google-apis-iam_v1 0.36.0 → 0.72.0

data/lib/google/apis/iam_v1/service.rb

@@ -22,9 +22,11 @@ module Google
     module IamV1
       # Identity and Access Management (IAM) API
       #
-      # Manages identity and access control for Google Cloud Platform resources,
-      #  including the creation of service accounts, which you can use to authenticate
-      #  to Google and make API calls.
+      # Manages identity and access control for Google Cloud resources, including the
+      #  creation of service accounts, which you can use to authenticate to Google and
+      #  make API calls. Enabling this API also enables the IAM Service Account
+      #  Credentials API (iamcredentials.googleapis.com). However, disabling this API
+      #  doesn't disable the IAM Service Account Credentials API.
       #
       # @example
       #    require 'google/apis/iam_v1'
@@ -34,6 +36,8 @@ module Google
       #
       # @see https://cloud.google.com/iam/
       class IamService < Google::Apis::Core::BaseService
+        DEFAULT_ENDPOINT_TEMPLATE = "https://iam.$UNIVERSE_DOMAIN$/"
+
         # @return [String]
         #  API key. Your API key identifies your project and provides you with API access,
         #  quota, and reports. Required unless you provide an OAuth 2.0 token.
@@ -45,7 +49,7 @@ module Google
         attr_accessor :quota_user
 
         def initialize
-          super('https://iam.googleapis.com/', '',
+          super(DEFAULT_ENDPOINT_TEMPLATE, '',
                 client_name: 'google-apis-iam_v1',
                 client_version: Google::Apis::IamV1::GEM_VERSION)
           @batch_path = 'batch'
@@ -116,10 +120,17 @@ module Google
           execute_or_queue_command(command, &block)
         end
         
-        # Gets the latest state of a long-running operation. Clients can use this method
-        # to poll the operation result at intervals as recommended by the API service.
-        # @param [String] name
-        #   The name of the operation resource.
+        # Creates a new WorkforcePool. You cannot reuse the name of a deleted pool until
+        # 30 days after deletion.
+        # @param [String] location
+        #   Optional. The location of the pool to create. Format: `locations/`location``.
+        # @param [Google::Apis::IamV1::WorkforcePool] workforce_pool_object
+        # @param [String] workforce_pool_id
+        #   Optional. The ID to use for the pool, which becomes the final component of the
+        #   resource name. The IDs must be a globally unique string of 6 to 63 lowercase
+        #   letters, digits, or hyphens. It must start with a letter, and cannot have a
+        #   trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not
+        #   be specified.
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -137,20 +148,29 @@ module Google
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def get_location_workforce_pool_operation(name, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:get, 'v1/{+name}', options)
+        def create_location_workforce_pool(location, workforce_pool_object = nil, workforce_pool_id: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+location}/workforcePools', options)
+          command.request_representation = Google::Apis::IamV1::WorkforcePool::Representation
+          command.request_object = workforce_pool_object
           command.response_representation = Google::Apis::IamV1::Operation::Representation
           command.response_class = Google::Apis::IamV1::Operation
-          command.params['name'] = name unless name.nil?
+          command.params['location'] = location unless location.nil?
+          command.query['workforcePoolId'] = workforce_pool_id unless workforce_pool_id.nil?
           command.query['fields'] = fields unless fields.nil?
           command.query['quotaUser'] = quota_user unless quota_user.nil?
           execute_or_queue_command(command, &block)
         end
         
-        # Gets the latest state of a long-running operation. Clients can use this method
-        # to poll the operation result at intervals as recommended by the API service.
+        # Deletes a WorkforcePool. You cannot use a deleted WorkforcePool to exchange
+        # external credentials for Google Cloud credentials. However, deletion does not
+        # revoke credentials that have already been issued. Credentials issued for a
+        # deleted pool do not grant access to resources. If the pool is undeleted, and
+        # the credentials are not expired, they grant access again. You can undelete a
+        # pool for 30 days. After 30 days, deletion is permanent. You cannot update
+        # deleted pools. However, you can view and list them.
         # @param [String] name
-        #   The name of the operation resource.
+        #   Required. The name of the pool to delete. Format: `locations/`location`/
+        #   workforcePools/`workforce_pool_id``
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -168,8 +188,8 @@ module Google
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def get_location_workforce_pool_provider_key_operation(name, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:get, 'v1/{+name}', options)
+        def delete_location_workforce_pool(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:delete, 'v1/{+name}', options)
           command.response_representation = Google::Apis::IamV1::Operation::Representation
           command.response_class = Google::Apis::IamV1::Operation
           command.params['name'] = name unless name.nil?
@@ -178,10 +198,10 @@ module Google
           execute_or_queue_command(command, &block)
         end
         
-        # Gets the latest state of a long-running operation. Clients can use this method
-        # to poll the operation result at intervals as recommended by the API service.
+        # Gets an individual WorkforcePool.
         # @param [String] name
-        #   The name of the operation resource.
+        #   Required. The name of the pool to retrieve. Format: `locations/`location`/
+        #   workforcePools/`workforce_pool_id``
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -191,28 +211,30 @@ module Google
         #   Request-specific options
         #
         # @yield [result, err] Result & error if block supplied
-        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam result [Google::Apis::IamV1::WorkforcePool] parsed result object
         # @yieldparam err [StandardError] error object if request failed
         #
-        # @return [Google::Apis::IamV1::Operation]
+        # @return [Google::Apis::IamV1::WorkforcePool]
         #
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def get_location_workforce_pool_provider_operation(name, fields: nil, quota_user: nil, options: nil, &block)
+        def get_location_workforce_pool(name, fields: nil, quota_user: nil, options: nil, &block)
           command = make_simple_command(:get, 'v1/{+name}', options)
-          command.response_representation = Google::Apis::IamV1::Operation::Representation
-          command.response_class = Google::Apis::IamV1::Operation
+          command.response_representation = Google::Apis::IamV1::WorkforcePool::Representation
+          command.response_class = Google::Apis::IamV1::WorkforcePool
           command.params['name'] = name unless name.nil?
           command.query['fields'] = fields unless fields.nil?
           command.query['quotaUser'] = quota_user unless quota_user.nil?
           execute_or_queue_command(command, &block)
         end
         
-        # Gets the latest state of a long-running operation. Clients can use this method
-        # to poll the operation result at intervals as recommended by the API service.
-        # @param [String] name
-        #   The name of the operation resource.
+        # Gets IAM policies on a WorkforcePool.
+        # @param [String] resource
+        #   REQUIRED: The resource for which the policy is being requested. See [Resource
+        #   names](https://cloud.google.com/apis/design/resource_names) for the
+        #   appropriate value for this field.
+        # @param [Google::Apis::IamV1::GetIamPolicyRequest] get_iam_policy_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -222,42 +244,42 @@ module Google
         #   Request-specific options
         #
         # @yield [result, err] Result & error if block supplied
-        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam result [Google::Apis::IamV1::Policy] parsed result object
         # @yieldparam err [StandardError] error object if request failed
         #
-        # @return [Google::Apis::IamV1::Operation]
+        # @return [Google::Apis::IamV1::Policy]
         #
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def get_location_workforce_pool_subject_operation(name, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:get, 'v1/{+name}', options)
-          command.response_representation = Google::Apis::IamV1::Operation::Representation
-          command.response_class = Google::Apis::IamV1::Operation
-          command.params['name'] = name unless name.nil?
+        def get_workforce_pool_iam_policy(resource, get_iam_policy_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+resource}:getIamPolicy', options)
+          command.request_representation = Google::Apis::IamV1::GetIamPolicyRequest::Representation
+          command.request_object = get_iam_policy_request_object
+          command.response_representation = Google::Apis::IamV1::Policy::Representation
+          command.response_class = Google::Apis::IamV1::Policy
+          command.params['resource'] = resource unless resource.nil?
           command.query['fields'] = fields unless fields.nil?
           command.query['quotaUser'] = quota_user unless quota_user.nil?
           execute_or_queue_command(command, &block)
         end
         
-        # Creates a new custom Role.
+        # Lists all non-deleted WorkforcePools under the specified parent. If `
+        # show_deleted` is set to `true`, then deleted pools are also listed.
+        # @param [String] location
+        #   The location of the pool. Format: `locations/`location``.
+        # @param [Fixnum] page_size
+        #   The maximum number of pools to return. If unspecified, at most 50 pools will
+        #   be returned. The maximum value is 1000; values above 1000 are truncated to
+        #   1000.
+        # @param [String] page_token
+        #   A page token, received from a previous `ListWorkforcePools` call. Provide this
+        #   to retrieve the subsequent page.
         # @param [String] parent
-        #   The `parent` parameter's value depends on the target resource for the request,
-        #   namely [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.
-        #   roles) or [`organizations`](https://cloud.google.com/iam/reference/rest/v1/
-        #   organizations.roles). Each resource type's `parent` value format is described
-        #   below: * [`projects.roles.create()`](https://cloud.google.com/iam/reference/
-        #   rest/v1/projects.roles/create): `projects/`PROJECT_ID``. This method creates
-        #   project-level [custom roles](https://cloud.google.com/iam/docs/understanding-
-        #   custom-roles). Example request URL: `https://iam.googleapis.com/v1/projects/`
-        #   PROJECT_ID`/roles` * [`organizations.roles.create()`](https://cloud.google.com/
-        #   iam/reference/rest/v1/organizations.roles/create): `organizations/`
-        #   ORGANIZATION_ID``. This method creates organization-level [custom roles](https:
-        #   //cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `
-        #   https://iam.googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles` Note:
-        #   Wildcard (*) values are invalid; you must specify a complete project ID or
-        #   organization ID.
-        # @param [Google::Apis::IamV1::CreateRoleRequest] create_role_request_object
+        #   Required. The parent resource to list pools for. Format: `organizations/`org-
+        #   id``.
+        # @param [Boolean] show_deleted
+        #   Whether to return soft-deleted pools.
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -267,54 +289,35 @@ module Google
         #   Request-specific options
         #
         # @yield [result, err] Result & error if block supplied
-        # @yieldparam result [Google::Apis::IamV1::Role] parsed result object
+        # @yieldparam result [Google::Apis::IamV1::ListWorkforcePoolsResponse] parsed result object
         # @yieldparam err [StandardError] error object if request failed
         #
-        # @return [Google::Apis::IamV1::Role]
+        # @return [Google::Apis::IamV1::ListWorkforcePoolsResponse]
         #
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def create_organization_role(parent, create_role_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:post, 'v1/{+parent}/roles', options)
-          command.request_representation = Google::Apis::IamV1::CreateRoleRequest::Representation
-          command.request_object = create_role_request_object
-          command.response_representation = Google::Apis::IamV1::Role::Representation
-          command.response_class = Google::Apis::IamV1::Role
-          command.params['parent'] = parent unless parent.nil?
+        def list_location_workforce_pools(location, page_size: nil, page_token: nil, parent: nil, show_deleted: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+location}/workforcePools', options)
+          command.response_representation = Google::Apis::IamV1::ListWorkforcePoolsResponse::Representation
+          command.response_class = Google::Apis::IamV1::ListWorkforcePoolsResponse
+          command.params['location'] = location unless location.nil?
+          command.query['pageSize'] = page_size unless page_size.nil?
+          command.query['pageToken'] = page_token unless page_token.nil?
+          command.query['parent'] = parent unless parent.nil?
+          command.query['showDeleted'] = show_deleted unless show_deleted.nil?
           command.query['fields'] = fields unless fields.nil?
           command.query['quotaUser'] = quota_user unless quota_user.nil?
           execute_or_queue_command(command, &block)
         end
         
-        # Deletes a custom Role. When you delete a custom role, the following changes
-        # occur immediately: * You cannot bind a principal to the custom role in an IAM
-        # Policy. * Existing bindings to the custom role are not changed, but they have
-        # no effect. * By default, the response from ListRoles does not include the
-        # custom role. You have 7 days to undelete the custom role. After 7 days, the
-        # following changes occur: * The custom role is permanently deleted and cannot
-        # be recovered. * If an IAM policy contains a binding to the custom role, the
-        # binding is permanently removed.
+        # Updates an existing WorkforcePool.
         # @param [String] name
-        #   The `name` parameter's value depends on the target resource for the request,
-        #   namely [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.
-        #   roles) or [`organizations`](https://cloud.google.com/iam/reference/rest/v1/
-        #   organizations.roles). Each resource type's `name` value format is described
-        #   below: * [`projects.roles.delete()`](https://cloud.google.com/iam/reference/
-        #   rest/v1/projects.roles/delete): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID``.
-        #   This method deletes only [custom roles](https://cloud.google.com/iam/docs/
-        #   understanding-custom-roles) that have been created at the project level.
-        #   Example request URL: `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/
-        #   roles/`CUSTOM_ROLE_ID`` * [`organizations.roles.delete()`](https://cloud.
-        #   google.com/iam/reference/rest/v1/organizations.roles/delete): `organizations/`
-        #   ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID``. This method deletes only [custom
-        #   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have
-        #   been created at the organization level. Example request URL: `https://iam.
-        #   googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID`` Note:
-        #   Wildcard (*) values are invalid; you must specify a complete project ID or
-        #   organization ID.
-        # @param [String] etag
-        #   Used to perform a consistent read-modify-write.
+        #   Identifier. The resource name of the pool. Format: `locations/`location`/
+        #   workforcePools/`workforce_pool_id``
+        # @param [Google::Apis::IamV1::WorkforcePool] workforce_pool_object
+        # @param [String] update_mask
+        #   Required. The list of fields to update.
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -324,48 +327,33 @@ module Google
         #   Request-specific options
         #
         # @yield [result, err] Result & error if block supplied
-        # @yieldparam result [Google::Apis::IamV1::Role] parsed result object
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
         # @yieldparam err [StandardError] error object if request failed
         #
-        # @return [Google::Apis::IamV1::Role]
+        # @return [Google::Apis::IamV1::Operation]
         #
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def delete_organization_role(name, etag: nil, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:delete, 'v1/{+name}', options)
-          command.response_representation = Google::Apis::IamV1::Role::Representation
-          command.response_class = Google::Apis::IamV1::Role
+        def patch_location_workforce_pool(name, workforce_pool_object = nil, update_mask: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:patch, 'v1/{+name}', options)
+          command.request_representation = Google::Apis::IamV1::WorkforcePool::Representation
+          command.request_object = workforce_pool_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
           command.params['name'] = name unless name.nil?
-          command.query['etag'] = etag unless etag.nil?
+          command.query['updateMask'] = update_mask unless update_mask.nil?
           command.query['fields'] = fields unless fields.nil?
           command.query['quotaUser'] = quota_user unless quota_user.nil?
           execute_or_queue_command(command, &block)
         end
         
-        # Gets the definition of a Role.
-        # @param [String] name
-        #   The `name` parameter's value depends on the target resource for the request,
-        #   namely [`roles`](https://cloud.google.com/iam/reference/rest/v1/roles), [`
-        #   projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles), or [
-        #   `organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.
-        #   roles). Each resource type's `name` value format is described below: * [`roles.
-        #   get()`](https://cloud.google.com/iam/reference/rest/v1/roles/get): `roles/`
-        #   ROLE_NAME``. This method returns results from all [predefined roles](https://
-        #   cloud.google.com/iam/docs/understanding-roles#predefined_roles) in Cloud IAM.
-        #   Example request URL: `https://iam.googleapis.com/v1/roles/`ROLE_NAME`` * [`
-        #   projects.roles.get()`](https://cloud.google.com/iam/reference/rest/v1/projects.
-        #   roles/get): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID``. This method
-        #   returns only [custom roles](https://cloud.google.com/iam/docs/understanding-
-        #   custom-roles) that have been created at the project level. Example request URL:
-        #   `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID`` *
-        #   [`organizations.roles.get()`](https://cloud.google.com/iam/reference/rest/v1/
-        #   organizations.roles/get): `organizations/`ORGANIZATION_ID`/roles/`
-        #   CUSTOM_ROLE_ID``. This method returns only [custom roles](https://cloud.google.
-        #   com/iam/docs/understanding-custom-roles) that have been created at the
-        #   organization level. Example request URL: `https://iam.googleapis.com/v1/
-        #   organizations/`ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID`` Note: Wildcard (*)
-        #   values are invalid; you must specify a complete project ID or organization ID.
+        # Sets IAM policies on a WorkforcePool.
+        # @param [String] resource
+        #   REQUIRED: The resource for which the policy is being specified. See [Resource
+        #   names](https://cloud.google.com/apis/design/resource_names) for the
+        #   appropriate value for this field.
+        # @param [Google::Apis::IamV1::SetIamPolicyRequest] set_iam_policy_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -375,59 +363,34 @@ module Google
         #   Request-specific options
         #
         # @yield [result, err] Result & error if block supplied
-        # @yieldparam result [Google::Apis::IamV1::Role] parsed result object
+        # @yieldparam result [Google::Apis::IamV1::Policy] parsed result object
         # @yieldparam err [StandardError] error object if request failed
         #
-        # @return [Google::Apis::IamV1::Role]
+        # @return [Google::Apis::IamV1::Policy]
         #
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def get_organization_role(name, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:get, 'v1/{+name}', options)
-          command.response_representation = Google::Apis::IamV1::Role::Representation
-          command.response_class = Google::Apis::IamV1::Role
-          command.params['name'] = name unless name.nil?
+        def set_workforce_pool_iam_policy(resource, set_iam_policy_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+resource}:setIamPolicy', options)
+          command.request_representation = Google::Apis::IamV1::SetIamPolicyRequest::Representation
+          command.request_object = set_iam_policy_request_object
+          command.response_representation = Google::Apis::IamV1::Policy::Representation
+          command.response_class = Google::Apis::IamV1::Policy
+          command.params['resource'] = resource unless resource.nil?
           command.query['fields'] = fields unless fields.nil?
           command.query['quotaUser'] = quota_user unless quota_user.nil?
           execute_or_queue_command(command, &block)
         end
         
-        # Lists every predefined Role that IAM supports, or every custom role that is
-        # defined for an organization or project.
-        # @param [String] parent
-        #   The `parent` parameter's value depends on the target resource for the request,
-        #   namely [`roles`](https://cloud.google.com/iam/reference/rest/v1/roles), [`
-        #   projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles), or [
-        #   `organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.
-        #   roles). Each resource type's `parent` value format is described below: * [`
-        #   roles.list()`](https://cloud.google.com/iam/reference/rest/v1/roles/list): An
-        #   empty string. This method doesn't require a resource; it simply returns all [
-        #   predefined roles](https://cloud.google.com/iam/docs/understanding-roles#
-        #   predefined_roles) in Cloud IAM. Example request URL: `https://iam.googleapis.
-        #   com/v1/roles` * [`projects.roles.list()`](https://cloud.google.com/iam/
-        #   reference/rest/v1/projects.roles/list): `projects/`PROJECT_ID``. This method
-        #   lists all project-level [custom roles](https://cloud.google.com/iam/docs/
-        #   understanding-custom-roles). Example request URL: `https://iam.googleapis.com/
-        #   v1/projects/`PROJECT_ID`/roles` * [`organizations.roles.list()`](https://cloud.
-        #   google.com/iam/reference/rest/v1/organizations.roles/list): `organizations/`
-        #   ORGANIZATION_ID``. This method lists all organization-level [custom roles](
-        #   https://cloud.google.com/iam/docs/understanding-custom-roles). Example request
-        #   URL: `https://iam.googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles`
-        #   Note: Wildcard (*) values are invalid; you must specify a complete project ID
-        #   or organization ID.
-        # @param [Fixnum] page_size
-        #   Optional limit on the number of roles to include in the response. The default
-        #   is 300, and the maximum is 1,000.
-        # @param [String] page_token
-        #   Optional pagination token returned in an earlier ListRolesResponse.
-        # @param [Boolean] show_deleted
-        #   Include Roles that have been deleted.
-        # @param [String] view
-        #   Optional view for the returned Role objects. When `FULL` is specified, the `
-        #   includedPermissions` field is returned, which includes a list of all
-        #   permissions in the role. The default value is `BASIC`, which does not return
-        #   the `includedPermissions` field.
+        # Returns the caller's permissions on the WorkforcePool. If the pool doesn't
+        # exist, this call returns an empty set of permissions. It doesn't return a `
+        # NOT_FOUND` error.
+        # @param [String] resource
+        #   REQUIRED: The resource for which the policy detail is being requested. See [
+        #   Resource names](https://cloud.google.com/apis/design/resource_names) for the
+        #   appropriate value for this field.
+        # @param [Google::Apis::IamV1::TestIamPermissionsRequest] test_iam_permissions_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -437,50 +400,31 @@ module Google
         #   Request-specific options
         #
         # @yield [result, err] Result & error if block supplied
-        # @yieldparam result [Google::Apis::IamV1::ListRolesResponse] parsed result object
+        # @yieldparam result [Google::Apis::IamV1::TestIamPermissionsResponse] parsed result object
         # @yieldparam err [StandardError] error object if request failed
         #
-        # @return [Google::Apis::IamV1::ListRolesResponse]
+        # @return [Google::Apis::IamV1::TestIamPermissionsResponse]
         #
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def list_organization_roles(parent, page_size: nil, page_token: nil, show_deleted: nil, view: nil, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:get, 'v1/{+parent}/roles', options)
-          command.response_representation = Google::Apis::IamV1::ListRolesResponse::Representation
-          command.response_class = Google::Apis::IamV1::ListRolesResponse
-          command.params['parent'] = parent unless parent.nil?
-          command.query['pageSize'] = page_size unless page_size.nil?
-          command.query['pageToken'] = page_token unless page_token.nil?
-          command.query['showDeleted'] = show_deleted unless show_deleted.nil?
-          command.query['view'] = view unless view.nil?
+        def test_workforce_pool_iam_permissions(resource, test_iam_permissions_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+resource}:testIamPermissions', options)
+          command.request_representation = Google::Apis::IamV1::TestIamPermissionsRequest::Representation
+          command.request_object = test_iam_permissions_request_object
+          command.response_representation = Google::Apis::IamV1::TestIamPermissionsResponse::Representation
+          command.response_class = Google::Apis::IamV1::TestIamPermissionsResponse
+          command.params['resource'] = resource unless resource.nil?
           command.query['fields'] = fields unless fields.nil?
           command.query['quotaUser'] = quota_user unless quota_user.nil?
           execute_or_queue_command(command, &block)
         end
         
-        # Updates the definition of a custom Role.
+        # Undeletes a WorkforcePool, as long as it was deleted fewer than 30 days ago.
         # @param [String] name
-        #   The `name` parameter's value depends on the target resource for the request,
-        #   namely [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.
-        #   roles) or [`organizations`](https://cloud.google.com/iam/reference/rest/v1/
-        #   organizations.roles). Each resource type's `name` value format is described
-        #   below: * [`projects.roles.patch()`](https://cloud.google.com/iam/reference/
-        #   rest/v1/projects.roles/patch): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID``.
-        #   This method updates only [custom roles](https://cloud.google.com/iam/docs/
-        #   understanding-custom-roles) that have been created at the project level.
-        #   Example request URL: `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/
-        #   roles/`CUSTOM_ROLE_ID`` * [`organizations.roles.patch()`](https://cloud.google.
-        #   com/iam/reference/rest/v1/organizations.roles/patch): `organizations/`
-        #   ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID``. This method updates only [custom
-        #   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have
-        #   been created at the organization level. Example request URL: `https://iam.
-        #   googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID`` Note:
-        #   Wildcard (*) values are invalid; you must specify a complete project ID or
-        #   organization ID.
-        # @param [Google::Apis::IamV1::Role] role_object
-        # @param [String] update_mask
-        #   A mask describing which fields in the Role have changed.
+        #   Required. The name of the pool to undelete. Format: `locations/`location`/
+        #   workforcePools/`workforce_pool_id``
+        # @param [Google::Apis::IamV1::UndeleteWorkforcePoolRequest] undelete_workforce_pool_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -490,47 +434,30 @@ module Google
         #   Request-specific options
         #
         # @yield [result, err] Result & error if block supplied
-        # @yieldparam result [Google::Apis::IamV1::Role] parsed result object
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
         # @yieldparam err [StandardError] error object if request failed
         #
-        # @return [Google::Apis::IamV1::Role]
+        # @return [Google::Apis::IamV1::Operation]
         #
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def patch_organization_role(name, role_object = nil, update_mask: nil, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:patch, 'v1/{+name}', options)
-          command.request_representation = Google::Apis::IamV1::Role::Representation
-          command.request_object = role_object
-          command.response_representation = Google::Apis::IamV1::Role::Representation
-          command.response_class = Google::Apis::IamV1::Role
+        def undelete_workforce_pool(name, undelete_workforce_pool_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+name}:undelete', options)
+          command.request_representation = Google::Apis::IamV1::UndeleteWorkforcePoolRequest::Representation
+          command.request_object = undelete_workforce_pool_request_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
           command.params['name'] = name unless name.nil?
-          command.query['updateMask'] = update_mask unless update_mask.nil?
           command.query['fields'] = fields unless fields.nil?
           command.query['quotaUser'] = quota_user unless quota_user.nil?
           execute_or_queue_command(command, &block)
         end
         
-        # Undeletes a custom Role.
+        # Gets the latest state of a long-running operation. Clients can use this method
+        # to poll the operation result at intervals as recommended by the API service.
         # @param [String] name
-        #   The `name` parameter's value depends on the target resource for the request,
-        #   namely [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.
-        #   roles) or [`organizations`](https://cloud.google.com/iam/reference/rest/v1/
-        #   organizations.roles). Each resource type's `name` value format is described
-        #   below: * [`projects.roles.undelete()`](https://cloud.google.com/iam/reference/
-        #   rest/v1/projects.roles/undelete): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID`
-        #   `. This method undeletes only [custom roles](https://cloud.google.com/iam/docs/
-        #   understanding-custom-roles) that have been created at the project level.
-        #   Example request URL: `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/
-        #   roles/`CUSTOM_ROLE_ID`` * [`organizations.roles.undelete()`](https://cloud.
-        #   google.com/iam/reference/rest/v1/organizations.roles/undelete): `organizations/
-        #   `ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID``. This method undeletes only [custom
-        #   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have
-        #   been created at the organization level. Example request URL: `https://iam.
-        #   googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID`` Note:
-        #   Wildcard (*) values are invalid; you must specify a complete project ID or
-        #   organization ID.
-        # @param [Google::Apis::IamV1::UndeleteRoleRequest] undelete_role_request_object
+        #   The name of the operation resource.
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -540,30 +467,35 @@ module Google
         #   Request-specific options
         #
         # @yield [result, err] Result & error if block supplied
-        # @yieldparam result [Google::Apis::IamV1::Role] parsed result object
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
         # @yieldparam err [StandardError] error object if request failed
         #
-        # @return [Google::Apis::IamV1::Role]
+        # @return [Google::Apis::IamV1::Operation]
         #
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def undelete_organization_role(name, undelete_role_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:post, 'v1/{+name}:undelete', options)
-          command.request_representation = Google::Apis::IamV1::UndeleteRoleRequest::Representation
-          command.request_object = undelete_role_request_object
-          command.response_representation = Google::Apis::IamV1::Role::Representation
-          command.response_class = Google::Apis::IamV1::Role
+        def get_location_workforce_pool_operation(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
           command.params['name'] = name unless name.nil?
           command.query['fields'] = fields unless fields.nil?
           command.query['quotaUser'] = quota_user unless quota_user.nil?
           execute_or_queue_command(command, &block)
         end
         
-        # Lists every permission that you can test on a resource. A permission is
-        # testable if you can check whether a principal has that permission on the
-        # resource.
-        # @param [Google::Apis::IamV1::QueryTestablePermissionsRequest] query_testable_permissions_request_object
+        # Creates a new WorkforcePoolProvider in a WorkforcePool. You cannot reuse the
+        # name of a deleted provider until 30 days after deletion.
+        # @param [String] parent
+        #   Required. The pool to create this provider in. Format: `locations/`location`/
+        #   workforcePools/`workforce_pool_id``
+        # @param [Google::Apis::IamV1::WorkforcePoolProvider] workforce_pool_provider_object
+        # @param [String] workforce_pool_provider_id
+        #   Required. The ID for the provider, which becomes the final component of the
+        #   resource name. This value must be 4-32 characters, and may contain the
+        #   characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may
+        #   not be specified.
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -573,36 +505,1900 @@ module Google
         #   Request-specific options
         #
         # @yield [result, err] Result & error if block supplied
-        # @yieldparam result [Google::Apis::IamV1::QueryTestablePermissionsResponse] parsed result object
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
         # @yieldparam err [StandardError] error object if request failed
         #
-        # @return [Google::Apis::IamV1::QueryTestablePermissionsResponse]
+        # @return [Google::Apis::IamV1::Operation]
         #
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def query_testable_permissions(query_testable_permissions_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:post, 'v1/permissions:queryTestablePermissions', options)
-          command.request_representation = Google::Apis::IamV1::QueryTestablePermissionsRequest::Representation
-          command.request_object = query_testable_permissions_request_object
-          command.response_representation = Google::Apis::IamV1::QueryTestablePermissionsResponse::Representation
-          command.response_class = Google::Apis::IamV1::QueryTestablePermissionsResponse
-          command.query['fields'] = fields unless fields.nil?
-          command.query['quotaUser'] = quota_user unless quota_user.nil?
-          execute_or_queue_command(command, &block)
+        def create_location_workforce_pool_provider(parent, workforce_pool_provider_object = nil, workforce_pool_provider_id: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+parent}/providers', options)
+          command.request_representation = Google::Apis::IamV1::WorkforcePoolProvider::Representation
+          command.request_object = workforce_pool_provider_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['parent'] = parent unless parent.nil?
+          command.query['workforcePoolProviderId'] = workforce_pool_provider_id unless workforce_pool_provider_id.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Deletes a WorkforcePoolProvider. Deleting a provider does not revoke
+        # credentials that have already been issued; they continue to grant access. You
+        # can undelete a provider for 30 days. After 30 days, deletion is permanent. You
+        # cannot update deleted providers. However, you can view and list them.
+        # @param [String] name
+        #   Required. The name of the provider to delete. Format: `locations/`location`/
+        #   workforcePools/`workforce_pool_id`/providers/`provider_id``
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def delete_location_workforce_pool_provider(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:delete, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Gets an individual WorkforcePoolProvider.
+        # @param [String] name
+        #   Required. The name of the provider to retrieve. Format: `locations/`location`/
+        #   workforcePools/`workforce_pool_id`/providers/`provider_id``
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::WorkforcePoolProvider] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::WorkforcePoolProvider]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def get_location_workforce_pool_provider(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::WorkforcePoolProvider::Representation
+          command.response_class = Google::Apis::IamV1::WorkforcePoolProvider
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Lists all non-deleted WorkforcePoolProviders in a WorkforcePool. If `
+        # show_deleted` is set to `true`, then deleted providers are also listed.
+        # @param [String] parent
+        #   Required. The pool to list providers for. Format: `locations/`location`/
+        #   workforcePools/`workforce_pool_id``
+        # @param [Fixnum] page_size
+        #   The maximum number of providers to return. If unspecified, at most 50
+        #   providers are returned. The maximum value is 100; values above 100 are
+        #   truncated to 100.
+        # @param [String] page_token
+        #   A page token, received from a previous `ListWorkforcePoolProviders` call.
+        #   Provide this to retrieve the subsequent page.
+        # @param [Boolean] show_deleted
+        #   Whether to return soft-deleted providers.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::ListWorkforcePoolProvidersResponse] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::ListWorkforcePoolProvidersResponse]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def list_location_workforce_pool_providers(parent, page_size: nil, page_token: nil, show_deleted: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+parent}/providers', options)
+          command.response_representation = Google::Apis::IamV1::ListWorkforcePoolProvidersResponse::Representation
+          command.response_class = Google::Apis::IamV1::ListWorkforcePoolProvidersResponse
+          command.params['parent'] = parent unless parent.nil?
+          command.query['pageSize'] = page_size unless page_size.nil?
+          command.query['pageToken'] = page_token unless page_token.nil?
+          command.query['showDeleted'] = show_deleted unless show_deleted.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Updates an existing WorkforcePoolProvider.
+        # @param [String] name
+        #   Identifier. The resource name of the provider. Format: `locations/`location`/
+        #   workforcePools/`workforce_pool_id`/providers/`provider_id``
+        # @param [Google::Apis::IamV1::WorkforcePoolProvider] workforce_pool_provider_object
+        # @param [String] update_mask
+        #   Required. The list of fields to update.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def patch_location_workforce_pool_provider(name, workforce_pool_provider_object = nil, update_mask: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:patch, 'v1/{+name}', options)
+          command.request_representation = Google::Apis::IamV1::WorkforcePoolProvider::Representation
+          command.request_object = workforce_pool_provider_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['updateMask'] = update_mask unless update_mask.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Undeletes a WorkforcePoolProvider, as long as it was deleted fewer than 30
+        # days ago.
+        # @param [String] name
+        #   Required. The name of the provider to undelete. Format: `locations/`location`/
+        #   workforcePools/`workforce_pool_id`/providers/`provider_id``
+        # @param [Google::Apis::IamV1::UndeleteWorkforcePoolProviderRequest] undelete_workforce_pool_provider_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def undelete_workforce_pool_provider(name, undelete_workforce_pool_provider_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+name}:undelete', options)
+          command.request_representation = Google::Apis::IamV1::UndeleteWorkforcePoolProviderRequest::Representation
+          command.request_object = undelete_workforce_pool_provider_request_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Creates a new WorkforcePoolProviderKey in a WorkforcePoolProvider.
+        # @param [String] parent
+        #   Required. The provider to create this key in.
+        # @param [Google::Apis::IamV1::WorkforcePoolProviderKey] workforce_pool_provider_key_object
+        # @param [String] workforce_pool_provider_key_id
+        #   Required. The ID to use for the key, which becomes the final component of the
+        #   resource name. This value must be 4-32 characters, and may contain the
+        #   characters [a-z0-9-].
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def create_location_workforce_pool_provider_key(parent, workforce_pool_provider_key_object = nil, workforce_pool_provider_key_id: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+parent}/keys', options)
+          command.request_representation = Google::Apis::IamV1::WorkforcePoolProviderKey::Representation
+          command.request_object = workforce_pool_provider_key_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['parent'] = parent unless parent.nil?
+          command.query['workforcePoolProviderKeyId'] = workforce_pool_provider_key_id unless workforce_pool_provider_key_id.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Deletes a WorkforcePoolProviderKey. You can undelete a key for 30 days. After
+        # 30 days, deletion is permanent.
+        # @param [String] name
+        #   Required. The name of the key to delete.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def delete_location_workforce_pool_provider_key(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:delete, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Gets a WorkforcePoolProviderKey.
+        # @param [String] name
+        #   Required. The name of the key to retrieve.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::WorkforcePoolProviderKey] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::WorkforcePoolProviderKey]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def get_location_workforce_pool_provider_key(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::WorkforcePoolProviderKey::Representation
+          command.response_class = Google::Apis::IamV1::WorkforcePoolProviderKey
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Lists all non-deleted WorkforcePoolProviderKeys in a WorkforcePoolProvider. If
+        # `show_deleted` is set to `true`, then deleted keys are also listed.
+        # @param [String] parent
+        #   Required. The provider resource to list encryption keys for. Format: `
+        #   locations/`location`/workforcePools/`workforce_pool_id`/providers/`provider_id`
+        #   `
+        # @param [Fixnum] page_size
+        #   The maximum number of keys to return. If unspecified, all keys are returned.
+        #   The maximum value is 10; values above 10 are truncated to 10.
+        # @param [String] page_token
+        #   A page token, received from a previous `ListWorkforcePoolProviderKeys` call.
+        #   Provide this to retrieve the subsequent page.
+        # @param [Boolean] show_deleted
+        #   Whether to return soft-deleted keys.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::ListWorkforcePoolProviderKeysResponse] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::ListWorkforcePoolProviderKeysResponse]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def list_location_workforce_pool_provider_keys(parent, page_size: nil, page_token: nil, show_deleted: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+parent}/keys', options)
+          command.response_representation = Google::Apis::IamV1::ListWorkforcePoolProviderKeysResponse::Representation
+          command.response_class = Google::Apis::IamV1::ListWorkforcePoolProviderKeysResponse
+          command.params['parent'] = parent unless parent.nil?
+          command.query['pageSize'] = page_size unless page_size.nil?
+          command.query['pageToken'] = page_token unless page_token.nil?
+          command.query['showDeleted'] = show_deleted unless show_deleted.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Undeletes a WorkforcePoolProviderKey, as long as it was deleted fewer than 30
+        # days ago.
+        # @param [String] name
+        #   Required. The name of the key to undelete.
+        # @param [Google::Apis::IamV1::UndeleteWorkforcePoolProviderKeyRequest] undelete_workforce_pool_provider_key_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def undelete_workforce_pool_provider_key(name, undelete_workforce_pool_provider_key_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+name}:undelete', options)
+          command.request_representation = Google::Apis::IamV1::UndeleteWorkforcePoolProviderKeyRequest::Representation
+          command.request_object = undelete_workforce_pool_provider_key_request_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Gets the latest state of a long-running operation. Clients can use this method
+        # to poll the operation result at intervals as recommended by the API service.
+        # @param [String] name
+        #   The name of the operation resource.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def get_location_workforce_pool_provider_key_operation(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Gets the latest state of a long-running operation. Clients can use this method
+        # to poll the operation result at intervals as recommended by the API service.
+        # @param [String] name
+        #   The name of the operation resource.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def get_location_workforce_pool_provider_operation(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Deletes a WorkforcePoolSubject. Subject must not already be in a deleted state.
+        # A WorkforcePoolSubject is automatically created the first time an external
+        # credential is exchanged for a Google Cloud credential using a mapped `google.
+        # subject` attribute. There is no endpoint to manually create a
+        # WorkforcePoolSubject. For 30 days after a WorkforcePoolSubject is deleted,
+        # using the same `google.subject` attribute in token exchanges with Google Cloud
+        # STS fails. Call UndeleteWorkforcePoolSubject to undelete a
+        # WorkforcePoolSubject that has been deleted, within within 30 days of deleting
+        # it. After 30 days, the WorkforcePoolSubject is permanently deleted. At this
+        # point, a token exchange with Google Cloud STS that uses the same mapped `
+        # google.subject` attribute automatically creates a new WorkforcePoolSubject
+        # that is unrelated to the previously deleted WorkforcePoolSubject but has the
+        # same `google.subject` value.
+        # @param [String] name
+        #   Required. The resource name of the WorkforcePoolSubject. Special characters,
+        #   like `/` and `:`, must be escaped, because all URLs need to conform to the "
+        #   When to Escape and Unescape" section of [RFC3986](https://www.ietf.org/rfc/
+        #   rfc2396.txt). Format: `locations/`location`/workforcePools/`workforce_pool_id`/
+        #   subjects/`subject_id``
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def delete_location_workforce_pool_subject(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:delete, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Undeletes a WorkforcePoolSubject, as long as it was deleted fewer than 30 days
+        # ago.
+        # @param [String] name
+        #   Required. The resource name of the WorkforcePoolSubject. Special characters,
+        #   like `/` and `:`, must be escaped, because all URLs need to conform to the "
+        #   When to Escape and Unescape" section of [RFC3986](https://www.ietf.org/rfc/
+        #   rfc2396.txt). Format: `locations/`location`/workforcePools/`workforce_pool_id`/
+        #   subjects/`subject_id``
+        # @param [Google::Apis::IamV1::UndeleteWorkforcePoolSubjectRequest] undelete_workforce_pool_subject_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def undelete_workforce_pool_subject(name, undelete_workforce_pool_subject_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+name}:undelete', options)
+          command.request_representation = Google::Apis::IamV1::UndeleteWorkforcePoolSubjectRequest::Representation
+          command.request_object = undelete_workforce_pool_subject_request_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Gets the latest state of a long-running operation. Clients can use this method
+        # to poll the operation result at intervals as recommended by the API service.
+        # @param [String] name
+        #   The name of the operation resource.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def get_location_workforce_pool_subject_operation(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Creates a new custom Role.
+        # @param [String] parent
+        #   The `parent` parameter's value depends on the target resource for the request,
+        #   namely [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.
+        #   roles) or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   organizations.roles). Each resource type's `parent` value format is described
+        #   below: * [projects.roles.create](https://cloud.google.com/iam/docs/reference/
+        #   rest/v1/projects.roles/create): `projects/`PROJECT_ID``. This method creates
+        #   project-level [custom roles](https://cloud.google.com/iam/docs/understanding-
+        #   custom-roles). Example request URL: `https://iam.googleapis.com/v1/projects/`
+        #   PROJECT_ID`/roles` * [organizations.roles.create](https://cloud.google.com/iam/
+        #   docs/reference/rest/v1/organizations.roles/create): `organizations/`
+        #   ORGANIZATION_ID``. This method creates organization-level [custom roles](https:
+        #   //cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `
+        #   https://iam.googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles` Note:
+        #   Wildcard (*) values are invalid; you must specify a complete project ID or
+        #   organization ID.
+        # @param [Google::Apis::IamV1::CreateRoleRequest] create_role_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Role] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Role]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def create_organization_role(parent, create_role_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+parent}/roles', options)
+          command.request_representation = Google::Apis::IamV1::CreateRoleRequest::Representation
+          command.request_object = create_role_request_object
+          command.response_representation = Google::Apis::IamV1::Role::Representation
+          command.response_class = Google::Apis::IamV1::Role
+          command.params['parent'] = parent unless parent.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Deletes a custom Role. When you delete a custom role, the following changes
+        # occur immediately: * You cannot bind a principal to the custom role in an IAM
+        # Policy. * Existing bindings to the custom role are not changed, but they have
+        # no effect. * By default, the response from ListRoles does not include the
+        # custom role. A deleted custom role still counts toward the [custom role limit](
+        # https://cloud.google.com/iam/help/limits) until it is permanently deleted. You
+        # have 7 days to undelete the custom role. After 7 days, the following changes
+        # occur: * The custom role is permanently deleted and cannot be recovered. * If
+        # an IAM policy contains a binding to the custom role, the binding is
+        # permanently removed. * The custom role no longer counts toward your custom
+        # role limit.
+        # @param [String] name
+        #   The `name` parameter's value depends on the target resource for the request,
+        #   namely [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.
+        #   roles) or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   organizations.roles). Each resource type's `name` value format is described
+        #   below: * [projects.roles.delete](https://cloud.google.com/iam/docs/reference/
+        #   rest/v1/projects.roles/delete): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID``.
+        #   This method deletes only [custom roles](https://cloud.google.com/iam/docs/
+        #   understanding-custom-roles) that have been created at the project level.
+        #   Example request URL: `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/
+        #   roles/`CUSTOM_ROLE_ID`` * [organizations.roles.delete](https://cloud.google.
+        #   com/iam/docs/reference/rest/v1/organizations.roles/delete): `organizations/`
+        #   ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID``. This method deletes only [custom
+        #   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have
+        #   been created at the organization level. Example request URL: `https://iam.
+        #   googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID`` Note:
+        #   Wildcard (*) values are invalid; you must specify a complete project ID or
+        #   organization ID.
+        # @param [String] etag
+        #   Used to perform a consistent read-modify-write.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Role] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Role]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def delete_organization_role(name, etag: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:delete, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Role::Representation
+          command.response_class = Google::Apis::IamV1::Role
+          command.params['name'] = name unless name.nil?
+          command.query['etag'] = etag unless etag.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Gets the definition of a Role.
+        # @param [String] name
+        #   The `name` parameter's value depends on the target resource for the request,
+        #   namely [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [
+        #   projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles),
+        #   or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   organizations.roles). Each resource type's `name` value format is described
+        #   below: * [roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/roles/
+        #   get): `roles/`ROLE_NAME``. This method returns results from all [predefined
+        #   roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles)
+        #   in IAM. Example request URL: `https://iam.googleapis.com/v1/roles/`ROLE_NAME``
+        #   * [projects.roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   projects.roles/get): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID``. This
+        #   method returns only [custom roles](https://cloud.google.com/iam/docs/
+        #   understanding-custom-roles) that have been created at the project level.
+        #   Example request URL: `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/
+        #   roles/`CUSTOM_ROLE_ID`` * [organizations.roles.get](https://cloud.google.com/
+        #   iam/docs/reference/rest/v1/organizations.roles/get): `organizations/`
+        #   ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID``. This method returns only [custom
+        #   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have
+        #   been created at the organization level. Example request URL: `https://iam.
+        #   googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID`` Note:
+        #   Wildcard (*) values are invalid; you must specify a complete project ID or
+        #   organization ID.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Role] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Role]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def get_organization_role(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Role::Representation
+          command.response_class = Google::Apis::IamV1::Role
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Lists every predefined Role that IAM supports, or every custom role that is
+        # defined for an organization or project.
+        # @param [String] parent
+        #   The `parent` parameter's value depends on the target resource for the request,
+        #   namely [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [
+        #   projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles),
+        #   or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   organizations.roles). Each resource type's `parent` value format is described
+        #   below: * [roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   roles/list): An empty string. This method doesn't require a resource; it
+        #   simply returns all [predefined roles](https://cloud.google.com/iam/docs/
+        #   understanding-roles#predefined_roles) in IAM. Example request URL: `https://
+        #   iam.googleapis.com/v1/roles` * [projects.roles.list](https://cloud.google.com/
+        #   iam/docs/reference/rest/v1/projects.roles/list): `projects/`PROJECT_ID``. This
+        #   method lists all project-level [custom roles](https://cloud.google.com/iam/
+        #   docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.
+        #   com/v1/projects/`PROJECT_ID`/roles` * [organizations.roles.list](https://cloud.
+        #   google.com/iam/docs/reference/rest/v1/organizations.roles/list): `
+        #   organizations/`ORGANIZATION_ID``. This method lists all organization-level [
+        #   custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
+        #   Example request URL: `https://iam.googleapis.com/v1/organizations/`
+        #   ORGANIZATION_ID`/roles` Note: Wildcard (*) values are invalid; you must
+        #   specify a complete project ID or organization ID.
+        # @param [Fixnum] page_size
+        #   Optional limit on the number of roles to include in the response. The default
+        #   is 300, and the maximum is 1,000.
+        # @param [String] page_token
+        #   Optional pagination token returned in an earlier ListRolesResponse.
+        # @param [Boolean] show_deleted
+        #   Include Roles that have been deleted.
+        # @param [String] view
+        #   Optional view for the returned Role objects. When `FULL` is specified, the `
+        #   includedPermissions` field is returned, which includes a list of all
+        #   permissions in the role. The default value is `BASIC`, which does not return
+        #   the `includedPermissions` field.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::ListRolesResponse] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::ListRolesResponse]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def list_organization_roles(parent, page_size: nil, page_token: nil, show_deleted: nil, view: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+parent}/roles', options)
+          command.response_representation = Google::Apis::IamV1::ListRolesResponse::Representation
+          command.response_class = Google::Apis::IamV1::ListRolesResponse
+          command.params['parent'] = parent unless parent.nil?
+          command.query['pageSize'] = page_size unless page_size.nil?
+          command.query['pageToken'] = page_token unless page_token.nil?
+          command.query['showDeleted'] = show_deleted unless show_deleted.nil?
+          command.query['view'] = view unless view.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Updates the definition of a custom Role.
+        # @param [String] name
+        #   The `name` parameter's value depends on the target resource for the request,
+        #   namely [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.
+        #   roles) or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   organizations.roles). Each resource type's `name` value format is described
+        #   below: * [projects.roles.patch](https://cloud.google.com/iam/docs/reference/
+        #   rest/v1/projects.roles/patch): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID``.
+        #   This method updates only [custom roles](https://cloud.google.com/iam/docs/
+        #   understanding-custom-roles) that have been created at the project level.
+        #   Example request URL: `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/
+        #   roles/`CUSTOM_ROLE_ID`` * [organizations.roles.patch](https://cloud.google.com/
+        #   iam/docs/reference/rest/v1/organizations.roles/patch): `organizations/`
+        #   ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID``. This method updates only [custom
+        #   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have
+        #   been created at the organization level. Example request URL: `https://iam.
+        #   googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID`` Note:
+        #   Wildcard (*) values are invalid; you must specify a complete project ID or
+        #   organization ID.
+        # @param [Google::Apis::IamV1::Role] role_object
+        # @param [String] update_mask
+        #   A mask describing which fields in the Role have changed.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Role] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Role]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def patch_organization_role(name, role_object = nil, update_mask: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:patch, 'v1/{+name}', options)
+          command.request_representation = Google::Apis::IamV1::Role::Representation
+          command.request_object = role_object
+          command.response_representation = Google::Apis::IamV1::Role::Representation
+          command.response_class = Google::Apis::IamV1::Role
+          command.params['name'] = name unless name.nil?
+          command.query['updateMask'] = update_mask unless update_mask.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Undeletes a custom Role.
+        # @param [String] name
+        #   The `name` parameter's value depends on the target resource for the request,
+        #   namely [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.
+        #   roles) or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   organizations.roles). Each resource type's `name` value format is described
+        #   below: * [projects.roles.undelete](https://cloud.google.com/iam/docs/reference/
+        #   rest/v1/projects.roles/undelete): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID`
+        #   `. This method undeletes only [custom roles](https://cloud.google.com/iam/docs/
+        #   understanding-custom-roles) that have been created at the project level.
+        #   Example request URL: `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/
+        #   roles/`CUSTOM_ROLE_ID`` * [organizations.roles.undelete](https://cloud.google.
+        #   com/iam/docs/reference/rest/v1/organizations.roles/undelete): `organizations/`
+        #   ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID``. This method undeletes only [custom
+        #   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have
+        #   been created at the organization level. Example request URL: `https://iam.
+        #   googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID`` Note:
+        #   Wildcard (*) values are invalid; you must specify a complete project ID or
+        #   organization ID.
+        # @param [Google::Apis::IamV1::UndeleteRoleRequest] undelete_role_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Role] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Role]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def undelete_organization_role(name, undelete_role_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+name}:undelete', options)
+          command.request_representation = Google::Apis::IamV1::UndeleteRoleRequest::Representation
+          command.request_object = undelete_role_request_object
+          command.response_representation = Google::Apis::IamV1::Role::Representation
+          command.response_class = Google::Apis::IamV1::Role
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Lists every permission that you can test on a resource. A permission is
+        # testable if you can check whether a principal has that permission on the
+        # resource.
+        # @param [Google::Apis::IamV1::QueryTestablePermissionsRequest] query_testable_permissions_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::QueryTestablePermissionsResponse] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::QueryTestablePermissionsResponse]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def query_testable_permissions(query_testable_permissions_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/permissions:queryTestablePermissions', options)
+          command.request_representation = Google::Apis::IamV1::QueryTestablePermissionsRequest::Representation
+          command.request_object = query_testable_permissions_request_object
+          command.response_representation = Google::Apis::IamV1::QueryTestablePermissionsResponse::Representation
+          command.response_class = Google::Apis::IamV1::QueryTestablePermissionsResponse
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Creates a new OauthClient. You cannot reuse the name of a deleted OauthClient
+        # until 30 days after deletion.
+        # @param [String] parent
+        #   Required. The parent resource to create the OauthClient in. The only supported
+        #   location is `global`.
+        # @param [Google::Apis::IamV1::OauthClient] oauth_client_object
+        # @param [String] oauth_client_id
+        #   Required. The ID to use for the OauthClient, which becomes the final component
+        #   of the resource name. This value should be a string of 6 to 63 lowercase
+        #   letters, digits, or hyphens. It must start with a letter, and cannot have a
+        #   trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not
+        #   be specified.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::OauthClient] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::OauthClient]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def create_project_location_oauth_client(parent, oauth_client_object = nil, oauth_client_id: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+parent}/oauthClients', options)
+          command.request_representation = Google::Apis::IamV1::OauthClient::Representation
+          command.request_object = oauth_client_object
+          command.response_representation = Google::Apis::IamV1::OauthClient::Representation
+          command.response_class = Google::Apis::IamV1::OauthClient
+          command.params['parent'] = parent unless parent.nil?
+          command.query['oauthClientId'] = oauth_client_id unless oauth_client_id.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Deletes an OauthClient. You cannot use a deleted OauthClient. However,
+        # deletion does not revoke access tokens that have already been issued. They
+        # continue to grant access. Deletion does revoke refresh tokens that have
+        # already been issued. They cannot be used to renew an access token. If the
+        # OauthClient is undeleted, and the refresh tokens are not expired, they are
+        # valid for token exchange again. You can undelete an OauthClient for 30 days.
+        # After 30 days, deletion is permanent. You cannot update deleted OauthClients.
+        # However, you can view and list them.
+        # @param [String] name
+        #   Required. The name of the OauthClient to delete. Format: `projects/`project`/
+        #   locations/`location`/oauthClients/`oauth_client``.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::OauthClient] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::OauthClient]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def delete_project_location_oauth_client(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:delete, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::OauthClient::Representation
+          command.response_class = Google::Apis::IamV1::OauthClient
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Gets an individual OauthClient.
+        # @param [String] name
+        #   Required. The name of the OauthClient to retrieve. Format: `projects/`project`/
+        #   locations/`location`/oauthClients/`oauth_client``.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::OauthClient] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::OauthClient]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def get_project_location_oauth_client(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::OauthClient::Representation
+          command.response_class = Google::Apis::IamV1::OauthClient
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Lists all non-deleted OauthClients in a project. If `show_deleted` is set to `
+        # true`, then deleted OauthClients are also listed.
+        # @param [String] parent
+        #   Required. The parent to list OauthClients for.
+        # @param [Fixnum] page_size
+        #   Optional. The maximum number of OauthClients to return. If unspecified, at
+        #   most 50 OauthClients will be returned. The maximum value is 100; values above
+        #   100 are truncated to 100.
+        # @param [String] page_token
+        #   Optional. A page token, received from a previous `ListOauthClients` call.
+        #   Provide this to retrieve the subsequent page.
+        # @param [Boolean] show_deleted
+        #   Optional. Whether to return soft-deleted OauthClients.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::ListOauthClientsResponse] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::ListOauthClientsResponse]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def list_project_location_oauth_clients(parent, page_size: nil, page_token: nil, show_deleted: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+parent}/oauthClients', options)
+          command.response_representation = Google::Apis::IamV1::ListOauthClientsResponse::Representation
+          command.response_class = Google::Apis::IamV1::ListOauthClientsResponse
+          command.params['parent'] = parent unless parent.nil?
+          command.query['pageSize'] = page_size unless page_size.nil?
+          command.query['pageToken'] = page_token unless page_token.nil?
+          command.query['showDeleted'] = show_deleted unless show_deleted.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Updates an existing OauthClient.
+        # @param [String] name
+        #   Immutable. Identifier. The resource name of the OauthClient. Format:`projects/`
+        #   project`/locations/`location`/oauthClients/`oauth_client``.
+        # @param [Google::Apis::IamV1::OauthClient] oauth_client_object
+        # @param [String] update_mask
+        #   Required. The list of fields to update.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::OauthClient] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::OauthClient]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def patch_project_location_oauth_client(name, oauth_client_object = nil, update_mask: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:patch, 'v1/{+name}', options)
+          command.request_representation = Google::Apis::IamV1::OauthClient::Representation
+          command.request_object = oauth_client_object
+          command.response_representation = Google::Apis::IamV1::OauthClient::Representation
+          command.response_class = Google::Apis::IamV1::OauthClient
+          command.params['name'] = name unless name.nil?
+          command.query['updateMask'] = update_mask unless update_mask.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Undeletes an OauthClient, as long as it was deleted fewer than 30 days ago.
+        # @param [String] name
+        #   Required. The name of the OauthClient to undelete. Format: `projects/`project`/
+        #   locations/`location`/oauthClients/`oauth_client``.
+        # @param [Google::Apis::IamV1::UndeleteOauthClientRequest] undelete_oauth_client_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::OauthClient] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::OauthClient]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def undelete_oauth_client(name, undelete_oauth_client_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+name}:undelete', options)
+          command.request_representation = Google::Apis::IamV1::UndeleteOauthClientRequest::Representation
+          command.request_object = undelete_oauth_client_request_object
+          command.response_representation = Google::Apis::IamV1::OauthClient::Representation
+          command.response_class = Google::Apis::IamV1::OauthClient
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Creates a new OauthClientCredential.
+        # @param [String] parent
+        #   Required. The parent resource to create the OauthClientCredential in.
+        # @param [Google::Apis::IamV1::OauthClientCredential] oauth_client_credential_object
+        # @param [String] oauth_client_credential_id
+        #   Required. The ID to use for the OauthClientCredential, which becomes the final
+        #   component of the resource name. This value should be 4-32 characters, and may
+        #   contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by
+        #   Google, and may not be specified.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::OauthClientCredential] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::OauthClientCredential]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def create_project_location_oauth_client_credential(parent, oauth_client_credential_object = nil, oauth_client_credential_id: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+parent}/credentials', options)
+          command.request_representation = Google::Apis::IamV1::OauthClientCredential::Representation
+          command.request_object = oauth_client_credential_object
+          command.response_representation = Google::Apis::IamV1::OauthClientCredential::Representation
+          command.response_class = Google::Apis::IamV1::OauthClientCredential
+          command.params['parent'] = parent unless parent.nil?
+          command.query['oauthClientCredentialId'] = oauth_client_credential_id unless oauth_client_credential_id.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Deletes an OauthClientCredential. Before deleting an OauthClientCredential, it
+        # should first be disabled.
+        # @param [String] name
+        #   Required. The name of the OauthClientCredential to delete. Format: `projects/`
+        #   project`/locations/`location`/oauthClients/`oauth_client`/credentials/`
+        #   credential``.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Empty] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Empty]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def delete_project_location_oauth_client_credential(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:delete, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Empty::Representation
+          command.response_class = Google::Apis::IamV1::Empty
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Gets an individual OauthClientCredential.
+        # @param [String] name
+        #   Required. The name of the OauthClientCredential to retrieve. Format: `projects/
+        #   `project`/locations/`location`/oauthClients/`oauth_client`/credentials/`
+        #   credential``.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::OauthClientCredential] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::OauthClientCredential]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def get_project_location_oauth_client_credential(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::OauthClientCredential::Representation
+          command.response_class = Google::Apis::IamV1::OauthClientCredential
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Lists all OauthClientCredentials in an OauthClient.
+        # @param [String] parent
+        #   Required. The parent to list OauthClientCredentials for.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::ListOauthClientCredentialsResponse] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::ListOauthClientCredentialsResponse]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def list_project_location_oauth_client_credentials(parent, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+parent}/credentials', options)
+          command.response_representation = Google::Apis::IamV1::ListOauthClientCredentialsResponse::Representation
+          command.response_class = Google::Apis::IamV1::ListOauthClientCredentialsResponse
+          command.params['parent'] = parent unless parent.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Updates an existing OauthClientCredential.
+        # @param [String] name
+        #   Immutable. Identifier. The resource name of the OauthClientCredential. Format:
+        #   `projects/`project`/locations/`location`/oauthClients/`oauth_client`/
+        #   credentials/`credential``
+        # @param [Google::Apis::IamV1::OauthClientCredential] oauth_client_credential_object
+        # @param [String] update_mask
+        #   Required. The list of fields to update.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::OauthClientCredential] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::OauthClientCredential]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def patch_project_location_oauth_client_credential(name, oauth_client_credential_object = nil, update_mask: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:patch, 'v1/{+name}', options)
+          command.request_representation = Google::Apis::IamV1::OauthClientCredential::Representation
+          command.request_object = oauth_client_credential_object
+          command.response_representation = Google::Apis::IamV1::OauthClientCredential::Representation
+          command.response_class = Google::Apis::IamV1::OauthClientCredential
+          command.params['name'] = name unless name.nil?
+          command.query['updateMask'] = update_mask unless update_mask.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Creates a new WorkloadIdentityPool. You cannot reuse the name of a deleted
+        # pool until 30 days after deletion.
+        # @param [String] parent
+        #   Required. The parent resource to create the pool in. The only supported
+        #   location is `global`.
+        # @param [Google::Apis::IamV1::WorkloadIdentityPool] workload_identity_pool_object
+        # @param [String] workload_identity_pool_id
+        #   Required. The ID to use for the pool, which becomes the final component of the
+        #   resource name. This value should be 4-32 characters, and may contain the
+        #   characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may
+        #   not be specified.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def create_project_location_workload_identity_pool(parent, workload_identity_pool_object = nil, workload_identity_pool_id: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+parent}/workloadIdentityPools', options)
+          command.request_representation = Google::Apis::IamV1::WorkloadIdentityPool::Representation
+          command.request_object = workload_identity_pool_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['parent'] = parent unless parent.nil?
+          command.query['workloadIdentityPoolId'] = workload_identity_pool_id unless workload_identity_pool_id.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Deletes a WorkloadIdentityPool. You cannot use a deleted pool to exchange
+        # external credentials for Google Cloud credentials. However, deletion does not
+        # revoke credentials that have already been issued. Credentials issued for a
+        # deleted pool do not grant access to resources. If the pool is undeleted, and
+        # the credentials are not expired, they grant access again. You can undelete a
+        # pool for 30 days. After 30 days, deletion is permanent. You cannot update
+        # deleted pools. However, you can view and list them.
+        # @param [String] name
+        #   Required. The name of the pool to delete.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def delete_project_location_workload_identity_pool(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:delete, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Gets an individual WorkloadIdentityPool.
+        # @param [String] name
+        #   Required. The name of the pool to retrieve.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::WorkloadIdentityPool] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::WorkloadIdentityPool]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def get_project_location_workload_identity_pool(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::WorkloadIdentityPool::Representation
+          command.response_class = Google::Apis::IamV1::WorkloadIdentityPool
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Gets the IAM policy of a WorkloadIdentityPool.
+        # @param [String] resource
+        #   REQUIRED: The resource for which the policy is being requested. See [Resource
+        #   names](https://cloud.google.com/apis/design/resource_names) for the
+        #   appropriate value for this field.
+        # @param [Google::Apis::IamV1::GetIamPolicyRequest] get_iam_policy_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Policy] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Policy]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def get_workload_identity_pool_iam_policy(resource, get_iam_policy_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+resource}:getIamPolicy', options)
+          command.request_representation = Google::Apis::IamV1::GetIamPolicyRequest::Representation
+          command.request_object = get_iam_policy_request_object
+          command.response_representation = Google::Apis::IamV1::Policy::Representation
+          command.response_class = Google::Apis::IamV1::Policy
+          command.params['resource'] = resource unless resource.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Lists all non-deleted WorkloadIdentityPools in a project. If `show_deleted` is
+        # set to `true`, then deleted pools are also listed.
+        # @param [String] parent
+        #   Required. The parent resource to list pools for.
+        # @param [Fixnum] page_size
+        #   The maximum number of pools to return. If unspecified, at most 50 pools are
+        #   returned. The maximum value is 1000; values above are 1000 truncated to 1000.
+        # @param [String] page_token
+        #   A page token, received from a previous `ListWorkloadIdentityPools` call.
+        #   Provide this to retrieve the subsequent page.
+        # @param [Boolean] show_deleted
+        #   Whether to return soft-deleted pools.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::ListWorkloadIdentityPoolsResponse] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::ListWorkloadIdentityPoolsResponse]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def list_project_location_workload_identity_pools(parent, page_size: nil, page_token: nil, show_deleted: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+parent}/workloadIdentityPools', options)
+          command.response_representation = Google::Apis::IamV1::ListWorkloadIdentityPoolsResponse::Representation
+          command.response_class = Google::Apis::IamV1::ListWorkloadIdentityPoolsResponse
+          command.params['parent'] = parent unless parent.nil?
+          command.query['pageSize'] = page_size unless page_size.nil?
+          command.query['pageToken'] = page_token unless page_token.nil?
+          command.query['showDeleted'] = show_deleted unless show_deleted.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Updates an existing WorkloadIdentityPool.
+        # @param [String] name
+        #   Output only. The resource name of the pool.
+        # @param [Google::Apis::IamV1::WorkloadIdentityPool] workload_identity_pool_object
+        # @param [String] update_mask
+        #   Required. The list of fields to update.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def patch_project_location_workload_identity_pool(name, workload_identity_pool_object = nil, update_mask: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:patch, 'v1/{+name}', options)
+          command.request_representation = Google::Apis::IamV1::WorkloadIdentityPool::Representation
+          command.request_object = workload_identity_pool_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['updateMask'] = update_mask unless update_mask.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Sets the IAM policies on a WorkloadIdentityPool
+        # @param [String] resource
+        #   REQUIRED: The resource for which the policy is being specified. See [Resource
+        #   names](https://cloud.google.com/apis/design/resource_names) for the
+        #   appropriate value for this field.
+        # @param [Google::Apis::IamV1::SetIamPolicyRequest] set_iam_policy_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Policy] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Policy]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def set_workload_identity_pool_iam_policy(resource, set_iam_policy_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+resource}:setIamPolicy', options)
+          command.request_representation = Google::Apis::IamV1::SetIamPolicyRequest::Representation
+          command.request_object = set_iam_policy_request_object
+          command.response_representation = Google::Apis::IamV1::Policy::Representation
+          command.response_class = Google::Apis::IamV1::Policy
+          command.params['resource'] = resource unless resource.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Returns the caller's permissions on a WorkloadIdentityPool
+        # @param [String] resource
+        #   REQUIRED: The resource for which the policy detail is being requested. See [
+        #   Resource names](https://cloud.google.com/apis/design/resource_names) for the
+        #   appropriate value for this field.
+        # @param [Google::Apis::IamV1::TestIamPermissionsRequest] test_iam_permissions_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::TestIamPermissionsResponse] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::TestIamPermissionsResponse]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def test_workload_identity_pool_iam_permissions(resource, test_iam_permissions_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+resource}:testIamPermissions', options)
+          command.request_representation = Google::Apis::IamV1::TestIamPermissionsRequest::Representation
+          command.request_object = test_iam_permissions_request_object
+          command.response_representation = Google::Apis::IamV1::TestIamPermissionsResponse::Representation
+          command.response_class = Google::Apis::IamV1::TestIamPermissionsResponse
+          command.params['resource'] = resource unless resource.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Undeletes a WorkloadIdentityPool, as long as it was deleted fewer than 30 days
+        # ago.
+        # @param [String] name
+        #   Required. The name of the pool to undelete.
+        # @param [Google::Apis::IamV1::UndeleteWorkloadIdentityPoolRequest] undelete_workload_identity_pool_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def undelete_workload_identity_pool(name, undelete_workload_identity_pool_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+name}:undelete', options)
+          command.request_representation = Google::Apis::IamV1::UndeleteWorkloadIdentityPoolRequest::Representation
+          command.request_object = undelete_workload_identity_pool_request_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Creates a new WorkloadIdentityPoolNamespace in a WorkloadIdentityPool.
+        # @param [String] parent
+        #   Required. The parent resource to create the namespace in. The only supported
+        #   location is `global`.
+        # @param [Google::Apis::IamV1::WorkloadIdentityPoolNamespace] workload_identity_pool_namespace_object
+        # @param [String] workload_identity_pool_namespace_id
+        #   Required. The ID to use for the namespace. This value must: * contain at most
+        #   63 characters * contain only lowercase alphanumeric characters or `-` * start
+        #   with an alphanumeric character * end with an alphanumeric character The prefix
+        #   "gcp-" will be reserved for future uses.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def create_project_location_workload_identity_pool_namespace(parent, workload_identity_pool_namespace_object = nil, workload_identity_pool_namespace_id: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+parent}/namespaces', options)
+          command.request_representation = Google::Apis::IamV1::WorkloadIdentityPoolNamespace::Representation
+          command.request_object = workload_identity_pool_namespace_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['parent'] = parent unless parent.nil?
+          command.query['workloadIdentityPoolNamespaceId'] = workload_identity_pool_namespace_id unless workload_identity_pool_namespace_id.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Deletes a WorkloadIdentityPoolNamespace. You can undelete a namespace for 30
+        # days. After 30 days, deletion is permanent.
+        # @param [String] name
+        #   Required. The name of the namespace to delete.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def delete_project_location_workload_identity_pool_namespace(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:delete, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Gets an individual WorkloadIdentityPoolNamespace.
+        # @param [String] name
+        #   Required. The name of the namespace to retrieve.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::WorkloadIdentityPoolNamespace] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::WorkloadIdentityPoolNamespace]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def get_project_location_workload_identity_pool_namespace(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::WorkloadIdentityPoolNamespace::Representation
+          command.response_class = Google::Apis::IamV1::WorkloadIdentityPoolNamespace
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Lists all non-deleted WorkloadIdentityPoolNamespaces in a workload identity
+        # pool. If `show_deleted` is set to `true`, then deleted namespaces are also
+        # listed.
+        # @param [String] parent
+        #   Required. The parent resource to list namespaces for.
+        # @param [Fixnum] page_size
+        #   The maximum number of namespaces to return. If unspecified, at most 50
+        #   namespaces are returned. The maximum value is 1000; values above are 1000
+        #   truncated to 1000.
+        # @param [String] page_token
+        #   A page token, received from a previous `ListWorkloadIdentityPoolNamespaces`
+        #   call. Provide this to retrieve the subsequent page.
+        # @param [Boolean] show_deleted
+        #   Whether to return soft-deleted namespaces.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::ListWorkloadIdentityPoolNamespacesResponse] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::ListWorkloadIdentityPoolNamespacesResponse]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def list_project_location_workload_identity_pool_namespaces(parent, page_size: nil, page_token: nil, show_deleted: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+parent}/namespaces', options)
+          command.response_representation = Google::Apis::IamV1::ListWorkloadIdentityPoolNamespacesResponse::Representation
+          command.response_class = Google::Apis::IamV1::ListWorkloadIdentityPoolNamespacesResponse
+          command.params['parent'] = parent unless parent.nil?
+          command.query['pageSize'] = page_size unless page_size.nil?
+          command.query['pageToken'] = page_token unless page_token.nil?
+          command.query['showDeleted'] = show_deleted unless show_deleted.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Updates an existing WorkloadIdentityPoolNamespace in a WorkloadIdentityPool.
+        # @param [String] name
+        #   Output only. The resource name of the namespace.
+        # @param [Google::Apis::IamV1::WorkloadIdentityPoolNamespace] workload_identity_pool_namespace_object
+        # @param [String] update_mask
+        #   Required. The list of fields to update.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def patch_project_location_workload_identity_pool_namespace(name, workload_identity_pool_namespace_object = nil, update_mask: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:patch, 'v1/{+name}', options)
+          command.request_representation = Google::Apis::IamV1::WorkloadIdentityPoolNamespace::Representation
+          command.request_object = workload_identity_pool_namespace_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['updateMask'] = update_mask unless update_mask.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
         end
         
-        # Creates a new WorkloadIdentityPool. You cannot reuse the name of a deleted
-        # pool until 30 days after deletion.
+        # Undeletes a WorkloadIdentityPoolNamespace, as long as it was deleted fewer
+        # than 30 days ago.
+        # @param [String] name
+        #   Required. The name of the namespace to undelete.
+        # @param [Google::Apis::IamV1::UndeleteWorkloadIdentityPoolNamespaceRequest] undelete_workload_identity_pool_namespace_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def undelete_workload_identity_pool_namespace(name, undelete_workload_identity_pool_namespace_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+name}:undelete', options)
+          command.request_representation = Google::Apis::IamV1::UndeleteWorkloadIdentityPoolNamespaceRequest::Representation
+          command.request_object = undelete_workload_identity_pool_namespace_request_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Add an AttestationRule on a WorkloadIdentityPoolManagedIdentity. The total
+        # attestation rules after addition must not exceed 50.
+        # @param [String] resource
+        #   Required. The resource name of the managed identity or namespace resource to
+        #   add an attestation rule to.
+        # @param [Google::Apis::IamV1::AddAttestationRuleRequest] add_attestation_rule_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def add_managed_identity_attestation_rule(resource, add_attestation_rule_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+resource}:addAttestationRule', options)
+          command.request_representation = Google::Apis::IamV1::AddAttestationRuleRequest::Representation
+          command.request_object = add_attestation_rule_request_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['resource'] = resource unless resource.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Creates a new WorkloadIdentityPoolManagedIdentity in a
+        # WorkloadIdentityPoolNamespace.
         # @param [String] parent
-        #   Required. The parent resource to create the pool in. The only supported
-        #   location is `global`.
-        # @param [Google::Apis::IamV1::WorkloadIdentityPool] workload_identity_pool_object
-        # @param [String] workload_identity_pool_id
-        #   Required. The ID to use for the pool, which becomes the final component of the
-        #   resource name. This value should be 4-32 characters, and may contain the
-        #   characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may
-        #   not be specified.
+        #   Required. The parent resource to create the manage identity in. The only
+        #   supported location is `global`.
+        # @param [Google::Apis::IamV1::WorkloadIdentityPoolManagedIdentity] workload_identity_pool_managed_identity_object
+        # @param [String] workload_identity_pool_managed_identity_id
+        #   Required. The ID to use for the managed identity. This value must: * contain
+        #   at most 63 characters * contain only lowercase alphanumeric characters or `-` *
+        #   start with an alphanumeric character * end with an alphanumeric character The
+        #   prefix "gcp-" will be reserved for future uses.
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -620,28 +2416,249 @@ module Google
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def create_project_location_workload_identity_pool(parent, workload_identity_pool_object = nil, workload_identity_pool_id: nil, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:post, 'v1/{+parent}/workloadIdentityPools', options)
-          command.request_representation = Google::Apis::IamV1::WorkloadIdentityPool::Representation
-          command.request_object = workload_identity_pool_object
+        def create_project_location_workload_identity_pool_namespace_managed_identity(parent, workload_identity_pool_managed_identity_object = nil, workload_identity_pool_managed_identity_id: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+parent}/managedIdentities', options)
+          command.request_representation = Google::Apis::IamV1::WorkloadIdentityPoolManagedIdentity::Representation
+          command.request_object = workload_identity_pool_managed_identity_object
           command.response_representation = Google::Apis::IamV1::Operation::Representation
           command.response_class = Google::Apis::IamV1::Operation
           command.params['parent'] = parent unless parent.nil?
-          command.query['workloadIdentityPoolId'] = workload_identity_pool_id unless workload_identity_pool_id.nil?
+          command.query['workloadIdentityPoolManagedIdentityId'] = workload_identity_pool_managed_identity_id unless workload_identity_pool_managed_identity_id.nil?
           command.query['fields'] = fields unless fields.nil?
           command.query['quotaUser'] = quota_user unless quota_user.nil?
           execute_or_queue_command(command, &block)
         end
         
-        # Deletes a WorkloadIdentityPool. You cannot use a deleted pool to exchange
-        # external credentials for Google Cloud credentials. However, deletion does not
-        # revoke credentials that have already been issued. Credentials issued for a
-        # deleted pool do not grant access to resources. If the pool is undeleted, and
-        # the credentials are not expired, they grant access again. You can undelete a
-        # pool for 30 days. After 30 days, deletion is permanent. You cannot update
-        # deleted pools. However, you can view and list them.
+        # Deletes a WorkloadIdentityPoolManagedIdentity. You can undelete a managed
+        # identity for 30 days. After 30 days, deletion is permanent.
         # @param [String] name
-        #   Required. The name of the pool to delete.
+        #   Required. The name of the managed identity to delete.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def delete_project_location_workload_identity_pool_namespace_managed_identity(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:delete, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Gets an individual WorkloadIdentityPoolManagedIdentity.
+        # @param [String] name
+        #   Required. The name of the managed identity to retrieve.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::WorkloadIdentityPoolManagedIdentity] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::WorkloadIdentityPoolManagedIdentity]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def get_project_location_workload_identity_pool_namespace_managed_identity(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::WorkloadIdentityPoolManagedIdentity::Representation
+          command.response_class = Google::Apis::IamV1::WorkloadIdentityPoolManagedIdentity
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Lists all non-deleted WorkloadIdentityPoolManagedIdentitys in a namespace. If `
+        # show_deleted` is set to `true`, then deleted managed identities are also
+        # listed.
+        # @param [String] parent
+        #   Required. The parent resource to list managed identities for.
+        # @param [Fixnum] page_size
+        #   The maximum number of managed identities to return. If unspecified, at most 50
+        #   managed identities are returned. The maximum value is 1000; values above are
+        #   1000 truncated to 1000.
+        # @param [String] page_token
+        #   A page token, received from a previous `
+        #   ListWorkloadIdentityPoolManagedIdentities` call. Provide this to retrieve the
+        #   subsequent page.
+        # @param [Boolean] show_deleted
+        #   Whether to return soft-deleted managed identities.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::ListWorkloadIdentityPoolManagedIdentitiesResponse] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::ListWorkloadIdentityPoolManagedIdentitiesResponse]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def list_project_location_workload_identity_pool_namespace_managed_identities(parent, page_size: nil, page_token: nil, show_deleted: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+parent}/managedIdentities', options)
+          command.response_representation = Google::Apis::IamV1::ListWorkloadIdentityPoolManagedIdentitiesResponse::Representation
+          command.response_class = Google::Apis::IamV1::ListWorkloadIdentityPoolManagedIdentitiesResponse
+          command.params['parent'] = parent unless parent.nil?
+          command.query['pageSize'] = page_size unless page_size.nil?
+          command.query['pageToken'] = page_token unless page_token.nil?
+          command.query['showDeleted'] = show_deleted unless show_deleted.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # List all AttestationRule on a WorkloadIdentityPoolManagedIdentity.
+        # @param [String] resource
+        #   Required. The resource name of the managed identity or namespace resource to
+        #   list attestation rules of.
+        # @param [String] filter
+        #   Optional. A query filter. Supports the following function: * `container_ids()`:
+        #   Returns only the AttestationRules under the specific container ids. The
+        #   function expects a comma-delimited list with only project numbers and must use
+        #   the format `projects/`. For example: `container_ids(projects/, projects/,...)`.
+        # @param [Fixnum] page_size
+        #   Optional. The maximum number of AttestationRules to return. If unspecified, at
+        #   most 50 AttestationRules are returned. The maximum value is 100; values above
+        #   100 are truncated to 100.
+        # @param [String] page_token
+        #   Optional. A page token, received from a previous `
+        #   ListWorkloadIdentityPoolProviderKeys` call. Provide this to retrieve the
+        #   subsequent page.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::ListAttestationRulesResponse] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::ListAttestationRulesResponse]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def list_project_location_workload_identity_pool_namespace_managed_identity_attestation_rules(resource, filter: nil, page_size: nil, page_token: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+resource}:listAttestationRules', options)
+          command.response_representation = Google::Apis::IamV1::ListAttestationRulesResponse::Representation
+          command.response_class = Google::Apis::IamV1::ListAttestationRulesResponse
+          command.params['resource'] = resource unless resource.nil?
+          command.query['filter'] = filter unless filter.nil?
+          command.query['pageSize'] = page_size unless page_size.nil?
+          command.query['pageToken'] = page_token unless page_token.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Updates an existing WorkloadIdentityPoolManagedIdentity in a
+        # WorkloadIdentityPoolNamespace.
+        # @param [String] name
+        #   Output only. The resource name of the managed identity.
+        # @param [Google::Apis::IamV1::WorkloadIdentityPoolManagedIdentity] workload_identity_pool_managed_identity_object
+        # @param [String] update_mask
+        #   Required. The list of fields to update.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def patch_project_location_workload_identity_pool_namespace_managed_identity(name, workload_identity_pool_managed_identity_object = nil, update_mask: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:patch, 'v1/{+name}', options)
+          command.request_representation = Google::Apis::IamV1::WorkloadIdentityPoolManagedIdentity::Representation
+          command.request_object = workload_identity_pool_managed_identity_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['updateMask'] = update_mask unless update_mask.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Remove an AttestationRule on a WorkloadIdentityPoolManagedIdentity.
+        # @param [String] resource
+        #   Required. The resource name of the managed identity or namespace resource to
+        #   remove an attestation rule from.
+        # @param [Google::Apis::IamV1::RemoveAttestationRuleRequest] remove_attestation_rule_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def remove_managed_identity_attestation_rule(resource, remove_attestation_rule_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+resource}:removeAttestationRule', options)
+          command.request_representation = Google::Apis::IamV1::RemoveAttestationRuleRequest::Representation
+          command.request_object = remove_attestation_rule_request_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['resource'] = resource unless resource.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Set all AttestationRule on a WorkloadIdentityPoolManagedIdentity. A maximum of
+        # 50 AttestationRules can be set.
+        # @param [String] resource
+        #   Required. The resource name of the managed identity or namespace resource to
+        #   add an attestation rule to.
+        # @param [Google::Apis::IamV1::SetAttestationRulesRequest] set_attestation_rules_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -659,19 +2676,23 @@ module Google
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def delete_project_location_workload_identity_pool(name, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:delete, 'v1/{+name}', options)
+        def set_managed_identity_attestation_rules(resource, set_attestation_rules_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+resource}:setAttestationRules', options)
+          command.request_representation = Google::Apis::IamV1::SetAttestationRulesRequest::Representation
+          command.request_object = set_attestation_rules_request_object
           command.response_representation = Google::Apis::IamV1::Operation::Representation
           command.response_class = Google::Apis::IamV1::Operation
-          command.params['name'] = name unless name.nil?
+          command.params['resource'] = resource unless resource.nil?
           command.query['fields'] = fields unless fields.nil?
           command.query['quotaUser'] = quota_user unless quota_user.nil?
           execute_or_queue_command(command, &block)
         end
         
-        # Gets an individual WorkloadIdentityPool.
+        # Undeletes a WorkloadIdentityPoolManagedIdentity, as long as it was deleted
+        # fewer than 30 days ago.
         # @param [String] name
-        #   Required. The name of the pool to retrieve.
+        #   Required. The name of the managed identity to undelete.
+        # @param [Google::Apis::IamV1::UndeleteWorkloadIdentityPoolManagedIdentityRequest] undelete_workload_identity_pool_managed_identity_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -681,36 +2702,30 @@ module Google
         #   Request-specific options
         #
         # @yield [result, err] Result & error if block supplied
-        # @yieldparam result [Google::Apis::IamV1::WorkloadIdentityPool] parsed result object
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
         # @yieldparam err [StandardError] error object if request failed
         #
-        # @return [Google::Apis::IamV1::WorkloadIdentityPool]
+        # @return [Google::Apis::IamV1::Operation]
         #
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def get_project_location_workload_identity_pool(name, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:get, 'v1/{+name}', options)
-          command.response_representation = Google::Apis::IamV1::WorkloadIdentityPool::Representation
-          command.response_class = Google::Apis::IamV1::WorkloadIdentityPool
+        def undelete_workload_identity_pool_managed_identity(name, undelete_workload_identity_pool_managed_identity_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+name}:undelete', options)
+          command.request_representation = Google::Apis::IamV1::UndeleteWorkloadIdentityPoolManagedIdentityRequest::Representation
+          command.request_object = undelete_workload_identity_pool_managed_identity_request_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
           command.params['name'] = name unless name.nil?
           command.query['fields'] = fields unless fields.nil?
           command.query['quotaUser'] = quota_user unless quota_user.nil?
           execute_or_queue_command(command, &block)
         end
         
-        # Lists all non-deleted WorkloadIdentityPools in a project. If `show_deleted` is
-        # set to `true`, then deleted pools are also listed.
-        # @param [String] parent
-        #   Required. The parent resource to list pools for.
-        # @param [Fixnum] page_size
-        #   The maximum number of pools to return. If unspecified, at most 50 pools are
-        #   returned. The maximum value is 1000; values above are 1000 truncated to 1000.
-        # @param [String] page_token
-        #   A page token, received from a previous `ListWorkloadIdentityPools` call.
-        #   Provide this to retrieve the subsequent page.
-        # @param [Boolean] show_deleted
-        #   Whether to return soft-deleted pools.
+        # Gets the latest state of a long-running operation. Clients can use this method
+        # to poll the operation result at intervals as recommended by the API service.
+        # @param [String] name
+        #   The name of the operation resource.
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -720,33 +2735,28 @@ module Google
         #   Request-specific options
         #
         # @yield [result, err] Result & error if block supplied
-        # @yieldparam result [Google::Apis::IamV1::ListWorkloadIdentityPoolsResponse] parsed result object
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
         # @yieldparam err [StandardError] error object if request failed
         #
-        # @return [Google::Apis::IamV1::ListWorkloadIdentityPoolsResponse]
+        # @return [Google::Apis::IamV1::Operation]
         #
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def list_project_location_workload_identity_pools(parent, page_size: nil, page_token: nil, show_deleted: nil, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:get, 'v1/{+parent}/workloadIdentityPools', options)
-          command.response_representation = Google::Apis::IamV1::ListWorkloadIdentityPoolsResponse::Representation
-          command.response_class = Google::Apis::IamV1::ListWorkloadIdentityPoolsResponse
-          command.params['parent'] = parent unless parent.nil?
-          command.query['pageSize'] = page_size unless page_size.nil?
-          command.query['pageToken'] = page_token unless page_token.nil?
-          command.query['showDeleted'] = show_deleted unless show_deleted.nil?
+        def get_project_location_workload_identity_pool_namespace_managed_identity_operation(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
           command.query['fields'] = fields unless fields.nil?
           command.query['quotaUser'] = quota_user unless quota_user.nil?
           execute_or_queue_command(command, &block)
         end
         
-        # Updates an existing WorkloadIdentityPool.
+        # Gets the latest state of a long-running operation. Clients can use this method
+        # to poll the operation result at intervals as recommended by the API service.
         # @param [String] name
-        #   Output only. The resource name of the pool.
-        # @param [Google::Apis::IamV1::WorkloadIdentityPool] workload_identity_pool_object
-        # @param [String] update_mask
-        #   Required. The list of fields to update.
+        #   The name of the operation resource.
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -764,24 +2774,20 @@ module Google
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def patch_project_location_workload_identity_pool(name, workload_identity_pool_object = nil, update_mask: nil, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:patch, 'v1/{+name}', options)
-          command.request_representation = Google::Apis::IamV1::WorkloadIdentityPool::Representation
-          command.request_object = workload_identity_pool_object
+        def get_project_location_workload_identity_pool_namespace_managed_identity_workload_source_operation(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
           command.response_representation = Google::Apis::IamV1::Operation::Representation
           command.response_class = Google::Apis::IamV1::Operation
           command.params['name'] = name unless name.nil?
-          command.query['updateMask'] = update_mask unless update_mask.nil?
           command.query['fields'] = fields unless fields.nil?
           command.query['quotaUser'] = quota_user unless quota_user.nil?
           execute_or_queue_command(command, &block)
         end
         
-        # Undeletes a WorkloadIdentityPool, as long as it was deleted fewer than 30 days
-        # ago.
+        # Gets the latest state of a long-running operation. Clients can use this method
+        # to poll the operation result at intervals as recommended by the API service.
         # @param [String] name
-        #   Required. The name of the pool to undelete.
-        # @param [Google::Apis::IamV1::UndeleteWorkloadIdentityPoolRequest] undelete_workload_identity_pool_request_object
+        #   The name of the operation resource.
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -799,10 +2805,8 @@ module Google
         # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
         # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
         # @raise [Google::Apis::AuthorizationError] Authorization is required
-        def undelete_workload_identity_pool(name, undelete_workload_identity_pool_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
-          command = make_simple_command(:post, 'v1/{+name}:undelete', options)
-          command.request_representation = Google::Apis::IamV1::UndeleteWorkloadIdentityPoolRequest::Representation
-          command.request_object = undelete_workload_identity_pool_request_object
+        def get_project_location_workload_identity_pool_namespace_operation(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
           command.response_representation = Google::Apis::IamV1::Operation::Representation
           command.response_class = Google::Apis::IamV1::Operation
           command.params['name'] = name unless name.nil?
@@ -1058,6 +3062,181 @@ module Google
           execute_or_queue_command(command, &block)
         end
         
+        # Create a new WorkloadIdentityPoolProviderKey in a WorkloadIdentityPoolProvider.
+        # @param [String] parent
+        #   Required. The parent provider resource to create the key in.
+        # @param [Google::Apis::IamV1::WorkloadIdentityPoolProviderKey] workload_identity_pool_provider_key_object
+        # @param [String] workload_identity_pool_provider_key_id
+        #   Required. The ID to use for the key, which becomes the final component of the
+        #   resource name. This value should be 4-32 characters, and may contain the
+        #   characters [a-z0-9-].
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def create_project_location_workload_identity_pool_provider_key(parent, workload_identity_pool_provider_key_object = nil, workload_identity_pool_provider_key_id: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+parent}/keys', options)
+          command.request_representation = Google::Apis::IamV1::WorkloadIdentityPoolProviderKey::Representation
+          command.request_object = workload_identity_pool_provider_key_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['parent'] = parent unless parent.nil?
+          command.query['workloadIdentityPoolProviderKeyId'] = workload_identity_pool_provider_key_id unless workload_identity_pool_provider_key_id.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Deletes an WorkloadIdentityPoolProviderKey. You can undelete a key for 30 days.
+        # After 30 days, deletion is permanent.
+        # @param [String] name
+        #   Required. The name of the encryption key to delete.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def delete_project_location_workload_identity_pool_provider_key(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:delete, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Gets an individual WorkloadIdentityPoolProviderKey.
+        # @param [String] name
+        #   Required. The name of the key to retrieve.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::WorkloadIdentityPoolProviderKey] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::WorkloadIdentityPoolProviderKey]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def get_project_location_workload_identity_pool_provider_key(name, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+name}', options)
+          command.response_representation = Google::Apis::IamV1::WorkloadIdentityPoolProviderKey::Representation
+          command.response_class = Google::Apis::IamV1::WorkloadIdentityPoolProviderKey
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Lists all non-deleted WorkloadIdentityPoolProviderKeys in a project. If
+        # show_deleted is set to `true`, then deleted pools are also listed.
+        # @param [String] parent
+        #   Required. The parent provider resource to list encryption keys for.
+        # @param [Fixnum] page_size
+        #   The maximum number of keys to return. If unspecified, all keys are returned.
+        #   The maximum value is 10; values above 10 are truncated to 10.
+        # @param [String] page_token
+        #   A page token, received from a previous `ListWorkloadIdentityPoolProviderKeys`
+        #   call. Provide this to retrieve the subsequent page.
+        # @param [Boolean] show_deleted
+        #   Whether to return soft deleted resources as well.
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::ListWorkloadIdentityPoolProviderKeysResponse] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::ListWorkloadIdentityPoolProviderKeysResponse]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def list_project_location_workload_identity_pool_provider_keys(parent, page_size: nil, page_token: nil, show_deleted: nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:get, 'v1/{+parent}/keys', options)
+          command.response_representation = Google::Apis::IamV1::ListWorkloadIdentityPoolProviderKeysResponse::Representation
+          command.response_class = Google::Apis::IamV1::ListWorkloadIdentityPoolProviderKeysResponse
+          command.params['parent'] = parent unless parent.nil?
+          command.query['pageSize'] = page_size unless page_size.nil?
+          command.query['pageToken'] = page_token unless page_token.nil?
+          command.query['showDeleted'] = show_deleted unless show_deleted.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
+        # Undeletes an WorkloadIdentityPoolProviderKey, as long as it was deleted fewer
+        # than 30 days ago.
+        # @param [String] name
+        #   Required. The name of the encryption key to undelete.
+        # @param [Google::Apis::IamV1::UndeleteWorkloadIdentityPoolProviderKeyRequest] undelete_workload_identity_pool_provider_key_request_object
+        # @param [String] fields
+        #   Selector specifying which fields to include in a partial response.
+        # @param [String] quota_user
+        #   Available to use for quota purposes for server-side applications. Can be any
+        #   arbitrary string assigned to a user, but should not exceed 40 characters.
+        # @param [Google::Apis::RequestOptions] options
+        #   Request-specific options
+        #
+        # @yield [result, err] Result & error if block supplied
+        # @yieldparam result [Google::Apis::IamV1::Operation] parsed result object
+        # @yieldparam err [StandardError] error object if request failed
+        #
+        # @return [Google::Apis::IamV1::Operation]
+        #
+        # @raise [Google::Apis::ServerError] An error occurred on the server and the request can be retried
+        # @raise [Google::Apis::ClientError] The request is invalid and should not be retried without modification
+        # @raise [Google::Apis::AuthorizationError] Authorization is required
+        def undelete_workload_identity_pool_provider_key(name, undelete_workload_identity_pool_provider_key_request_object = nil, fields: nil, quota_user: nil, options: nil, &block)
+          command = make_simple_command(:post, 'v1/{+name}:undelete', options)
+          command.request_representation = Google::Apis::IamV1::UndeleteWorkloadIdentityPoolProviderKeyRequest::Representation
+          command.request_object = undelete_workload_identity_pool_provider_key_request_object
+          command.response_representation = Google::Apis::IamV1::Operation::Representation
+          command.response_class = Google::Apis::IamV1::Operation
+          command.params['name'] = name unless name.nil?
+          command.query['fields'] = fields unless fields.nil?
+          command.query['quotaUser'] = quota_user unless quota_user.nil?
+          execute_or_queue_command(command, &block)
+        end
+        
         # Gets the latest state of a long-running operation. Clients can use this method
         # to poll the operation result at intervals as recommended by the API service.
         # @param [String] name
@@ -1123,15 +3302,15 @@ module Google
         # Creates a new custom Role.
         # @param [String] parent
         #   The `parent` parameter's value depends on the target resource for the request,
-        #   namely [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.
-        #   roles) or [`organizations`](https://cloud.google.com/iam/reference/rest/v1/
+        #   namely [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.
+        #   roles) or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/
         #   organizations.roles). Each resource type's `parent` value format is described
-        #   below: * [`projects.roles.create()`](https://cloud.google.com/iam/reference/
+        #   below: * [projects.roles.create](https://cloud.google.com/iam/docs/reference/
         #   rest/v1/projects.roles/create): `projects/`PROJECT_ID``. This method creates
         #   project-level [custom roles](https://cloud.google.com/iam/docs/understanding-
         #   custom-roles). Example request URL: `https://iam.googleapis.com/v1/projects/`
-        #   PROJECT_ID`/roles` * [`organizations.roles.create()`](https://cloud.google.com/
-        #   iam/reference/rest/v1/organizations.roles/create): `organizations/`
+        #   PROJECT_ID`/roles` * [organizations.roles.create](https://cloud.google.com/iam/
+        #   docs/reference/rest/v1/organizations.roles/create): `organizations/`
         #   ORGANIZATION_ID``. This method creates organization-level [custom roles](https:
         #   //cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `
         #   https://iam.googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles` Note:
@@ -1171,22 +3350,25 @@ module Google
         # occur immediately: * You cannot bind a principal to the custom role in an IAM
         # Policy. * Existing bindings to the custom role are not changed, but they have
         # no effect. * By default, the response from ListRoles does not include the
-        # custom role. You have 7 days to undelete the custom role. After 7 days, the
-        # following changes occur: * The custom role is permanently deleted and cannot
-        # be recovered. * If an IAM policy contains a binding to the custom role, the
-        # binding is permanently removed.
+        # custom role. A deleted custom role still counts toward the [custom role limit](
+        # https://cloud.google.com/iam/help/limits) until it is permanently deleted. You
+        # have 7 days to undelete the custom role. After 7 days, the following changes
+        # occur: * The custom role is permanently deleted and cannot be recovered. * If
+        # an IAM policy contains a binding to the custom role, the binding is
+        # permanently removed. * The custom role no longer counts toward your custom
+        # role limit.
         # @param [String] name
         #   The `name` parameter's value depends on the target resource for the request,
-        #   namely [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.
-        #   roles) or [`organizations`](https://cloud.google.com/iam/reference/rest/v1/
+        #   namely [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.
+        #   roles) or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/
         #   organizations.roles). Each resource type's `name` value format is described
-        #   below: * [`projects.roles.delete()`](https://cloud.google.com/iam/reference/
+        #   below: * [projects.roles.delete](https://cloud.google.com/iam/docs/reference/
         #   rest/v1/projects.roles/delete): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID``.
         #   This method deletes only [custom roles](https://cloud.google.com/iam/docs/
         #   understanding-custom-roles) that have been created at the project level.
         #   Example request URL: `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/
-        #   roles/`CUSTOM_ROLE_ID`` * [`organizations.roles.delete()`](https://cloud.
-        #   google.com/iam/reference/rest/v1/organizations.roles/delete): `organizations/`
+        #   roles/`CUSTOM_ROLE_ID`` * [organizations.roles.delete](https://cloud.google.
+        #   com/iam/docs/reference/rest/v1/organizations.roles/delete): `organizations/`
         #   ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID``. This method deletes only [custom
         #   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have
         #   been created at the organization level. Example request URL: `https://iam.
@@ -1226,26 +3408,27 @@ module Google
         # Gets the definition of a Role.
         # @param [String] name
         #   The `name` parameter's value depends on the target resource for the request,
-        #   namely [`roles`](https://cloud.google.com/iam/reference/rest/v1/roles), [`
-        #   projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles), or [
-        #   `organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.
-        #   roles). Each resource type's `name` value format is described below: * [`roles.
-        #   get()`](https://cloud.google.com/iam/reference/rest/v1/roles/get): `roles/`
-        #   ROLE_NAME``. This method returns results from all [predefined roles](https://
-        #   cloud.google.com/iam/docs/understanding-roles#predefined_roles) in Cloud IAM.
-        #   Example request URL: `https://iam.googleapis.com/v1/roles/`ROLE_NAME`` * [`
-        #   projects.roles.get()`](https://cloud.google.com/iam/reference/rest/v1/projects.
-        #   roles/get): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID``. This method
-        #   returns only [custom roles](https://cloud.google.com/iam/docs/understanding-
-        #   custom-roles) that have been created at the project level. Example request URL:
-        #   `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID`` *
-        #   [`organizations.roles.get()`](https://cloud.google.com/iam/reference/rest/v1/
-        #   organizations.roles/get): `organizations/`ORGANIZATION_ID`/roles/`
-        #   CUSTOM_ROLE_ID``. This method returns only [custom roles](https://cloud.google.
-        #   com/iam/docs/understanding-custom-roles) that have been created at the
-        #   organization level. Example request URL: `https://iam.googleapis.com/v1/
-        #   organizations/`ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID`` Note: Wildcard (*)
-        #   values are invalid; you must specify a complete project ID or organization ID.
+        #   namely [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [
+        #   projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles),
+        #   or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   organizations.roles). Each resource type's `name` value format is described
+        #   below: * [roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/roles/
+        #   get): `roles/`ROLE_NAME``. This method returns results from all [predefined
+        #   roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles)
+        #   in IAM. Example request URL: `https://iam.googleapis.com/v1/roles/`ROLE_NAME``
+        #   * [projects.roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   projects.roles/get): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID``. This
+        #   method returns only [custom roles](https://cloud.google.com/iam/docs/
+        #   understanding-custom-roles) that have been created at the project level.
+        #   Example request URL: `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/
+        #   roles/`CUSTOM_ROLE_ID`` * [organizations.roles.get](https://cloud.google.com/
+        #   iam/docs/reference/rest/v1/organizations.roles/get): `organizations/`
+        #   ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID``. This method returns only [custom
+        #   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have
+        #   been created at the organization level. Example request URL: `https://iam.
+        #   googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID`` Note:
+        #   Wildcard (*) values are invalid; you must specify a complete project ID or
+        #   organization ID.
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -1277,25 +3460,25 @@ module Google
         # defined for an organization or project.
         # @param [String] parent
         #   The `parent` parameter's value depends on the target resource for the request,
-        #   namely [`roles`](https://cloud.google.com/iam/reference/rest/v1/roles), [`
-        #   projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles), or [
-        #   `organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.
-        #   roles). Each resource type's `parent` value format is described below: * [`
-        #   roles.list()`](https://cloud.google.com/iam/reference/rest/v1/roles/list): An
-        #   empty string. This method doesn't require a resource; it simply returns all [
-        #   predefined roles](https://cloud.google.com/iam/docs/understanding-roles#
-        #   predefined_roles) in Cloud IAM. Example request URL: `https://iam.googleapis.
-        #   com/v1/roles` * [`projects.roles.list()`](https://cloud.google.com/iam/
-        #   reference/rest/v1/projects.roles/list): `projects/`PROJECT_ID``. This method
-        #   lists all project-level [custom roles](https://cloud.google.com/iam/docs/
-        #   understanding-custom-roles). Example request URL: `https://iam.googleapis.com/
-        #   v1/projects/`PROJECT_ID`/roles` * [`organizations.roles.list()`](https://cloud.
-        #   google.com/iam/reference/rest/v1/organizations.roles/list): `organizations/`
-        #   ORGANIZATION_ID``. This method lists all organization-level [custom roles](
-        #   https://cloud.google.com/iam/docs/understanding-custom-roles). Example request
-        #   URL: `https://iam.googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles`
-        #   Note: Wildcard (*) values are invalid; you must specify a complete project ID
-        #   or organization ID.
+        #   namely [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [
+        #   projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles),
+        #   or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   organizations.roles). Each resource type's `parent` value format is described
+        #   below: * [roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   roles/list): An empty string. This method doesn't require a resource; it
+        #   simply returns all [predefined roles](https://cloud.google.com/iam/docs/
+        #   understanding-roles#predefined_roles) in IAM. Example request URL: `https://
+        #   iam.googleapis.com/v1/roles` * [projects.roles.list](https://cloud.google.com/
+        #   iam/docs/reference/rest/v1/projects.roles/list): `projects/`PROJECT_ID``. This
+        #   method lists all project-level [custom roles](https://cloud.google.com/iam/
+        #   docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.
+        #   com/v1/projects/`PROJECT_ID`/roles` * [organizations.roles.list](https://cloud.
+        #   google.com/iam/docs/reference/rest/v1/organizations.roles/list): `
+        #   organizations/`ORGANIZATION_ID``. This method lists all organization-level [
+        #   custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
+        #   Example request URL: `https://iam.googleapis.com/v1/organizations/`
+        #   ORGANIZATION_ID`/roles` Note: Wildcard (*) values are invalid; you must
+        #   specify a complete project ID or organization ID.
         # @param [Fixnum] page_size
         #   Optional limit on the number of roles to include in the response. The default
         #   is 300, and the maximum is 1,000.
@@ -1342,16 +3525,16 @@ module Google
         # Updates the definition of a custom Role.
         # @param [String] name
         #   The `name` parameter's value depends on the target resource for the request,
-        #   namely [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.
-        #   roles) or [`organizations`](https://cloud.google.com/iam/reference/rest/v1/
+        #   namely [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.
+        #   roles) or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/
         #   organizations.roles). Each resource type's `name` value format is described
-        #   below: * [`projects.roles.patch()`](https://cloud.google.com/iam/reference/
+        #   below: * [projects.roles.patch](https://cloud.google.com/iam/docs/reference/
         #   rest/v1/projects.roles/patch): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID``.
         #   This method updates only [custom roles](https://cloud.google.com/iam/docs/
         #   understanding-custom-roles) that have been created at the project level.
         #   Example request URL: `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/
-        #   roles/`CUSTOM_ROLE_ID`` * [`organizations.roles.patch()`](https://cloud.google.
-        #   com/iam/reference/rest/v1/organizations.roles/patch): `organizations/`
+        #   roles/`CUSTOM_ROLE_ID`` * [organizations.roles.patch](https://cloud.google.com/
+        #   iam/docs/reference/rest/v1/organizations.roles/patch): `organizations/`
         #   ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID``. This method updates only [custom
         #   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have
         #   been created at the organization level. Example request URL: `https://iam.
@@ -1394,17 +3577,17 @@ module Google
         # Undeletes a custom Role.
         # @param [String] name
         #   The `name` parameter's value depends on the target resource for the request,
-        #   namely [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.
-        #   roles) or [`organizations`](https://cloud.google.com/iam/reference/rest/v1/
+        #   namely [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.
+        #   roles) or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/
         #   organizations.roles). Each resource type's `name` value format is described
-        #   below: * [`projects.roles.undelete()`](https://cloud.google.com/iam/reference/
+        #   below: * [projects.roles.undelete](https://cloud.google.com/iam/docs/reference/
         #   rest/v1/projects.roles/undelete): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID`
         #   `. This method undeletes only [custom roles](https://cloud.google.com/iam/docs/
         #   understanding-custom-roles) that have been created at the project level.
         #   Example request URL: `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/
-        #   roles/`CUSTOM_ROLE_ID`` * [`organizations.roles.undelete()`](https://cloud.
-        #   google.com/iam/reference/rest/v1/organizations.roles/undelete): `organizations/
-        #   `ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID``. This method undeletes only [custom
+        #   roles/`CUSTOM_ROLE_ID`` * [organizations.roles.undelete](https://cloud.google.
+        #   com/iam/docs/reference/rest/v1/organizations.roles/undelete): `organizations/`
+        #   ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID``. This method undeletes only [custom
         #   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have
         #   been created at the organization level. Example request URL: `https://iam.
         #   googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID`` Note:
@@ -1485,10 +3668,16 @@ module Google
         # hours and watch for unintended consequences. If there are no unintended
         # consequences, you can delete the service account.
         # @param [String] name
-        #   Required. The resource name of the service account in the following format: `
-        #   projects/`PROJECT_ID`/serviceAccounts/`ACCOUNT``. Using `-` as a wildcard for
-        #   the `PROJECT_ID` will infer the project from the account. The `ACCOUNT` value
-        #   can be the `email` address or the `unique_id` of the service account.
+        #   Required. The resource name of the service account. Use one of the following
+        #   formats: * `projects/`PROJECT_ID`/serviceAccounts/`EMAIL_ADDRESS`` * `projects/
+        #   `PROJECT_ID`/serviceAccounts/`UNIQUE_ID`` As an alternative, you can use the `-
+        #   ` wildcard character instead of the project ID: * `projects/-/serviceAccounts/`
+        #   EMAIL_ADDRESS`` * `projects/-/serviceAccounts/`UNIQUE_ID`` When possible,
+        #   avoid using the `-` wildcard character, because it can cause response messages
+        #   to contain misleading error codes. For example, if you try to access the
+        #   service account `projects/-/serviceAccounts/fake@example.com`, which does not
+        #   exist, the response contains an HTTP `403 Forbidden` error instead of a `404
+        #   Not Found` error.
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -1528,10 +3717,16 @@ module Google
         # consequences. If there are no unintended consequences, you can delete the
         # service account with DeleteServiceAccount.
         # @param [String] name
-        #   The resource name of the service account in the following format: `projects/`
-        #   PROJECT_ID`/serviceAccounts/`ACCOUNT``. Using `-` as a wildcard for the `
-        #   PROJECT_ID` will infer the project from the account. The `ACCOUNT` value can
-        #   be the `email` address or the `unique_id` of the service account.
+        #   The resource name of the service account. Use one of the following formats: * `
+        #   projects/`PROJECT_ID`/serviceAccounts/`EMAIL_ADDRESS`` * `projects/`PROJECT_ID`
+        #   /serviceAccounts/`UNIQUE_ID`` As an alternative, you can use the `-` wildcard
+        #   character instead of the project ID: * `projects/-/serviceAccounts/`
+        #   EMAIL_ADDRESS`` * `projects/-/serviceAccounts/`UNIQUE_ID`` When possible,
+        #   avoid using the `-` wildcard character, because it can cause response messages
+        #   to contain misleading error codes. For example, if you try to access the
+        #   service account `projects/-/serviceAccounts/fake@example.com`, which does not
+        #   exist, the response contains an HTTP `403 Forbidden` error instead of a `404
+        #   Not Found` error.
         # @param [Google::Apis::IamV1::DisableServiceAccountRequest] disable_service_account_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
@@ -1568,10 +3763,16 @@ module Google
         # the service account because it was compromised—you cannot use this method to
         # enable the service account.
         # @param [String] name
-        #   The resource name of the service account in the following format: `projects/`
-        #   PROJECT_ID`/serviceAccounts/`ACCOUNT``. Using `-` as a wildcard for the `
-        #   PROJECT_ID` will infer the project from the account. The `ACCOUNT` value can
-        #   be the `email` address or the `unique_id` of the service account.
+        #   The resource name of the service account. Use one of the following formats: * `
+        #   projects/`PROJECT_ID`/serviceAccounts/`EMAIL_ADDRESS`` * `projects/`PROJECT_ID`
+        #   /serviceAccounts/`UNIQUE_ID`` As an alternative, you can use the `-` wildcard
+        #   character instead of the project ID: * `projects/-/serviceAccounts/`
+        #   EMAIL_ADDRESS`` * `projects/-/serviceAccounts/`UNIQUE_ID`` When possible,
+        #   avoid using the `-` wildcard character, because it can cause response messages
+        #   to contain misleading error codes. For example, if you try to access the
+        #   service account `projects/-/serviceAccounts/fake@example.com`, which does not
+        #   exist, the response contains an HTTP `403 Forbidden` error instead of a `404
+        #   Not Found` error.
         # @param [Google::Apis::IamV1::EnableServiceAccountRequest] enable_service_account_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
@@ -1604,10 +3805,16 @@ module Google
         
         # Gets a ServiceAccount.
         # @param [String] name
-        #   Required. The resource name of the service account in the following format: `
-        #   projects/`PROJECT_ID`/serviceAccounts/`ACCOUNT``. Using `-` as a wildcard for
-        #   the `PROJECT_ID` will infer the project from the account. The `ACCOUNT` value
-        #   can be the `email` address or the `unique_id` of the service account.
+        #   Required. The resource name of the service account. Use one of the following
+        #   formats: * `projects/`PROJECT_ID`/serviceAccounts/`EMAIL_ADDRESS`` * `projects/
+        #   `PROJECT_ID`/serviceAccounts/`UNIQUE_ID`` As an alternative, you can use the `-
+        #   ` wildcard character instead of the project ID: * `projects/-/serviceAccounts/`
+        #   EMAIL_ADDRESS`` * `projects/-/serviceAccounts/`UNIQUE_ID`` When possible,
+        #   avoid using the `-` wildcard character, because it can cause response messages
+        #   to contain misleading error codes. For example, if you try to access the
+        #   service account `projects/-/serviceAccounts/fake@example.com`, which does not
+        #   exist, the response contains an HTTP `403 Forbidden` error instead of a `404
+        #   Not Found` error.
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -1640,8 +3847,8 @@ module Google
         # does not tell you whether the service account has been granted any roles on
         # other resources. To check whether a service account has role grants on a
         # resource, use the `getIamPolicy` method for that resource. For example, to
-        # view the role grants for a project, call the Resource Manager API's [`projects.
-        # getIamPolicy`](https://cloud.google.com/resource-manager/reference/rest/v1/
+        # view the role grants for a project, call the Resource Manager API's [projects.
+        # getIamPolicy](https://cloud.google.com/resource-manager/reference/rest/v1/
         # projects/getIamPolicy) method.
         # @param [String] resource
         #   REQUIRED: The resource for which the policy is being requested. See [Resource
@@ -1735,10 +3942,10 @@ module Google
         #   character instead of the project ID: * `projects/-/serviceAccounts/`
         #   EMAIL_ADDRESS`` * `projects/-/serviceAccounts/`UNIQUE_ID`` When possible,
         #   avoid using the `-` wildcard character, because it can cause response messages
-        #   to contain misleading error codes. For example, if you try to get the service
-        #   account `projects/-/serviceAccounts/fake@example.com`, which does not exist,
-        #   the response contains an HTTP `403 Forbidden` error instead of a `404 Not
-        #   Found` error.
+        #   to contain misleading error codes. For example, if you try to access the
+        #   service account `projects/-/serviceAccounts/fake@example.com`, which does not
+        #   exist, the response contains an HTTP `403 Forbidden` error instead of a `404
+        #   Not Found` error.
         # @param [Google::Apis::IamV1::PatchServiceAccountRequest] patch_service_account_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
@@ -1815,19 +4022,19 @@ module Google
           execute_or_queue_command(command, &block)
         end
         
-        # **Note:** This method is deprecated. Use the [`signBlob`](https://cloud.google.
-        # com/iam/help/rest-credentials/v1/projects.serviceAccounts/signBlob) method in
-        # the IAM Service Account Credentials API instead. If you currently use this
-        # method, see the [migration guide](https://cloud.google.com/iam/help/
-        # credentials/migrate-api) for instructions. Signs a blob using the system-
-        # managed private key for a ServiceAccount.
+        # Signs a blob using the system-managed private key for a ServiceAccount.
         # @param [String] name
         #   Required. Deprecated. [Migrate to Service Account Credentials API](https://
         #   cloud.google.com/iam/help/credentials/migrate-api). The resource name of the
-        #   service account in the following format: `projects/`PROJECT_ID`/
-        #   serviceAccounts/`ACCOUNT``. Using `-` as a wildcard for the `PROJECT_ID` will
-        #   infer the project from the account. The `ACCOUNT` value can be the `email`
-        #   address or the `unique_id` of the service account.
+        #   service account. Use one of the following formats: * `projects/`PROJECT_ID`/
+        #   serviceAccounts/`EMAIL_ADDRESS`` * `projects/`PROJECT_ID`/serviceAccounts/`
+        #   UNIQUE_ID`` As an alternative, you can use the `-` wildcard character instead
+        #   of the project ID: * `projects/-/serviceAccounts/`EMAIL_ADDRESS`` * `projects/-
+        #   /serviceAccounts/`UNIQUE_ID`` When possible, avoid using the `-` wildcard
+        #   character, because it can cause response messages to contain misleading error
+        #   codes. For example, if you try to access the service account `projects/-/
+        #   serviceAccounts/fake@example.com`, which does not exist, the response contains
+        #   an HTTP `403 Forbidden` error instead of a `404 Not Found` error.
         # @param [Google::Apis::IamV1::SignBlobRequest] sign_blob_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
@@ -1858,19 +4065,20 @@ module Google
           execute_or_queue_command(command, &block)
         end
         
-        # **Note:** This method is deprecated. Use the [`signJwt`](https://cloud.google.
-        # com/iam/help/rest-credentials/v1/projects.serviceAccounts/signJwt) method in
-        # the IAM Service Account Credentials API instead. If you currently use this
-        # method, see the [migration guide](https://cloud.google.com/iam/help/
-        # credentials/migrate-api) for instructions. Signs a JSON Web Token (JWT) using
-        # the system-managed private key for a ServiceAccount.
+        # Signs a JSON Web Token (JWT) using the system-managed private key for a
+        # ServiceAccount.
         # @param [String] name
         #   Required. Deprecated. [Migrate to Service Account Credentials API](https://
         #   cloud.google.com/iam/help/credentials/migrate-api). The resource name of the
-        #   service account in the following format: `projects/`PROJECT_ID`/
-        #   serviceAccounts/`ACCOUNT``. Using `-` as a wildcard for the `PROJECT_ID` will
-        #   infer the project from the account. The `ACCOUNT` value can be the `email`
-        #   address or the `unique_id` of the service account.
+        #   service account. Use one of the following formats: * `projects/`PROJECT_ID`/
+        #   serviceAccounts/`EMAIL_ADDRESS`` * `projects/`PROJECT_ID`/serviceAccounts/`
+        #   UNIQUE_ID`` As an alternative, you can use the `-` wildcard character instead
+        #   of the project ID: * `projects/-/serviceAccounts/`EMAIL_ADDRESS`` * `projects/-
+        #   /serviceAccounts/`UNIQUE_ID`` When possible, avoid using the `-` wildcard
+        #   character, because it can cause response messages to contain misleading error
+        #   codes. For example, if you try to access the service account `projects/-/
+        #   serviceAccounts/fake@example.com`, which does not exist, the response contains
+        #   an HTTP `403 Forbidden` error instead of a `404 Not Found` error.
         # @param [Google::Apis::IamV1::SignJwtRequest] sign_jwt_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
@@ -1942,9 +4150,16 @@ module Google
         # account 30 days later. There is no way to restore a deleted service account
         # that has been permanently removed.
         # @param [String] name
-        #   The resource name of the service account in the following format: `projects/`
-        #   PROJECT_ID`/serviceAccounts/`ACCOUNT_UNIQUE_ID``. Using `-` as a wildcard for
-        #   the `PROJECT_ID` will infer the project from the account.
+        #   The resource name of the service account. Use one of the following formats: * `
+        #   projects/`PROJECT_ID`/serviceAccounts/`EMAIL_ADDRESS`` * `projects/`PROJECT_ID`
+        #   /serviceAccounts/`UNIQUE_ID`` As an alternative, you can use the `-` wildcard
+        #   character instead of the project ID: * `projects/-/serviceAccounts/`
+        #   EMAIL_ADDRESS`` * `projects/-/serviceAccounts/`UNIQUE_ID`` When possible,
+        #   avoid using the `-` wildcard character, because it can cause response messages
+        #   to contain misleading error codes. For example, if you try to access the
+        #   service account `projects/-/serviceAccounts/fake@example.com`, which does not
+        #   exist, the response contains an HTTP `403 Forbidden` error instead of a `404
+        #   Not Found` error.
         # @param [Google::Apis::IamV1::UndeleteServiceAccountRequest] undelete_service_account_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
@@ -1985,10 +4200,10 @@ module Google
         #   character instead of the project ID: * `projects/-/serviceAccounts/`
         #   EMAIL_ADDRESS`` * `projects/-/serviceAccounts/`UNIQUE_ID`` When possible,
         #   avoid using the `-` wildcard character, because it can cause response messages
-        #   to contain misleading error codes. For example, if you try to get the service
-        #   account `projects/-/serviceAccounts/fake@example.com`, which does not exist,
-        #   the response contains an HTTP `403 Forbidden` error instead of a `404 Not
-        #   Found` error.
+        #   to contain misleading error codes. For example, if you try to access the
+        #   service account `projects/-/serviceAccounts/fake@example.com`, which does not
+        #   exist, the response contains an HTTP `403 Forbidden` error instead of a `404
+        #   Not Found` error.
         # @param [Google::Apis::IamV1::ServiceAccount] service_account_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
@@ -2021,10 +4236,16 @@ module Google
         
         # Creates a ServiceAccountKey.
         # @param [String] name
-        #   Required. The resource name of the service account in the following format: `
-        #   projects/`PROJECT_ID`/serviceAccounts/`ACCOUNT``. Using `-` as a wildcard for
-        #   the `PROJECT_ID` will infer the project from the account. The `ACCOUNT` value
-        #   can be the `email` address or the `unique_id` of the service account.
+        #   Required. The resource name of the service account. Use one of the following
+        #   formats: * `projects/`PROJECT_ID`/serviceAccounts/`EMAIL_ADDRESS`` * `projects/
+        #   `PROJECT_ID`/serviceAccounts/`UNIQUE_ID`` As an alternative, you can use the `-
+        #   ` wildcard character instead of the project ID: * `projects/-/serviceAccounts/`
+        #   EMAIL_ADDRESS`` * `projects/-/serviceAccounts/`UNIQUE_ID`` When possible,
+        #   avoid using the `-` wildcard character, because it can cause response messages
+        #   to contain misleading error codes. For example, if you try to access the
+        #   service account `projects/-/serviceAccounts/fake@example.com`, which does not
+        #   exist, the response contains an HTTP `403 Forbidden` error instead of a `404
+        #   Not Found` error.
         # @param [Google::Apis::IamV1::CreateServiceAccountKeyRequest] create_service_account_key_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
@@ -2058,11 +4279,17 @@ module Google
         # Deletes a ServiceAccountKey. Deleting a service account key does not revoke
         # short-lived credentials that have been issued based on the service account key.
         # @param [String] name
-        #   Required. The resource name of the service account key in the following format:
-        #   `projects/`PROJECT_ID`/serviceAccounts/`ACCOUNT`/keys/`key``. Using `-` as a
-        #   wildcard for the `PROJECT_ID` will infer the project from the account. The `
-        #   ACCOUNT` value can be the `email` address or the `unique_id` of the service
-        #   account.
+        #   Required. The resource name of the service account key. Use one of the
+        #   following formats: * `projects/`PROJECT_ID`/serviceAccounts/`EMAIL_ADDRESS`/
+        #   keys/`KEY_ID`` * `projects/`PROJECT_ID`/serviceAccounts/`UNIQUE_ID`/keys/`
+        #   KEY_ID`` As an alternative, you can use the `-` wildcard character instead of
+        #   the project ID: * `projects/-/serviceAccounts/`EMAIL_ADDRESS`/keys/`KEY_ID`` *
+        #   `projects/-/serviceAccounts/`UNIQUE_ID`/keys/`KEY_ID`` When possible, avoid
+        #   using the `-` wildcard character, because it can cause response messages to
+        #   contain misleading error codes. For example, if you try to access the service
+        #   account key `projects/-/serviceAccounts/fake@example.com/keys/fake-key`, which
+        #   does not exist, the response contains an HTTP `403 Forbidden` error instead of
+        #   a `404 Not Found` error.
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -2093,11 +4320,17 @@ module Google
         # Disable a ServiceAccountKey. A disabled service account key can be re-enabled
         # with EnableServiceAccountKey.
         # @param [String] name
-        #   Required. The resource name of the service account key in the following format:
-        #   `projects/`PROJECT_ID`/serviceAccounts/`ACCOUNT`/keys/`key``. Using `-` as a
-        #   wildcard for the `PROJECT_ID` will infer the project from the account. The `
-        #   ACCOUNT` value can be the `email` address or the `unique_id` of the service
-        #   account.
+        #   Required. The resource name of the service account key. Use one of the
+        #   following formats: * `projects/`PROJECT_ID`/serviceAccounts/`EMAIL_ADDRESS`/
+        #   keys/`KEY_ID`` * `projects/`PROJECT_ID`/serviceAccounts/`UNIQUE_ID`/keys/`
+        #   KEY_ID`` As an alternative, you can use the `-` wildcard character instead of
+        #   the project ID: * `projects/-/serviceAccounts/`EMAIL_ADDRESS`/keys/`KEY_ID`` *
+        #   `projects/-/serviceAccounts/`UNIQUE_ID`/keys/`KEY_ID`` When possible, avoid
+        #   using the `-` wildcard character, because it can cause response messages to
+        #   contain misleading error codes. For example, if you try to access the service
+        #   account key `projects/-/serviceAccounts/fake@example.com/keys/fake-key`, which
+        #   does not exist, the response contains an HTTP `403 Forbidden` error instead of
+        #   a `404 Not Found` error.
         # @param [Google::Apis::IamV1::DisableServiceAccountKeyRequest] disable_service_account_key_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
@@ -2130,11 +4363,17 @@ module Google
         
         # Enable a ServiceAccountKey.
         # @param [String] name
-        #   Required. The resource name of the service account key in the following format:
-        #   `projects/`PROJECT_ID`/serviceAccounts/`ACCOUNT`/keys/`key``. Using `-` as a
-        #   wildcard for the `PROJECT_ID` will infer the project from the account. The `
-        #   ACCOUNT` value can be the `email` address or the `unique_id` of the service
-        #   account.
+        #   Required. The resource name of the service account key. Use one of the
+        #   following formats: * `projects/`PROJECT_ID`/serviceAccounts/`EMAIL_ADDRESS`/
+        #   keys/`KEY_ID`` * `projects/`PROJECT_ID`/serviceAccounts/`UNIQUE_ID`/keys/`
+        #   KEY_ID`` As an alternative, you can use the `-` wildcard character instead of
+        #   the project ID: * `projects/-/serviceAccounts/`EMAIL_ADDRESS`/keys/`KEY_ID`` *
+        #   `projects/-/serviceAccounts/`UNIQUE_ID`/keys/`KEY_ID`` When possible, avoid
+        #   using the `-` wildcard character, because it can cause response messages to
+        #   contain misleading error codes. For example, if you try to access the service
+        #   account key `projects/-/serviceAccounts/fake@example.com/keys/fake-key`, which
+        #   does not exist, the response contains an HTTP `403 Forbidden` error instead of
+        #   a `404 Not Found` error.
         # @param [Google::Apis::IamV1::EnableServiceAccountKeyRequest] enable_service_account_key_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
@@ -2167,11 +4406,17 @@ module Google
         
         # Gets a ServiceAccountKey.
         # @param [String] name
-        #   Required. The resource name of the service account key in the following format:
-        #   `projects/`PROJECT_ID`/serviceAccounts/`ACCOUNT`/keys/`key``. Using `-` as a
-        #   wildcard for the `PROJECT_ID` will infer the project from the account. The `
-        #   ACCOUNT` value can be the `email` address or the `unique_id` of the service
-        #   account.
+        #   Required. The resource name of the service account key. Use one of the
+        #   following formats: * `projects/`PROJECT_ID`/serviceAccounts/`EMAIL_ADDRESS`/
+        #   keys/`KEY_ID`` * `projects/`PROJECT_ID`/serviceAccounts/`UNIQUE_ID`/keys/`
+        #   KEY_ID`` As an alternative, you can use the `-` wildcard character instead of
+        #   the project ID: * `projects/-/serviceAccounts/`EMAIL_ADDRESS`/keys/`KEY_ID`` *
+        #   `projects/-/serviceAccounts/`UNIQUE_ID`/keys/`KEY_ID`` When possible, avoid
+        #   using the `-` wildcard character, because it can cause response messages to
+        #   contain misleading error codes. For example, if you try to access the service
+        #   account key `projects/-/serviceAccounts/fake@example.com/keys/fake-key`, which
+        #   does not exist, the response contains an HTTP `403 Forbidden` error instead of
+        #   a `404 Not Found` error.
         # @param [String] public_key_type
         #   Optional. The output format of the public key. The default is `TYPE_NONE`,
         #   which means that the public key is not returned.
@@ -2205,10 +4450,16 @@ module Google
         
         # Lists every ServiceAccountKey for a service account.
         # @param [String] name
-        #   Required. The resource name of the service account in the following format: `
-        #   projects/`PROJECT_ID`/serviceAccounts/`ACCOUNT``. Using `-` as a wildcard for
-        #   the `PROJECT_ID`, will infer the project from the account. The `ACCOUNT` value
-        #   can be the `email` address or the `unique_id` of the service account.
+        #   Required. The resource name of the service account. Use one of the following
+        #   formats: * `projects/`PROJECT_ID`/serviceAccounts/`EMAIL_ADDRESS`` * `projects/
+        #   `PROJECT_ID`/serviceAccounts/`UNIQUE_ID`` As an alternative, you can use the `-
+        #   ` wildcard character instead of the project ID: * `projects/-/serviceAccounts/`
+        #   EMAIL_ADDRESS`` * `projects/-/serviceAccounts/`UNIQUE_ID`` When possible,
+        #   avoid using the `-` wildcard character, because it can cause response messages
+        #   to contain misleading error codes. For example, if you try to access the
+        #   service account `projects/-/serviceAccounts/fake@example.com`, which does not
+        #   exist, the response contains an HTTP `403 Forbidden` error instead of a `404
+        #   Not Found` error.
         # @param [Array<String>, String] key_types
         #   Filters the types of keys the user wants to include in the list response.
         #   Duplicate key types are not allowed. If no key type is provided, all keys are
@@ -2245,10 +4496,16 @@ module Google
         # the public key with a ServiceAccount. After you upload the public key, you can
         # use the private key from the key pair as a service account key.
         # @param [String] name
-        #   The resource name of the service account in the following format: `projects/`
-        #   PROJECT_ID`/serviceAccounts/`ACCOUNT``. Using `-` as a wildcard for the `
-        #   PROJECT_ID` will infer the project from the account. The `ACCOUNT` value can
-        #   be the `email` address or the `unique_id` of the service account.
+        #   The resource name of the service account key. Use one of the following formats:
+        #   * `projects/`PROJECT_ID`/serviceAccounts/`EMAIL_ADDRESS`` * `projects/`
+        #   PROJECT_ID`/serviceAccounts/`UNIQUE_ID`` As an alternative, you can use the `-`
+        #   wildcard character instead of the project ID: * `projects/-/serviceAccounts/`
+        #   EMAIL_ADDRESS`` * `projects/-/serviceAccounts/`UNIQUE_ID`` When possible,
+        #   avoid using the `-` wildcard character, because it can cause response messages
+        #   to contain misleading error codes. For example, if you try to access the
+        #   service account `projects/-/serviceAccounts/fake@example.com`, which does not
+        #   exist, the response contains an HTTP `403 Forbidden` error instead of a `404
+        #   Not Found` error.
         # @param [Google::Apis::IamV1::UploadServiceAccountKeyRequest] upload_service_account_key_request_object
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
@@ -2282,26 +4539,27 @@ module Google
         # Gets the definition of a Role.
         # @param [String] name
         #   The `name` parameter's value depends on the target resource for the request,
-        #   namely [`roles`](https://cloud.google.com/iam/reference/rest/v1/roles), [`
-        #   projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles), or [
-        #   `organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.
-        #   roles). Each resource type's `name` value format is described below: * [`roles.
-        #   get()`](https://cloud.google.com/iam/reference/rest/v1/roles/get): `roles/`
-        #   ROLE_NAME``. This method returns results from all [predefined roles](https://
-        #   cloud.google.com/iam/docs/understanding-roles#predefined_roles) in Cloud IAM.
-        #   Example request URL: `https://iam.googleapis.com/v1/roles/`ROLE_NAME`` * [`
-        #   projects.roles.get()`](https://cloud.google.com/iam/reference/rest/v1/projects.
-        #   roles/get): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID``. This method
-        #   returns only [custom roles](https://cloud.google.com/iam/docs/understanding-
-        #   custom-roles) that have been created at the project level. Example request URL:
-        #   `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID`` *
-        #   [`organizations.roles.get()`](https://cloud.google.com/iam/reference/rest/v1/
-        #   organizations.roles/get): `organizations/`ORGANIZATION_ID`/roles/`
-        #   CUSTOM_ROLE_ID``. This method returns only [custom roles](https://cloud.google.
-        #   com/iam/docs/understanding-custom-roles) that have been created at the
-        #   organization level. Example request URL: `https://iam.googleapis.com/v1/
-        #   organizations/`ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID`` Note: Wildcard (*)
-        #   values are invalid; you must specify a complete project ID or organization ID.
+        #   namely [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [
+        #   projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles),
+        #   or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   organizations.roles). Each resource type's `name` value format is described
+        #   below: * [roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/roles/
+        #   get): `roles/`ROLE_NAME``. This method returns results from all [predefined
+        #   roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles)
+        #   in IAM. Example request URL: `https://iam.googleapis.com/v1/roles/`ROLE_NAME``
+        #   * [projects.roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   projects.roles/get): `projects/`PROJECT_ID`/roles/`CUSTOM_ROLE_ID``. This
+        #   method returns only [custom roles](https://cloud.google.com/iam/docs/
+        #   understanding-custom-roles) that have been created at the project level.
+        #   Example request URL: `https://iam.googleapis.com/v1/projects/`PROJECT_ID`/
+        #   roles/`CUSTOM_ROLE_ID`` * [organizations.roles.get](https://cloud.google.com/
+        #   iam/docs/reference/rest/v1/organizations.roles/get): `organizations/`
+        #   ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID``. This method returns only [custom
+        #   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have
+        #   been created at the organization level. Example request URL: `https://iam.
+        #   googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles/`CUSTOM_ROLE_ID`` Note:
+        #   Wildcard (*) values are invalid; you must specify a complete project ID or
+        #   organization ID.
         # @param [String] fields
         #   Selector specifying which fields to include in a partial response.
         # @param [String] quota_user
@@ -2338,25 +4596,25 @@ module Google
         #   Optional pagination token returned in an earlier ListRolesResponse.
         # @param [String] parent
         #   The `parent` parameter's value depends on the target resource for the request,
-        #   namely [`roles`](https://cloud.google.com/iam/reference/rest/v1/roles), [`
-        #   projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles), or [
-        #   `organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.
-        #   roles). Each resource type's `parent` value format is described below: * [`
-        #   roles.list()`](https://cloud.google.com/iam/reference/rest/v1/roles/list): An
-        #   empty string. This method doesn't require a resource; it simply returns all [
-        #   predefined roles](https://cloud.google.com/iam/docs/understanding-roles#
-        #   predefined_roles) in Cloud IAM. Example request URL: `https://iam.googleapis.
-        #   com/v1/roles` * [`projects.roles.list()`](https://cloud.google.com/iam/
-        #   reference/rest/v1/projects.roles/list): `projects/`PROJECT_ID``. This method
-        #   lists all project-level [custom roles](https://cloud.google.com/iam/docs/
-        #   understanding-custom-roles). Example request URL: `https://iam.googleapis.com/
-        #   v1/projects/`PROJECT_ID`/roles` * [`organizations.roles.list()`](https://cloud.
-        #   google.com/iam/reference/rest/v1/organizations.roles/list): `organizations/`
-        #   ORGANIZATION_ID``. This method lists all organization-level [custom roles](
-        #   https://cloud.google.com/iam/docs/understanding-custom-roles). Example request
-        #   URL: `https://iam.googleapis.com/v1/organizations/`ORGANIZATION_ID`/roles`
-        #   Note: Wildcard (*) values are invalid; you must specify a complete project ID
-        #   or organization ID.
+        #   namely [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [
+        #   projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles),
+        #   or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   organizations.roles). Each resource type's `parent` value format is described
+        #   below: * [roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/
+        #   roles/list): An empty string. This method doesn't require a resource; it
+        #   simply returns all [predefined roles](https://cloud.google.com/iam/docs/
+        #   understanding-roles#predefined_roles) in IAM. Example request URL: `https://
+        #   iam.googleapis.com/v1/roles` * [projects.roles.list](https://cloud.google.com/
+        #   iam/docs/reference/rest/v1/projects.roles/list): `projects/`PROJECT_ID``. This
+        #   method lists all project-level [custom roles](https://cloud.google.com/iam/
+        #   docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.
+        #   com/v1/projects/`PROJECT_ID`/roles` * [organizations.roles.list](https://cloud.
+        #   google.com/iam/docs/reference/rest/v1/organizations.roles/list): `
+        #   organizations/`ORGANIZATION_ID``. This method lists all organization-level [
+        #   custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
+        #   Example request URL: `https://iam.googleapis.com/v1/organizations/`
+        #   ORGANIZATION_ID`/roles` Note: Wildcard (*) values are invalid; you must
+        #   specify a complete project ID or organization ID.
         # @param [Boolean] show_deleted
         #   Include Roles that have been deleted.
         # @param [String] view