vagrant-unbundled 2.3.2.0 → 2.3.3.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -0
- data/Gemfile.lock +12 -12
- data/LICENSE +1 -3
- data/lib/vagrant/errors.rb +4 -0
- data/lib/vagrant/util/install_cli_autocomplete.rb +3 -3
- data/lib/vagrant.rb +0 -3
- data/pkg/vagrant-unbundled-2.3.2.0.gem +0 -0
- data/plugins/commands/serve/command.rb +1 -1
- data/plugins/guests/solaris/cap/remove_public_key.rb +2 -2
- data/plugins/hosts/gentoo/host.rb +1 -1
- data/plugins/hosts/slackware/host.rb +1 -1
- data/plugins/providers/virtualbox/action/network.rb +8 -5
- data/plugins/providers/virtualbox/driver/base.rb +3 -1
- data/plugins/providers/virtualbox/driver/version_5_0.rb +40 -36
- data/plugins/providers/virtualbox/driver/version_7_0.rb +223 -5
- data/plugins/provisioners/ansible/cap/guest/debian/ansible_install.rb +1 -1
- data/plugins/provisioners/ansible/provisioner/host.rb +1 -1
- data/plugins/provisioners/chef/config/chef_zero.rb +1 -1
- data/plugins/synced_folders/rsync/helper.rb +1 -0
- data/templates/locales/en.yml +4 -0
- data/thirdparty/proto/api-common-protos/.bazelrc +2 -0
- data/thirdparty/proto/api-common-protos/.git +1 -0
- data/thirdparty/proto/api-common-protos/.gitignore +11 -0
- data/thirdparty/proto/api-common-protos/BUILD.bazel +129 -0
- data/thirdparty/proto/api-common-protos/CODE_OF_CONDUCT.md +43 -0
- data/thirdparty/proto/api-common-protos/CONTRIBUTING.md +42 -0
- data/thirdparty/proto/api-common-protos/Dockerfile +18 -0
- data/thirdparty/proto/api-common-protos/LICENSE +201 -0
- data/thirdparty/proto/api-common-protos/README.md +113 -0
- data/thirdparty/proto/api-common-protos/SECURITY.md +7 -0
- data/thirdparty/proto/api-common-protos/WORKSPACE +154 -0
- data/thirdparty/proto/api-common-protos/google/api/BUILD.bazel +246 -0
- data/thirdparty/proto/api-common-protos/google/api/README.md +46 -0
- data/thirdparty/proto/api-common-protos/google/api/annotations.proto +31 -0
- data/thirdparty/proto/api-common-protos/google/api/auth.proto +181 -0
- data/thirdparty/proto/api-common-protos/google/api/backend.proto +51 -0
- data/thirdparty/proto/api-common-protos/google/api/billing.proto +67 -0
- data/thirdparty/proto/api-common-protos/google/api/client.proto +99 -0
- data/thirdparty/proto/api-common-protos/google/api/config_change.proto +85 -0
- data/thirdparty/proto/api-common-protos/google/api/consumer.proto +83 -0
- data/thirdparty/proto/api-common-protos/google/api/context.proto +63 -0
- data/thirdparty/proto/api-common-protos/google/api/control.proto +33 -0
- data/thirdparty/proto/api-common-protos/google/api/distribution.proto +213 -0
- data/thirdparty/proto/api-common-protos/google/api/documentation.proto +157 -0
- data/thirdparty/proto/api-common-protos/google/api/endpoint.proto +71 -0
- data/thirdparty/proto/api-common-protos/google/api/field_behavior.proto +84 -0
- data/thirdparty/proto/api-common-protos/google/api/http.proto +318 -0
- data/thirdparty/proto/api-common-protos/google/api/httpbody.proto +76 -0
- data/thirdparty/proto/api-common-protos/google/api/label.proto +49 -0
- data/thirdparty/proto/api-common-protos/google/api/launch_stage.proto +67 -0
- data/thirdparty/proto/api-common-protos/google/api/log.proto +55 -0
- data/thirdparty/proto/api-common-protos/google/api/logging.proto +83 -0
- data/thirdparty/proto/api-common-protos/google/api/metric.proto +192 -0
- data/thirdparty/proto/api-common-protos/google/api/monitored_resource.proto +116 -0
- data/thirdparty/proto/api-common-protos/google/api/monitoring.proto +89 -0
- data/thirdparty/proto/api-common-protos/google/api/quota.proto +259 -0
- data/thirdparty/proto/api-common-protos/google/api/resource.proto +299 -0
- data/thirdparty/proto/api-common-protos/google/api/routing.proto +461 -0
- data/thirdparty/proto/api-common-protos/google/api/service.proto +175 -0
- data/thirdparty/proto/api-common-protos/google/api/source_info.proto +32 -0
- data/thirdparty/proto/api-common-protos/google/api/system_parameter.proto +96 -0
- data/thirdparty/proto/api-common-protos/google/api/usage.proto +92 -0
- data/thirdparty/proto/api-common-protos/google/cloud/extended_operations.proto +150 -0
- data/thirdparty/proto/api-common-protos/google/iam/README.md +14 -0
- data/thirdparty/proto/api-common-protos/google/iam/admin/v1/iam.proto +1087 -0
- data/thirdparty/proto/api-common-protos/google/iam/v1/iam_policy.proto +145 -0
- data/thirdparty/proto/api-common-protos/google/iam/v1/logging/audit_data.proto +34 -0
- data/thirdparty/proto/api-common-protos/google/iam/v1/options.proto +41 -0
- data/thirdparty/proto/api-common-protos/google/iam/v1/policy.proto +240 -0
- data/thirdparty/proto/api-common-protos/google/logging/type/README.md +12 -0
- data/thirdparty/proto/api-common-protos/google/logging/type/http_request.proto +92 -0
- data/thirdparty/proto/api-common-protos/google/logging/type/log_severity.proto +72 -0
- data/thirdparty/proto/api-common-protos/google/longrunning/README.md +31 -0
- data/thirdparty/proto/api-common-protos/google/longrunning/operations.proto +247 -0
- data/thirdparty/proto/api-common-protos/google/rpc/README.md +18 -0
- data/thirdparty/proto/api-common-protos/google/rpc/code.proto +186 -0
- data/thirdparty/proto/api-common-protos/google/rpc/context/attribute_context.proto +287 -0
- data/thirdparty/proto/api-common-protos/google/rpc/error_details.proto +246 -0
- data/thirdparty/proto/api-common-protos/google/rpc/status.proto +47 -0
- data/thirdparty/proto/api-common-protos/google/type/README.md +7 -0
- data/thirdparty/proto/api-common-protos/google/type/calendar_period.proto +57 -0
- data/thirdparty/proto/api-common-protos/google/type/color.proto +170 -0
- data/thirdparty/proto/api-common-protos/google/type/date.proto +50 -0
- data/thirdparty/proto/api-common-protos/google/type/datetime.proto +97 -0
- data/thirdparty/proto/api-common-protos/google/type/dayofweek.proto +51 -0
- data/thirdparty/proto/api-common-protos/google/type/expr.proto +51 -0
- data/thirdparty/proto/api-common-protos/google/type/fraction.proto +34 -0
- data/thirdparty/proto/api-common-protos/google/type/latlng.proto +37 -0
- data/thirdparty/proto/api-common-protos/google/type/money.proto +43 -0
- data/thirdparty/proto/api-common-protos/google/type/month.proto +66 -0
- data/thirdparty/proto/api-common-protos/google/type/postal_address.proto +135 -0
- data/thirdparty/proto/api-common-protos/google/type/quaternion.proto +95 -0
- data/thirdparty/proto/api-common-protos/google/type/timeofday.proto +44 -0
- data/thirdparty/proto/api-common-protos/renovate.json +5 -0
- data/thirdparty/proto/api-common-protos/repository_rules.bzl +222 -0
- data/vagrant.gemspec +4 -4
- data/version.txt +1 -1
- metadata +89 -20
- data/lib/vagrant/patches/net-ssh.rb +0 -286
@@ -0,0 +1,1087 @@
|
|
1
|
+
// Copyright 2019 Google LLC.
|
2
|
+
//
|
3
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
4
|
+
// you may not use this file except in compliance with the License.
|
5
|
+
// You may obtain a copy of the License at
|
6
|
+
//
|
7
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
8
|
+
//
|
9
|
+
// Unless required by applicable law or agreed to in writing, software
|
10
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
11
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
12
|
+
// See the License for the specific language governing permissions and
|
13
|
+
// limitations under the License.
|
14
|
+
|
15
|
+
syntax = "proto3";
|
16
|
+
|
17
|
+
package google.iam.admin.v1;
|
18
|
+
|
19
|
+
import "google/api/annotations.proto";
|
20
|
+
import "google/api/client.proto";
|
21
|
+
import "google/api/field_behavior.proto";
|
22
|
+
import "google/api/resource.proto";
|
23
|
+
import "google/iam/v1/iam_policy.proto";
|
24
|
+
import "google/iam/v1/policy.proto";
|
25
|
+
import "google/protobuf/empty.proto";
|
26
|
+
import "google/protobuf/field_mask.proto";
|
27
|
+
import "google/protobuf/timestamp.proto";
|
28
|
+
|
29
|
+
option cc_enable_arenas = true;
|
30
|
+
option go_package = "google.golang.org/genproto/googleapis/iam/admin/v1;admin";
|
31
|
+
option java_multiple_files = true;
|
32
|
+
option java_outer_classname = "IamProto";
|
33
|
+
option java_package = "com.google.iam.admin.v1";
|
34
|
+
|
35
|
+
// Creates and manages service account objects.
|
36
|
+
//
|
37
|
+
// Service account is an account that belongs to your project instead
|
38
|
+
// of to an individual end user. It is used to authenticate calls
|
39
|
+
// to a Google API.
|
40
|
+
//
|
41
|
+
// To create a service account, specify the `project_id` and `account_id`
|
42
|
+
// for the account. The `account_id` is unique within the project, and used
|
43
|
+
// to generate the service account email address and a stable
|
44
|
+
// `unique_id`.
|
45
|
+
//
|
46
|
+
// All other methods can identify accounts using the format
|
47
|
+
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
48
|
+
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
49
|
+
// the account. The `ACCOUNT` value can be the `email` address or the
|
50
|
+
// `unique_id` of the service account.
|
51
|
+
service IAM {
|
52
|
+
option (google.api.default_host) = "iam.googleapis.com";
|
53
|
+
option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
|
54
|
+
|
55
|
+
// Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project.
|
56
|
+
rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) {
|
57
|
+
option (google.api.http) = {
|
58
|
+
get: "/v1/{name=projects/*}/serviceAccounts"
|
59
|
+
};
|
60
|
+
option (google.api.method_signature) = "name";
|
61
|
+
}
|
62
|
+
|
63
|
+
// Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
|
64
|
+
rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount) {
|
65
|
+
option (google.api.http) = {
|
66
|
+
get: "/v1/{name=projects/*/serviceAccounts/*}"
|
67
|
+
};
|
68
|
+
option (google.api.method_signature) = "name";
|
69
|
+
}
|
70
|
+
|
71
|
+
// Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]
|
72
|
+
// and returns it.
|
73
|
+
rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) {
|
74
|
+
option (google.api.http) = {
|
75
|
+
post: "/v1/{name=projects/*}/serviceAccounts"
|
76
|
+
body: "*"
|
77
|
+
};
|
78
|
+
option (google.api.method_signature) = "name,account_id,service_account";
|
79
|
+
}
|
80
|
+
|
81
|
+
// Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
|
82
|
+
//
|
83
|
+
// Currently, only the following fields are updatable:
|
84
|
+
// `display_name` and `description`.
|
85
|
+
rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) {
|
86
|
+
option (google.api.http) = {
|
87
|
+
put: "/v1/{name=projects/*/serviceAccounts/*}"
|
88
|
+
body: "*"
|
89
|
+
};
|
90
|
+
}
|
91
|
+
|
92
|
+
// Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
|
93
|
+
rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) {
|
94
|
+
option (google.api.http) = {
|
95
|
+
delete: "/v1/{name=projects/*/serviceAccounts/*}"
|
96
|
+
};
|
97
|
+
option (google.api.method_signature) = "name";
|
98
|
+
}
|
99
|
+
|
100
|
+
// Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey].
|
101
|
+
rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) {
|
102
|
+
option (google.api.http) = {
|
103
|
+
get: "/v1/{name=projects/*/serviceAccounts/*}/keys"
|
104
|
+
};
|
105
|
+
option (google.api.method_signature) = "name,key_types";
|
106
|
+
}
|
107
|
+
|
108
|
+
// Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
|
109
|
+
// by key id.
|
110
|
+
rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) {
|
111
|
+
option (google.api.http) = {
|
112
|
+
get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
|
113
|
+
};
|
114
|
+
option (google.api.method_signature) = "name,public_key_type";
|
115
|
+
}
|
116
|
+
|
117
|
+
// Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
|
118
|
+
// and returns it.
|
119
|
+
rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) {
|
120
|
+
option (google.api.http) = {
|
121
|
+
post: "/v1/{name=projects/*/serviceAccounts/*}/keys"
|
122
|
+
body: "*"
|
123
|
+
};
|
124
|
+
option (google.api.method_signature) = "name,private_key_type,key_algorithm";
|
125
|
+
}
|
126
|
+
|
127
|
+
// Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
|
128
|
+
rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) {
|
129
|
+
option (google.api.http) = {
|
130
|
+
delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
|
131
|
+
};
|
132
|
+
option (google.api.method_signature) = "name";
|
133
|
+
}
|
134
|
+
|
135
|
+
// Signs a blob using a service account's system-managed private key.
|
136
|
+
rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) {
|
137
|
+
option (google.api.http) = {
|
138
|
+
post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob"
|
139
|
+
body: "*"
|
140
|
+
};
|
141
|
+
option (google.api.method_signature) = "name,bytes_to_sign";
|
142
|
+
}
|
143
|
+
|
144
|
+
// Signs a JWT using a service account's system-managed private key.
|
145
|
+
//
|
146
|
+
// If no expiry time (`exp`) is provided in the `SignJwtRequest`, IAM sets an
|
147
|
+
// an expiry time of one hour by default. If you request an expiry time of
|
148
|
+
// more than one hour, the request will fail.
|
149
|
+
rpc SignJwt(SignJwtRequest) returns (SignJwtResponse) {
|
150
|
+
option (google.api.http) = {
|
151
|
+
post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt"
|
152
|
+
body: "*"
|
153
|
+
};
|
154
|
+
option (google.api.method_signature) = "name,payload";
|
155
|
+
}
|
156
|
+
|
157
|
+
// Returns the Cloud IAM access control policy for a
|
158
|
+
// [ServiceAccount][google.iam.admin.v1.ServiceAccount].
|
159
|
+
//
|
160
|
+
// Note: Service accounts are both
|
161
|
+
// [resources and
|
162
|
+
// identities](/iam/docs/service-accounts#service_account_permissions). This
|
163
|
+
// method treats the service account as a resource. It returns the Cloud IAM
|
164
|
+
// policy that reflects what members have access to the service account.
|
165
|
+
//
|
166
|
+
// This method does not return what resources the service account has access
|
167
|
+
// to. To see if a service account has access to a resource, call the
|
168
|
+
// `getIamPolicy` method on the target resource. For example, to view grants
|
169
|
+
// for a project, call the
|
170
|
+
// [projects.getIamPolicy](/resource-manager/reference/rest/v1/projects/getIamPolicy)
|
171
|
+
// method.
|
172
|
+
rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
|
173
|
+
option (google.api.http) = {
|
174
|
+
post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy"
|
175
|
+
};
|
176
|
+
option (google.api.method_signature) = "resource";
|
177
|
+
}
|
178
|
+
|
179
|
+
// Sets the Cloud IAM access control policy for a
|
180
|
+
// [ServiceAccount][google.iam.admin.v1.ServiceAccount].
|
181
|
+
//
|
182
|
+
// Note: Service accounts are both
|
183
|
+
// [resources and
|
184
|
+
// identities](/iam/docs/service-accounts#service_account_permissions). This
|
185
|
+
// method treats the service account as a resource. Use it to grant members
|
186
|
+
// access to the service account, such as when they need to impersonate it.
|
187
|
+
//
|
188
|
+
// This method does not grant the service account access to other resources,
|
189
|
+
// such as projects. To grant a service account access to resources, include
|
190
|
+
// the service account in the Cloud IAM policy for the desired resource, then
|
191
|
+
// call the appropriate `setIamPolicy` method on the target resource. For
|
192
|
+
// example, to grant a service account access to a project, call the
|
193
|
+
// [projects.setIamPolicy](/resource-manager/reference/rest/v1/projects/setIamPolicy)
|
194
|
+
// method.
|
195
|
+
rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
|
196
|
+
option (google.api.http) = {
|
197
|
+
post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy"
|
198
|
+
body: "*"
|
199
|
+
};
|
200
|
+
option (google.api.method_signature) = "resource,policy";
|
201
|
+
}
|
202
|
+
|
203
|
+
// Tests the specified permissions against the IAM access control policy
|
204
|
+
// for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
|
205
|
+
rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
|
206
|
+
option (google.api.http) = {
|
207
|
+
post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions"
|
208
|
+
body: "*"
|
209
|
+
};
|
210
|
+
option (google.api.method_signature) = "resource,permissions";
|
211
|
+
}
|
212
|
+
|
213
|
+
// Queries roles that can be granted on a particular resource.
|
214
|
+
// A role is grantable if it can be used as the role in a binding for a policy
|
215
|
+
// for that resource.
|
216
|
+
rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) {
|
217
|
+
option (google.api.http) = {
|
218
|
+
post: "/v1/roles:queryGrantableRoles"
|
219
|
+
body: "*"
|
220
|
+
};
|
221
|
+
option (google.api.method_signature) = "full_resource_name";
|
222
|
+
}
|
223
|
+
|
224
|
+
// Lists the Roles defined on a resource.
|
225
|
+
rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) {
|
226
|
+
option (google.api.http) = {
|
227
|
+
get: "/v1/roles"
|
228
|
+
additional_bindings {
|
229
|
+
get: "/v1/{parent=organizations/*}/roles"
|
230
|
+
}
|
231
|
+
additional_bindings {
|
232
|
+
get: "/v1/{parent=projects/*}/roles"
|
233
|
+
}
|
234
|
+
};
|
235
|
+
}
|
236
|
+
|
237
|
+
// Gets a Role definition.
|
238
|
+
rpc GetRole(GetRoleRequest) returns (Role) {
|
239
|
+
option (google.api.http) = {
|
240
|
+
get: "/v1/{name=roles/*}"
|
241
|
+
additional_bindings {
|
242
|
+
get: "/v1/{name=organizations/*/roles/*}"
|
243
|
+
}
|
244
|
+
additional_bindings {
|
245
|
+
get: "/v1/{name=projects/*/roles/*}"
|
246
|
+
}
|
247
|
+
};
|
248
|
+
}
|
249
|
+
|
250
|
+
// Creates a new Role.
|
251
|
+
rpc CreateRole(CreateRoleRequest) returns (Role) {
|
252
|
+
option (google.api.http) = {
|
253
|
+
post: "/v1/{parent=organizations/*}/roles"
|
254
|
+
body: "*"
|
255
|
+
additional_bindings {
|
256
|
+
post: "/v1/{parent=projects/*}/roles"
|
257
|
+
body: "*"
|
258
|
+
}
|
259
|
+
};
|
260
|
+
}
|
261
|
+
|
262
|
+
// Updates a Role definition.
|
263
|
+
rpc UpdateRole(UpdateRoleRequest) returns (Role) {
|
264
|
+
option (google.api.http) = {
|
265
|
+
patch: "/v1/{name=organizations/*/roles/*}"
|
266
|
+
body: "role"
|
267
|
+
additional_bindings {
|
268
|
+
patch: "/v1/{name=projects/*/roles/*}"
|
269
|
+
body: "role"
|
270
|
+
}
|
271
|
+
};
|
272
|
+
}
|
273
|
+
|
274
|
+
// Soft deletes a role. The role is suspended and cannot be used to create new
|
275
|
+
// IAM Policy Bindings.
|
276
|
+
// The Role will not be included in `ListRoles()` unless `show_deleted` is set
|
277
|
+
// in the `ListRolesRequest`. The Role contains the deleted boolean set.
|
278
|
+
// Existing Bindings remains, but are inactive. The Role can be undeleted
|
279
|
+
// within 7 days. After 7 days the Role is deleted and all Bindings associated
|
280
|
+
// with the role are removed.
|
281
|
+
rpc DeleteRole(DeleteRoleRequest) returns (Role) {
|
282
|
+
option (google.api.http) = {
|
283
|
+
delete: "/v1/{name=organizations/*/roles/*}"
|
284
|
+
additional_bindings {
|
285
|
+
delete: "/v1/{name=projects/*/roles/*}"
|
286
|
+
}
|
287
|
+
};
|
288
|
+
}
|
289
|
+
|
290
|
+
// Undelete a Role, bringing it back in its previous state.
|
291
|
+
rpc UndeleteRole(UndeleteRoleRequest) returns (Role) {
|
292
|
+
option (google.api.http) = {
|
293
|
+
post: "/v1/{name=organizations/*/roles/*}:undelete"
|
294
|
+
body: "*"
|
295
|
+
additional_bindings {
|
296
|
+
post: "/v1/{name=projects/*/roles/*}:undelete"
|
297
|
+
body: "*"
|
298
|
+
}
|
299
|
+
};
|
300
|
+
}
|
301
|
+
|
302
|
+
// Lists the permissions testable on a resource.
|
303
|
+
// A permission is testable if it can be tested for an identity on a resource.
|
304
|
+
rpc QueryTestablePermissions(QueryTestablePermissionsRequest) returns (QueryTestablePermissionsResponse) {
|
305
|
+
option (google.api.http) = {
|
306
|
+
post: "/v1/permissions:queryTestablePermissions"
|
307
|
+
body: "*"
|
308
|
+
};
|
309
|
+
}
|
310
|
+
}
|
311
|
+
|
312
|
+
// A service account in the Identity and Access Management API.
|
313
|
+
//
|
314
|
+
// To create a service account, specify the `project_id` and the `account_id`
|
315
|
+
// for the account. The `account_id` is unique within the project, and is used
|
316
|
+
// to generate the service account email address and a stable
|
317
|
+
// `unique_id`.
|
318
|
+
//
|
319
|
+
// If the account already exists, the account's resource name is returned
|
320
|
+
// in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
|
321
|
+
// can use the name in other methods to access the account.
|
322
|
+
//
|
323
|
+
// All other methods can identify the service account using the format
|
324
|
+
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
325
|
+
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
326
|
+
// the account. The `ACCOUNT` value can be the `email` address or the
|
327
|
+
// `unique_id` of the service account.
|
328
|
+
message ServiceAccount {
|
329
|
+
option (google.api.resource) = {
|
330
|
+
type: "iam.googleapis.com/ServiceAccount"
|
331
|
+
pattern: "projects/{project}/serviceAccounts/{service_account}"
|
332
|
+
};
|
333
|
+
|
334
|
+
// The resource name of the service account in the following format:
|
335
|
+
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
336
|
+
//
|
337
|
+
// Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
|
338
|
+
// project from the `account` and the `ACCOUNT` value can be the `email`
|
339
|
+
// address or the `unique_id` of the service account.
|
340
|
+
//
|
341
|
+
// In responses the resource name will always be in the format
|
342
|
+
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
343
|
+
string name = 1;
|
344
|
+
|
345
|
+
// @OutputOnly The id of the project that owns the service account.
|
346
|
+
string project_id = 2;
|
347
|
+
|
348
|
+
// @OutputOnly The unique and stable id of the service account.
|
349
|
+
string unique_id = 4;
|
350
|
+
|
351
|
+
// @OutputOnly The email address of the service account.
|
352
|
+
string email = 5;
|
353
|
+
|
354
|
+
// Optional. A user-specified name for the service account.
|
355
|
+
// Must be less than or equal to 100 UTF-8 bytes.
|
356
|
+
string display_name = 6;
|
357
|
+
|
358
|
+
// Optional. Note: `etag` is an inoperable legacy field that is only returned
|
359
|
+
// for backwards compatibility.
|
360
|
+
bytes etag = 7;
|
361
|
+
|
362
|
+
// @OutputOnly. The OAuth2 client id for the service account.
|
363
|
+
// This is used in conjunction with the OAuth2 clientconfig API to make
|
364
|
+
// three legged OAuth2 (3LO) flows to access the data of Google users.
|
365
|
+
string oauth2_client_id = 9;
|
366
|
+
}
|
367
|
+
|
368
|
+
// The service account create request.
|
369
|
+
message CreateServiceAccountRequest {
|
370
|
+
// Required. The resource name of the project associated with the service
|
371
|
+
// accounts, such as `projects/my-project-123`.
|
372
|
+
string name = 1 [
|
373
|
+
(google.api.field_behavior) = REQUIRED,
|
374
|
+
(google.api.resource_reference) = {
|
375
|
+
type: "cloudresourcemanager.googleapis.com/Project"
|
376
|
+
}
|
377
|
+
];
|
378
|
+
|
379
|
+
// Required. The account id that is used to generate the service account
|
380
|
+
// email address and a stable unique id. It is unique within a project,
|
381
|
+
// must be 6-30 characters long, and match the regular expression
|
382
|
+
// `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
|
383
|
+
string account_id = 2 [(google.api.field_behavior) = REQUIRED];
|
384
|
+
|
385
|
+
// The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to
|
386
|
+
// create. Currently, only the following values are user assignable:
|
387
|
+
// `display_name` and `description`.
|
388
|
+
ServiceAccount service_account = 3;
|
389
|
+
}
|
390
|
+
|
391
|
+
// The service account list request.
|
392
|
+
message ListServiceAccountsRequest {
|
393
|
+
// Required. The resource name of the project associated with the service
|
394
|
+
// accounts, such as `projects/my-project-123`.
|
395
|
+
string name = 1 [
|
396
|
+
(google.api.field_behavior) = REQUIRED,
|
397
|
+
(google.api.resource_reference) = {
|
398
|
+
type: "cloudresourcemanager.googleapis.com/Project"
|
399
|
+
}
|
400
|
+
];
|
401
|
+
|
402
|
+
// Optional limit on the number of service accounts to include in the
|
403
|
+
// response. Further accounts can subsequently be obtained by including the
|
404
|
+
// [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token]
|
405
|
+
// in a subsequent request.
|
406
|
+
int32 page_size = 2;
|
407
|
+
|
408
|
+
// Optional pagination token returned in an earlier
|
409
|
+
// [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token].
|
410
|
+
string page_token = 3;
|
411
|
+
}
|
412
|
+
|
413
|
+
// The service account list response.
|
414
|
+
message ListServiceAccountsResponse {
|
415
|
+
// The list of matching service accounts.
|
416
|
+
repeated ServiceAccount accounts = 1;
|
417
|
+
|
418
|
+
// To retrieve the next page of results, set
|
419
|
+
// [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token]
|
420
|
+
// to this value.
|
421
|
+
string next_page_token = 2;
|
422
|
+
}
|
423
|
+
|
424
|
+
// The service account get request.
|
425
|
+
message GetServiceAccountRequest {
|
426
|
+
// Required. The resource name of the service account in the following format:
|
427
|
+
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
428
|
+
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
429
|
+
// the account. The `ACCOUNT` value can be the `email` address or the
|
430
|
+
// `unique_id` of the service account.
|
431
|
+
string name = 1 [
|
432
|
+
(google.api.field_behavior) = REQUIRED,
|
433
|
+
(google.api.resource_reference) = {
|
434
|
+
type: "iam.googleapis.com/ServiceAccount"
|
435
|
+
}
|
436
|
+
];
|
437
|
+
}
|
438
|
+
|
439
|
+
// The service account delete request.
|
440
|
+
message DeleteServiceAccountRequest {
|
441
|
+
// Required. The resource name of the service account in the following format:
|
442
|
+
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
443
|
+
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
444
|
+
// the account. The `ACCOUNT` value can be the `email` address or the
|
445
|
+
// `unique_id` of the service account.
|
446
|
+
string name = 1 [
|
447
|
+
(google.api.field_behavior) = REQUIRED,
|
448
|
+
(google.api.resource_reference) = {
|
449
|
+
type: "iam.googleapis.com/ServiceAccount"
|
450
|
+
}
|
451
|
+
];
|
452
|
+
}
|
453
|
+
|
454
|
+
// The service account keys list request.
|
455
|
+
message ListServiceAccountKeysRequest {
|
456
|
+
// `KeyType` filters to selectively retrieve certain varieties
|
457
|
+
// of keys.
|
458
|
+
enum KeyType {
|
459
|
+
// Unspecified key type. The presence of this in the
|
460
|
+
// message will immediately result in an error.
|
461
|
+
KEY_TYPE_UNSPECIFIED = 0;
|
462
|
+
|
463
|
+
// User-managed keys (managed and rotated by the user).
|
464
|
+
USER_MANAGED = 1;
|
465
|
+
|
466
|
+
// System-managed keys (managed and rotated by Google).
|
467
|
+
SYSTEM_MANAGED = 2;
|
468
|
+
}
|
469
|
+
|
470
|
+
// Required. The resource name of the service account in the following format:
|
471
|
+
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
472
|
+
//
|
473
|
+
// Using `-` as a wildcard for the `PROJECT_ID`, will infer the project from
|
474
|
+
// the account. The `ACCOUNT` value can be the `email` address or the
|
475
|
+
// `unique_id` of the service account.
|
476
|
+
string name = 1 [
|
477
|
+
(google.api.field_behavior) = REQUIRED,
|
478
|
+
(google.api.resource_reference) = {
|
479
|
+
type: "iam.googleapis.com/ServiceAccount"
|
480
|
+
}
|
481
|
+
];
|
482
|
+
|
483
|
+
// Filters the types of keys the user wants to include in the list
|
484
|
+
// response. Duplicate key types are not allowed. If no key type
|
485
|
+
// is provided, all keys are returned.
|
486
|
+
repeated KeyType key_types = 2;
|
487
|
+
}
|
488
|
+
|
489
|
+
// The service account keys list response.
|
490
|
+
message ListServiceAccountKeysResponse {
|
491
|
+
// The public keys for the service account.
|
492
|
+
repeated ServiceAccountKey keys = 1;
|
493
|
+
}
|
494
|
+
|
495
|
+
// The service account key get by id request.
|
496
|
+
message GetServiceAccountKeyRequest {
|
497
|
+
// Required. The resource name of the service account key in the following format:
|
498
|
+
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
|
499
|
+
//
|
500
|
+
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
501
|
+
// the account. The `ACCOUNT` value can be the `email` address or the
|
502
|
+
// `unique_id` of the service account.
|
503
|
+
string name = 1 [
|
504
|
+
(google.api.field_behavior) = REQUIRED,
|
505
|
+
(google.api.resource_reference) = {
|
506
|
+
type: "iam.googleapis.com/Key"
|
507
|
+
}
|
508
|
+
];
|
509
|
+
|
510
|
+
// The output format of the public key requested.
|
511
|
+
// X509_PEM is the default output format.
|
512
|
+
ServiceAccountPublicKeyType public_key_type = 2;
|
513
|
+
}
|
514
|
+
|
515
|
+
// Represents a service account key.
|
516
|
+
//
|
517
|
+
// A service account has two sets of key-pairs: user-managed, and
|
518
|
+
// system-managed.
|
519
|
+
//
|
520
|
+
// User-managed key-pairs can be created and deleted by users. Users are
|
521
|
+
// responsible for rotating these keys periodically to ensure security of
|
522
|
+
// their service accounts. Users retain the private key of these key-pairs,
|
523
|
+
// and Google retains ONLY the public key.
|
524
|
+
//
|
525
|
+
// System-managed keys are automatically rotated by Google, and are used for
|
526
|
+
// signing for a maximum of two weeks. The rotation process is probabilistic,
|
527
|
+
// and usage of the new key will gradually ramp up and down over the key's
|
528
|
+
// lifetime. We recommend caching the public key set for a service account for
|
529
|
+
// no more than 24 hours to ensure you have access to the latest keys.
|
530
|
+
//
|
531
|
+
// Public keys for all service accounts are also published at the OAuth2
|
532
|
+
// Service Account API.
|
533
|
+
message ServiceAccountKey {
|
534
|
+
option (google.api.resource) = {
|
535
|
+
type: "iam.googleapis.com/Key"
|
536
|
+
pattern: "projects/{project}/serviceAccounts/{service_account}/keys/{key}"
|
537
|
+
};
|
538
|
+
|
539
|
+
// The resource name of the service account key in the following format
|
540
|
+
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
|
541
|
+
string name = 1;
|
542
|
+
|
543
|
+
// The output format for the private key.
|
544
|
+
// Only provided in `CreateServiceAccountKey` responses, not
|
545
|
+
// in `GetServiceAccountKey` or `ListServiceAccountKey` responses.
|
546
|
+
//
|
547
|
+
// Google never exposes system-managed private keys, and never retains
|
548
|
+
// user-managed private keys.
|
549
|
+
ServiceAccountPrivateKeyType private_key_type = 2;
|
550
|
+
|
551
|
+
// Specifies the algorithm (and possibly key size) for the key.
|
552
|
+
ServiceAccountKeyAlgorithm key_algorithm = 8;
|
553
|
+
|
554
|
+
// The private key data. Only provided in `CreateServiceAccountKey`
|
555
|
+
// responses. Make sure to keep the private key data secure because it
|
556
|
+
// allows for the assertion of the service account identity.
|
557
|
+
// When base64 decoded, the private key data can be used to authenticate with
|
558
|
+
// Google API client libraries and with
|
559
|
+
// <a href="/sdk/gcloud/reference/auth/activate-service-account">gcloud
|
560
|
+
// auth activate-service-account</a>.
|
561
|
+
bytes private_key_data = 3;
|
562
|
+
|
563
|
+
// The public key data. Only provided in `GetServiceAccountKey` responses.
|
564
|
+
bytes public_key_data = 7;
|
565
|
+
|
566
|
+
// The key can be used after this timestamp.
|
567
|
+
google.protobuf.Timestamp valid_after_time = 4;
|
568
|
+
|
569
|
+
// The key can be used before this timestamp.
|
570
|
+
// For system-managed key pairs, this timestamp is the end time for the
|
571
|
+
// private key signing operation. The public key could still be used
|
572
|
+
// for verification for a few hours after this time.
|
573
|
+
google.protobuf.Timestamp valid_before_time = 5;
|
574
|
+
}
|
575
|
+
|
576
|
+
// The service account key create request.
|
577
|
+
message CreateServiceAccountKeyRequest {
|
578
|
+
// Required. The resource name of the service account in the following format:
|
579
|
+
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
580
|
+
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
581
|
+
// the account. The `ACCOUNT` value can be the `email` address or the
|
582
|
+
// `unique_id` of the service account.
|
583
|
+
string name = 1 [
|
584
|
+
(google.api.field_behavior) = REQUIRED,
|
585
|
+
(google.api.resource_reference) = {
|
586
|
+
type: "iam.googleapis.com/ServiceAccount"
|
587
|
+
}
|
588
|
+
];
|
589
|
+
|
590
|
+
// The output format of the private key. The default value is
|
591
|
+
// `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File
|
592
|
+
// format.
|
593
|
+
ServiceAccountPrivateKeyType private_key_type = 2;
|
594
|
+
|
595
|
+
// Which type of key and algorithm to use for the key.
|
596
|
+
// The default is currently a 2K RSA key. However this may change in the
|
597
|
+
// future.
|
598
|
+
ServiceAccountKeyAlgorithm key_algorithm = 3;
|
599
|
+
}
|
600
|
+
|
601
|
+
// The service account key delete request.
|
602
|
+
message DeleteServiceAccountKeyRequest {
|
603
|
+
// Required. The resource name of the service account key in the following format:
|
604
|
+
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
|
605
|
+
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
606
|
+
// the account. The `ACCOUNT` value can be the `email` address or the
|
607
|
+
// `unique_id` of the service account.
|
608
|
+
string name = 1 [
|
609
|
+
(google.api.field_behavior) = REQUIRED,
|
610
|
+
(google.api.resource_reference) = {
|
611
|
+
type: "iam.googleapis.com/Key"
|
612
|
+
}
|
613
|
+
];
|
614
|
+
}
|
615
|
+
|
616
|
+
// The service account sign blob request.
|
617
|
+
message SignBlobRequest {
|
618
|
+
// Required. The resource name of the service account in the following format:
|
619
|
+
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
620
|
+
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
621
|
+
// the account. The `ACCOUNT` value can be the `email` address or the
|
622
|
+
// `unique_id` of the service account.
|
623
|
+
string name = 1 [
|
624
|
+
(google.api.field_behavior) = REQUIRED,
|
625
|
+
(google.api.resource_reference) = {
|
626
|
+
type: "iam.googleapis.com/ServiceAccount"
|
627
|
+
}
|
628
|
+
];
|
629
|
+
|
630
|
+
// Required. The bytes to sign.
|
631
|
+
bytes bytes_to_sign = 2 [(google.api.field_behavior) = REQUIRED];
|
632
|
+
}
|
633
|
+
|
634
|
+
// The service account sign blob response.
|
635
|
+
message SignBlobResponse {
|
636
|
+
// The id of the key used to sign the blob.
|
637
|
+
string key_id = 1;
|
638
|
+
|
639
|
+
// The signed blob.
|
640
|
+
bytes signature = 2;
|
641
|
+
}
|
642
|
+
|
643
|
+
// The service account sign JWT request.
|
644
|
+
message SignJwtRequest {
|
645
|
+
// Required. The resource name of the service account in the following format:
|
646
|
+
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
|
647
|
+
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
|
648
|
+
// the account. The `ACCOUNT` value can be the `email` address or the
|
649
|
+
// `unique_id` of the service account.
|
650
|
+
string name = 1 [
|
651
|
+
(google.api.field_behavior) = REQUIRED,
|
652
|
+
(google.api.resource_reference) = {
|
653
|
+
type: "iam.googleapis.com/ServiceAccount"
|
654
|
+
}
|
655
|
+
];
|
656
|
+
|
657
|
+
// Required. The JWT payload to sign, a JSON JWT Claim set.
|
658
|
+
string payload = 2 [(google.api.field_behavior) = REQUIRED];
|
659
|
+
}
|
660
|
+
|
661
|
+
// The service account sign JWT response.
|
662
|
+
message SignJwtResponse {
|
663
|
+
// The id of the key used to sign the JWT.
|
664
|
+
string key_id = 1;
|
665
|
+
|
666
|
+
// The signed JWT.
|
667
|
+
string signed_jwt = 2;
|
668
|
+
}
|
669
|
+
|
670
|
+
// A role in the Identity and Access Management API.
|
671
|
+
message Role {
|
672
|
+
// A stage representing a role's lifecycle phase.
|
673
|
+
enum RoleLaunchStage {
|
674
|
+
// The user has indicated this role is currently in an Alpha phase. If this
|
675
|
+
// launch stage is selected, the `stage` field will not be included when
|
676
|
+
// requesting the definition for a given role.
|
677
|
+
ALPHA = 0;
|
678
|
+
|
679
|
+
// The user has indicated this role is currently in a Beta phase.
|
680
|
+
BETA = 1;
|
681
|
+
|
682
|
+
// The user has indicated this role is generally available.
|
683
|
+
GA = 2;
|
684
|
+
|
685
|
+
// The user has indicated this role is being deprecated.
|
686
|
+
DEPRECATED = 4;
|
687
|
+
|
688
|
+
// This role is disabled and will not contribute permissions to any members
|
689
|
+
// it is granted to in policies.
|
690
|
+
DISABLED = 5;
|
691
|
+
|
692
|
+
// The user has indicated this role is currently in an EAP phase.
|
693
|
+
EAP = 6;
|
694
|
+
}
|
695
|
+
|
696
|
+
// The name of the role.
|
697
|
+
//
|
698
|
+
// When Role is used in CreateRole, the role name must not be set.
|
699
|
+
//
|
700
|
+
// When Role is used in output and other input such as UpdateRole, the role
|
701
|
+
// name is the complete path, e.g., roles/logging.viewer for predefined roles
|
702
|
+
// and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles.
|
703
|
+
string name = 1;
|
704
|
+
|
705
|
+
// Optional. A human-readable title for the role. Typically this
|
706
|
+
// is limited to 100 UTF-8 bytes.
|
707
|
+
string title = 2;
|
708
|
+
|
709
|
+
// Optional. A human-readable description for the role.
|
710
|
+
string description = 3;
|
711
|
+
|
712
|
+
// The names of the permissions this role grants when bound in an IAM policy.
|
713
|
+
repeated string included_permissions = 7;
|
714
|
+
|
715
|
+
// The current launch stage of the role. If the `ALPHA` launch stage has been
|
716
|
+
// selected for a role, the `stage` field will not be included in the
|
717
|
+
// returned definition for the role.
|
718
|
+
RoleLaunchStage stage = 8;
|
719
|
+
|
720
|
+
// Used to perform a consistent read-modify-write.
|
721
|
+
bytes etag = 9;
|
722
|
+
|
723
|
+
// The current deleted state of the role. This field is read only.
|
724
|
+
// It will be ignored in calls to CreateRole and UpdateRole.
|
725
|
+
bool deleted = 11;
|
726
|
+
}
|
727
|
+
|
728
|
+
// The grantable role query request.
|
729
|
+
message QueryGrantableRolesRequest {
|
730
|
+
// Required. The full resource name to query from the list of grantable roles.
|
731
|
+
//
|
732
|
+
// The name follows the Google Cloud Platform resource format.
|
733
|
+
// For example, a Cloud Platform project with id `my-project` will be named
|
734
|
+
// `//cloudresourcemanager.googleapis.com/projects/my-project`.
|
735
|
+
string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED];
|
736
|
+
|
737
|
+
RoleView view = 2;
|
738
|
+
|
739
|
+
// Optional limit on the number of roles to include in the response.
|
740
|
+
int32 page_size = 3;
|
741
|
+
|
742
|
+
// Optional pagination token returned in an earlier
|
743
|
+
// QueryGrantableRolesResponse.
|
744
|
+
string page_token = 4;
|
745
|
+
}
|
746
|
+
|
747
|
+
// The grantable role query response.
|
748
|
+
message QueryGrantableRolesResponse {
|
749
|
+
// The list of matching roles.
|
750
|
+
repeated Role roles = 1;
|
751
|
+
|
752
|
+
// To retrieve the next page of results, set
|
753
|
+
// `QueryGrantableRolesRequest.page_token` to this value.
|
754
|
+
string next_page_token = 2;
|
755
|
+
}
|
756
|
+
|
757
|
+
// The request to get all roles defined under a resource.
|
758
|
+
message ListRolesRequest {
|
759
|
+
// The `parent` parameter's value depends on the target resource for the
|
760
|
+
// request, namely
|
761
|
+
// [`roles`](/iam/reference/rest/v1/roles),
|
762
|
+
// [`projects`](/iam/reference/rest/v1/projects.roles), or
|
763
|
+
// [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
|
764
|
+
// resource type's `parent` value format is described below:
|
765
|
+
//
|
766
|
+
// * [`roles.list()`](/iam/reference/rest/v1/roles/list): An empty string.
|
767
|
+
// This method doesn't require a resource; it simply returns all
|
768
|
+
// [predefined roles](/iam/docs/understanding-roles#predefined_roles) in
|
769
|
+
// Cloud IAM. Example request URL:
|
770
|
+
// `https://iam.googleapis.com/v1/roles`
|
771
|
+
//
|
772
|
+
// * [`projects.roles.list()`](/iam/reference/rest/v1/projects.roles/list):
|
773
|
+
// `projects/{PROJECT_ID}`. This method lists all project-level
|
774
|
+
// [custom roles](/iam/docs/understanding-custom-roles).
|
775
|
+
// Example request URL:
|
776
|
+
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
|
777
|
+
//
|
778
|
+
// * [`organizations.roles.list()`](/iam/reference/rest/v1/organizations.roles/list):
|
779
|
+
// `organizations/{ORGANIZATION_ID}`. This method lists all
|
780
|
+
// organization-level [custom roles](/iam/docs/understanding-custom-roles).
|
781
|
+
// Example request URL:
|
782
|
+
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
|
783
|
+
//
|
784
|
+
// Note: Wildcard (*) values are invalid; you must specify a complete project
|
785
|
+
// ID or organization ID.
|
786
|
+
string parent = 1 [(google.api.resource_reference).type = "*"];
|
787
|
+
|
788
|
+
// Optional limit on the number of roles to include in the response.
|
789
|
+
int32 page_size = 2;
|
790
|
+
|
791
|
+
// Optional pagination token returned in an earlier ListRolesResponse.
|
792
|
+
string page_token = 3;
|
793
|
+
|
794
|
+
// Optional view for the returned Role objects. When `FULL` is specified,
|
795
|
+
// the `includedPermissions` field is returned, which includes a list of all
|
796
|
+
// permissions in the role. The default value is `BASIC`, which does not
|
797
|
+
// return the `includedPermissions` field.
|
798
|
+
RoleView view = 4;
|
799
|
+
|
800
|
+
// Include Roles that have been deleted.
|
801
|
+
bool show_deleted = 6;
|
802
|
+
}
|
803
|
+
|
804
|
+
// The response containing the roles defined under a resource.
|
805
|
+
message ListRolesResponse {
|
806
|
+
// The Roles defined on this resource.
|
807
|
+
repeated Role roles = 1;
|
808
|
+
|
809
|
+
// To retrieve the next page of results, set
|
810
|
+
// `ListRolesRequest.page_token` to this value.
|
811
|
+
string next_page_token = 2;
|
812
|
+
}
|
813
|
+
|
814
|
+
// The request to get the definition of an existing role.
|
815
|
+
message GetRoleRequest {
|
816
|
+
// The `name` parameter's value depends on the target resource for the
|
817
|
+
// request, namely
|
818
|
+
// [`roles`](/iam/reference/rest/v1/roles),
|
819
|
+
// [`projects`](/iam/reference/rest/v1/projects.roles), or
|
820
|
+
// [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
|
821
|
+
// resource type's `name` value format is described below:
|
822
|
+
//
|
823
|
+
// * [`roles.get()`](/iam/reference/rest/v1/roles/get): `roles/{ROLE_NAME}`.
|
824
|
+
// This method returns results from all
|
825
|
+
// [predefined roles](/iam/docs/understanding-roles#predefined_roles) in
|
826
|
+
// Cloud IAM. Example request URL:
|
827
|
+
// `https://iam.googleapis.com/v1/roles/{ROLE_NAME}`
|
828
|
+
//
|
829
|
+
// * [`projects.roles.get()`](/iam/reference/rest/v1/projects.roles/get):
|
830
|
+
// `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only
|
831
|
+
// [custom roles](/iam/docs/understanding-custom-roles) that have been
|
832
|
+
// created at the project level. Example request URL:
|
833
|
+
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
|
834
|
+
//
|
835
|
+
// * [`organizations.roles.get()`](/iam/reference/rest/v1/organizations.roles/get):
|
836
|
+
// `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
|
837
|
+
// returns only [custom roles](/iam/docs/understanding-custom-roles) that
|
838
|
+
// have been created at the organization level. Example request URL:
|
839
|
+
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
|
840
|
+
//
|
841
|
+
// Note: Wildcard (*) values are invalid; you must specify a complete project
|
842
|
+
// ID or organization ID.
|
843
|
+
string name = 1 [(google.api.resource_reference).type = "*"];
|
844
|
+
}
|
845
|
+
|
846
|
+
// The request to create a new role.
|
847
|
+
message CreateRoleRequest {
|
848
|
+
// The `parent` parameter's value depends on the target resource for the
|
849
|
+
// request, namely
|
850
|
+
// [`projects`](/iam/reference/rest/v1/projects.roles) or
|
851
|
+
// [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
|
852
|
+
// resource type's `parent` value format is described below:
|
853
|
+
//
|
854
|
+
// * [`projects.roles.create()`](/iam/reference/rest/v1/projects.roles/create):
|
855
|
+
// `projects/{PROJECT_ID}`. This method creates project-level
|
856
|
+
// [custom roles](/iam/docs/understanding-custom-roles).
|
857
|
+
// Example request URL:
|
858
|
+
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
|
859
|
+
//
|
860
|
+
// * [`organizations.roles.create()`](/iam/reference/rest/v1/organizations.roles/create):
|
861
|
+
// `organizations/{ORGANIZATION_ID}`. This method creates organization-level
|
862
|
+
// [custom roles](/iam/docs/understanding-custom-roles). Example request
|
863
|
+
// URL:
|
864
|
+
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
|
865
|
+
//
|
866
|
+
// Note: Wildcard (*) values are invalid; you must specify a complete project
|
867
|
+
// ID or organization ID.
|
868
|
+
string parent = 1 [(google.api.resource_reference).type = "*"];
|
869
|
+
|
870
|
+
// The role ID to use for this role.
|
871
|
+
string role_id = 2;
|
872
|
+
|
873
|
+
// The Role resource to create.
|
874
|
+
Role role = 3;
|
875
|
+
}
|
876
|
+
|
877
|
+
// The request to update a role.
|
878
|
+
message UpdateRoleRequest {
|
879
|
+
// The `name` parameter's value depends on the target resource for the
|
880
|
+
// request, namely
|
881
|
+
// [`projects`](/iam/reference/rest/v1/projects.roles) or
|
882
|
+
// [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
|
883
|
+
// resource type's `name` value format is described below:
|
884
|
+
//
|
885
|
+
// * [`projects.roles.patch()`](/iam/reference/rest/v1/projects.roles/patch):
|
886
|
+
// `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only
|
887
|
+
// [custom roles](/iam/docs/understanding-custom-roles) that have been
|
888
|
+
// created at the project level. Example request URL:
|
889
|
+
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
|
890
|
+
//
|
891
|
+
// * [`organizations.roles.patch()`](/iam/reference/rest/v1/organizations.roles/patch):
|
892
|
+
// `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
|
893
|
+
// updates only [custom roles](/iam/docs/understanding-custom-roles) that
|
894
|
+
// have been created at the organization level. Example request URL:
|
895
|
+
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
|
896
|
+
//
|
897
|
+
// Note: Wildcard (*) values are invalid; you must specify a complete project
|
898
|
+
// ID or organization ID.
|
899
|
+
string name = 1 [(google.api.resource_reference).type = "*"];
|
900
|
+
|
901
|
+
// The updated role.
|
902
|
+
Role role = 2;
|
903
|
+
|
904
|
+
// A mask describing which fields in the Role have changed.
|
905
|
+
google.protobuf.FieldMask update_mask = 3;
|
906
|
+
}
|
907
|
+
|
908
|
+
// The request to delete an existing role.
|
909
|
+
message DeleteRoleRequest {
|
910
|
+
// The `name` parameter's value depends on the target resource for the
|
911
|
+
// request, namely
|
912
|
+
// [`projects`](/iam/reference/rest/v1/projects.roles) or
|
913
|
+
// [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
|
914
|
+
// resource type's `name` value format is described below:
|
915
|
+
//
|
916
|
+
// * [`projects.roles.delete()`](/iam/reference/rest/v1/projects.roles/delete):
|
917
|
+
// `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only
|
918
|
+
// [custom roles](/iam/docs/understanding-custom-roles) that have been
|
919
|
+
// created at the project level. Example request URL:
|
920
|
+
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
|
921
|
+
//
|
922
|
+
// * [`organizations.roles.delete()`](/iam/reference/rest/v1/organizations.roles/delete):
|
923
|
+
// `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
|
924
|
+
// deletes only [custom roles](/iam/docs/understanding-custom-roles) that
|
925
|
+
// have been created at the organization level. Example request URL:
|
926
|
+
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
|
927
|
+
//
|
928
|
+
// Note: Wildcard (*) values are invalid; you must specify a complete project
|
929
|
+
// ID or organization ID.
|
930
|
+
string name = 1 [(google.api.resource_reference).type = "*"];
|
931
|
+
|
932
|
+
// Used to perform a consistent read-modify-write.
|
933
|
+
bytes etag = 2;
|
934
|
+
}
|
935
|
+
|
936
|
+
// The request to undelete an existing role.
|
937
|
+
message UndeleteRoleRequest {
|
938
|
+
// The `name` parameter's value depends on the target resource for the
|
939
|
+
// request, namely
|
940
|
+
// [`projects`](/iam/reference/rest/v1/projects.roles) or
|
941
|
+
// [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
|
942
|
+
// resource type's `name` value format is described below:
|
943
|
+
//
|
944
|
+
// * [`projects.roles.undelete()`](/iam/reference/rest/v1/projects.roles/undelete):
|
945
|
+
// `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes
|
946
|
+
// only [custom roles](/iam/docs/understanding-custom-roles) that have been
|
947
|
+
// created at the project level. Example request URL:
|
948
|
+
// `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
|
949
|
+
//
|
950
|
+
// * [`organizations.roles.undelete()`](/iam/reference/rest/v1/organizations.roles/undelete):
|
951
|
+
// `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
|
952
|
+
// undeletes only [custom roles](/iam/docs/understanding-custom-roles) that
|
953
|
+
// have been created at the organization level. Example request URL:
|
954
|
+
// `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
|
955
|
+
//
|
956
|
+
// Note: Wildcard (*) values are invalid; you must specify a complete project
|
957
|
+
// ID or organization ID.
|
958
|
+
string name = 1 [(google.api.resource_reference).type = "*"];
|
959
|
+
|
960
|
+
// Used to perform a consistent read-modify-write.
|
961
|
+
bytes etag = 2;
|
962
|
+
}
|
963
|
+
|
964
|
+
// A permission which can be included by a role.
|
965
|
+
message Permission {
|
966
|
+
// A stage representing a permission's lifecycle phase.
|
967
|
+
enum PermissionLaunchStage {
|
968
|
+
// The permission is currently in an alpha phase.
|
969
|
+
ALPHA = 0;
|
970
|
+
|
971
|
+
// The permission is currently in a beta phase.
|
972
|
+
BETA = 1;
|
973
|
+
|
974
|
+
// The permission is generally available.
|
975
|
+
GA = 2;
|
976
|
+
|
977
|
+
// The permission is being deprecated.
|
978
|
+
DEPRECATED = 3;
|
979
|
+
}
|
980
|
+
|
981
|
+
// The state of the permission with regards to custom roles.
|
982
|
+
enum CustomRolesSupportLevel {
|
983
|
+
// Permission is fully supported for custom role use.
|
984
|
+
SUPPORTED = 0;
|
985
|
+
|
986
|
+
// Permission is being tested to check custom role compatibility.
|
987
|
+
TESTING = 1;
|
988
|
+
|
989
|
+
// Permission is not supported for custom role use.
|
990
|
+
NOT_SUPPORTED = 2;
|
991
|
+
}
|
992
|
+
|
993
|
+
// The name of this Permission.
|
994
|
+
string name = 1;
|
995
|
+
|
996
|
+
// The title of this Permission.
|
997
|
+
string title = 2;
|
998
|
+
|
999
|
+
// A brief description of what this Permission is used for.
|
1000
|
+
// This permission can ONLY be used in predefined roles.
|
1001
|
+
string description = 3;
|
1002
|
+
|
1003
|
+
// This permission can ONLY be used in predefined roles.
|
1004
|
+
bool only_in_predefined_roles = 4;
|
1005
|
+
|
1006
|
+
// The current launch stage of the permission.
|
1007
|
+
PermissionLaunchStage stage = 5;
|
1008
|
+
|
1009
|
+
// The current custom role support level.
|
1010
|
+
CustomRolesSupportLevel custom_roles_support_level = 6;
|
1011
|
+
}
|
1012
|
+
|
1013
|
+
// A request to get permissions which can be tested on a resource.
|
1014
|
+
message QueryTestablePermissionsRequest {
|
1015
|
+
// Required. The full resource name to query from the list of testable
|
1016
|
+
// permissions.
|
1017
|
+
//
|
1018
|
+
// The name follows the Google Cloud Platform resource format.
|
1019
|
+
// For example, a Cloud Platform project with id `my-project` will be named
|
1020
|
+
// `//cloudresourcemanager.googleapis.com/projects/my-project`.
|
1021
|
+
string full_resource_name = 1;
|
1022
|
+
|
1023
|
+
// Optional limit on the number of permissions to include in the response.
|
1024
|
+
int32 page_size = 2;
|
1025
|
+
|
1026
|
+
// Optional pagination token returned in an earlier
|
1027
|
+
// QueryTestablePermissionsRequest.
|
1028
|
+
string page_token = 3;
|
1029
|
+
}
|
1030
|
+
|
1031
|
+
// The response containing permissions which can be tested on a resource.
|
1032
|
+
message QueryTestablePermissionsResponse {
|
1033
|
+
// The Permissions testable on the requested resource.
|
1034
|
+
repeated Permission permissions = 1;
|
1035
|
+
|
1036
|
+
// To retrieve the next page of results, set
|
1037
|
+
// `QueryTestableRolesRequest.page_token` to this value.
|
1038
|
+
string next_page_token = 2;
|
1039
|
+
}
|
1040
|
+
|
1041
|
+
// Supported key algorithms.
|
1042
|
+
enum ServiceAccountKeyAlgorithm {
|
1043
|
+
// An unspecified key algorithm.
|
1044
|
+
KEY_ALG_UNSPECIFIED = 0;
|
1045
|
+
|
1046
|
+
// 1k RSA Key.
|
1047
|
+
KEY_ALG_RSA_1024 = 1;
|
1048
|
+
|
1049
|
+
// 2k RSA Key.
|
1050
|
+
KEY_ALG_RSA_2048 = 2;
|
1051
|
+
}
|
1052
|
+
|
1053
|
+
// Supported private key output formats.
|
1054
|
+
enum ServiceAccountPrivateKeyType {
|
1055
|
+
// Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`.
|
1056
|
+
TYPE_UNSPECIFIED = 0;
|
1057
|
+
|
1058
|
+
// PKCS12 format.
|
1059
|
+
// The password for the PKCS12 file is `notasecret`.
|
1060
|
+
// For more information, see https://tools.ietf.org/html/rfc7292.
|
1061
|
+
TYPE_PKCS12_FILE = 1;
|
1062
|
+
|
1063
|
+
// Google Credentials File format.
|
1064
|
+
TYPE_GOOGLE_CREDENTIALS_FILE = 2;
|
1065
|
+
}
|
1066
|
+
|
1067
|
+
// Supported public key output formats.
|
1068
|
+
enum ServiceAccountPublicKeyType {
|
1069
|
+
// Unspecified. Returns nothing here.
|
1070
|
+
TYPE_NONE = 0;
|
1071
|
+
|
1072
|
+
// X509 PEM format.
|
1073
|
+
TYPE_X509_PEM_FILE = 1;
|
1074
|
+
|
1075
|
+
// Raw public key.
|
1076
|
+
TYPE_RAW_PUBLIC_KEY = 2;
|
1077
|
+
}
|
1078
|
+
|
1079
|
+
// A view for Role objects.
|
1080
|
+
enum RoleView {
|
1081
|
+
// Omits the `included_permissions` field.
|
1082
|
+
// This is the default value.
|
1083
|
+
BASIC = 0;
|
1084
|
+
|
1085
|
+
// Returns all fields.
|
1086
|
+
FULL = 1;
|
1087
|
+
}
|