Fields
    name

    string

    Required. The name of the provider to undelete.

    Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}

    UndeleteWorkforcePoolRequest

    Request message for UndeleteWorkforcePool.

    Fields
    name

    string

    Required. The name of the pool to undelete.

    Format: locations/{location}/workforcePools/{workforce_pool_id}

    UndeleteWorkforcePoolSubjectRequest

    Request message for [UndeleteWorkforcePoolSubject][].

    Fields
    name

    string

    Required. The resource name of the WorkforcePoolSubject . Special characters, like / and : , must be escaped, because all URLs need to conform to the "When to Escape and Unescape" section of RFC3986 .

    Format: locations/{location}/workforcePools/{workforce_pool_id}/subjects/{subject_id}

    UpdateOauthClientCredentialRequest

    Request message for UpdateOauthClientCredential.

    Fields
    oauth_client_credential

    OauthClientCredential

    Required. The OauthClientCredential to update. The name field is used to identify the OauthClientCredential .
    update_mask

    FieldMask

    Required. The list of fields to update.

    UpdateOauthClientRequest

    Request message for UpdateOauthClient.

    Fields
    oauth_client

    OauthClient

    Required. The OauthClient to update. The name field is used to identify the OauthClient .
    update_mask

    FieldMask

    Required. The list of fields to update.

    UpdateRoleRequest

    The request to update a role.

    Fields
    name

    string

    The name parameter's value depends on the target resource for the request, namely projects or organizations . Each resource type's name value format is described below:

    • projects.roles.patch : projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID} . This method updates only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}

    • organizations.roles.patch : organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID} . This method updates only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}

    Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.roles.update
    role

    Role

    The updated role.

    update_mask

    FieldMask

    A mask describing which fields in the Role have changed.

    UpdateWorkforcePoolProviderRequest

    Request message for UpdateWorkforcePoolProvider.

    Fields
    workforce_pool_provider

    WorkforcePoolProvider

    Required. The provider to update.
    update_mask

    FieldMask

    Required. The list of fields to update.

    UpdateWorkforcePoolRequest

    Request message for UpdateWorkforcePool.

    Fields
    workforce_pool

    WorkforcePool

    Required. The pool to update. The name field is used to identify the pool.
    update_mask

    FieldMask

    Required. The list of fields to update.

    UploadServiceAccountKeyRequest

    The service account key upload request.

    Fields
    name

    string

    The resource name of the service account key.

    Use one of the following formats:

    • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
    • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

    As an alternative, you can use the - wildcard character instead of the project ID:

    • projects/-/serviceAccounts/{EMAIL_ADDRESS}
    • projects/-/serviceAccounts/{UNIQUE_ID}

    When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccountKeys.create
    public_key_data

    bytes

    The public key to associate with the service account. Must be an RSA public key that is wrapped in an X.509 v3 certificate. Include the first line, -----BEGIN CERTIFICATE----- , and the last line, -----END CERTIFICATE----- .

    WorkforcePool

    Represents a collection of external workforces. Provides namespaces for federated users that can be referenced in IAM policies.

    Fields
    name

    string

    Identifier. The resource name of the pool.

    Format: locations/{location}/workforcePools/{workforce_pool_id}

    parent

    string

    Immutable. The resource name of the parent.

    Format: organizations/{org-id} .
    display_name

    string

    Optional. A user-specified display name of the pool in Google Cloud Console.

    Cannot exceed 32 characters.
    description

    string

    Optional. A user-specified description of the pool.

    Cannot exceed 256 characters.
    state

    State

    Output only. The state of the pool.
    disabled

    bool

    Optional. Disables the workforce pool. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
    session_duration

    Duration

    Optional. Duration that the Google Cloud access tokens, console sign-in sessions, and gcloud sign-in sessions from this pool are valid.

    Must be greater than 15 minutes (900s) and less than 12 hours (43200s). If session_duration is not configured, minted credentials have a default duration of one hour (3600s).

    For SAML providers, the lifetime of the token is the minimum of the session_duration and the SessionNotOnOrAfter claim in the SAML assertion.
    expire_time

    Timestamp

    Output only. Time after which the workforce pool will be permanently purged and cannot be recovered.
    access_restrictions

    AccessRestrictions

    Optional. Configure access restrictions on the workforce pool users. This is an optional field. If specified web sign-in can be restricted to given set of services or programmatic sign-in can be disabled for pool users.

    AccessRestrictions

    Access related restrictions on the workforce pool.

    Fields
    allowed_services[]

    ServiceConfig

    Optional. Immutable. Services allowed for web sign-in with the workforce pool. If not set by default there are no restrictions.

    ServiceConfig

    Configuration for a service.

    Fields
    domain

    string

    Optional. Domain name of the service.

    Example: console.cloud.google

    State

    The current state of the pool.

    Enums
    STATE_UNSPECIFIED State unspecified.
    ACTIVE The pool is active and may be used in Google Cloud policies.
    DELETED

    The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkforcePool .

    You cannot reuse the ID of a soft-deleted pool until it is permanently deleted.

    While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

    WorkforcePoolOperationMetadata

    This type has no fields.

    Metadata for long-running WorkforcePool operations.

    WorkforcePoolProvider

    A configuration for an external identity provider.

    Fields
    name

    string

    Identifier. The resource name of the provider.

    Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}

    display_name

    string

    Optional. A user-specified display name for the provider.

    Cannot exceed 32 characters.

    description

    string

    Optional. A user-specified description of the provider. Cannot exceed 256 characters.

    state

    State

    Output only. The state of the provider.

    disabled

    bool

    Optional. Disables the workforce pool provider. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

    attribute_mapping

    map<string, string>

    Required. Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment .

    Each key must be a string specifying the Google Cloud IAM attribute to map to.

    The following keys are supported:

    • google.subject : The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.

    • google.groups : Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.

    • google.display_name : The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.

    • google.profile_photo : The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings.

    • google.posix_username : The Linux username used by OS Login. This is an optional field and the mapped POSIX username cannot exceed 32 characters, The key must match the regex "^[a-zA-Z0-9._][a-zA-Z0-9._-]{0,31}$". This attribute cannot be referenced in IAM bindings.

    You can also provide custom attributes by specifying attribute.{custom_attribute} , where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_].

    You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:

    • google.subject : principal://iam.googleapis.com/locations/global/workforcePools/{pool}/subject/{value}

    • google.groups : principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/group/{value}

    • attribute.{custom_attribute} : principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/attribute.{custom_attribute}/{value}

    Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key.

    You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider.

    The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 4KB.

    For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

     {"google.subject": "assertion.sub"}
    attribute_condition

    string

    Optional. A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted.

    The expression must output a boolean representing whether to allow the federation.

    The following keywords may be referenced in the expressions:

    • assertion : JSON representing the authentication credential issued by the provider.
    • google : The Google attributes mapped from the assertion in the attribute_mappings . google.profile_photo , google.display_name and google.posix_username are not supported.
    • attribute : The custom attributes mapped from the assertion in the attribute_mappings .

    The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials will be accepted.

    The following example shows how to only allow credentials with a mapped google.groups value of admins :

     "'admins' in google.groups"
    expire_time

    Timestamp

    Output only. Time after which the workforce identity pool provider will be permanently purged and cannot be recovered.

    extra_attributes_oauth2_client

    ExtraAttributesOAuth2Client

    Optional. The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol.

    detailed_audit_logging

    bool

    Optional. If true, populates additional debug information in Cloud Audit Logs for this provider. Logged attribute mappings and values can be found in sts.googleapis.com data access logs. Default value is false.

    Union field provider_config .

    provider_config can be only one of the following:

    saml

    Saml

    A SAML identity provider configuration.

    oidc

    Oidc

    An OpenId Connect 1.0 identity provider configuration.

    ExtraAttributesOAuth2Client

    Represents the OAuth 2.0 client credential configuration for retrieving additional user attributes that are not present in the initial authentication credentials from the identity provider, e.g. groups. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.4 for more details on client credentials grant flow.

    Fields
    issuer_uri

    string

    Required. The OIDC identity provider's issuer URI. Must be a valid URI using the https scheme. Required to get the OIDC discovery document.
    client_id

    string

    Required. The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
    client_secret

    ClientSecret

    Required. The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
    attributes_type

    AttributesType

    Required. Represents the IdP and type of claims that should be fetched.
    query_parameters

    QueryParameters

    Optional. Represents the parameters to control which claims are fetched from an IdP.

    AttributesType

    Represents the IdP and type of claims that should be fetched.

    Enums
    ATTRIBUTES_TYPE_UNSPECIFIED
    No AttributesType specified.
    AZURE_AD_GROUPS_MAIL

    Used to get the user's group claims from the Microsoft Entra ID identity provider using the configuration provided in ExtraAttributesOAuth2Client. The mail property of the microsoft.graph.group object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on microsoft.graph.group properties. The group mail addresses of the user's groups that are returned from Microsoft Entra ID can be mapped by using the following attributes:

    • OIDC: assertion.groups
    • SAML: assertion.attributes.groups
    AZURE_AD_GROUPS_ID

    Used to get the user's group claims from the Microsoft Entra ID identity provider using the configuration provided in ExtraAttributesOAuth2Client. The id property of the microsoft.graph.group object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on microsoft.graph.group properties. The group IDs of the user's groups that are returned from Microsoft Entra ID can be mapped by using the following attributes:

    • OIDC: assertion.groups
    • SAML: assertion.attributes.groups

    QueryParameters

    Represents the parameters to control which claims are fetched from an IdP.

    Fields
    filter

    string

    Optional. The filter used to request specific records from the IdP. By default, all of the groups that are associated with a user are fetched. For Microsoft Entra ID, you can add $search query parameters using Keyword Query Language . To learn more about $search querying in Microsoft Entra ID, see Use the $search query parameter .

    Additionally, Workforce Identity Federation automatically adds the following $filter query parameters , based on the value of attributes_type . Values passed to filter are converted to $search query parameters. Additional $filter query parameters cannot be added using this field.

    • AZURE_AD_GROUPS_MAIL : mailEnabled and securityEnabled filters are applied.
    • AZURE_AD_GROUPS_ID : securityEnabled filter is applied.

    Oidc

    Represents an OpenId Connect 1.0 identity provider.

    Fields
    issuer_uri

    string

    Required. The OIDC issuer URI. Must be a valid URI using the https scheme.
    client_id

    string

    Required. The client ID. Must match the audience claim of the JWT issued by the identity provider.
    client_secret

    ClientSecret

    Optional. The optional client secret. Required to enable Authorization Code flow for web sign-in.
    web_sso_config

    WebSsoConfig

    Required. Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser.
    jwks_json

    string

    Optional. OIDC JWKs in JSON String format. For details on the definition of a JWK, see https://tools.ietf.org/html/rfc7517 . If not set, the jwks_uri from the discovery document(fetched from the .well-known path of the issuer_uri ) will be used. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: { "keys": [ { "kty": "RSA/EC", "alg": " ", "use": "sig", "kid": " ", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }

    ClientSecret

    Representation of a client secret configured for the OIDC provider.

    Fields

    Union field source .

    source can be only one of the following:

    value

    Value

    The value of the client secret.

    Value

    Representation of the value of the client secret.

    Fields
    plain_text

    string

    Optional. Input only. The plain text of the client secret value. For security reasons, this field is only used for input and will never be populated in any response.
    thumbprint

    string

    Output only. A thumbprint to represent the current client secret value.

    WebSsoConfig

    Configuration for web single sign-on for the OIDC provider.

    Fields
    response_type

    ResponseType

    Required. The Response Type to request for in the OIDC Authorization Request for web sign-in.

    The CODE Response Type is recommended to avoid the Implicit Flow, for security reasons.
    assertion_claims_behavior

    AssertionClaimsBehavior

    Required. The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.
    additional_scopes[]

    string

    Optional. Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the openid , profile and email scopes that are supported by the identity provider are requested.

    Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.

    AssertionClaimsBehavior

    Possible behaviors for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

    Enums
    ASSERTION_CLAIMS_BEHAVIOR_UNSPECIFIED No assertion claims behavior specified.
    ONLY_ID_TOKEN_CLAIMS Only include ID Token Claims.

    ResponseType

    Possible Response Types to request for in the OIDC Authorization Request for web sign-in. This determines the OIDC Authentication Flow. See https://openid.net/specs/openid-connect-core-1_0.html#Authentication for a mapping of Response Type to OIDC Authentication Flow.

    Enums
    RESPONSE_TYPE_UNSPECIFIED No Response Type specified.
    CODE The response_type=code selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret.
    ID_TOKEN The response_type=id_token selection uses the Implicit Flow for web sign-in.

    Saml

    Represents a SAML identity provider.

    Fields

    Union field identity_provider .

    identity_provider can be only one of the following:

    idp_metadata_xml

    string

    Required. SAML Identity provider configuration metadata xml doc. The xml document should comply with SAML 2.0 specification . The max size of the acceptable xml document will be bounded to 128k characters.

    The metadata xml document should satisfy the following constraints: 1) Must contain an Identity Provider Entity ID. 2) Must contain at least one non-expired signing key certificate. 3) For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 25 years in the future. 4) Up to 3 IdP signing keys are allowed in the metadata xml.

    When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.

    State

    The current state of the provider.

    Enums
    STATE_UNSPECIFIED State unspecified.
    ACTIVE The provider is active and may be used to validate authentication credentials.
    DELETED The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkforcePoolProvider .

    WorkforcePoolProviderKey

    Represents a public key configuration for a Workforce Pool Provider. The key can be configured in your identity provider to encrypt SAML assertions. Google holds the corresponding private key, which it uses to decrypt encrypted tokens.

    Fields
    name

    string

    Identifier. The resource name of the key.

    Format: locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}/keys/{key_id}

    key_data

    KeyData

    Immutable. Public half of the asymmetric key.
    state

    State

    Output only. The state of the key.
    use

    KeyUse

    Required. The purpose of the key.
    expire_time

    Timestamp

    Output only. The time after which the key will be permanently deleted and cannot be recovered. Note that the key may get purged before this time if the total limit of keys per provider is exceeded.

    KeyUse

    The purpose of the key.

    Enums
    KEY_USE_UNSPECIFIED KeyUse unspecified.
    ENCRYPTION The key is used for encryption.

    State

    The current state of the key.

    Enums
    STATE_UNSPECIFIED State unspecified.
    ACTIVE The key is active.
    DELETED The key is soft-deleted. Soft-deleted keys are permanently deleted after approximately 30 days. You can restore a soft-deleted key using UndeleteWorkforcePoolProviderKey .

    WorkforcePoolProviderKeyOperationMetadata

    This type has no fields.

    Metadata for long-running WorkforcePoolProviderKey operations.

    WorkforcePoolProviderOperationMetadata

    This type has no fields.

    Metadata for long-running WorkforcePoolProvider operations.

    WorkforcePoolSubject

    Represents a single identity in a Workforce Pool.

    Fields
    name

    string

    Output only. The resource name of the WorkforcePoolSubject . Special characters, like / and : , must be escaped, because all URLs need to conform to the "When to Escape and Unescape" section of RFC3986 .

    Format: locations/{location}/workforcePools/{workforce_pool_id}/subjects/{subject_id}

    expire_time

    Timestamp

    Output only. The planned hard deletion time of this resource in RFC3339 text format.

    WorkforcePoolSubjectOperationMetadata

    This type has no fields.

    Metadata for long-running WorkforcePoolSubject operations.
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: