RubyGems - google-apis-iam_v1 - Versions diffs - 0.36.0 → 0.72.0 - Mend

google-apis-iam_v1 0.36.0 → 0.72.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +154 -0
data/OVERVIEW.md +2 -2
data/lib/google/apis/iam_v1/classes.rb +2190 -392
data/lib/google/apis/iam_v1/gem_version.rb +3 -3
data/lib/google/apis/iam_v1/representations.rb +802 -17
data/lib/google/apis/iam_v1/service.rb +2759 -501
data/lib/google/apis/iam_v1.rb +5 -3
metadata +7 -10

data/lib/google/apis/iam_v1/classes.rb CHANGED Viewed

@@ -22,6 +22,56 @@ module Google
   module Apis
     module IamV1
+      # Access related restrictions on the workforce pool.
+      class AccessRestrictions
+        include Google::Apis::Core::Hashable
+        # Optional. Immutable. Services allowed for web sign-in with the workforce pool.
+        # If not set by default there are no restrictions.
+        # Corresponds to the JSON property `allowedServices`
+        # @return [Array<Google::Apis::IamV1::ServiceConfig>]
+        attr_accessor :allowed_services
+        # Optional. Disable programmatic sign-in by disabling token issue via the
+        # Security Token API endpoint. See [Security Token Service API] (https://cloud.
+        # google.com/iam/docs/reference/sts/rest).
+        # Corresponds to the JSON property `disableProgrammaticSignin`
+        # @return [Boolean]
+        attr_accessor :disable_programmatic_signin
+        alias_method :disable_programmatic_signin?, :disable_programmatic_signin
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @allowed_services = args[:allowed_services] if args.key?(:allowed_services)
+          @disable_programmatic_signin = args[:disable_programmatic_signin] if args.key?(:disable_programmatic_signin)
+        end
+      end
+      # Request message for AddAttestationRule.
+      class AddAttestationRuleRequest
+        include Google::Apis::Core::Hashable
+        # Defines which workloads can receive an identity within a pool. When an
+        # AttestationRule is defined under a managed identity, matching workloads may
+        # receive that identity.
+        # Corresponds to the JSON property `attestationRule`
+        # @return [Google::Apis::IamV1::AttestationRule]
+        attr_accessor :attestation_rule
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @attestation_rule = args[:attestation_rule] if args.key?(:attestation_rule)
+        end
+      end
       # Audit log information specific to Cloud IAM admin APIs. This message is
       # serialized as an `Any` type in the `ServiceData` message of an `AuditLog`
       # message.
@@ -44,6 +94,28 @@ module Google
         end
       end
+      # Defines which workloads can receive an identity within a pool. When an
+      # AttestationRule is defined under a managed identity, matching workloads may
+      # receive that identity.
+      class AttestationRule
+        include Google::Apis::Core::Hashable
+        # Optional. A single workload operating on Google Cloud. For example: `//compute.
+        # googleapis.com/projects/123/uid/zones/us-central1-a/instances/12345`.
+        # Corresponds to the JSON property `googleCloudResource`
+        # @return [String]
+        attr_accessor :google_cloud_resource
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @google_cloud_resource = args[:google_cloud_resource] if args.key?(:google_cloud_resource)
+        end
+      end
       # Specifies the audit configuration for a service. The configuration determines
       # which permission types are logged, and what identities, if any, are exempted
       # from logging. An AuditConfig must have one or more AuditLogConfigs. If there
@@ -139,8 +211,8 @@ module Google
       class AuditableService
         include Google::Apis::Core::Hashable
-        # Public name of the service. For example, the service name for Cloud IAM is '
-        # iam.googleapis.com'.
+        # Public name of the service. For example, the service name for IAM is 'iam.
+        # googleapis.com'.
         # Corresponds to the JSON property `name`
         # @return [String]
         attr_accessor :name
@@ -212,7 +284,27 @@ module Google
         # kubernetes-engine/docs/how-to/kubernetes-service-accounts). For example, `my-
         # project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * `group:`emailid``: An
         # email address that represents a Google group. For example, `admins@example.com`
-        # . * `deleted:user:`emailid`?uid=`uniqueid``: An email address (plus unique
+        # . * `domain:`domain``: The G Suite domain (primary) that represents all the
+        # users of that domain. For example, `google.com` or `example.com`. * `principal:
+        # //iam.googleapis.com/locations/global/workforcePools/`pool_id`/subject/`
+        # subject_attribute_value``: A single identity in a workforce identity pool. * `
+        # principalSet://iam.googleapis.com/locations/global/workforcePools/`pool_id`/
+        # group/`group_id``: All workforce identities in a group. * `principalSet://iam.
+        # googleapis.com/locations/global/workforcePools/`pool_id`/attribute.`
+        # attribute_name`/`attribute_value``: All workforce identities with a specific
+        # attribute value. * `principalSet://iam.googleapis.com/locations/global/
+        # workforcePools/`pool_id`/*`: All identities in a workforce identity pool. * `
+        # principal://iam.googleapis.com/projects/`project_number`/locations/global/
+        # workloadIdentityPools/`pool_id`/subject/`subject_attribute_value``: A single
+        # identity in a workload identity pool. * `principalSet://iam.googleapis.com/
+        # projects/`project_number`/locations/global/workloadIdentityPools/`pool_id`/
+        # group/`group_id``: A workload identity pool group. * `principalSet://iam.
+        # googleapis.com/projects/`project_number`/locations/global/
+        # workloadIdentityPools/`pool_id`/attribute.`attribute_name`/`attribute_value``:
+        # All identities in a workload identity pool with a certain attribute. * `
+        # principalSet://iam.googleapis.com/projects/`project_number`/locations/global/
+        # workloadIdentityPools/`pool_id`/*`: All identities in a workload identity pool.
+        # * `deleted:user:`emailid`?uid=`uniqueid``: An email address (plus unique
         # identifier) representing a user that has been recently deleted. For example, `
         # alice@example.com?uid=123456789012345678901`. If the user is recovered, this
         # value reverts to `user:`emailid`` and the recovered user retains the role in
@@ -226,14 +318,19 @@ module Google
         # been recently deleted. For example, `admins@example.com?uid=
         # 123456789012345678901`. If the group is recovered, this value reverts to `
         # group:`emailid`` and the recovered group retains the role in the binding. * `
-        # domain:`domain``: The G Suite domain (primary) that represents all the users
-        # of that domain. For example, `google.com` or `example.com`.
+        # deleted:principal://iam.googleapis.com/locations/global/workforcePools/`
+        # pool_id`/subject/`subject_attribute_value``: Deleted single identity in a
+        # workforce identity pool. For example, `deleted:principal://iam.googleapis.com/
+        # locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`.
         # Corresponds to the JSON property `members`
         # @return [Array<String>]
         attr_accessor :members
         # Role that is assigned to the list of `members`, or principals. For example, `
-        # roles/viewer`, `roles/editor`, or `roles/owner`.
+        # roles/viewer`, `roles/editor`, or `roles/owner`. For an overview of the IAM
+        # roles and permissions, see the [IAM documentation](https://cloud.google.com/
+        # iam/docs/roles-overview). For a list of the available pre-defined roles, see [
+        # here](https://cloud.google.com/iam/docs/understanding-roles).
         # Corresponds to the JSON property `role`
         # @return [String]
         attr_accessor :role
@@ -376,7 +473,7 @@ module Google
         # https://cloud.google.com/iam/help/service-accounts/overview). When you create
         # a service account, you specify the project ID that owns the service account,
         # as well as a name that must be unique within the project. IAM uses these
-        # values to create an email address that identifies the service //
+        # values to create an email address that identifies the service account. //
         # Corresponds to the JSON property `serviceAccount`
         # @return [Google::Apis::IamV1::ServiceAccount]
         attr_accessor :service_account
@@ -396,12 +493,28 @@ module Google
       class DisableServiceAccountKeyRequest
         include Google::Apis::Core::Hashable
+        # Optional. Usable by internal google services only. An extended_status_message
+        # can be used to include additional information about the key, such as its
+        # private key data being exposed on a public repository like GitHub.
+        # Corresponds to the JSON property `extendedStatusMessage`
+        # @return [String]
+        attr_accessor :extended_status_message
+        # Optional. Describes the reason this key is being disabled. If unspecified, the
+        # default value of SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED will be
+        # used.
+        # Corresponds to the JSON property `serviceAccountKeyDisableReason`
+        # @return [String]
+        attr_accessor :service_account_key_disable_reason
         def initialize(**args)
            update!(**args)
         end
         # Update properties of this object
         def update!(**args)
+          @extended_status_message = args[:extended_status_message] if args.key?(:extended_status_message)
+          @service_account_key_disable_reason = args[:service_account_key_disable_reason] if args.key?(:service_account_key_disable_reason)
         end
       end
@@ -514,38 +627,21 @@ module Google
         end
       end
-      # The request to lint a Cloud IAM policy object.
-      class LintPolicyRequest
+      # Extended status can store additional metadata. For example, for keys disabled
+      # due to their private key data being expoesed we may include a message with
+      # more information about the exposure.
+      class ExtendedStatus
         include Google::Apis::Core::Hashable
-        # Represents a textual expression in the Common Expression Language (CEL) syntax.
-        # CEL is a C-like expression language. The syntax and semantics of CEL are
-        # documented at https://github.com/google/cel-spec. Example (Comparison): title:
-        # "Summary size limit" description: "Determines if a summary is less than 100
-        # chars" expression: "document.summary.size() < 100" Example (Equality): title: "
-        # Requestor is owner" description: "Determines if requestor is the document
-        # owner" expression: "document.owner == request.auth.claims.email" Example (
-        # Logic): title: "Public documents" description: "Determine whether the document
-        # should be publicly visible" expression: "document.type != 'private' &&
-        # document.type != 'internal'" Example (Data Manipulation): title: "Notification
-        # string" description: "Create a notification string with a timestamp."
-        # expression: "'New message received at ' + string(document.create_time)" The
-        # exact variables and functions that may be referenced within an expression are
-        # determined by the service that evaluates it. See the service documentation for
-        # additional information.
-        # Corresponds to the JSON property `condition`
-        # @return [Google::Apis::IamV1::Expr]
-        attr_accessor :condition
+        # The key for this extended status.
+        # Corresponds to the JSON property `key`
+        # @return [String]
+        attr_accessor :key
-        # The full resource name of the policy this lint request is about. The name
-        # follows the Google Cloud Platform (GCP) resource format. For example, a GCP
-        # project with ID `my-project` will be named `//cloudresourcemanager.googleapis.
-        # com/projects/my-project`. The resource name is not used to read the policy
-        # instance from the Cloud IAM database. The candidate policy for lint has to be
-        # provided in the same request object.
-        # Corresponds to the JSON property `fullResourceName`
+        # The value for the extended status.
+        # Corresponds to the JSON property `value`
         # @return [String]
-        attr_accessor :full_resource_name
+        attr_accessor :value
         def initialize(**args)
            update!(**args)
@@ -553,20 +649,19 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @condition = args[:condition] if args.key?(:condition)
-          @full_resource_name = args[:full_resource_name] if args.key?(:full_resource_name)
+          @key = args[:key] if args.key?(:key)
+          @value = args[:value] if args.key?(:value)
         end
       end
-      # The response of a lint operation. An empty response indicates the operation
-      # was able to fully execute and no lint issue was found.
-      class LintPolicyResponse
+      # Request message for `GetIamPolicy` method.
+      class GetIamPolicyRequest
         include Google::Apis::Core::Hashable
-        # List of lint results sorted by `severity` in descending order.
-        # Corresponds to the JSON property `lintResults`
-        # @return [Array<Google::Apis::IamV1::LintResult>]
-        attr_accessor :lint_results
+        # Encapsulates settings provided to GetIamPolicy.
+        # Corresponds to the JSON property `options`
+        # @return [Google::Apis::IamV1::GetPolicyOptions]
+        attr_accessor :options
         def initialize(**args)
            update!(**args)
@@ -574,50 +669,27 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @lint_results = args[:lint_results] if args.key?(:lint_results)
+          @options = args[:options] if args.key?(:options)
         end
       end
-      # Structured response of a single validation unit.
-      class LintResult
+      # Encapsulates settings provided to GetIamPolicy.
+      class GetPolicyOptions
         include Google::Apis::Core::Hashable
-        # Human readable debug message associated with the issue.
-        # Corresponds to the JSON property `debugMessage`
-        # @return [String]
-        attr_accessor :debug_message
-        # The name of the field for which this lint result is about. For nested messages
-        # `field_name` consists of names of the embedded fields separated by period
-        # character. The top-level qualifier is the input object to lint in the request.
-        # For example, the `field_name` value `condition.expression` identifies a lint
-        # result for the `expression` field of the provided condition.
-        # Corresponds to the JSON property `fieldName`
-        # @return [String]
-        attr_accessor :field_name
-        # The validation unit level.
-        # Corresponds to the JSON property `level`
-        # @return [String]
-        attr_accessor :level
-        # 0-based character position of problematic construct within the object
-        # identified by `field_name`. Currently, this is populated only for condition
-        # expression.
-        # Corresponds to the JSON property `locationOffset`
+        # Optional. The maximum policy version that will be used to format the policy.
+        # Valid values are 0, 1, and 3. Requests specifying an invalid value will be
+        # rejected. Requests for policies with any conditional role bindings must
+        # specify version 3. Policies with no conditional role bindings may specify any
+        # valid value or leave the field unset. The policy in the response might use the
+        # policy version that you specified, or it might use a lower policy version. For
+        # example, if you specify version 3, but the policy has no conditional role
+        # bindings, the response uses version 1. To learn which resources support
+        # conditions in their IAM policies, see the [IAM documentation](https://cloud.
+        # google.com/iam/help/conditions/resource-policies).
+        # Corresponds to the JSON property `requestedPolicyVersion`
         # @return [Fixnum]
-        attr_accessor :location_offset
-        # The validation unit severity.
-        # Corresponds to the JSON property `severity`
-        # @return [String]
-        attr_accessor :severity
-        # The validation unit name, for instance "lintValidationUnits/
-        # ConditionComplexityCheck".
-        # Corresponds to the JSON property `validationUnitName`
-        # @return [String]
-        attr_accessor :validation_unit_name
+        attr_accessor :requested_policy_version
         def initialize(**args)
            update!(**args)
@@ -625,29 +697,45 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @debug_message = args[:debug_message] if args.key?(:debug_message)
-          @field_name = args[:field_name] if args.key?(:field_name)
-          @level = args[:level] if args.key?(:level)
-          @location_offset = args[:location_offset] if args.key?(:location_offset)
-          @severity = args[:severity] if args.key?(:severity)
-          @validation_unit_name = args[:validation_unit_name] if args.key?(:validation_unit_name)
+          @requested_policy_version = args[:requested_policy_version] if args.key?(:requested_policy_version)
         end
       end
-      # The response containing the roles defined under a resource.
-      class ListRolesResponse
+      # Represents the OAuth 2.0 client credential configuration for retrieving
+      # additional user attributes that are not present in the initial authentication
+      # credentials from the identity provider, e.g. groups. See https://datatracker.
+      # ietf.org/doc/html/rfc6749#section-4.4 for more details on client credentials
+      # grant flow.
+      class GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2Client
         include Google::Apis::Core::Hashable
-        # To retrieve the next page of results, set `ListRolesRequest.page_token` to
-        # this value.
-        # Corresponds to the JSON property `nextPageToken`
+        # Required. Represents the IdP and type of claims that should be fetched.
+        # Corresponds to the JSON property `attributesType`
         # @return [String]
-        attr_accessor :next_page_token
+        attr_accessor :attributes_type
-        # The Roles defined on this resource.
-        # Corresponds to the JSON property `roles`
-        # @return [Array<Google::Apis::IamV1::Role>]
-        attr_accessor :roles
+        # Required. The OAuth 2.0 client ID for retrieving extra attributes from the
+        # identity provider. Required to get the Access Token using client credentials
+        # grant flow.
+        # Corresponds to the JSON property `clientId`
+        # @return [String]
+        attr_accessor :client_id
+        # Representation of a client secret configured for the OIDC provider.
+        # Corresponds to the JSON property `clientSecret`
+        # @return [Google::Apis::IamV1::GoogleIamAdminV1WorkforcePoolProviderOidcClientSecret]
+        attr_accessor :client_secret
+        # Required. The OIDC identity provider's issuer URI. Must be a valid URI using
+        # the `https` scheme. Required to get the OIDC discovery document.
+        # Corresponds to the JSON property `issuerUri`
+        # @return [String]
+        attr_accessor :issuer_uri
+        # Represents the parameters to control which claims are fetched from an IdP.
+        # Corresponds to the JSON property `queryParameters`
+        # @return [Google::Apis::IamV1::GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2ClientQueryParameters]
+        attr_accessor :query_parameters
         def initialize(**args)
            update!(**args)
@@ -655,19 +743,35 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
-          @roles = args[:roles] if args.key?(:roles)
+          @attributes_type = args[:attributes_type] if args.key?(:attributes_type)
+          @client_id = args[:client_id] if args.key?(:client_id)
+          @client_secret = args[:client_secret] if args.key?(:client_secret)
+          @issuer_uri = args[:issuer_uri] if args.key?(:issuer_uri)
+          @query_parameters = args[:query_parameters] if args.key?(:query_parameters)
         end
       end
-      # The service account keys list response.
-      class ListServiceAccountKeysResponse
+      # Represents the parameters to control which claims are fetched from an IdP.
+      class GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2ClientQueryParameters
         include Google::Apis::Core::Hashable
-        # The public keys for the service account.
-        # Corresponds to the JSON property `keys`
-        # @return [Array<Google::Apis::IamV1::ServiceAccountKey>]
-        attr_accessor :keys
+        # Optional. The filter used to request specific records from the IdP. By default,
+        # all of the groups that are associated with a user are fetched. For Microsoft
+        # Entra ID, you can add `$search` query parameters using [Keyword Query Language]
+        # (https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-
+        # query-language-kql-syntax-reference). To learn more about `$search` querying
+        # in Microsoft Entra ID, see [Use the `$search` query parameter] (https://learn.
+        # microsoft.com/en-us/graph/search-query-parameter). Additionally, Workforce
+        # Identity Federation automatically adds the following [`$filter` query
+        # parameters] (https://learn.microsoft.com/en-us/graph/filter-query-parameter),
+        # based on the value of `attributes_type`. Values passed to `filter` are
+        # converted to `$search` query parameters. Additional `$filter` query parameters
+        # cannot be added using this field. * `AZURE_AD_GROUPS_MAIL`: `mailEnabled` and `
+        # securityEnabled` filters are applied. * `AZURE_AD_GROUPS_ID`: `securityEnabled`
+        # filter is applied.
+        # Corresponds to the JSON property `filter`
+        # @return [String]
+        attr_accessor :filter
         def initialize(**args)
            update!(**args)
@@ -675,24 +779,45 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @keys = args[:keys] if args.key?(:keys)
+          @filter = args[:filter] if args.key?(:filter)
         end
       end
-      # The service account list response.
-      class ListServiceAccountsResponse
+      # Represents an OpenId Connect 1.0 identity provider.
+      class GoogleIamAdminV1WorkforcePoolProviderOidc
         include Google::Apis::Core::Hashable
-        # The list of matching service accounts.
-        # Corresponds to the JSON property `accounts`
-        # @return [Array<Google::Apis::IamV1::ServiceAccount>]
-        attr_accessor :accounts
+        # Required. The client ID. Must match the audience claim of the JWT issued by
+        # the identity provider.
+        # Corresponds to the JSON property `clientId`
+        # @return [String]
+        attr_accessor :client_id
-        # To retrieve the next page of results, set ListServiceAccountsRequest.
-        # page_token to this value.
-        # Corresponds to the JSON property `nextPageToken`
+        # Representation of a client secret configured for the OIDC provider.
+        # Corresponds to the JSON property `clientSecret`
+        # @return [Google::Apis::IamV1::GoogleIamAdminV1WorkforcePoolProviderOidcClientSecret]
+        attr_accessor :client_secret
+        # Required. The OIDC issuer URI. Must be a valid URI using the `https` scheme.
+        # Corresponds to the JSON property `issuerUri`
         # @return [String]
-        attr_accessor :next_page_token
+        attr_accessor :issuer_uri
+        # Optional. OIDC JWKs in JSON String format. For details on the definition of a
+        # JWK, see https://tools.ietf.org/html/rfc7517. If not set, the `jwks_uri` from
+        # the discovery document(fetched from the .well-known path of the `issuer_uri`)
+        # will be used. Currently, RSA and EC asymmetric keys are supported. The JWK
+        # must use following format and include only the following fields: ` "keys": [ `
+        # "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "",
+        # "y": "", "crv": "" ` ] `
+        # Corresponds to the JSON property `jwksJson`
+        # @return [String]
+        attr_accessor :jwks_json
+        # Configuration for web single sign-on for the OIDC provider.
+        # Corresponds to the JSON property `webSsoConfig`
+        # @return [Google::Apis::IamV1::GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfig]
+        attr_accessor :web_sso_config
         def initialize(**args)
            update!(**args)
@@ -700,25 +825,22 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @accounts = args[:accounts] if args.key?(:accounts)
-          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
+          @client_id = args[:client_id] if args.key?(:client_id)
+          @client_secret = args[:client_secret] if args.key?(:client_secret)
+          @issuer_uri = args[:issuer_uri] if args.key?(:issuer_uri)
+          @jwks_json = args[:jwks_json] if args.key?(:jwks_json)
+          @web_sso_config = args[:web_sso_config] if args.key?(:web_sso_config)
         end
       end
-      # Response message for ListWorkloadIdentityPoolProviders.
-      class ListWorkloadIdentityPoolProvidersResponse
+      # Representation of a client secret configured for the OIDC provider.
+      class GoogleIamAdminV1WorkforcePoolProviderOidcClientSecret
         include Google::Apis::Core::Hashable
-        # A token, which can be sent as `page_token` to retrieve the next page. If this
-        # field is omitted, there are no subsequent pages.
-        # Corresponds to the JSON property `nextPageToken`
-        # @return [String]
-        attr_accessor :next_page_token
-        # A list of providers.
-        # Corresponds to the JSON property `workloadIdentityPoolProviders`
-        # @return [Array<Google::Apis::IamV1::WorkloadIdentityPoolProvider>]
-        attr_accessor :workload_identity_pool_providers
+        # Representation of the value of the client secret.
+        # Corresponds to the JSON property `value`
+        # @return [Google::Apis::IamV1::GoogleIamAdminV1WorkforcePoolProviderOidcClientSecretValue]
+        attr_accessor :value
         def initialize(**args)
            update!(**args)
@@ -726,25 +848,25 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
-          @workload_identity_pool_providers = args[:workload_identity_pool_providers] if args.key?(:workload_identity_pool_providers)
+          @value = args[:value] if args.key?(:value)
         end
       end
-      # Response message for ListWorkloadIdentityPools.
-      class ListWorkloadIdentityPoolsResponse
+      # Representation of the value of the client secret.
+      class GoogleIamAdminV1WorkforcePoolProviderOidcClientSecretValue
         include Google::Apis::Core::Hashable
-        # A token, which can be sent as `page_token` to retrieve the next page. If this
-        # field is omitted, there are no subsequent pages.
-        # Corresponds to the JSON property `nextPageToken`
+        # Optional. Input only. The plain text of the client secret value. For security
+        # reasons, this field is only used for input and will never be populated in any
+        # response.
+        # Corresponds to the JSON property `plainText`
         # @return [String]
-        attr_accessor :next_page_token
+        attr_accessor :plain_text
-        # A list of pools.
-        # Corresponds to the JSON property `workloadIdentityPools`
-        # @return [Array<Google::Apis::IamV1::WorkloadIdentityPool>]
-        attr_accessor :workload_identity_pools
+        # Output only. A thumbprint to represent the current client secret value.
+        # Corresponds to the JSON property `thumbprint`
+        # @return [String]
+        attr_accessor :thumbprint
         def initialize(**args)
            update!(**args)
@@ -752,32 +874,36 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
-          @workload_identity_pools = args[:workload_identity_pools] if args.key?(:workload_identity_pools)
+          @plain_text = args[:plain_text] if args.key?(:plain_text)
+          @thumbprint = args[:thumbprint] if args.key?(:thumbprint)
         end
       end
-      # Represents an OpenId Connect 1.0 identity provider.
-      class Oidc
+      # Configuration for web single sign-on for the OIDC provider.
+      class GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfig
         include Google::Apis::Core::Hashable
-        # Acceptable values for the `aud` field (audience) in the OIDC token. Token
-        # exchange requests are rejected if the token audience does not match one of the
-        # configured values. Each audience may be at most 256 characters. A maximum of
-        # 10 audiences may be configured. If this list is empty, the OIDC token audience
-        # must be equal to the full canonical resource name of the
-        # WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ``
-        # ` //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/
-        # https://iam.googleapis.com/projects//locations//workloadIdentityPools//
-        # providers/ ```
-        # Corresponds to the JSON property `allowedAudiences`
+        # Optional. Additional scopes to request for in the OIDC authentication request
+        # on top of scopes requested by default. By default, the `openid`, `profile` and
+        # `email` scopes that are supported by the identity provider are requested. Each
+        # additional scope may be at most 256 characters. A maximum of 10 additional
+        # scopes may be configured.
+        # Corresponds to the JSON property `additionalScopes`
         # @return [Array<String>]
-        attr_accessor :allowed_audiences
+        attr_accessor :additional_scopes
-        # Required. The OIDC issuer URL. Must be an HTTPS endpoint.
-        # Corresponds to the JSON property `issuerUri`
+        # Required. The behavior for how OIDC Claims are included in the `assertion`
+        # object used for attribute mapping and attribute condition.
+        # Corresponds to the JSON property `assertionClaimsBehavior`
         # @return [String]
-        attr_accessor :issuer_uri
+        attr_accessor :assertion_claims_behavior
+        # Required. The Response Type to request for in the OIDC Authorization Request
+        # for web sign-in. The `CODE` Response Type is recommended to avoid the Implicit
+        # Flow, for security reasons.
+        # Corresponds to the JSON property `responseType`
+        # @return [String]
+        attr_accessor :response_type
         def initialize(**args)
            update!(**args)
@@ -785,58 +911,31 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @allowed_audiences = args[:allowed_audiences] if args.key?(:allowed_audiences)
-          @issuer_uri = args[:issuer_uri] if args.key?(:issuer_uri)
+          @additional_scopes = args[:additional_scopes] if args.key?(:additional_scopes)
+          @assertion_claims_behavior = args[:assertion_claims_behavior] if args.key?(:assertion_claims_behavior)
+          @response_type = args[:response_type] if args.key?(:response_type)
         end
       end
-      # This resource represents a long-running operation that is the result of a
-      # network API call.
-      class Operation
+      # Represents a SAML identity provider.
+      class GoogleIamAdminV1WorkforcePoolProviderSaml
         include Google::Apis::Core::Hashable
-        # If the value is `false`, it means the operation is still in progress. If `true`
-        # , the operation is completed, and either `error` or `response` is available.
-        # Corresponds to the JSON property `done`
-        # @return [Boolean]
-        attr_accessor :done
-        alias_method :done?, :done
-        # The `Status` type defines a logical error model that is suitable for different
-        # programming environments, including REST APIs and RPC APIs. It is used by [
-        # gRPC](https://github.com/grpc). Each `Status` message contains three pieces of
-        # data: error code, error message, and error details. You can find out more
-        # about this error model and how to work with it in the [API Design Guide](https:
-        # //cloud.google.com/apis/design/errors).
-        # Corresponds to the JSON property `error`
-        # @return [Google::Apis::IamV1::Status]
-        attr_accessor :error
-        # Service-specific metadata associated with the operation. It typically contains
-        # progress information and common metadata such as create time. Some services
-        # might not provide such metadata. Any method that returns a long-running
-        # operation should document the metadata type, if any.
-        # Corresponds to the JSON property `metadata`
-        # @return [Hash<String,Object>]
-        attr_accessor :metadata
-        # The server-assigned name, which is only unique within the same service that
-        # originally returns it. If you use the default HTTP mapping, the `name` should
-        # be a resource name ending with `operations/`unique_id``.
-        # Corresponds to the JSON property `name`
+        # Required. SAML Identity provider configuration metadata xml doc. The xml
+        # document should comply with [SAML 2.0 specification](https://docs.oasis-open.
+        # org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The max size of the
+        # acceptable xml document will be bounded to 128k characters. The metadata xml
+        # document should satisfy the following constraints: 1) Must contain an Identity
+        # Provider Entity ID. 2) Must contain at least one non-expired signing key
+        # certificate. 3) For each signing key: a) Valid from should be no more than 7
+        # days from now. b) Valid to should be no more than 25 years in the future. 4)
+        # Up to 3 IdP signing keys are allowed in the metadata xml. When updating the
+        # provider's metadata xml, at least one non-expired signing key must overlap
+        # with the existing metadata. This requirement is skipped if there are no non-
+        # expired signing keys present in the existing metadata.
+        # Corresponds to the JSON property `idpMetadataXml`
         # @return [String]
-        attr_accessor :name
-        # The normal response of the operation in case of success. If the original
-        # method returns no data on success, such as `Delete`, the response is `google.
-        # protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`,
-        # the response should be the resource. For other methods, the response should
-        # have the type `XxxResponse`, where `Xxx` is the original method name. For
-        # example, if the original method name is `TakeSnapshot()`, the inferred
-        # response type is `TakeSnapshotResponse`.
-        # Corresponds to the JSON property `response`
-        # @return [Hash<String,Object>]
-        attr_accessor :response
+        attr_accessor :idp_metadata_xml
         def initialize(**args)
            update!(**args)
@@ -844,15 +943,962 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @done = args[:done] if args.key?(:done)
-          @error = args[:error] if args.key?(:error)
-          @metadata = args[:metadata] if args.key?(:metadata)
-          @name = args[:name] if args.key?(:name)
-          @response = args[:response] if args.key?(:response)
+          @idp_metadata_xml = args[:idp_metadata_xml] if args.key?(:idp_metadata_xml)
         end
       end
-      # The service account patch request. You can patch only the `display_name` and `
+      # Represents configuration for generating mutual TLS (mTLS) certificates for the
+      # identities within this pool.
+      class InlineCertificateIssuanceConfig
+        include Google::Apis::Core::Hashable
+        # Optional. A required mapping of a Google Cloud region to the CA pool resource
+        # located in that region. The CA pool is used for certificate issuance, adhering
+        # to the following constraints: * Key format: A supported cloud region name
+        # equivalent to the location identifier in the corresponding map entry's value. *
+        # Value format: A valid CA pool resource path format like: "projects/`project`/
+        # locations/`location`/caPools/`ca_pool`" * Region Matching: Workloads are ONLY
+        # issued certificates from CA pools within the same region. Also the CA pool
+        # region (in value) must match the workload's region (key).
+        # Corresponds to the JSON property `caPools`
+        # @return [Hash<String,String>]
+        attr_accessor :ca_pools
+        # Optional. Key algorithm to use when generating the key pair. This key pair
+        # will be used to create the certificate. If not specified, this will default to
+        # ECDSA_P256.
+        # Corresponds to the JSON property `keyAlgorithm`
+        # @return [String]
+        attr_accessor :key_algorithm
+        # Optional. Lifetime of the workload certificates issued by the CA pool. Must be
+        # between 24 hours and 30 days. If not specified, this will be defaulted to 24
+        # hours.
+        # Corresponds to the JSON property `lifetime`
+        # @return [String]
+        attr_accessor :lifetime
+        # Optional. Rotation window percentage, the percentage of remaining lifetime
+        # after which certificate rotation is initiated. Must be between 50 and 80. If
+        # no value is specified, rotation window percentage is defaulted to 50.
+        # Corresponds to the JSON property `rotationWindowPercentage`
+        # @return [Fixnum]
+        attr_accessor :rotation_window_percentage
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @ca_pools = args[:ca_pools] if args.key?(:ca_pools)
+          @key_algorithm = args[:key_algorithm] if args.key?(:key_algorithm)
+          @lifetime = args[:lifetime] if args.key?(:lifetime)
+          @rotation_window_percentage = args[:rotation_window_percentage] if args.key?(:rotation_window_percentage)
+        end
+      end
+      # Defines configuration for extending trust to additional trust domains. By
+      # establishing trust with another domain, the current domain will recognize and
+      # accept certificates issued by entities within the trusted domains. Note that a
+      # trust domain automatically trusts itself, eliminating the need for explicit
+      # configuration.
+      class InlineTrustConfig
+        include Google::Apis::Core::Hashable
+        # Optional. Maps specific trust domains (e.g., "example.com") to their
+        # corresponding TrustStore, which contain the trusted root certificates for that
+        # domain. There can be a maximum of 10 trust domain entries in this map. Note
+        # that a trust domain automatically trusts itself and don't need to be specified
+        # here. If however, this WorkloadIdentityPool's trust domain contains any trust
+        # anchors in the additional_trust_bundles map, those trust anchors will be *
+        # appended to* the trust bundle automatically derived from your
+        # InlineCertificateIssuanceConfig's ca_pools.
+        # Corresponds to the JSON property `additionalTrustBundles`
+        # @return [Hash<String,Google::Apis::IamV1::TrustStore>]
+        attr_accessor :additional_trust_bundles
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @additional_trust_bundles = args[:additional_trust_bundles] if args.key?(:additional_trust_bundles)
+        end
+      end
+      # Intermediate CA certificates used for building the trust chain to trust anchor
+      class IntermediateCa
+        include Google::Apis::Core::Hashable
+        # PEM certificate of the PKI used for validation. Must only contain one ca
+        # certificate.
+        # Corresponds to the JSON property `pemCertificate`
+        # @return [String]
+        attr_accessor :pem_certificate
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @pem_certificate = args[:pem_certificate] if args.key?(:pem_certificate)
+        end
+      end
+      # Represents a public key data along with its format.
+      class KeyData
+        include Google::Apis::Core::Hashable
+        # Output only. The format of the key.
+        # Corresponds to the JSON property `format`
+        # @return [String]
+        attr_accessor :format
+        # Output only. The key data. The format of the key is represented by the format
+        # field.
+        # Corresponds to the JSON property `key`
+        # @return [String]
+        attr_accessor :key
+        # Required. The specifications for the key.
+        # Corresponds to the JSON property `keySpec`
+        # @return [String]
+        attr_accessor :key_spec
+        # Output only. Latest timestamp when this key is valid. Attempts to use this key
+        # after this time will fail. Only present if the key data represents a X.509
+        # certificate.
+        # Corresponds to the JSON property `notAfterTime`
+        # @return [String]
+        attr_accessor :not_after_time
+        # Output only. Earliest timestamp when this key is valid. Attempts to use this
+        # key before this time will fail. Only present if the key data represents a X.
+        # 509 certificate.
+        # Corresponds to the JSON property `notBeforeTime`
+        # @return [String]
+        attr_accessor :not_before_time
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @format = args[:format] if args.key?(:format)
+          @key = args[:key] if args.key?(:key)
+          @key_spec = args[:key_spec] if args.key?(:key_spec)
+          @not_after_time = args[:not_after_time] if args.key?(:not_after_time)
+          @not_before_time = args[:not_before_time] if args.key?(:not_before_time)
+        end
+      end
+      # The request to lint an IAM policy object.
+      class LintPolicyRequest
+        include Google::Apis::Core::Hashable
+        # Represents a textual expression in the Common Expression Language (CEL) syntax.
+        # CEL is a C-like expression language. The syntax and semantics of CEL are
+        # documented at https://github.com/google/cel-spec. Example (Comparison): title:
+        # "Summary size limit" description: "Determines if a summary is less than 100
+        # chars" expression: "document.summary.size() < 100" Example (Equality): title: "
+        # Requestor is owner" description: "Determines if requestor is the document
+        # owner" expression: "document.owner == request.auth.claims.email" Example (
+        # Logic): title: "Public documents" description: "Determine whether the document
+        # should be publicly visible" expression: "document.type != 'private' &&
+        # document.type != 'internal'" Example (Data Manipulation): title: "Notification
+        # string" description: "Create a notification string with a timestamp."
+        # expression: "'New message received at ' + string(document.create_time)" The
+        # exact variables and functions that may be referenced within an expression are
+        # determined by the service that evaluates it. See the service documentation for
+        # additional information.
+        # Corresponds to the JSON property `condition`
+        # @return [Google::Apis::IamV1::Expr]
+        attr_accessor :condition
+        # The full resource name of the policy this lint request is about. The name
+        # follows the Google Cloud format for full resource names. For example, a Google
+        # Cloud project with ID `my-project` will be named `//cloudresourcemanager.
+        # googleapis.com/projects/my-project`. The resource name is not used to read a
+        # policy from IAM. Only the data in the request object is linted.
+        # Corresponds to the JSON property `fullResourceName`
+        # @return [String]
+        attr_accessor :full_resource_name
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @condition = args[:condition] if args.key?(:condition)
+          @full_resource_name = args[:full_resource_name] if args.key?(:full_resource_name)
+        end
+      end
+      # The response of a lint operation. An empty response indicates the operation
+      # was able to fully execute and no lint issue was found.
+      class LintPolicyResponse
+        include Google::Apis::Core::Hashable
+        # List of lint results sorted by `severity` in descending order.
+        # Corresponds to the JSON property `lintResults`
+        # @return [Array<Google::Apis::IamV1::LintResult>]
+        attr_accessor :lint_results
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @lint_results = args[:lint_results] if args.key?(:lint_results)
+        end
+      end
+      # Structured response of a single validation unit.
+      class LintResult
+        include Google::Apis::Core::Hashable
+        # Human readable debug message associated with the issue.
+        # Corresponds to the JSON property `debugMessage`
+        # @return [String]
+        attr_accessor :debug_message
+        # The name of the field for which this lint result is about. For nested messages
+        # `field_name` consists of names of the embedded fields separated by period
+        # character. The top-level qualifier is the input object to lint in the request.
+        # For example, the `field_name` value `condition.expression` identifies a lint
+        # result for the `expression` field of the provided condition.
+        # Corresponds to the JSON property `fieldName`
+        # @return [String]
+        attr_accessor :field_name
+        # The validation unit level.
+        # Corresponds to the JSON property `level`
+        # @return [String]
+        attr_accessor :level
+        # 0-based character position of problematic construct within the object
+        # identified by `field_name`. Currently, this is populated only for condition
+        # expression.
+        # Corresponds to the JSON property `locationOffset`
+        # @return [Fixnum]
+        attr_accessor :location_offset
+        # The validation unit severity.
+        # Corresponds to the JSON property `severity`
+        # @return [String]
+        attr_accessor :severity
+        # The validation unit name, for instance "lintValidationUnits/
+        # ConditionComplexityCheck".
+        # Corresponds to the JSON property `validationUnitName`
+        # @return [String]
+        attr_accessor :validation_unit_name
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @debug_message = args[:debug_message] if args.key?(:debug_message)
+          @field_name = args[:field_name] if args.key?(:field_name)
+          @level = args[:level] if args.key?(:level)
+          @location_offset = args[:location_offset] if args.key?(:location_offset)
+          @severity = args[:severity] if args.key?(:severity)
+          @validation_unit_name = args[:validation_unit_name] if args.key?(:validation_unit_name)
+        end
+      end
+      # Response message for ListAttestationRules.
+      class ListAttestationRulesResponse
+        include Google::Apis::Core::Hashable
+        # A list of AttestationRules.
+        # Corresponds to the JSON property `attestationRules`
+        # @return [Array<Google::Apis::IamV1::AttestationRule>]
+        attr_accessor :attestation_rules
+        # Optional. A token, which can be sent as `page_token` to retrieve the next page.
+        # If this field is omitted, there are no subsequent pages.
+        # Corresponds to the JSON property `nextPageToken`
+        # @return [String]
+        attr_accessor :next_page_token
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @attestation_rules = args[:attestation_rules] if args.key?(:attestation_rules)
+          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
+        end
+      end
+      # Response message for ListOauthClientCredentials.
+      class ListOauthClientCredentialsResponse
+        include Google::Apis::Core::Hashable
+        # A list of OauthClientCredentials.
+        # Corresponds to the JSON property `oauthClientCredentials`
+        # @return [Array<Google::Apis::IamV1::OauthClientCredential>]
+        attr_accessor :oauth_client_credentials
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @oauth_client_credentials = args[:oauth_client_credentials] if args.key?(:oauth_client_credentials)
+        end
+      end
+      # Response message for ListOauthClients.
+      class ListOauthClientsResponse
+        include Google::Apis::Core::Hashable
+        # Optional. A token, which can be sent as `page_token` to retrieve the next page.
+        # If this field is omitted, there are no subsequent pages.
+        # Corresponds to the JSON property `nextPageToken`
+        # @return [String]
+        attr_accessor :next_page_token
+        # A list of OauthClients.
+        # Corresponds to the JSON property `oauthClients`
+        # @return [Array<Google::Apis::IamV1::OauthClient>]
+        attr_accessor :oauth_clients
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
+          @oauth_clients = args[:oauth_clients] if args.key?(:oauth_clients)
+        end
+      end
+      # The response containing the roles defined under a resource.
+      class ListRolesResponse
+        include Google::Apis::Core::Hashable
+        # To retrieve the next page of results, set `ListRolesRequest.page_token` to
+        # this value.
+        # Corresponds to the JSON property `nextPageToken`
+        # @return [String]
+        attr_accessor :next_page_token
+        # The Roles defined on this resource.
+        # Corresponds to the JSON property `roles`
+        # @return [Array<Google::Apis::IamV1::Role>]
+        attr_accessor :roles
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
+          @roles = args[:roles] if args.key?(:roles)
+        end
+      end
+      # The service account keys list response.
+      class ListServiceAccountKeysResponse
+        include Google::Apis::Core::Hashable
+        # The public keys for the service account.
+        # Corresponds to the JSON property `keys`
+        # @return [Array<Google::Apis::IamV1::ServiceAccountKey>]
+        attr_accessor :keys
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @keys = args[:keys] if args.key?(:keys)
+        end
+      end
+      # The service account list response.
+      class ListServiceAccountsResponse
+        include Google::Apis::Core::Hashable
+        # The list of matching service accounts.
+        # Corresponds to the JSON property `accounts`
+        # @return [Array<Google::Apis::IamV1::ServiceAccount>]
+        attr_accessor :accounts
+        # To retrieve the next page of results, set ListServiceAccountsRequest.
+        # page_token to this value.
+        # Corresponds to the JSON property `nextPageToken`
+        # @return [String]
+        attr_accessor :next_page_token
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @accounts = args[:accounts] if args.key?(:accounts)
+          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
+        end
+      end
+      # Response message for ListWorkforcePoolProviderKeys.
+      class ListWorkforcePoolProviderKeysResponse
+        include Google::Apis::Core::Hashable
+        # A token, which can be sent as `page_token` to retrieve the next page. If this
+        # field is omitted, there are no subsequent pages.
+        # Corresponds to the JSON property `nextPageToken`
+        # @return [String]
+        attr_accessor :next_page_token
+        # A list of WorkforcePoolProviderKeys.
+        # Corresponds to the JSON property `workforcePoolProviderKeys`
+        # @return [Array<Google::Apis::IamV1::WorkforcePoolProviderKey>]
+        attr_accessor :workforce_pool_provider_keys
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
+          @workforce_pool_provider_keys = args[:workforce_pool_provider_keys] if args.key?(:workforce_pool_provider_keys)
+        end
+      end
+      # Response message for ListWorkforcePoolProviders.
+      class ListWorkforcePoolProvidersResponse
+        include Google::Apis::Core::Hashable
+        # A token, which can be sent as `page_token` to retrieve the next page. If this
+        # field is omitted, there are no subsequent pages.
+        # Corresponds to the JSON property `nextPageToken`
+        # @return [String]
+        attr_accessor :next_page_token
+        # A list of providers.
+        # Corresponds to the JSON property `workforcePoolProviders`
+        # @return [Array<Google::Apis::IamV1::WorkforcePoolProvider>]
+        attr_accessor :workforce_pool_providers
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
+          @workforce_pool_providers = args[:workforce_pool_providers] if args.key?(:workforce_pool_providers)
+        end
+      end
+      # Response message for ListWorkforcePools.
+      class ListWorkforcePoolsResponse
+        include Google::Apis::Core::Hashable
+        # A token, which can be sent as `page_token` to retrieve the next page. If this
+        # field is omitted, there are no subsequent pages.
+        # Corresponds to the JSON property `nextPageToken`
+        # @return [String]
+        attr_accessor :next_page_token
+        # A list of pools.
+        # Corresponds to the JSON property `workforcePools`
+        # @return [Array<Google::Apis::IamV1::WorkforcePool>]
+        attr_accessor :workforce_pools
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
+          @workforce_pools = args[:workforce_pools] if args.key?(:workforce_pools)
+        end
+      end
+      # Response message for ListWorkloadIdentityPoolManagedIdentities.
+      class ListWorkloadIdentityPoolManagedIdentitiesResponse
+        include Google::Apis::Core::Hashable
+        # A token, which can be sent as `page_token` to retrieve the next page. If this
+        # field is omitted, there are no subsequent pages.
+        # Corresponds to the JSON property `nextPageToken`
+        # @return [String]
+        attr_accessor :next_page_token
+        # A list of managed identities.
+        # Corresponds to the JSON property `workloadIdentityPoolManagedIdentities`
+        # @return [Array<Google::Apis::IamV1::WorkloadIdentityPoolManagedIdentity>]
+        attr_accessor :workload_identity_pool_managed_identities
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
+          @workload_identity_pool_managed_identities = args[:workload_identity_pool_managed_identities] if args.key?(:workload_identity_pool_managed_identities)
+        end
+      end
+      # Response message for ListWorkloadIdentityPoolNamespaces.
+      class ListWorkloadIdentityPoolNamespacesResponse
+        include Google::Apis::Core::Hashable
+        # A token, which can be sent as `page_token` to retrieve the next page. If this
+        # field is omitted, there are no subsequent pages.
+        # Corresponds to the JSON property `nextPageToken`
+        # @return [String]
+        attr_accessor :next_page_token
+        # A list of namespaces.
+        # Corresponds to the JSON property `workloadIdentityPoolNamespaces`
+        # @return [Array<Google::Apis::IamV1::WorkloadIdentityPoolNamespace>]
+        attr_accessor :workload_identity_pool_namespaces
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
+          @workload_identity_pool_namespaces = args[:workload_identity_pool_namespaces] if args.key?(:workload_identity_pool_namespaces)
+        end
+      end
+      # Response message for ListWorkloadIdentityPoolProviderKeys.
+      class ListWorkloadIdentityPoolProviderKeysResponse
+        include Google::Apis::Core::Hashable
+        # A token, which can be sent as `page_token` to retrieve the next page. If this
+        # field is omitted, there are no subsequent pages.
+        # Corresponds to the JSON property `nextPageToken`
+        # @return [String]
+        attr_accessor :next_page_token
+        # A list of WorkloadIdentityPoolProviderKey
+        # Corresponds to the JSON property `workloadIdentityPoolProviderKeys`
+        # @return [Array<Google::Apis::IamV1::WorkloadIdentityPoolProviderKey>]
+        attr_accessor :workload_identity_pool_provider_keys
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
+          @workload_identity_pool_provider_keys = args[:workload_identity_pool_provider_keys] if args.key?(:workload_identity_pool_provider_keys)
+        end
+      end
+      # Response message for ListWorkloadIdentityPoolProviders.
+      class ListWorkloadIdentityPoolProvidersResponse
+        include Google::Apis::Core::Hashable
+        # A token, which can be sent as `page_token` to retrieve the next page. If this
+        # field is omitted, there are no subsequent pages.
+        # Corresponds to the JSON property `nextPageToken`
+        # @return [String]
+        attr_accessor :next_page_token
+        # A list of providers.
+        # Corresponds to the JSON property `workloadIdentityPoolProviders`
+        # @return [Array<Google::Apis::IamV1::WorkloadIdentityPoolProvider>]
+        attr_accessor :workload_identity_pool_providers
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
+          @workload_identity_pool_providers = args[:workload_identity_pool_providers] if args.key?(:workload_identity_pool_providers)
+        end
+      end
+      # Response message for ListWorkloadIdentityPools.
+      class ListWorkloadIdentityPoolsResponse
+        include Google::Apis::Core::Hashable
+        # A token, which can be sent as `page_token` to retrieve the next page. If this
+        # field is omitted, there are no subsequent pages.
+        # Corresponds to the JSON property `nextPageToken`
+        # @return [String]
+        attr_accessor :next_page_token
+        # A list of pools.
+        # Corresponds to the JSON property `workloadIdentityPools`
+        # @return [Array<Google::Apis::IamV1::WorkloadIdentityPool>]
+        attr_accessor :workload_identity_pools
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
+          @workload_identity_pools = args[:workload_identity_pools] if args.key?(:workload_identity_pools)
+        end
+      end
+      # Represents an OauthClient. Used to access Google Cloud resources on behalf of
+      # a Workforce Identity Federation user by using OAuth 2.0 Protocol to obtain an
+      # access token from Google Cloud.
+      class OauthClient
+        include Google::Apis::Core::Hashable
+        # Required. The list of OAuth grant types is allowed for the OauthClient.
+        # Corresponds to the JSON property `allowedGrantTypes`
+        # @return [Array<String>]
+        attr_accessor :allowed_grant_types
+        # Required. The list of redirect uris that is allowed to redirect back when
+        # authorization process is completed.
+        # Corresponds to the JSON property `allowedRedirectUris`
+        # @return [Array<String>]
+        attr_accessor :allowed_redirect_uris
+        # Required. The list of scopes that the OauthClient is allowed to request during
+        # OAuth flows. The following scopes are supported: * `https://www.googleapis.com/
+        # auth/cloud-platform`: See, edit, configure, and delete your Google Cloud data
+        # and see the email address for your Google Account. * `openid`: The OAuth
+        # client can associate you with your personal information on Google Cloud. * `
+        # email`: The OAuth client can read a federated identity's email address. * `
+        # groups`: The OAuth client can read a federated identity's groups.
+        # Corresponds to the JSON property `allowedScopes`
+        # @return [Array<String>]
+        attr_accessor :allowed_scopes
+        # Output only. The system-generated OauthClient id.
+        # Corresponds to the JSON property `clientId`
+        # @return [String]
+        attr_accessor :client_id
+        # Immutable. The type of OauthClient. Either public or private. For private
+        # clients, the client secret can be managed using the dedicated
+        # OauthClientCredential resource.
+        # Corresponds to the JSON property `clientType`
+        # @return [String]
+        attr_accessor :client_type
+        # Optional. A user-specified description of the OauthClient. Cannot exceed 256
+        # characters.
+        # Corresponds to the JSON property `description`
+        # @return [String]
+        attr_accessor :description
+        # Optional. Whether the OauthClient is disabled. You cannot use a disabled OAuth
+        # client.
+        # Corresponds to the JSON property `disabled`
+        # @return [Boolean]
+        attr_accessor :disabled
+        alias_method :disabled?, :disabled
+        # Optional. A user-specified display name of the OauthClient. Cannot exceed 32
+        # characters.
+        # Corresponds to the JSON property `displayName`
+        # @return [String]
+        attr_accessor :display_name
+        # Output only. Time after which the OauthClient will be permanently purged and
+        # cannot be recovered.
+        # Corresponds to the JSON property `expireTime`
+        # @return [String]
+        attr_accessor :expire_time
+        # Immutable. Identifier. The resource name of the OauthClient. Format:`projects/`
+        # project`/locations/`location`/oauthClients/`oauth_client``.
+        # Corresponds to the JSON property `name`
+        # @return [String]
+        attr_accessor :name
+        # Output only. The state of the OauthClient.
+        # Corresponds to the JSON property `state`
+        # @return [String]
+        attr_accessor :state
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @allowed_grant_types = args[:allowed_grant_types] if args.key?(:allowed_grant_types)
+          @allowed_redirect_uris = args[:allowed_redirect_uris] if args.key?(:allowed_redirect_uris)
+          @allowed_scopes = args[:allowed_scopes] if args.key?(:allowed_scopes)
+          @client_id = args[:client_id] if args.key?(:client_id)
+          @client_type = args[:client_type] if args.key?(:client_type)
+          @description = args[:description] if args.key?(:description)
+          @disabled = args[:disabled] if args.key?(:disabled)
+          @display_name = args[:display_name] if args.key?(:display_name)
+          @expire_time = args[:expire_time] if args.key?(:expire_time)
+          @name = args[:name] if args.key?(:name)
+          @state = args[:state] if args.key?(:state)
+        end
+      end
+      # Represents an OauthClientCredential. Used to authenticate an OauthClient while
+      # accessing Google Cloud resources on behalf of a user by using OAuth 2.0
+      # Protocol.
+      class OauthClientCredential
+        include Google::Apis::Core::Hashable
+        # Output only. The system-generated OAuth client secret. The client secret must
+        # be stored securely. If the client secret is leaked, you must delete and re-
+        # create the client credential. To learn more, see [OAuth client and credential
+        # security risks and mitigations](https://cloud.google.com/iam/docs/workforce-
+        # oauth-app#security)
+        # Corresponds to the JSON property `clientSecret`
+        # @return [String]
+        attr_accessor :client_secret
+        # Optional. Whether the OauthClientCredential is disabled. You cannot use a
+        # disabled OauthClientCredential.
+        # Corresponds to the JSON property `disabled`
+        # @return [Boolean]
+        attr_accessor :disabled
+        alias_method :disabled?, :disabled
+        # Optional. A user-specified display name of the OauthClientCredential. Cannot
+        # exceed 32 characters.
+        # Corresponds to the JSON property `displayName`
+        # @return [String]
+        attr_accessor :display_name
+        # Immutable. Identifier. The resource name of the OauthClientCredential. Format:
+        # `projects/`project`/locations/`location`/oauthClients/`oauth_client`/
+        # credentials/`credential``
+        # Corresponds to the JSON property `name`
+        # @return [String]
+        attr_accessor :name
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @client_secret = args[:client_secret] if args.key?(:client_secret)
+          @disabled = args[:disabled] if args.key?(:disabled)
+          @display_name = args[:display_name] if args.key?(:display_name)
+          @name = args[:name] if args.key?(:name)
+        end
+      end
+      # Represents an OpenId Connect 1.0 identity provider.
+      class Oidc
+        include Google::Apis::Core::Hashable
+        # Optional. Acceptable values for the `aud` field (audience) in the OIDC token.
+        # Token exchange requests are rejected if the token audience does not match one
+        # of the configured values. Each audience may be at most 256 characters. A
+        # maximum of 10 audiences may be configured. If this list is empty, the OIDC
+        # token audience must be equal to the full canonical resource name of the
+        # WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ``
+        # ` //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/
+        # https://iam.googleapis.com/projects//locations//workloadIdentityPools//
+        # providers/ ```
+        # Corresponds to the JSON property `allowedAudiences`
+        # @return [Array<String>]
+        attr_accessor :allowed_audiences
+        # Required. The OIDC issuer URL. Must be an HTTPS endpoint. Per OpenID Connect
+        # Discovery 1.0 spec, the OIDC issuer URL is used to locate the provider's
+        # public keys (via `jwks_uri`) for verifying tokens like the OIDC ID token.
+        # These public key types must be 'EC' or 'RSA'.
+        # Corresponds to the JSON property `issuerUri`
+        # @return [String]
+        attr_accessor :issuer_uri
+        # Optional. OIDC JWKs in JSON String format. For details on the definition of a
+        # JWK, see https://tools.ietf.org/html/rfc7517. If not set, the `jwks_uri` from
+        # the discovery document(fetched from the .well-known path of the `issuer_uri`)
+        # will be used. Currently, RSA and EC asymmetric keys are supported. The JWK
+        # must use following format and include only the following fields: ` "keys": [ `
+        # "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "",
+        # "y": "", "crv": "" ` ] `
+        # Corresponds to the JSON property `jwksJson`
+        # @return [String]
+        attr_accessor :jwks_json
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @allowed_audiences = args[:allowed_audiences] if args.key?(:allowed_audiences)
+          @issuer_uri = args[:issuer_uri] if args.key?(:issuer_uri)
+          @jwks_json = args[:jwks_json] if args.key?(:jwks_json)
+        end
+      end
+      # This resource represents a long-running operation that is the result of a
+      # network API call.
+      class Operation
+        include Google::Apis::Core::Hashable
+        # If the value is `false`, it means the operation is still in progress. If `true`
+        # , the operation is completed, and either `error` or `response` is available.
+        # Corresponds to the JSON property `done`
+        # @return [Boolean]
+        attr_accessor :done
+        alias_method :done?, :done
+        # The `Status` type defines a logical error model that is suitable for different
+        # programming environments, including REST APIs and RPC APIs. It is used by [
+        # gRPC](https://github.com/grpc). Each `Status` message contains three pieces of
+        # data: error code, error message, and error details. You can find out more
+        # about this error model and how to work with it in the [API Design Guide](https:
+        # //cloud.google.com/apis/design/errors).
+        # Corresponds to the JSON property `error`
+        # @return [Google::Apis::IamV1::Status]
+        attr_accessor :error
+        # Service-specific metadata associated with the operation. It typically contains
+        # progress information and common metadata such as create time. Some services
+        # might not provide such metadata. Any method that returns a long-running
+        # operation should document the metadata type, if any.
+        # Corresponds to the JSON property `metadata`
+        # @return [Hash<String,Object>]
+        attr_accessor :metadata
+        # The server-assigned name, which is only unique within the same service that
+        # originally returns it. If you use the default HTTP mapping, the `name` should
+        # be a resource name ending with `operations/`unique_id``.
+        # Corresponds to the JSON property `name`
+        # @return [String]
+        attr_accessor :name
+        # The normal, successful response of the operation. If the original method
+        # returns no data on success, such as `Delete`, the response is `google.protobuf.
+        # Empty`. If the original method is standard `Get`/`Create`/`Update`, the
+        # response should be the resource. For other methods, the response should have
+        # the type `XxxResponse`, where `Xxx` is the original method name. For example,
+        # if the original method name is `TakeSnapshot()`, the inferred response type is
+        # `TakeSnapshotResponse`.
+        # Corresponds to the JSON property `response`
+        # @return [Hash<String,Object>]
+        attr_accessor :response
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @done = args[:done] if args.key?(:done)
+          @error = args[:error] if args.key?(:error)
+          @metadata = args[:metadata] if args.key?(:metadata)
+          @name = args[:name] if args.key?(:name)
+          @response = args[:response] if args.key?(:response)
+        end
+      end
+      # Represents the metadata of the long-running operation.
+      class OperationMetadata
+        include Google::Apis::Core::Hashable
+        # Output only. API version used to start the operation.
+        # Corresponds to the JSON property `apiVersion`
+        # @return [String]
+        attr_accessor :api_version
+        # Output only. Identifies whether the user has requested cancellation of the
+        # operation. Operations that have been cancelled successfully have google.
+        # longrunning.Operation.error value with a google.rpc.Status.code of `1`,
+        # corresponding to `Code.CANCELLED`.
+        # Corresponds to the JSON property `cancelRequested`
+        # @return [Boolean]
+        attr_accessor :cancel_requested
+        alias_method :cancel_requested?, :cancel_requested
+        # Output only. The time the operation was created.
+        # Corresponds to the JSON property `createTime`
+        # @return [String]
+        attr_accessor :create_time
+        # Output only. The time the operation finished running.
+        # Corresponds to the JSON property `endTime`
+        # @return [String]
+        attr_accessor :end_time
+        # Output only. Human-readable status of the operation, if any.
+        # Corresponds to the JSON property `statusDetail`
+        # @return [String]
+        attr_accessor :status_detail
+        # Output only. Server-defined resource path for the target of the operation.
+        # Corresponds to the JSON property `target`
+        # @return [String]
+        attr_accessor :target
+        # Output only. Name of the verb executed by the operation.
+        # Corresponds to the JSON property `verb`
+        # @return [String]
+        attr_accessor :verb
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @api_version = args[:api_version] if args.key?(:api_version)
+          @cancel_requested = args[:cancel_requested] if args.key?(:cancel_requested)
+          @create_time = args[:create_time] if args.key?(:create_time)
+          @end_time = args[:end_time] if args.key?(:end_time)
+          @status_detail = args[:status_detail] if args.key?(:status_detail)
+          @target = args[:target] if args.key?(:target)
+          @verb = args[:verb] if args.key?(:verb)
+        end
+      end
+      # The Google Cloud service that owns this namespace.
+      class OwnerService
+        include Google::Apis::Core::Hashable
+        # Required. The service agent principal subject, e.g. "serviceAccount:service-
+        # 1234@gcp-sa-gkehub.iam.gserviceaccount.com".
+        # Corresponds to the JSON property `principalSubject`
+        # @return [String]
+        attr_accessor :principal_subject
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @principal_subject = args[:principal_subject] if args.key?(:principal_subject)
+        end
+      end
+      # The service account patch request. You can patch only the `display_name` and `
       # description` fields. You must use the `update_mask` field to specify which of
       # these fields you want to patch. Only the fields specified in the request are
       # guaranteed to be returned in the response. Other fields may be empty in the
@@ -866,7 +1912,7 @@ module Google
         # https://cloud.google.com/iam/help/service-accounts/overview). When you create
         # a service account, you specify the project ID that owns the service account,
         # as well as a name that must be unique within the project. IAM uses these
-        # values to create an email address that identifies the service //
+        # values to create an email address that identifies the service account. //
         # Corresponds to the JSON property `serviceAccount`
         # @return [Google::Apis::IamV1::ServiceAccount]
         attr_accessor :service_account
@@ -902,8 +1948,7 @@ module Google
         # @return [String]
         attr_accessor :custom_roles_support_level
-        # A brief description of what this Permission is used for. This permission can
-        # ONLY be used in predefined roles.
+        # A brief description of what this Permission is used for.
         # Corresponds to the JSON property `description`
         # @return [String]
         attr_accessor :description
@@ -989,22 +2034,22 @@ module Google
       # evaluates to `true`. A condition can add constraints based on attributes of
       # the request, the resource, or both. To learn which resources support
       # conditions in their IAM policies, see the [IAM documentation](https://cloud.
-      # google.com/iam/help/conditions/resource-policies). **JSON example:** ` "
+      # google.com/iam/help/conditions/resource-policies). **JSON example:** ``` ` "
       # bindings": [ ` "role": "roles/resourcemanager.organizationAdmin", "members": [
       # "user:mike@example.com", "group:admins@example.com", "domain:google.com", "
       # serviceAccount:my-project-id@appspot.gserviceaccount.com" ] `, ` "role": "
       # roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com"
       # ], "condition": ` "title": "expirable access", "description": "Does not grant
       # access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:
-      # 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` **YAML example:**
-      # bindings: - members: - user:mike@example.com - group:admins@example.com -
-      # domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com
-      # role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.
-      # com role: roles/resourcemanager.organizationViewer condition: title: expirable
-      # access description: Does not grant access after Sep 2020 expression: request.
-      # time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For
-      # a description of IAM and its features, see the [IAM documentation](https://
-      # cloud.google.com/iam/docs/).
+      # 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` ``` **YAML
+      # example:** ``` bindings: - members: - user:mike@example.com - group:admins@
+      # example.com - domain:google.com - serviceAccount:my-project-id@appspot.
+      # gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: -
+      # user:eve@example.com role: roles/resourcemanager.organizationViewer condition:
+      # title: expirable access description: Does not grant access after Sep 2020
+      # expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag:
+      # BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, see the
+      # [IAM documentation](https://cloud.google.com/iam/docs/).
       class Policy
         include Google::Apis::Core::Hashable
@@ -1137,16 +2182,16 @@ module Google
       class QueryGrantableRolesRequest
         include Google::Apis::Core::Hashable
-        # Required. The full resource name to query from the list of grantable roles.
-        # The name follows the Google Cloud Platform resource format. For example, a
-        # Cloud Platform project with id `my-project` will be named `//
+        # Required. Required. The full resource name to query from the list of grantable
+        # roles. The name follows the Google Cloud Platform resource format. For example,
+        # a Cloud Platform project with id `my-project` will be named `//
         # cloudresourcemanager.googleapis.com/projects/my-project`.
         # Corresponds to the JSON property `fullResourceName`
         # @return [String]
         attr_accessor :full_resource_name
         # Optional limit on the number of roles to include in the response. The default
-        # is 300, and the maximum is 1,000.
+        # is 300, and the maximum is 2,000.
         # Corresponds to the JSON property `pageSize`
         # @return [Fixnum]
         attr_accessor :page_size
@@ -1218,11 +2263,64 @@ module Google
         # @return [Fixnum]
         attr_accessor :page_size
-        # Optional pagination token returned in an earlier
-        # QueryTestablePermissionsRequest.
-        # Corresponds to the JSON property `pageToken`
+        # Optional pagination token returned in an earlier
+        # QueryTestablePermissionsRequest.
+        # Corresponds to the JSON property `pageToken`
+        # @return [String]
+        attr_accessor :page_token
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @full_resource_name = args[:full_resource_name] if args.key?(:full_resource_name)
+          @page_size = args[:page_size] if args.key?(:page_size)
+          @page_token = args[:page_token] if args.key?(:page_token)
+        end
+      end
+      # The response containing permissions which can be tested on a resource.
+      class QueryTestablePermissionsResponse
+        include Google::Apis::Core::Hashable
+        # To retrieve the next page of results, set `QueryTestableRolesRequest.
+        # page_token` to this value.
+        # Corresponds to the JSON property `nextPageToken`
+        # @return [String]
+        attr_accessor :next_page_token
+        # The Permissions testable on the requested resource.
+        # Corresponds to the JSON property `permissions`
+        # @return [Array<Google::Apis::IamV1::Permission>]
+        attr_accessor :permissions
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
+          @permissions = args[:permissions] if args.key?(:permissions)
+        end
+      end
+      # Operation metadata returned by the CLH during resource state reconciliation.
+      class ReconciliationOperationMetadata
+        include Google::Apis::Core::Hashable
+        # DEPRECATED. Use exclusive_action instead.
+        # Corresponds to the JSON property `deleteResource`
+        # @return [Boolean]
+        attr_accessor :delete_resource
+        alias_method :delete_resource?, :delete_resource
+        # Excluisive action returned by the CLH.
+        # Corresponds to the JSON property `exclusiveAction`
         # @return [String]
-        attr_accessor :page_token
+        attr_accessor :exclusive_action
         def initialize(**args)
            update!(**args)
@@ -1230,26 +2328,21 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @full_resource_name = args[:full_resource_name] if args.key?(:full_resource_name)
-          @page_size = args[:page_size] if args.key?(:page_size)
-          @page_token = args[:page_token] if args.key?(:page_token)
+          @delete_resource = args[:delete_resource] if args.key?(:delete_resource)
+          @exclusive_action = args[:exclusive_action] if args.key?(:exclusive_action)
         end
       end
-      # The response containing permissions which can be tested on a resource.
-      class QueryTestablePermissionsResponse
+      # Request message for RemoveAttestationRule.
+      class RemoveAttestationRuleRequest
         include Google::Apis::Core::Hashable
-        # To retrieve the next page of results, set `QueryTestableRolesRequest.
-        # page_token` to this value.
-        # Corresponds to the JSON property `nextPageToken`
-        # @return [String]
-        attr_accessor :next_page_token
-        # The Permissions testable on the requested resource.
-        # Corresponds to the JSON property `permissions`
-        # @return [Array<Google::Apis::IamV1::Permission>]
-        attr_accessor :permissions
+        # Defines which workloads can receive an identity within a pool. When an
+        # AttestationRule is defined under a managed identity, matching workloads may
+        # receive that identity.
+        # Corresponds to the JSON property `attestationRule`
+        # @return [Google::Apis::IamV1::AttestationRule]
+        attr_accessor :attestation_rule
         def initialize(**args)
            update!(**args)
@@ -1257,8 +2350,7 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
-          @permissions = args[:permissions] if args.key?(:permissions)
+          @attestation_rule = args[:attestation_rule] if args.key?(:attestation_rule)
         end
       end
@@ -1289,11 +2381,12 @@ module Google
         # @return [Array<String>]
         attr_accessor :included_permissions
-        # The name of the role. When Role is used in CreateRole, the role name must not
-        # be set. When Role is used in output and other input such as UpdateRole, the
-        # role name is the complete path, e.g., roles/logging.viewer for predefined
-        # roles and organizations/`ORGANIZATION_ID`/roles/logging.viewer for custom
-        # roles.
+        # The name of the role. When `Role` is used in `CreateRole`, the role name must
+        # not be set. When `Role` is used in output and other input such as `UpdateRole`,
+        # the role name is the complete path. For example, `roles/logging.viewer` for
+        # predefined roles, `organizations/`ORGANIZATION_ID`/roles/myRole` for
+        # organization-level custom roles, and `projects/`PROJECT_ID`/roles/myRole` for
+        # project-level custom roles.
         # Corresponds to the JSON property `name`
         # @return [String]
         attr_accessor :name
@@ -1331,18 +2424,18 @@ module Google
       class Saml
         include Google::Apis::Core::Hashable
-        # Required. SAML Identity provider configuration metadata xml doc. The xml
-        # document should comply with [SAML 2.0 specification](https://www.oasis-open.
-        # org/committees/download.php/56785/sstc-saml-metadata-errata-2.0-wd-05.pdf).
-        # The max size of the acceptable xml document will be bounded to 128k characters.
-        # The metadata xml document should satisfy the following constraints: 1) Must
-        # contain an Identity Provider Entity ID. 2) Must contain at least one non-
-        # expired signing key certificate. 3) For each signing key: a) Valid from should
-        # be no more than 7 days from now. b) Valid to should be no more than 14 years
-        # in the future. 4) Upto 3 IdP signing keys are allowed in the metadata xml.
-        # When updating the provider's metadata xml, at lease one non-expired signing
-        # key must overlap with the existing metadata. This requirement is skipped if
-        # there are no non-expired signing keys present in the existing metadata
+        # Required. SAML identity provider (IdP) configuration metadata XML doc. The XML
+        # document must comply with the [SAML 2.0 specification](https://docs.oasis-open.
+        # org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The maximum size of an
+        # acceptable XML document is 128K characters. The SAML metadata XML document
+        # must satisfy the following constraints: * Must contain an IdP Entity ID. *
+        # Must contain at least one non-expired signing certificate. * For each signing
+        # certificate, the expiration must be: * From no more than 7 days in the future.
+        # * To no more than 25 years in the future. * Up to three IdP signing keys are
+        # allowed. When updating the provider's metadata XML, at least one non-expired
+        # signing key must overlap with the existing metadata. This requirement is
+        # skipped if there are no non-expired signing keys present in the existing
+        # metadata.
         # Corresponds to the JSON property `idpMetadataXml`
         # @return [String]
         attr_accessor :idp_metadata_xml
@@ -1363,7 +2456,7 @@ module Google
       # https://cloud.google.com/iam/help/service-accounts/overview). When you create
       # a service account, you specify the project ID that owns the service account,
       # as well as a name that must be unique within the project. IAM uses these
-      # values to create an email address that identifies the service //
+      # values to create an email address that identifies the service account. //
       class ServiceAccount
         include Google::Apis::Core::Hashable
@@ -1402,10 +2495,10 @@ module Google
         # character instead of the project ID: * `projects/-/serviceAccounts/`
         # EMAIL_ADDRESS`` * `projects/-/serviceAccounts/`UNIQUE_ID`` When possible,
         # avoid using the `-` wildcard character, because it can cause response messages
-        # to contain misleading error codes. For example, if you try to get the service
-        # account `projects/-/serviceAccounts/fake@example.com`, which does not exist,
-        # the response contains an HTTP `403 Forbidden` error instead of a `404 Not
-        # Found` error.
+        # to contain misleading error codes. For example, if you try to access the
+        # service account `projects/-/serviceAccounts/fake@example.com`, which does not
+        # exist, the response contains an HTTP `403 Forbidden` error instead of a `404
+        # Not Found` error.
         # Corresponds to the JSON property `name`
         # @return [String]
         attr_accessor :name
@@ -1465,12 +2558,26 @@ module Google
       class ServiceAccountKey
         include Google::Apis::Core::Hashable
+        # Output only. optional. If the key is disabled, it may have a DisableReason
+        # describing why it was disabled.
+        # Corresponds to the JSON property `disableReason`
+        # @return [String]
+        attr_accessor :disable_reason
         # The key status.
         # Corresponds to the JSON property `disabled`
         # @return [Boolean]
         attr_accessor :disabled
         alias_method :disabled?, :disabled
+        # Output only. Extended Status provides permanent information about a service
+        # account key. For example, if this key was detected as exposed or compromised,
+        # that information will remain for the lifetime of the key in the
+        # extended_status.
+        # Corresponds to the JSON property `extendedStatus`
+        # @return [Array<Google::Apis::IamV1::ExtendedStatus>]
+        attr_accessor :extended_status
         # Specifies the algorithm (and possibly key size) for the key.
         # Corresponds to the JSON property `keyAlgorithm`
         # @return [String]
@@ -1534,7 +2641,9 @@ module Google
         # Update properties of this object
         def update!(**args)
+          @disable_reason = args[:disable_reason] if args.key?(:disable_reason)
           @disabled = args[:disabled] if args.key?(:disabled)
+          @extended_status = args[:extended_status] if args.key?(:extended_status)
           @key_algorithm = args[:key_algorithm] if args.key?(:key_algorithm)
           @key_origin = args[:key_origin] if args.key?(:key_origin)
           @key_type = args[:key_type] if args.key?(:key_type)
@@ -1547,6 +2656,45 @@ module Google
         end
       end
+      # Configuration for a service.
+      class ServiceConfig
+        include Google::Apis::Core::Hashable
+        # Optional. Domain name of the service. Example: console.cloud.google
+        # Corresponds to the JSON property `domain`
+        # @return [String]
+        attr_accessor :domain
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @domain = args[:domain] if args.key?(:domain)
+        end
+      end
+      # Request message for SetAttestationRules.
+      class SetAttestationRulesRequest
+        include Google::Apis::Core::Hashable
+        # Required. The attestation rules to be set. At most 50 attestation rules can be
+        # set.
+        # Corresponds to the JSON property `attestationRules`
+        # @return [Array<Google::Apis::IamV1::AttestationRule>]
+        attr_accessor :attestation_rules
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @attestation_rules = args[:attestation_rules] if args.key?(:attestation_rules)
+        end
+      end
       # Request message for `SetIamPolicy` method.
       class SetIamPolicyRequest
         include Google::Apis::Core::Hashable
@@ -1562,22 +2710,22 @@ module Google
         # evaluates to `true`. A condition can add constraints based on attributes of
         # the request, the resource, or both. To learn which resources support
         # conditions in their IAM policies, see the [IAM documentation](https://cloud.
-        # google.com/iam/help/conditions/resource-policies). **JSON example:** ` "
+        # google.com/iam/help/conditions/resource-policies). **JSON example:** ``` ` "
         # bindings": [ ` "role": "roles/resourcemanager.organizationAdmin", "members": [
         # "user:mike@example.com", "group:admins@example.com", "domain:google.com", "
         # serviceAccount:my-project-id@appspot.gserviceaccount.com" ] `, ` "role": "
         # roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com"
         # ], "condition": ` "title": "expirable access", "description": "Does not grant
         # access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:
-        # 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` **YAML example:**
-        # bindings: - members: - user:mike@example.com - group:admins@example.com -
-        # domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com
-        # role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.
-        # com role: roles/resourcemanager.organizationViewer condition: title: expirable
-        # access description: Does not grant access after Sep 2020 expression: request.
-        # time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For
-        # a description of IAM and its features, see the [IAM documentation](https://
-        # cloud.google.com/iam/docs/).
+        # 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` ``` **YAML
+        # example:** ``` bindings: - members: - user:mike@example.com - group:admins@
+        # example.com - domain:google.com - serviceAccount:my-project-id@appspot.
+        # gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: -
+        # user:eve@example.com role: roles/resourcemanager.organizationViewer condition:
+        # title: expirable access description: Does not grant access after Sep 2020
+        # expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag:
+        # BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, see the
+        # [IAM documentation](https://cloud.google.com/iam/docs/).
         # Corresponds to the JSON property `policy`
         # @return [Google::Apis::IamV1::Policy]
         attr_accessor :policy
@@ -1762,38 +2910,278 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @permissions = args[:permissions] if args.key?(:permissions)
+          @permissions = args[:permissions] if args.key?(:permissions)
+        end
+      end
+      # Response message for `TestIamPermissions` method.
+      class TestIamPermissionsResponse
+        include Google::Apis::Core::Hashable
+        # A subset of `TestPermissionsRequest.permissions` that the caller is allowed.
+        # Corresponds to the JSON property `permissions`
+        # @return [Array<String>]
+        attr_accessor :permissions
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @permissions = args[:permissions] if args.key?(:permissions)
+        end
+      end
+      # Represents a root of trust.
+      class TrustAnchor
+        include Google::Apis::Core::Hashable
+        # PEM certificate of the PKI used for validation. Must only contain one ca
+        # certificate(either root or intermediate cert).
+        # Corresponds to the JSON property `pemCertificate`
+        # @return [String]
+        attr_accessor :pem_certificate
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @pem_certificate = args[:pem_certificate] if args.key?(:pem_certificate)
+        end
+      end
+      # Trust store that contains trust anchors and optional intermediate CAs used in
+      # PKI to build a trust chain(trust hierarchy) and verify a client's identity.
+      class TrustStore
+        include Google::Apis::Core::Hashable
+        # Optional. Set of intermediate CA certificates used for building the trust
+        # chain to the trust anchor. Important: Intermediate CAs are only supported for
+        # X.509 federation.
+        # Corresponds to the JSON property `intermediateCas`
+        # @return [Array<Google::Apis::IamV1::IntermediateCa>]
+        attr_accessor :intermediate_cas
+        # Required. List of trust anchors to be used while performing validation against
+        # a given TrustStore. The incoming end entity's certificate must be in the trust
+        # chain of one of the trust anchors here.
+        # Corresponds to the JSON property `trustAnchors`
+        # @return [Array<Google::Apis::IamV1::TrustAnchor>]
+        attr_accessor :trust_anchors
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @intermediate_cas = args[:intermediate_cas] if args.key?(:intermediate_cas)
+          @trust_anchors = args[:trust_anchors] if args.key?(:trust_anchors)
+        end
+      end
+      # Request message for UndeleteOauthClient.
+      class UndeleteOauthClientRequest
+        include Google::Apis::Core::Hashable
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+        end
+      end
+      # The request to undelete an existing role.
+      class UndeleteRoleRequest
+        include Google::Apis::Core::Hashable
+        # Used to perform a consistent read-modify-write.
+        # Corresponds to the JSON property `etag`
+        # NOTE: Values are automatically base64 encoded/decoded in the client library.
+        # @return [String]
+        attr_accessor :etag
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @etag = args[:etag] if args.key?(:etag)
+        end
+      end
+      # The service account undelete request.
+      class UndeleteServiceAccountRequest
+        include Google::Apis::Core::Hashable
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+        end
+      end
+      #
+      class UndeleteServiceAccountResponse
+        include Google::Apis::Core::Hashable
+        # An IAM service account. A service account is an account for an application or
+        # a virtual machine (VM) instance, not a person. You can use a service account
+        # to call Google APIs. To learn more, read the [overview of service accounts](
+        # https://cloud.google.com/iam/help/service-accounts/overview). When you create
+        # a service account, you specify the project ID that owns the service account,
+        # as well as a name that must be unique within the project. IAM uses these
+        # values to create an email address that identifies the service account. //
+        # Corresponds to the JSON property `restoredAccount`
+        # @return [Google::Apis::IamV1::ServiceAccount]
+        attr_accessor :restored_account
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @restored_account = args[:restored_account] if args.key?(:restored_account)
+        end
+      end
+      # Request message for UndeleteWorkforcePoolProviderKey.
+      class UndeleteWorkforcePoolProviderKeyRequest
+        include Google::Apis::Core::Hashable
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+        end
+      end
+      # Request message for UndeleteWorkforcePoolProvider.
+      class UndeleteWorkforcePoolProviderRequest
+        include Google::Apis::Core::Hashable
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+        end
+      end
+      # Request message for UndeleteWorkforcePool.
+      class UndeleteWorkforcePoolRequest
+        include Google::Apis::Core::Hashable
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+        end
+      end
+      # Request message for UndeleteWorkforcePoolSubject.
+      class UndeleteWorkforcePoolSubjectRequest
+        include Google::Apis::Core::Hashable
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+        end
+      end
+      # Request message for UndeleteWorkloadIdentityPoolManagedIdentity.
+      class UndeleteWorkloadIdentityPoolManagedIdentityRequest
+        include Google::Apis::Core::Hashable
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+        end
+      end
+      # Request message for UndeleteWorkloadIdentityPoolNamespace.
+      class UndeleteWorkloadIdentityPoolNamespaceRequest
+        include Google::Apis::Core::Hashable
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+        end
+      end
+      # Request message for UndeleteWorkloadIdentityPoolProviderKey.
+      class UndeleteWorkloadIdentityPoolProviderKeyRequest
+        include Google::Apis::Core::Hashable
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+        end
+      end
+      # Request message for UndeleteWorkloadIdentityPoolProvider.
+      class UndeleteWorkloadIdentityPoolProviderRequest
+        include Google::Apis::Core::Hashable
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
         end
       end
-      # Response message for `TestIamPermissions` method.
-      class TestIamPermissionsResponse
+      # Request message for UndeleteWorkloadIdentityPool.
+      class UndeleteWorkloadIdentityPoolRequest
         include Google::Apis::Core::Hashable
-        # A subset of `TestPermissionsRequest.permissions` that the caller is allowed.
-        # Corresponds to the JSON property `permissions`
-        # @return [Array<String>]
-        attr_accessor :permissions
         def initialize(**args)
            update!(**args)
         end
         # Update properties of this object
         def update!(**args)
-          @permissions = args[:permissions] if args.key?(:permissions)
         end
       end
-      # The request to undelete an existing role.
-      class UndeleteRoleRequest
+      # The service account key upload request.
+      class UploadServiceAccountKeyRequest
         include Google::Apis::Core::Hashable
-        # Used to perform a consistent read-modify-write.
-        # Corresponds to the JSON property `etag`
+        # The public key to associate with the service account. Must be an RSA public
+        # key that is wrapped in an X.509 v3 certificate. Include the first line, `-----
+        # BEGIN CERTIFICATE-----`, and the last line, `-----END CERTIFICATE-----`.
+        # Corresponds to the JSON property `publicKeyData`
         # NOTE: Values are automatically base64 encoded/decoded in the client library.
         # @return [String]
-        attr_accessor :etag
+        attr_accessor :public_key_data
         def initialize(**args)
            update!(**args)
@@ -1801,37 +3189,220 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @etag = args[:etag] if args.key?(:etag)
+          @public_key_data = args[:public_key_data] if args.key?(:public_key_data)
         end
       end
-      # The service account undelete request.
-      class UndeleteServiceAccountRequest
+      # Represents a collection of external workforces. Provides namespaces for
+      # federated users that can be referenced in IAM policies.
+      class WorkforcePool
         include Google::Apis::Core::Hashable
+        # Access related restrictions on the workforce pool.
+        # Corresponds to the JSON property `accessRestrictions`
+        # @return [Google::Apis::IamV1::AccessRestrictions]
+        attr_accessor :access_restrictions
+        # Optional. A user-specified description of the pool. Cannot exceed 256
+        # characters.
+        # Corresponds to the JSON property `description`
+        # @return [String]
+        attr_accessor :description
+        # Optional. Disables the workforce pool. You cannot use a disabled pool to
+        # exchange tokens, or use existing tokens to access resources. If the pool is re-
+        # enabled, existing tokens grant access again.
+        # Corresponds to the JSON property `disabled`
+        # @return [Boolean]
+        attr_accessor :disabled
+        alias_method :disabled?, :disabled
+        # Optional. A user-specified display name of the pool in Google Cloud Console.
+        # Cannot exceed 32 characters.
+        # Corresponds to the JSON property `displayName`
+        # @return [String]
+        attr_accessor :display_name
+        # Output only. Time after which the workforce pool will be permanently purged
+        # and cannot be recovered.
+        # Corresponds to the JSON property `expireTime`
+        # @return [String]
+        attr_accessor :expire_time
+        # Identifier. The resource name of the pool. Format: `locations/`location`/
+        # workforcePools/`workforce_pool_id``
+        # Corresponds to the JSON property `name`
+        # @return [String]
+        attr_accessor :name
+        # Immutable. The resource name of the parent. Format: `organizations/`org-id``.
+        # Corresponds to the JSON property `parent`
+        # @return [String]
+        attr_accessor :parent
+        # Optional. Duration that the Google Cloud access tokens, console sign-in
+        # sessions, and `gcloud` sign-in sessions from this pool are valid. Must be
+        # greater than 15 minutes (900s) and less than 12 hours (43200s). If `
+        # session_duration` is not configured, minted credentials have a default
+        # duration of one hour (3600s). For SAML providers, the lifetime of the token is
+        # the minimum of the `session_duration` and the `SessionNotOnOrAfter` claim in
+        # the SAML assertion.
+        # Corresponds to the JSON property `sessionDuration`
+        # @return [String]
+        attr_accessor :session_duration
+        # Output only. The state of the pool.
+        # Corresponds to the JSON property `state`
+        # @return [String]
+        attr_accessor :state
         def initialize(**args)
            update!(**args)
         end
         # Update properties of this object
         def update!(**args)
+          @access_restrictions = args[:access_restrictions] if args.key?(:access_restrictions)
+          @description = args[:description] if args.key?(:description)
+          @disabled = args[:disabled] if args.key?(:disabled)
+          @display_name = args[:display_name] if args.key?(:display_name)
+          @expire_time = args[:expire_time] if args.key?(:expire_time)
+          @name = args[:name] if args.key?(:name)
+          @parent = args[:parent] if args.key?(:parent)
+          @session_duration = args[:session_duration] if args.key?(:session_duration)
+          @state = args[:state] if args.key?(:state)
         end
       end
-      #
-      class UndeleteServiceAccountResponse
+      # A configuration for an external identity provider.
+      class WorkforcePoolProvider
         include Google::Apis::Core::Hashable
-        # An IAM service account. A service account is an account for an application or
-        # a virtual machine (VM) instance, not a person. You can use a service account
-        # to call Google APIs. To learn more, read the [overview of service accounts](
-        # https://cloud.google.com/iam/help/service-accounts/overview). When you create
-        # a service account, you specify the project ID that owns the service account,
-        # as well as a name that must be unique within the project. IAM uses these
-        # values to create an email address that identifies the service //
-        # Corresponds to the JSON property `restoredAccount`
-        # @return [Google::Apis::IamV1::ServiceAccount]
-        attr_accessor :restored_account
+        # Optional. A [Common Expression Language](https://opensource.google/projects/
+        # cel) expression, in plain text, to restrict what otherwise valid
+        # authentication credentials issued by the provider should not be accepted. The
+        # expression must output a boolean representing whether to allow the federation.
+        # The following keywords may be referenced in the expressions: * `assertion`:
+        # JSON representing the authentication credential issued by the provider. * `
+        # google`: The Google attributes mapped from the assertion in the `
+        # attribute_mappings`. `google.profile_photo`, `google.display_name` and `google.
+        # posix_username` are not supported. * `attribute`: The custom attributes mapped
+        # from the assertion in the `attribute_mappings`. The maximum length of the
+        # attribute condition expression is 4096 characters. If unspecified, all valid
+        # authentication credentials will be accepted. The following example shows how
+        # to only allow credentials with a mapped `google.groups` value of `admins`: ```
+        # "'admins' in google.groups" ```
+        # Corresponds to the JSON property `attributeCondition`
+        # @return [String]
+        attr_accessor :attribute_condition
+        # Required. Maps attributes from the authentication credentials issued by an
+        # external identity provider to Google Cloud attributes, such as `subject` and `
+        # segment`. Each key must be a string specifying the Google Cloud IAM attribute
+        # to map to. The following keys are supported: * `google.subject`: The principal
+        # IAM is authenticating. You can reference this value in IAM bindings. This is
+        # also the subject that appears in Cloud Logging logs. This is a required field
+        # and the mapped subject cannot exceed 127 bytes. * `google.groups`: Groups the
+        # authenticating user belongs to. You can grant groups access to resources using
+        # an IAM `principalSet` binding; access applies to all members of the group. * `
+        # google.display_name`: The name of the authenticated user. This is an optional
+        # field and the mapped display name cannot exceed 100 bytes. If not set, `google.
+        # subject` will be displayed instead. This attribute cannot be referenced in IAM
+        # bindings. * `google.profile_photo`: The URL that specifies the authenticated
+        # user's thumbnail photo. This is an optional field. When set, the image will be
+        # visible as the user's profile picture. If not set, a generic user icon will be
+        # displayed instead. This attribute cannot be referenced in IAM bindings. * `
+        # google.posix_username`: The Linux username used by OS Login. This is an
+        # optional field and the mapped POSIX username cannot exceed 32 characters, The
+        # key must match the regex "^a-zA-Z0-9._`0,31`$". This attribute cannot be
+        # referenced in IAM bindings. You can also provide custom attributes by
+        # specifying `attribute.`custom_attribute``, where `custom_attribute` is the
+        # name of the custom attribute to be mapped. You can define a maximum of 50
+        # custom attributes. The maximum length of a mapped attribute key is 100
+        # characters, and the key may only contain the characters [a-z0-9_]. You can
+        # reference these attributes in IAM policies to define fine-grained access for a
+        # workforce pool to Google Cloud resources. For example: * `google.subject`: `
+        # principal://iam.googleapis.com/locations/global/workforcePools/`pool`/subject/`
+        # value`` * `google.groups`: `principalSet://iam.googleapis.com/locations/global/
+        # workforcePools/`pool`/group/`value`` * `attribute.`custom_attribute``: `
+        # principalSet://iam.googleapis.com/locations/global/workforcePools/`pool`/
+        # attribute.`custom_attribute`/`value`` Each value must be a [Common Expression
+        # Language] (https://opensource.google/projects/cel) function that maps an
+        # identity provider credential to the normalized attribute specified by the
+        # corresponding map key. You can use the `assertion` keyword in the expression
+        # to access a JSON representation of the authentication credential issued by the
+        # provider. The maximum length of an attribute mapping expression is 2048
+        # characters. When evaluated, the total size of all mapped attributes must not
+        # exceed 4KB. For OIDC providers, you must supply a custom mapping that includes
+        # the `google.subject` attribute. For example, the following maps the `sub`
+        # claim of the incoming credential to the `subject` attribute on a Google token:
+        # ``` `"google.subject": "assertion.sub"` ```
+        # Corresponds to the JSON property `attributeMapping`
+        # @return [Hash<String,String>]
+        attr_accessor :attribute_mapping
+        # Optional. A user-specified description of the provider. Cannot exceed 256
+        # characters.
+        # Corresponds to the JSON property `description`
+        # @return [String]
+        attr_accessor :description
+        # Optional. If true, populates additional debug information in Cloud Audit Logs
+        # for this provider. Logged attribute mappings and values can be found in `sts.
+        # googleapis.com` data access logs. Default value is false.
+        # Corresponds to the JSON property `detailedAuditLogging`
+        # @return [Boolean]
+        attr_accessor :detailed_audit_logging
+        alias_method :detailed_audit_logging?, :detailed_audit_logging
+        # Optional. Disables the workforce pool provider. You cannot use a disabled
+        # provider to exchange tokens. However, existing tokens still grant access.
+        # Corresponds to the JSON property `disabled`
+        # @return [Boolean]
+        attr_accessor :disabled
+        alias_method :disabled?, :disabled
+        # Optional. A user-specified display name for the provider. Cannot exceed 32
+        # characters.
+        # Corresponds to the JSON property `displayName`
+        # @return [String]
+        attr_accessor :display_name
+        # Output only. Time after which the workload pool provider will be permanently
+        # purged and cannot be recovered.
+        # Corresponds to the JSON property `expireTime`
+        # @return [String]
+        attr_accessor :expire_time
+        # Represents the OAuth 2.0 client credential configuration for retrieving
+        # additional user attributes that are not present in the initial authentication
+        # credentials from the identity provider, e.g. groups. See https://datatracker.
+        # ietf.org/doc/html/rfc6749#section-4.4 for more details on client credentials
+        # grant flow.
+        # Corresponds to the JSON property `extraAttributesOauth2Client`
+        # @return [Google::Apis::IamV1::GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2Client]
+        attr_accessor :extra_attributes_oauth2_client
+        # Identifier. The resource name of the provider. Format: `locations/`location`/
+        # workforcePools/`workforce_pool_id`/providers/`provider_id``
+        # Corresponds to the JSON property `name`
+        # @return [String]
+        attr_accessor :name
+        # Represents an OpenId Connect 1.0 identity provider.
+        # Corresponds to the JSON property `oidc`
+        # @return [Google::Apis::IamV1::GoogleIamAdminV1WorkforcePoolProviderOidc]
+        attr_accessor :oidc
+        # Represents a SAML identity provider.
+        # Corresponds to the JSON property `saml`
+        # @return [Google::Apis::IamV1::GoogleIamAdminV1WorkforcePoolProviderSaml]
+        attr_accessor :saml
+        # Output only. The state of the provider.
+        # Corresponds to the JSON property `state`
+        # @return [String]
+        attr_accessor :state
         def initialize(**args)
            update!(**args)
@@ -1839,47 +3410,178 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @restored_account = args[:restored_account] if args.key?(:restored_account)
+          @attribute_condition = args[:attribute_condition] if args.key?(:attribute_condition)
+          @attribute_mapping = args[:attribute_mapping] if args.key?(:attribute_mapping)
+          @description = args[:description] if args.key?(:description)
+          @detailed_audit_logging = args[:detailed_audit_logging] if args.key?(:detailed_audit_logging)
+          @disabled = args[:disabled] if args.key?(:disabled)
+          @display_name = args[:display_name] if args.key?(:display_name)
+          @expire_time = args[:expire_time] if args.key?(:expire_time)
+          @extra_attributes_oauth2_client = args[:extra_attributes_oauth2_client] if args.key?(:extra_attributes_oauth2_client)
+          @name = args[:name] if args.key?(:name)
+          @oidc = args[:oidc] if args.key?(:oidc)
+          @saml = args[:saml] if args.key?(:saml)
+          @state = args[:state] if args.key?(:state)
         end
       end
-      # Request message for UndeleteWorkloadIdentityPoolProvider.
-      class UndeleteWorkloadIdentityPoolProviderRequest
+      # Represents a public key configuration for a Workforce Pool Provider. The key
+      # can be configured in your identity provider to encrypt SAML assertions. Google
+      # holds the corresponding private key, which it uses to decrypt encrypted tokens.
+      class WorkforcePoolProviderKey
         include Google::Apis::Core::Hashable
+        # Output only. The time after which the key will be permanently deleted and
+        # cannot be recovered. Note that the key may get purged before this time if the
+        # total limit of keys per provider is exceeded.
+        # Corresponds to the JSON property `expireTime`
+        # @return [String]
+        attr_accessor :expire_time
+        # Represents a public key data along with its format.
+        # Corresponds to the JSON property `keyData`
+        # @return [Google::Apis::IamV1::KeyData]
+        attr_accessor :key_data
+        # Identifier. The resource name of the key. Format: `locations/`location`/
+        # workforcePools/`workforce_pool_id`/providers/`provider_id`/keys/`key_id``
+        # Corresponds to the JSON property `name`
+        # @return [String]
+        attr_accessor :name
+        # Output only. The state of the key.
+        # Corresponds to the JSON property `state`
+        # @return [String]
+        attr_accessor :state
+        # Required. The purpose of the key.
+        # Corresponds to the JSON property `use`
+        # @return [String]
+        attr_accessor :use
         def initialize(**args)
            update!(**args)
         end
         # Update properties of this object
         def update!(**args)
+          @expire_time = args[:expire_time] if args.key?(:expire_time)
+          @key_data = args[:key_data] if args.key?(:key_data)
+          @name = args[:name] if args.key?(:name)
+          @state = args[:state] if args.key?(:state)
+          @use = args[:use] if args.key?(:use)
         end
       end
-      # Request message for UndeleteWorkloadIdentityPool.
-      class UndeleteWorkloadIdentityPoolRequest
+      # Represents a collection of workload identities. You can define IAM policies to
+      # grant these identities access to Google Cloud resources.
+      class WorkloadIdentityPool
         include Google::Apis::Core::Hashable
+        # Optional. A description of the pool. Cannot exceed 256 characters.
+        # Corresponds to the JSON property `description`
+        # @return [String]
+        attr_accessor :description
+        # Optional. Whether the pool is disabled. You cannot use a disabled pool to
+        # exchange tokens, or use existing tokens to access resources. If the pool is re-
+        # enabled, existing tokens grant access again.
+        # Corresponds to the JSON property `disabled`
+        # @return [Boolean]
+        attr_accessor :disabled
+        alias_method :disabled?, :disabled
+        # Optional. A display name for the pool. Cannot exceed 32 characters.
+        # Corresponds to the JSON property `displayName`
+        # @return [String]
+        attr_accessor :display_name
+        # Output only. Time after which the workload identity pool will be permanently
+        # purged and cannot be recovered.
+        # Corresponds to the JSON property `expireTime`
+        # @return [String]
+        attr_accessor :expire_time
+        # Represents configuration for generating mutual TLS (mTLS) certificates for the
+        # identities within this pool.
+        # Corresponds to the JSON property `inlineCertificateIssuanceConfig`
+        # @return [Google::Apis::IamV1::InlineCertificateIssuanceConfig]
+        attr_accessor :inline_certificate_issuance_config
+        # Defines configuration for extending trust to additional trust domains. By
+        # establishing trust with another domain, the current domain will recognize and
+        # accept certificates issued by entities within the trusted domains. Note that a
+        # trust domain automatically trusts itself, eliminating the need for explicit
+        # configuration.
+        # Corresponds to the JSON property `inlineTrustConfig`
+        # @return [Google::Apis::IamV1::InlineTrustConfig]
+        attr_accessor :inline_trust_config
+        # Immutable. The mode the pool is operating in.
+        # Corresponds to the JSON property `mode`
+        # @return [String]
+        attr_accessor :mode
+        # Output only. The resource name of the pool.
+        # Corresponds to the JSON property `name`
+        # @return [String]
+        attr_accessor :name
+        # Output only. The state of the pool.
+        # Corresponds to the JSON property `state`
+        # @return [String]
+        attr_accessor :state
         def initialize(**args)
            update!(**args)
         end
         # Update properties of this object
         def update!(**args)
+          @description = args[:description] if args.key?(:description)
+          @disabled = args[:disabled] if args.key?(:disabled)
+          @display_name = args[:display_name] if args.key?(:display_name)
+          @expire_time = args[:expire_time] if args.key?(:expire_time)
+          @inline_certificate_issuance_config = args[:inline_certificate_issuance_config] if args.key?(:inline_certificate_issuance_config)
+          @inline_trust_config = args[:inline_trust_config] if args.key?(:inline_trust_config)
+          @mode = args[:mode] if args.key?(:mode)
+          @name = args[:name] if args.key?(:name)
+          @state = args[:state] if args.key?(:state)
         end
       end
-      # The service account key upload request.
-      class UploadServiceAccountKeyRequest
+      # Represents a managed identity for a workload identity pool namespace.
+      class WorkloadIdentityPoolManagedIdentity
         include Google::Apis::Core::Hashable
-        # The public key to associate with the service account. Must be an RSA public
-        # key that is wrapped in an X.509 v3 certificate. Include the first line, `-----
-        # BEGIN CERTIFICATE-----`, and the last line, `-----END CERTIFICATE-----`.
-        # Corresponds to the JSON property `publicKeyData`
-        # NOTE: Values are automatically base64 encoded/decoded in the client library.
+        # A description of the managed identity. Cannot exceed 256 characters.
+        # Corresponds to the JSON property `description`
         # @return [String]
-        attr_accessor :public_key_data
+        attr_accessor :description
+        # Whether the managed identity is disabled. If disabled, credentials may no
+        # longer be issued for the identity, however existing credentials will still be
+        # accepted until they expire.
+        # Corresponds to the JSON property `disabled`
+        # @return [Boolean]
+        attr_accessor :disabled
+        alias_method :disabled?, :disabled
+        # Output only. Time after which the managed identity will be permanently purged
+        # and cannot be recovered.
+        # Corresponds to the JSON property `expireTime`
+        # @return [String]
+        attr_accessor :expire_time
+        # Output only. The resource name of the managed identity.
+        # Corresponds to the JSON property `name`
+        # @return [String]
+        attr_accessor :name
+        # Output only. The state of the managed identity.
+        # Corresponds to the JSON property `state`
+        # @return [String]
+        attr_accessor :state
         def initialize(**args)
            update!(**args)
@@ -1887,39 +3589,49 @@ module Google
         # Update properties of this object
         def update!(**args)
-          @public_key_data = args[:public_key_data] if args.key?(:public_key_data)
+          @description = args[:description] if args.key?(:description)
+          @disabled = args[:disabled] if args.key?(:disabled)
+          @expire_time = args[:expire_time] if args.key?(:expire_time)
+          @name = args[:name] if args.key?(:name)
+          @state = args[:state] if args.key?(:state)
         end
       end
-      # Represents a collection of external workload identities. You can define IAM
-      # policies to grant these identities access to Google Cloud resources.
-      class WorkloadIdentityPool
+      # Represents a namespace for a workload identity pool. Namespaces are used to
+      # segment identities within the pool.
+      class WorkloadIdentityPoolNamespace
         include Google::Apis::Core::Hashable
-        # A description of the pool. Cannot exceed 256 characters.
+        # A description of the namespace. Cannot exceed 256 characters.
         # Corresponds to the JSON property `description`
         # @return [String]
         attr_accessor :description
-        # Whether the pool is disabled. You cannot use a disabled pool to exchange
-        # tokens, or use existing tokens to access resources. If the pool is re-enabled,
-        # existing tokens grant access again.
+        # Whether the namespace is disabled. If disabled, credentials may no longer be
+        # issued for identities within this namespace, however existing credentials will
+        # still be accepted until they expire.
         # Corresponds to the JSON property `disabled`
         # @return [Boolean]
         attr_accessor :disabled
         alias_method :disabled?, :disabled
-        # A display name for the pool. Cannot exceed 32 characters.
-        # Corresponds to the JSON property `displayName`
+        # Output only. Time after which the namespace will be permanently purged and
+        # cannot be recovered.
+        # Corresponds to the JSON property `expireTime`
         # @return [String]
-        attr_accessor :display_name
+        attr_accessor :expire_time
-        # Output only. The resource name of the pool.
+        # Output only. The resource name of the namespace.
         # Corresponds to the JSON property `name`
         # @return [String]
         attr_accessor :name
-        # Output only. The state of the pool.
+        # The Google Cloud service that owns this namespace.
+        # Corresponds to the JSON property `ownerService`
+        # @return [Google::Apis::IamV1::OwnerService]
+        attr_accessor :owner_service
+        # Output only. The state of the namespace.
         # Corresponds to the JSON property `state`
         # @return [String]
         attr_accessor :state
@@ -1932,8 +3644,9 @@ module Google
         def update!(**args)
           @description = args[:description] if args.key?(:description)
           @disabled = args[:disabled] if args.key?(:disabled)
-          @display_name = args[:display_name] if args.key?(:display_name)
+          @expire_time = args[:expire_time] if args.key?(:expire_time)
           @name = args[:name] if args.key?(:name)
+          @owner_service = args[:owner_service] if args.key?(:owner_service)
           @state = args[:state] if args.key?(:state)
         end
       end
@@ -1955,59 +3668,61 @@ module Google
       class WorkloadIdentityPoolProvider
         include Google::Apis::Core::Hashable
-        # [A Common Expression Language](https://opensource.google/projects/cel)
-        # expression, in plain text, to restrict what otherwise valid authentication
-        # credentials issued by the provider should not be accepted. The expression must
-        # output a boolean representing whether to allow the federation. The following
-        # keywords may be referenced in the expressions: * `assertion`: JSON
-        # representing the authentication credential issued by the provider. * `google`:
-        # The Google attributes mapped from the assertion in the `attribute_mappings`. *
-        # `attribute`: The custom attributes mapped from the assertion in the `
-        # attribute_mappings`. The maximum length of the attribute condition expression
-        # is 4096 characters. If unspecified, all valid authentication credential are
-        # accepted. The following example shows how to only allow credentials with a
-        # mapped `google.groups` value of `admins`: ``` "'admins' in google.groups" ```
+        # Optional. [A Common Expression Language](https://opensource.google/projects/
+        # cel) expression, in plain text, to restrict what otherwise valid
+        # authentication credentials issued by the provider should not be accepted. The
+        # expression must output a boolean representing whether to allow the federation.
+        # The following keywords may be referenced in the expressions: * `assertion`:
+        # JSON representing the authentication credential issued by the provider. * `
+        # google`: The Google attributes mapped from the assertion in the `
+        # attribute_mappings`. * `attribute`: The custom attributes mapped from the
+        # assertion in the `attribute_mappings`. The maximum length of the attribute
+        # condition expression is 4096 characters. If unspecified, all valid
+        # authentication credential are accepted. The following example shows how to
+        # only allow credentials with a mapped `google.groups` value of `admins`: ``` "'
+        # admins' in google.groups" ```
         # Corresponds to the JSON property `attributeCondition`
         # @return [String]
         attr_accessor :attribute_condition
-        # Maps attributes from authentication credentials issued by an external identity
-        # provider to Google Cloud attributes, such as `subject` and `segment`. Each key
-        # must be a string specifying the Google Cloud IAM attribute to map to. The
-        # following keys are supported: * `google.subject`: The principal IAM is
-        # authenticating. You can reference this value in IAM bindings. This is also the
-        # subject that appears in Cloud Logging logs. Cannot exceed 127 bytes. * `google.
-        # groups`: Groups the external identity belongs to. You can grant groups access
-        # to resources using an IAM `principalSet` binding; access applies to all
-        # members of the group. You can also provide custom attributes by specifying `
-        # attribute.`custom_attribute``, where ``custom_attribute`` is the name of the
-        # custom attribute to be mapped. You can define a maximum of 50 custom
-        # attributes. The maximum length of a mapped attribute key is 100 characters,
-        # and the key may only contain the characters [a-z0-9_]. You can reference these
-        # attributes in IAM policies to define fine-grained access for a workload to
-        # Google Cloud resources. For example: * `google.subject`: `principal://iam.
-        # googleapis.com/projects/`project`/locations/`location`/workloadIdentityPools/`
-        # pool`/subject/`value`` * `google.groups`: `principalSet://iam.googleapis.com/
-        # projects/`project`/locations/`location`/workloadIdentityPools/`pool`/group/`
-        # value`` * `attribute.`custom_attribute``: `principalSet://iam.googleapis.com/
-        # projects/`project`/locations/`location`/workloadIdentityPools/`pool`/attribute.
-        # `custom_attribute`/`value`` Each value must be a [Common Expression Language] (
-        # https://opensource.google/projects/cel) function that maps an identity
-        # provider credential to the normalized attribute specified by the corresponding
-        # map key. You can use the `assertion` keyword in the expression to access a
-        # JSON representation of the authentication credential issued by the provider.
-        # The maximum length of an attribute mapping expression is 2048 characters. When
-        # evaluated, the total size of all mapped attributes must not exceed 8KB. For
-        # AWS providers, if no attribute mapping is defined, the following default
-        # mapping applies: ``` ` "google.subject":"assertion.arn", "attribute.aws_role":
-        # "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('`
-        # account_arn`assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('
-        # assumed-role/`role_name`/')" " : assertion.arn", ` ``` If any custom attribute
-        # mappings are defined, they must include a mapping to the `google.subject`
-        # attribute. For OIDC providers, you must supply a custom mapping, which must
-        # include the `google.subject` attribute. For example, the following maps the `
-        # sub` claim of the incoming credential to the `subject` attribute on a Google
-        # token: ``` `"google.subject": "assertion.sub"` ```
+        # Optional. Maps attributes from authentication credentials issued by an
+        # external identity provider to Google Cloud attributes, such as `subject` and `
+        # segment`. Each key must be a string specifying the Google Cloud IAM attribute
+        # to map to. The following keys are supported: * `google.subject`: The principal
+        # IAM is authenticating. You can reference this value in IAM bindings. This is
+        # also the subject that appears in Cloud Logging logs. Cannot exceed 127 bytes. *
+        # `google.groups`: Groups the external identity belongs to. You can grant
+        # groups access to resources using an IAM `principalSet` binding; access applies
+        # to all members of the group. You can also provide custom attributes by
+        # specifying `attribute.`custom_attribute``, where ``custom_attribute`` is the
+        # name of the custom attribute to be mapped. You can define a maximum of 50
+        # custom attributes. The maximum length of a mapped attribute key is 100
+        # characters, and the key may only contain the characters [a-z0-9_]. You can
+        # reference these attributes in IAM policies to define fine-grained access for a
+        # workload to Google Cloud resources. For example: * `google.subject`: `
+        # principal://iam.googleapis.com/projects/`project`/locations/`location`/
+        # workloadIdentityPools/`pool`/subject/`value`` * `google.groups`: `principalSet:
+        # //iam.googleapis.com/projects/`project`/locations/`location`/
+        # workloadIdentityPools/`pool`/group/`value`` * `attribute.`custom_attribute``: `
+        # principalSet://iam.googleapis.com/projects/`project`/locations/`location`/
+        # workloadIdentityPools/`pool`/attribute.`custom_attribute`/`value`` Each value
+        # must be a [Common Expression Language] (https://opensource.google/projects/cel)
+        # function that maps an identity provider credential to the normalized
+        # attribute specified by the corresponding map key. You can use the `assertion`
+        # keyword in the expression to access a JSON representation of the
+        # authentication credential issued by the provider. The maximum length of an
+        # attribute mapping expression is 2048 characters. When evaluated, the total
+        # size of all mapped attributes must not exceed 8KB. For AWS providers, if no
+        # attribute mapping is defined, the following default mapping applies: ``` ` "
+        # google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains(
+        # 'assumed-role')" " ? assertion.arn.extract('`account_arn`assumed-role/')" " + '
+        # assumed-role/'" " + assertion.arn.extract('assumed-role/`role_name`/')" " :
+        # assertion.arn", ` ``` If any custom attribute mappings are defined, they must
+        # include a mapping to the `google.subject` attribute. For OIDC providers, you
+        # must supply a custom mapping, which must include the `google.subject`
+        # attribute. For example, the following maps the `sub` claim of the incoming
+        # credential to the `subject` attribute on a Google token: ``` `"google.subject":
+        # "assertion.sub"` ```
         # Corresponds to the JSON property `attributeMapping`
         # @return [Hash<String,String>]
         attr_accessor :attribute_mapping
@@ -2017,23 +3732,29 @@ module Google
         # @return [Google::Apis::IamV1::Aws]
         attr_accessor :aws
-        # A description for the provider. Cannot exceed 256 characters.
+        # Optional. A description for the provider. Cannot exceed 256 characters.
         # Corresponds to the JSON property `description`
         # @return [String]
         attr_accessor :description
-        # Whether the provider is disabled. You cannot use a disabled provider to
-        # exchange tokens. However, existing tokens still grant access.
+        # Optional. Whether the provider is disabled. You cannot use a disabled provider
+        # to exchange tokens. However, existing tokens still grant access.
         # Corresponds to the JSON property `disabled`
         # @return [Boolean]
         attr_accessor :disabled
         alias_method :disabled?, :disabled
-        # A display name for the provider. Cannot exceed 32 characters.
+        # Optional. A display name for the provider. Cannot exceed 32 characters.
         # Corresponds to the JSON property `displayName`
         # @return [String]
         attr_accessor :display_name
+        # Output only. Time after which the workload identity pool provider will be
+        # permanently purged and cannot be recovered.
+        # Corresponds to the JSON property `expireTime`
+        # @return [String]
+        attr_accessor :expire_time
         # Output only. The resource name of the provider.
         # Corresponds to the JSON property `name`
         # @return [String]
@@ -2054,6 +3775,12 @@ module Google
         # @return [String]
         attr_accessor :state
+        # An X.509-type identity provider represents a CA. It is trusted to assert a
+        # client identity if the client has a certificate that chains up to this CA.
+        # Corresponds to the JSON property `x509`
+        # @return [Google::Apis::IamV1::X509]
+        attr_accessor :x509
         def initialize(**args)
            update!(**args)
         end
@@ -2066,10 +3793,81 @@ module Google
           @description = args[:description] if args.key?(:description)
           @disabled = args[:disabled] if args.key?(:disabled)
           @display_name = args[:display_name] if args.key?(:display_name)
+          @expire_time = args[:expire_time] if args.key?(:expire_time)
           @name = args[:name] if args.key?(:name)
           @oidc = args[:oidc] if args.key?(:oidc)
           @saml = args[:saml] if args.key?(:saml)
           @state = args[:state] if args.key?(:state)
+          @x509 = args[:x509] if args.key?(:x509)
+        end
+      end
+      # Represents a public key configuration for your workload identity pool provider.
+      # The key can be configured in your identity provider to encrypt the SAML
+      # assertions. Google holds the corresponding private key which it uses to
+      # decrypt encrypted tokens.
+      class WorkloadIdentityPoolProviderKey
+        include Google::Apis::Core::Hashable
+        # Output only. Time after which the key will be permanently purged and cannot be
+        # recovered. Note that the key may get purged before this timestamp if the total
+        # limit of keys per provider is crossed.
+        # Corresponds to the JSON property `expireTime`
+        # @return [String]
+        attr_accessor :expire_time
+        # Represents a public key data along with its format.
+        # Corresponds to the JSON property `keyData`
+        # @return [Google::Apis::IamV1::KeyData]
+        attr_accessor :key_data
+        # Output only. The resource name of the key.
+        # Corresponds to the JSON property `name`
+        # @return [String]
+        attr_accessor :name
+        # Output only. The state of the key.
+        # Corresponds to the JSON property `state`
+        # @return [String]
+        attr_accessor :state
+        # Required. The purpose of the key.
+        # Corresponds to the JSON property `use`
+        # @return [String]
+        attr_accessor :use
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @expire_time = args[:expire_time] if args.key?(:expire_time)
+          @key_data = args[:key_data] if args.key?(:key_data)
+          @name = args[:name] if args.key?(:name)
+          @state = args[:state] if args.key?(:state)
+          @use = args[:use] if args.key?(:use)
+        end
+      end
+      # An X.509-type identity provider represents a CA. It is trusted to assert a
+      # client identity if the client has a certificate that chains up to this CA.
+      class X509
+        include Google::Apis::Core::Hashable
+        # Trust store that contains trust anchors and optional intermediate CAs used in
+        # PKI to build a trust chain(trust hierarchy) and verify a client's identity.
+        # Corresponds to the JSON property `trustStore`
+        # @return [Google::Apis::IamV1::TrustStore]
+        attr_accessor :trust_store
+        def initialize(**args)
+           update!(**args)
+        end
+        # Update properties of this object
+        def update!(**args)
+          @trust_store = args[:trust_store] if args.key?(:trust_store)
         end
       end
     end