@alis-build/common-es 1.0.3

package/google/iam/admin/v1/iam_pb.d.ts

@@ -0,0 +1,2699 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// @generated by protoc-gen-es v2.11.0 with parameter "target=js+dts"
+// @generated from file google/iam/admin/v1/iam.proto (package google.iam.admin.v1, syntax proto3)
+/* eslint-disable */
+
+import type { GenEnum, GenFile, GenMessage, GenService } from "@bufbuild/protobuf/codegenv2";
+import type { Message } from "@bufbuild/protobuf";
+import type { FieldMask } from "../../../protobuf/field_mask_pb";
+import type { Timestamp } from "../../../protobuf/timestamp_pb";
+import type { Expr } from "../../../type/expr_pb";
+import type { EmptySchema } from "../../../protobuf/empty_pb";
+import type { GetIamPolicyRequestSchema, SetIamPolicyRequestSchema, TestIamPermissionsRequestSchema, TestIamPermissionsResponseSchema } from "../../v1/iam_policy_pb";
+import type { PolicySchema } from "../../v1/policy_pb";
+
+/**
+ * Describes the file google/iam/admin/v1/iam.proto.
+ */
+export declare const file_google_iam_admin_v1_iam: GenFile;
+
+/**
+ * An IAM service account.
+ *
+ * A service account is an account for an application or a virtual machine (VM)
+ * instance, not a person. You can use a service account to call Google APIs. To
+ * learn more, read the [overview of service
+ * accounts](https://cloud.google.com/iam/help/service-accounts/overview).
+ *
+ * When you create a service account, you specify the project ID that owns the
+ * service account, as well as a name that must be unique within the project.
+ * IAM uses these values to create an email address that identifies the service
+ * account.
+ *
+ * @generated from message google.iam.admin.v1.ServiceAccount
+ */
+export declare type ServiceAccount = Message<"google.iam.admin.v1.ServiceAccount"> & {
+  /**
+   * The resource name of the service account.
+   *
+   * Use one of the following formats:
+   *
+   * * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
+   * * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
+   *
+   * As an alternative, you can use the `-` wildcard character instead of the
+   * project ID:
+   *
+   * * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
+   * * `projects/-/serviceAccounts/{UNIQUE_ID}`
+   *
+   * When possible, avoid using the `-` wildcard character, because it can cause
+   * response messages to contain misleading error codes. For example, if you
+   * try to get the service account
+   * `projects/-/serviceAccounts/fake@example.com`, which does not exist, the
+   * response contains an HTTP `403 Forbidden` error instead of a `404 Not
+   * Found` error.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+
+  /**
+   * Output only. The ID of the project that owns the service account.
+   *
+   * @generated from field: string project_id = 2;
+   */
+  projectId: string;
+
+  /**
+   * Output only. The unique, stable numeric ID for the service account.
+   *
+   * Each service account retains its unique ID even if you delete the service
+   * account. For example, if you delete a service account, then create a new
+   * service account with the same name, the new service account has a different
+   * unique ID than the deleted service account.
+   *
+   * @generated from field: string unique_id = 4;
+   */
+  uniqueId: string;
+
+  /**
+   * Output only. The email address of the service account.
+   *
+   * @generated from field: string email = 5;
+   */
+  email: string;
+
+  /**
+   * Optional. A user-specified, human-readable name for the service account. The maximum
+   * length is 100 UTF-8 bytes.
+   *
+   * @generated from field: string display_name = 6;
+   */
+  displayName: string;
+
+  /**
+   * Deprecated. Do not use.
+   *
+   * @generated from field: bytes etag = 7 [deprecated = true];
+   * @deprecated
+   */
+  etag: Uint8Array;
+
+  /**
+   * Optional. A user-specified, human-readable description of the service account. The
+   * maximum length is 256 UTF-8 bytes.
+   *
+   * @generated from field: string description = 8;
+   */
+  description: string;
+
+  /**
+   * Output only. The OAuth 2.0 client ID for the service account.
+   *
+   * @generated from field: string oauth2_client_id = 9;
+   */
+  oauth2ClientId: string;
+
+  /**
+   * Output only. Whether the service account is disabled.
+   *
+   * @generated from field: bool disabled = 11;
+   */
+  disabled: boolean;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.ServiceAccount.
+ * Use `create(ServiceAccountSchema)` to create a new message.
+ */
+export declare const ServiceAccountSchema: GenMessage<ServiceAccount>;
+
+/**
+ * The service account create request.
+ *
+ * @generated from message google.iam.admin.v1.CreateServiceAccountRequest
+ */
+export declare type CreateServiceAccountRequest = Message<"google.iam.admin.v1.CreateServiceAccountRequest"> & {
+  /**
+   * Required. The resource name of the project associated with the service
+   * accounts, such as `projects/my-project-123`.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+
+  /**
+   * Required. The account id that is used to generate the service account
+   * email address and a stable unique id. It is unique within a project,
+   * must be 6-30 characters long, and match the regular expression
+   * `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
+   *
+   * @generated from field: string account_id = 2;
+   */
+  accountId: string;
+
+  /**
+   * The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to
+   * create. Currently, only the following values are user assignable:
+   * `display_name` and `description`.
+   *
+   * @generated from field: google.iam.admin.v1.ServiceAccount service_account = 3;
+   */
+  serviceAccount?: ServiceAccount;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.CreateServiceAccountRequest.
+ * Use `create(CreateServiceAccountRequestSchema)` to create a new message.
+ */
+export declare const CreateServiceAccountRequestSchema: GenMessage<CreateServiceAccountRequest>;
+
+/**
+ * The service account list request.
+ *
+ * @generated from message google.iam.admin.v1.ListServiceAccountsRequest
+ */
+export declare type ListServiceAccountsRequest = Message<"google.iam.admin.v1.ListServiceAccountsRequest"> & {
+  /**
+   * Required. The resource name of the project associated with the service
+   * accounts, such as `projects/my-project-123`.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+
+  /**
+   * Optional limit on the number of service accounts to include in the
+   * response. Further accounts can subsequently be obtained by including the
+   * [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token]
+   * in a subsequent request.
+   *
+   * The default is 20, and the maximum is 100.
+   *
+   * @generated from field: int32 page_size = 2;
+   */
+  pageSize: number;
+
+  /**
+   * Optional pagination token returned in an earlier
+   * [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token].
+   *
+   * @generated from field: string page_token = 3;
+   */
+  pageToken: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.ListServiceAccountsRequest.
+ * Use `create(ListServiceAccountsRequestSchema)` to create a new message.
+ */
+export declare const ListServiceAccountsRequestSchema: GenMessage<ListServiceAccountsRequest>;
+
+/**
+ * The service account list response.
+ *
+ * @generated from message google.iam.admin.v1.ListServiceAccountsResponse
+ */
+export declare type ListServiceAccountsResponse = Message<"google.iam.admin.v1.ListServiceAccountsResponse"> & {
+  /**
+   * The list of matching service accounts.
+   *
+   * @generated from field: repeated google.iam.admin.v1.ServiceAccount accounts = 1;
+   */
+  accounts: ServiceAccount[];
+
+  /**
+   * To retrieve the next page of results, set
+   * [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token]
+   * to this value.
+   *
+   * @generated from field: string next_page_token = 2;
+   */
+  nextPageToken: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.ListServiceAccountsResponse.
+ * Use `create(ListServiceAccountsResponseSchema)` to create a new message.
+ */
+export declare const ListServiceAccountsResponseSchema: GenMessage<ListServiceAccountsResponse>;
+
+/**
+ * The service account get request.
+ *
+ * @generated from message google.iam.admin.v1.GetServiceAccountRequest
+ */
+export declare type GetServiceAccountRequest = Message<"google.iam.admin.v1.GetServiceAccountRequest"> & {
+  /**
+   * Required. The resource name of the service account in the following format:
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+   * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
+   * the account. The `ACCOUNT` value can be the `email` address or the
+   * `unique_id` of the service account.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.GetServiceAccountRequest.
+ * Use `create(GetServiceAccountRequestSchema)` to create a new message.
+ */
+export declare const GetServiceAccountRequestSchema: GenMessage<GetServiceAccountRequest>;
+
+/**
+ * The service account delete request.
+ *
+ * @generated from message google.iam.admin.v1.DeleteServiceAccountRequest
+ */
+export declare type DeleteServiceAccountRequest = Message<"google.iam.admin.v1.DeleteServiceAccountRequest"> & {
+  /**
+   * Required. The resource name of the service account in the following format:
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+   * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
+   * the account. The `ACCOUNT` value can be the `email` address or the
+   * `unique_id` of the service account.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.DeleteServiceAccountRequest.
+ * Use `create(DeleteServiceAccountRequestSchema)` to create a new message.
+ */
+export declare const DeleteServiceAccountRequestSchema: GenMessage<DeleteServiceAccountRequest>;
+
+/**
+ * The service account patch request.
+ *
+ * You can patch only the `display_name` and `description` fields. You must use
+ * the `update_mask` field to specify which of these fields you want to patch.
+ *
+ * Only the fields specified in the request are guaranteed to be returned in
+ * the response. Other fields may be empty in the response.
+ *
+ * @generated from message google.iam.admin.v1.PatchServiceAccountRequest
+ */
+export declare type PatchServiceAccountRequest = Message<"google.iam.admin.v1.PatchServiceAccountRequest"> & {
+  /**
+   * @generated from field: google.iam.admin.v1.ServiceAccount service_account = 1;
+   */
+  serviceAccount?: ServiceAccount;
+
+  /**
+   * @generated from field: google.protobuf.FieldMask update_mask = 2;
+   */
+  updateMask?: FieldMask;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.PatchServiceAccountRequest.
+ * Use `create(PatchServiceAccountRequestSchema)` to create a new message.
+ */
+export declare const PatchServiceAccountRequestSchema: GenMessage<PatchServiceAccountRequest>;
+
+/**
+ * The service account undelete request.
+ *
+ * @generated from message google.iam.admin.v1.UndeleteServiceAccountRequest
+ */
+export declare type UndeleteServiceAccountRequest = Message<"google.iam.admin.v1.UndeleteServiceAccountRequest"> & {
+  /**
+   * The resource name of the service account in the following format:
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT_UNIQUE_ID}`.
+   * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
+   * the account.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.UndeleteServiceAccountRequest.
+ * Use `create(UndeleteServiceAccountRequestSchema)` to create a new message.
+ */
+export declare const UndeleteServiceAccountRequestSchema: GenMessage<UndeleteServiceAccountRequest>;
+
+/**
+ * @generated from message google.iam.admin.v1.UndeleteServiceAccountResponse
+ */
+export declare type UndeleteServiceAccountResponse = Message<"google.iam.admin.v1.UndeleteServiceAccountResponse"> & {
+  /**
+   * Metadata for the restored service account.
+   *
+   * @generated from field: google.iam.admin.v1.ServiceAccount restored_account = 1;
+   */
+  restoredAccount?: ServiceAccount;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.UndeleteServiceAccountResponse.
+ * Use `create(UndeleteServiceAccountResponseSchema)` to create a new message.
+ */
+export declare const UndeleteServiceAccountResponseSchema: GenMessage<UndeleteServiceAccountResponse>;
+
+/**
+ * The service account enable request.
+ *
+ * @generated from message google.iam.admin.v1.EnableServiceAccountRequest
+ */
+export declare type EnableServiceAccountRequest = Message<"google.iam.admin.v1.EnableServiceAccountRequest"> & {
+  /**
+   * The resource name of the service account in the following format:
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+   * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
+   * the account. The `ACCOUNT` value can be the `email` address or the
+   * `unique_id` of the service account.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.EnableServiceAccountRequest.
+ * Use `create(EnableServiceAccountRequestSchema)` to create a new message.
+ */
+export declare const EnableServiceAccountRequestSchema: GenMessage<EnableServiceAccountRequest>;
+
+/**
+ * The service account disable request.
+ *
+ * @generated from message google.iam.admin.v1.DisableServiceAccountRequest
+ */
+export declare type DisableServiceAccountRequest = Message<"google.iam.admin.v1.DisableServiceAccountRequest"> & {
+  /**
+   * The resource name of the service account in the following format:
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+   * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
+   * the account. The `ACCOUNT` value can be the `email` address or the
+   * `unique_id` of the service account.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.DisableServiceAccountRequest.
+ * Use `create(DisableServiceAccountRequestSchema)` to create a new message.
+ */
+export declare const DisableServiceAccountRequestSchema: GenMessage<DisableServiceAccountRequest>;
+
+/**
+ * The service account keys list request.
+ *
+ * @generated from message google.iam.admin.v1.ListServiceAccountKeysRequest
+ */
+export declare type ListServiceAccountKeysRequest = Message<"google.iam.admin.v1.ListServiceAccountKeysRequest"> & {
+  /**
+   * Required. The resource name of the service account in the following format:
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+   *
+   * Using `-` as a wildcard for the `PROJECT_ID`, will infer the project from
+   * the account. The `ACCOUNT` value can be the `email` address or the
+   * `unique_id` of the service account.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+
+  /**
+   * Filters the types of keys the user wants to include in the list
+   * response. Duplicate key types are not allowed. If no key type
+   * is provided, all keys are returned.
+   *
+   * @generated from field: repeated google.iam.admin.v1.ListServiceAccountKeysRequest.KeyType key_types = 2;
+   */
+  keyTypes: ListServiceAccountKeysRequest_KeyType[];
+};
+
+/**
+ * Describes the message google.iam.admin.v1.ListServiceAccountKeysRequest.
+ * Use `create(ListServiceAccountKeysRequestSchema)` to create a new message.
+ */
+export declare const ListServiceAccountKeysRequestSchema: GenMessage<ListServiceAccountKeysRequest>;
+
+/**
+ * `KeyType` filters to selectively retrieve certain varieties
+ * of keys.
+ *
+ * @generated from enum google.iam.admin.v1.ListServiceAccountKeysRequest.KeyType
+ */
+export enum ListServiceAccountKeysRequest_KeyType {
+  /**
+   * Unspecified key type. The presence of this in the
+   * message will immediately result in an error.
+   *
+   * @generated from enum value: KEY_TYPE_UNSPECIFIED = 0;
+   */
+  KEY_TYPE_UNSPECIFIED = 0,
+
+  /**
+   * User-managed keys (managed and rotated by the user).
+   *
+   * @generated from enum value: USER_MANAGED = 1;
+   */
+  USER_MANAGED = 1,
+
+  /**
+   * System-managed keys (managed and rotated by Google).
+   *
+   * @generated from enum value: SYSTEM_MANAGED = 2;
+   */
+  SYSTEM_MANAGED = 2,
+}
+
+/**
+ * Describes the enum google.iam.admin.v1.ListServiceAccountKeysRequest.KeyType.
+ */
+export declare const ListServiceAccountKeysRequest_KeyTypeSchema: GenEnum<ListServiceAccountKeysRequest_KeyType>;
+
+/**
+ * The service account keys list response.
+ *
+ * @generated from message google.iam.admin.v1.ListServiceAccountKeysResponse
+ */
+export declare type ListServiceAccountKeysResponse = Message<"google.iam.admin.v1.ListServiceAccountKeysResponse"> & {
+  /**
+   * The public keys for the service account.
+   *
+   * @generated from field: repeated google.iam.admin.v1.ServiceAccountKey keys = 1;
+   */
+  keys: ServiceAccountKey[];
+};
+
+/**
+ * Describes the message google.iam.admin.v1.ListServiceAccountKeysResponse.
+ * Use `create(ListServiceAccountKeysResponseSchema)` to create a new message.
+ */
+export declare const ListServiceAccountKeysResponseSchema: GenMessage<ListServiceAccountKeysResponse>;
+
+/**
+ * The service account key get by id request.
+ *
+ * @generated from message google.iam.admin.v1.GetServiceAccountKeyRequest
+ */
+export declare type GetServiceAccountKeyRequest = Message<"google.iam.admin.v1.GetServiceAccountKeyRequest"> & {
+  /**
+   * Required. The resource name of the service account key in the following format:
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
+   *
+   * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
+   * the account. The `ACCOUNT` value can be the `email` address or the
+   * `unique_id` of the service account.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+
+  /**
+   * Optional. The output format of the public key. The default is `TYPE_NONE`, which
+   * means that the public key is not returned.
+   *
+   * @generated from field: google.iam.admin.v1.ServiceAccountPublicKeyType public_key_type = 2;
+   */
+  publicKeyType: ServiceAccountPublicKeyType;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.GetServiceAccountKeyRequest.
+ * Use `create(GetServiceAccountKeyRequestSchema)` to create a new message.
+ */
+export declare const GetServiceAccountKeyRequestSchema: GenMessage<GetServiceAccountKeyRequest>;
+
+/**
+ * Represents a service account key.
+ *
+ * A service account has two sets of key-pairs: user-managed, and
+ * system-managed.
+ *
+ * User-managed key-pairs can be created and deleted by users.  Users are
+ * responsible for rotating these keys periodically to ensure security of
+ * their service accounts.  Users retain the private key of these key-pairs,
+ * and Google retains ONLY the public key.
+ *
+ * System-managed keys are automatically rotated by Google, and are used for
+ * signing for a maximum of two weeks. The rotation process is probabilistic,
+ * and usage of the new key will gradually ramp up and down over the key's
+ * lifetime.
+ *
+ * If you cache the public key set for a service account, we recommend that you
+ * update the cache every 15 minutes. User-managed keys can be added and removed
+ * at any time, so it is important to update the cache frequently. For
+ * Google-managed keys, Google will publish a key at least 6 hours before it is
+ * first used for signing and will keep publishing it for at least 6 hours after
+ * it was last used for signing.
+ *
+ * Public keys for all service accounts are also published at the OAuth2
+ * Service Account API.
+ *
+ * @generated from message google.iam.admin.v1.ServiceAccountKey
+ */
+export declare type ServiceAccountKey = Message<"google.iam.admin.v1.ServiceAccountKey"> & {
+  /**
+   * The resource name of the service account key in the following format
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+
+  /**
+   * The output format for the private key.
+   * Only provided in `CreateServiceAccountKey` responses, not
+   * in `GetServiceAccountKey` or `ListServiceAccountKey` responses.
+   *
+   * Google never exposes system-managed private keys, and never retains
+   * user-managed private keys.
+   *
+   * @generated from field: google.iam.admin.v1.ServiceAccountPrivateKeyType private_key_type = 2;
+   */
+  privateKeyType: ServiceAccountPrivateKeyType;
+
+  /**
+   * Specifies the algorithm (and possibly key size) for the key.
+   *
+   * @generated from field: google.iam.admin.v1.ServiceAccountKeyAlgorithm key_algorithm = 8;
+   */
+  keyAlgorithm: ServiceAccountKeyAlgorithm;
+
+  /**
+   * The private key data. Only provided in `CreateServiceAccountKey`
+   * responses. Make sure to keep the private key data secure because it
+   * allows for the assertion of the service account identity.
+   * When base64 decoded, the private key data can be used to authenticate with
+   * Google API client libraries and with
+   * <a href="/sdk/gcloud/reference/auth/activate-service-account">gcloud
+   * auth activate-service-account</a>.
+   *
+   * @generated from field: bytes private_key_data = 3;
+   */
+  privateKeyData: Uint8Array;
+
+  /**
+   * The public key data. Only provided in `GetServiceAccountKey` responses.
+   *
+   * @generated from field: bytes public_key_data = 7;
+   */
+  publicKeyData: Uint8Array;
+
+  /**
+   * The key can be used after this timestamp.
+   *
+   * @generated from field: google.protobuf.Timestamp valid_after_time = 4;
+   */
+  validAfterTime?: Timestamp;
+
+  /**
+   * The key can be used before this timestamp.
+   * For system-managed key pairs, this timestamp is the end time for the
+   * private key signing operation. The public key could still be used
+   * for verification for a few hours after this time.
+   *
+   * @generated from field: google.protobuf.Timestamp valid_before_time = 5;
+   */
+  validBeforeTime?: Timestamp;
+
+  /**
+   * The key origin.
+   *
+   * @generated from field: google.iam.admin.v1.ServiceAccountKeyOrigin key_origin = 9;
+   */
+  keyOrigin: ServiceAccountKeyOrigin;
+
+  /**
+   * The key type.
+   *
+   * @generated from field: google.iam.admin.v1.ListServiceAccountKeysRequest.KeyType key_type = 10;
+   */
+  keyType: ListServiceAccountKeysRequest_KeyType;
+
+  /**
+   * The key status.
+   *
+   * @generated from field: bool disabled = 11;
+   */
+  disabled: boolean;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.ServiceAccountKey.
+ * Use `create(ServiceAccountKeySchema)` to create a new message.
+ */
+export declare const ServiceAccountKeySchema: GenMessage<ServiceAccountKey>;
+
+/**
+ * The service account key create request.
+ *
+ * @generated from message google.iam.admin.v1.CreateServiceAccountKeyRequest
+ */
+export declare type CreateServiceAccountKeyRequest = Message<"google.iam.admin.v1.CreateServiceAccountKeyRequest"> & {
+  /**
+   * Required. The resource name of the service account in the following format:
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+   * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
+   * the account. The `ACCOUNT` value can be the `email` address or the
+   * `unique_id` of the service account.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+
+  /**
+   * The output format of the private key. The default value is
+   * `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File
+   * format.
+   *
+   * @generated from field: google.iam.admin.v1.ServiceAccountPrivateKeyType private_key_type = 2;
+   */
+  privateKeyType: ServiceAccountPrivateKeyType;
+
+  /**
+   * Which type of key and algorithm to use for the key.
+   * The default is currently a 2K RSA key.  However this may change in the
+   * future.
+   *
+   * @generated from field: google.iam.admin.v1.ServiceAccountKeyAlgorithm key_algorithm = 3;
+   */
+  keyAlgorithm: ServiceAccountKeyAlgorithm;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.CreateServiceAccountKeyRequest.
+ * Use `create(CreateServiceAccountKeyRequestSchema)` to create a new message.
+ */
+export declare const CreateServiceAccountKeyRequestSchema: GenMessage<CreateServiceAccountKeyRequest>;
+
+/**
+ * The service account key upload request.
+ *
+ * @generated from message google.iam.admin.v1.UploadServiceAccountKeyRequest
+ */
+export declare type UploadServiceAccountKeyRequest = Message<"google.iam.admin.v1.UploadServiceAccountKeyRequest"> & {
+  /**
+   * The resource name of the service account in the following format:
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+   * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
+   * the account. The `ACCOUNT` value can be the `email` address or the
+   * `unique_id` of the service account.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+
+  /**
+   * The public key to associate with the service account. Must be an RSA public
+   * key that is wrapped in an X.509 v3 certificate. Include the first line,
+   * `-----BEGIN CERTIFICATE-----`, and the last line,
+   * `-----END CERTIFICATE-----`.
+   *
+   * @generated from field: bytes public_key_data = 2;
+   */
+  publicKeyData: Uint8Array;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.UploadServiceAccountKeyRequest.
+ * Use `create(UploadServiceAccountKeyRequestSchema)` to create a new message.
+ */
+export declare const UploadServiceAccountKeyRequestSchema: GenMessage<UploadServiceAccountKeyRequest>;
+
+/**
+ * The service account key delete request.
+ *
+ * @generated from message google.iam.admin.v1.DeleteServiceAccountKeyRequest
+ */
+export declare type DeleteServiceAccountKeyRequest = Message<"google.iam.admin.v1.DeleteServiceAccountKeyRequest"> & {
+  /**
+   * Required. The resource name of the service account key in the following format:
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
+   * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
+   * the account. The `ACCOUNT` value can be the `email` address or the
+   * `unique_id` of the service account.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.DeleteServiceAccountKeyRequest.
+ * Use `create(DeleteServiceAccountKeyRequestSchema)` to create a new message.
+ */
+export declare const DeleteServiceAccountKeyRequestSchema: GenMessage<DeleteServiceAccountKeyRequest>;
+
+/**
+ * The service account key disable request.
+ *
+ * @generated from message google.iam.admin.v1.DisableServiceAccountKeyRequest
+ */
+export declare type DisableServiceAccountKeyRequest = Message<"google.iam.admin.v1.DisableServiceAccountKeyRequest"> & {
+  /**
+   * Required. The resource name of the service account key in the following format:
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
+   *
+   * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
+   * the account. The `ACCOUNT` value can be the `email` address or the
+   * `unique_id` of the service account.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.DisableServiceAccountKeyRequest.
+ * Use `create(DisableServiceAccountKeyRequestSchema)` to create a new message.
+ */
+export declare const DisableServiceAccountKeyRequestSchema: GenMessage<DisableServiceAccountKeyRequest>;
+
+/**
+ * The service account key enable request.
+ *
+ * @generated from message google.iam.admin.v1.EnableServiceAccountKeyRequest
+ */
+export declare type EnableServiceAccountKeyRequest = Message<"google.iam.admin.v1.EnableServiceAccountKeyRequest"> & {
+  /**
+   * Required. The resource name of the service account key in the following format:
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
+   *
+   * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
+   * the account. The `ACCOUNT` value can be the `email` address or the
+   * `unique_id` of the service account.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.EnableServiceAccountKeyRequest.
+ * Use `create(EnableServiceAccountKeyRequestSchema)` to create a new message.
+ */
+export declare const EnableServiceAccountKeyRequestSchema: GenMessage<EnableServiceAccountKeyRequest>;
+
+/**
+ * Deprecated. [Migrate to Service Account Credentials
+ * API](https://cloud.google.com/iam/help/credentials/migrate-api).
+ *
+ * The service account sign blob request.
+ *
+ * @generated from message google.iam.admin.v1.SignBlobRequest
+ */
+export declare type SignBlobRequest = Message<"google.iam.admin.v1.SignBlobRequest"> & {
+  /**
+   * Required. Deprecated. [Migrate to Service Account Credentials
+   * API](https://cloud.google.com/iam/help/credentials/migrate-api).
+   *
+   * The resource name of the service account in the following format:
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+   * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
+   * the account. The `ACCOUNT` value can be the `email` address or the
+   * `unique_id` of the service account.
+   *
+   * @generated from field: string name = 1 [deprecated = true];
+   * @deprecated
+   */
+  name: string;
+
+  /**
+   * Required. Deprecated. [Migrate to Service Account Credentials
+   * API](https://cloud.google.com/iam/help/credentials/migrate-api).
+   *
+   * The bytes to sign.
+   *
+   * @generated from field: bytes bytes_to_sign = 2 [deprecated = true];
+   * @deprecated
+   */
+  bytesToSign: Uint8Array;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.SignBlobRequest.
+ * Use `create(SignBlobRequestSchema)` to create a new message.
+ */
+export declare const SignBlobRequestSchema: GenMessage<SignBlobRequest>;
+
+/**
+ * Deprecated. [Migrate to Service Account Credentials
+ * API](https://cloud.google.com/iam/help/credentials/migrate-api).
+ *
+ * The service account sign blob response.
+ *
+ * @generated from message google.iam.admin.v1.SignBlobResponse
+ */
+export declare type SignBlobResponse = Message<"google.iam.admin.v1.SignBlobResponse"> & {
+  /**
+   * Deprecated. [Migrate to Service Account Credentials
+   * API](https://cloud.google.com/iam/help/credentials/migrate-api).
+   *
+   * The id of the key used to sign the blob.
+   *
+   * @generated from field: string key_id = 1 [deprecated = true];
+   * @deprecated
+   */
+  keyId: string;
+
+  /**
+   * Deprecated. [Migrate to Service Account Credentials
+   * API](https://cloud.google.com/iam/help/credentials/migrate-api).
+   *
+   * The signed blob.
+   *
+   * @generated from field: bytes signature = 2 [deprecated = true];
+   * @deprecated
+   */
+  signature: Uint8Array;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.SignBlobResponse.
+ * Use `create(SignBlobResponseSchema)` to create a new message.
+ */
+export declare const SignBlobResponseSchema: GenMessage<SignBlobResponse>;
+
+/**
+ * Deprecated. [Migrate to Service Account Credentials
+ * API](https://cloud.google.com/iam/help/credentials/migrate-api).
+ *
+ * The service account sign JWT request.
+ *
+ * @generated from message google.iam.admin.v1.SignJwtRequest
+ */
+export declare type SignJwtRequest = Message<"google.iam.admin.v1.SignJwtRequest"> & {
+  /**
+   * Required. Deprecated. [Migrate to Service Account Credentials
+   * API](https://cloud.google.com/iam/help/credentials/migrate-api).
+   *
+   * The resource name of the service account in the following format:
+   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+   * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
+   * the account. The `ACCOUNT` value can be the `email` address or the
+   * `unique_id` of the service account.
+   *
+   * @generated from field: string name = 1 [deprecated = true];
+   * @deprecated
+   */
+  name: string;
+
+  /**
+   * Required. Deprecated. [Migrate to Service Account Credentials
+   * API](https://cloud.google.com/iam/help/credentials/migrate-api).
+   *
+   * The JWT payload to sign. Must be a serialized JSON object that contains a
+   * JWT Claims Set. For example: `{"sub": "user@example.com", "iat": 313435}`
+   *
+   * If the JWT Claims Set contains an expiration time (`exp`) claim, it must be
+   * an integer timestamp that is not in the past and no more than 12 hours in
+   * the future.
+   *
+   * If the JWT Claims Set does not contain an expiration time (`exp`) claim,
+   * this claim is added automatically, with a timestamp that is 1 hour in the
+   * future.
+   *
+   * @generated from field: string payload = 2 [deprecated = true];
+   * @deprecated
+   */
+  payload: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.SignJwtRequest.
+ * Use `create(SignJwtRequestSchema)` to create a new message.
+ */
+export declare const SignJwtRequestSchema: GenMessage<SignJwtRequest>;
+
+/**
+ * Deprecated. [Migrate to Service Account Credentials
+ * API](https://cloud.google.com/iam/help/credentials/migrate-api).
+ *
+ * The service account sign JWT response.
+ *
+ * @generated from message google.iam.admin.v1.SignJwtResponse
+ */
+export declare type SignJwtResponse = Message<"google.iam.admin.v1.SignJwtResponse"> & {
+  /**
+   * Deprecated. [Migrate to Service Account Credentials
+   * API](https://cloud.google.com/iam/help/credentials/migrate-api).
+   *
+   * The id of the key used to sign the JWT.
+   *
+   * @generated from field: string key_id = 1 [deprecated = true];
+   * @deprecated
+   */
+  keyId: string;
+
+  /**
+   * Deprecated. [Migrate to Service Account Credentials
+   * API](https://cloud.google.com/iam/help/credentials/migrate-api).
+   *
+   * The signed JWT.
+   *
+   * @generated from field: string signed_jwt = 2 [deprecated = true];
+   * @deprecated
+   */
+  signedJwt: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.SignJwtResponse.
+ * Use `create(SignJwtResponseSchema)` to create a new message.
+ */
+export declare const SignJwtResponseSchema: GenMessage<SignJwtResponse>;
+
+/**
+ * A role in the Identity and Access Management API.
+ *
+ * @generated from message google.iam.admin.v1.Role
+ */
+export declare type Role = Message<"google.iam.admin.v1.Role"> & {
+  /**
+   * The name of the role.
+   *
+   * When Role is used in CreateRole, the role name must not be set.
+   *
+   * When Role is used in output and other input such as UpdateRole, the role
+   * name is the complete path, e.g., roles/logging.viewer for predefined roles
+   * and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+
+  /**
+   * Optional. A human-readable title for the role.  Typically this
+   * is limited to 100 UTF-8 bytes.
+   *
+   * @generated from field: string title = 2;
+   */
+  title: string;
+
+  /**
+   * Optional. A human-readable description for the role.
+   *
+   * @generated from field: string description = 3;
+   */
+  description: string;
+
+  /**
+   * The names of the permissions this role grants when bound in an IAM policy.
+   *
+   * @generated from field: repeated string included_permissions = 7;
+   */
+  includedPermissions: string[];
+
+  /**
+   * The current launch stage of the role. If the `ALPHA` launch stage has been
+   * selected for a role, the `stage` field will not be included in the
+   * returned definition for the role.
+   *
+   * @generated from field: google.iam.admin.v1.Role.RoleLaunchStage stage = 8;
+   */
+  stage: Role_RoleLaunchStage;
+
+  /**
+   * Used to perform a consistent read-modify-write.
+   *
+   * @generated from field: bytes etag = 9;
+   */
+  etag: Uint8Array;
+
+  /**
+   * The current deleted state of the role. This field is read only.
+   * It will be ignored in calls to CreateRole and UpdateRole.
+   *
+   * @generated from field: bool deleted = 11;
+   */
+  deleted: boolean;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.Role.
+ * Use `create(RoleSchema)` to create a new message.
+ */
+export declare const RoleSchema: GenMessage<Role>;
+
+/**
+ * A stage representing a role's lifecycle phase.
+ *
+ * @generated from enum google.iam.admin.v1.Role.RoleLaunchStage
+ */
+export enum Role_RoleLaunchStage {
+  /**
+   * The user has indicated this role is currently in an Alpha phase. If this
+   * launch stage is selected, the `stage` field will not be included when
+   * requesting the definition for a given role.
+   *
+   * @generated from enum value: ALPHA = 0;
+   */
+  ALPHA = 0,
+
+  /**
+   * The user has indicated this role is currently in a Beta phase.
+   *
+   * @generated from enum value: BETA = 1;
+   */
+  BETA = 1,
+
+  /**
+   * The user has indicated this role is generally available.
+   *
+   * @generated from enum value: GA = 2;
+   */
+  GA = 2,
+
+  /**
+   * The user has indicated this role is being deprecated.
+   *
+   * @generated from enum value: DEPRECATED = 4;
+   */
+  DEPRECATED = 4,
+
+  /**
+   * This role is disabled and will not contribute permissions to any
+   * principals it is granted to in policies.
+   *
+   * @generated from enum value: DISABLED = 5;
+   */
+  DISABLED = 5,
+
+  /**
+   * The user has indicated this role is currently in an EAP phase.
+   *
+   * @generated from enum value: EAP = 6;
+   */
+  EAP = 6,
+}
+
+/**
+ * Describes the enum google.iam.admin.v1.Role.RoleLaunchStage.
+ */
+export declare const Role_RoleLaunchStageSchema: GenEnum<Role_RoleLaunchStage>;
+
+/**
+ * The grantable role query request.
+ *
+ * @generated from message google.iam.admin.v1.QueryGrantableRolesRequest
+ */
+export declare type QueryGrantableRolesRequest = Message<"google.iam.admin.v1.QueryGrantableRolesRequest"> & {
+  /**
+   * Required. The full resource name to query from the list of grantable roles.
+   *
+   * The name follows the Google Cloud Platform resource format.
+   * For example, a Cloud Platform project with id `my-project` will be named
+   * `//cloudresourcemanager.googleapis.com/projects/my-project`.
+   *
+   * @generated from field: string full_resource_name = 1;
+   */
+  fullResourceName: string;
+
+  /**
+   * @generated from field: google.iam.admin.v1.RoleView view = 2;
+   */
+  view: RoleView;
+
+  /**
+   * Optional limit on the number of roles to include in the response.
+   *
+   * The default is 300, and the maximum is 1,000.
+   *
+   * @generated from field: int32 page_size = 3;
+   */
+  pageSize: number;
+
+  /**
+   * Optional pagination token returned in an earlier
+   * QueryGrantableRolesResponse.
+   *
+   * @generated from field: string page_token = 4;
+   */
+  pageToken: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.QueryGrantableRolesRequest.
+ * Use `create(QueryGrantableRolesRequestSchema)` to create a new message.
+ */
+export declare const QueryGrantableRolesRequestSchema: GenMessage<QueryGrantableRolesRequest>;
+
+/**
+ * The grantable role query response.
+ *
+ * @generated from message google.iam.admin.v1.QueryGrantableRolesResponse
+ */
+export declare type QueryGrantableRolesResponse = Message<"google.iam.admin.v1.QueryGrantableRolesResponse"> & {
+  /**
+   * The list of matching roles.
+   *
+   * @generated from field: repeated google.iam.admin.v1.Role roles = 1;
+   */
+  roles: Role[];
+
+  /**
+   * To retrieve the next page of results, set
+   * `QueryGrantableRolesRequest.page_token` to this value.
+   *
+   * @generated from field: string next_page_token = 2;
+   */
+  nextPageToken: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.QueryGrantableRolesResponse.
+ * Use `create(QueryGrantableRolesResponseSchema)` to create a new message.
+ */
+export declare const QueryGrantableRolesResponseSchema: GenMessage<QueryGrantableRolesResponse>;
+
+/**
+ * The request to get all roles defined under a resource.
+ *
+ * @generated from message google.iam.admin.v1.ListRolesRequest
+ */
+export declare type ListRolesRequest = Message<"google.iam.admin.v1.ListRolesRequest"> & {
+  /**
+   * The `parent` parameter's value depends on the target resource for the
+   * request, namely
+   * [`roles`](https://cloud.google.com/iam/reference/rest/v1/roles),
+   * [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles),
+   * or
+   * [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles).
+   * Each resource type's `parent` value format is described below:
+   *
+   * * [`roles.list()`](https://cloud.google.com/iam/reference/rest/v1/roles/list): An empty string.
+   *   This method doesn't require a resource; it simply returns all
+   *   [predefined
+   *   roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles)
+   *   in Cloud IAM. Example request URL: `https://iam.googleapis.com/v1/roles`
+   *
+   * * [`projects.roles.list()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/list):
+   *   `projects/{PROJECT_ID}`. This method lists all project-level
+   *   [custom
+   *   roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
+   *   Example request URL:
+   *   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
+   *
+   * * [`organizations.roles.list()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/list):
+   *   `organizations/{ORGANIZATION_ID}`. This method lists all
+   *   organization-level [custom
+   *   roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
+   *   Example request URL:
+   *   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
+   *
+   * Note: Wildcard (*) values are invalid; you must specify a complete project
+   * ID or organization ID.
+   *
+   * @generated from field: string parent = 1;
+   */
+  parent: string;
+
+  /**
+   * Optional limit on the number of roles to include in the response.
+   *
+   * The default is 300, and the maximum is 1,000.
+   *
+   * @generated from field: int32 page_size = 2;
+   */
+  pageSize: number;
+
+  /**
+   * Optional pagination token returned in an earlier ListRolesResponse.
+   *
+   * @generated from field: string page_token = 3;
+   */
+  pageToken: string;
+
+  /**
+   * Optional view for the returned Role objects. When `FULL` is specified,
+   * the `includedPermissions` field is returned, which includes a list of all
+   * permissions in the role. The default value is `BASIC`, which does not
+   * return the `includedPermissions` field.
+   *
+   * @generated from field: google.iam.admin.v1.RoleView view = 4;
+   */
+  view: RoleView;
+
+  /**
+   * Include Roles that have been deleted.
+   *
+   * @generated from field: bool show_deleted = 6;
+   */
+  showDeleted: boolean;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.ListRolesRequest.
+ * Use `create(ListRolesRequestSchema)` to create a new message.
+ */
+export declare const ListRolesRequestSchema: GenMessage<ListRolesRequest>;
+
+/**
+ * The response containing the roles defined under a resource.
+ *
+ * @generated from message google.iam.admin.v1.ListRolesResponse
+ */
+export declare type ListRolesResponse = Message<"google.iam.admin.v1.ListRolesResponse"> & {
+  /**
+   * The Roles defined on this resource.
+   *
+   * @generated from field: repeated google.iam.admin.v1.Role roles = 1;
+   */
+  roles: Role[];
+
+  /**
+   * To retrieve the next page of results, set
+   * `ListRolesRequest.page_token` to this value.
+   *
+   * @generated from field: string next_page_token = 2;
+   */
+  nextPageToken: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.ListRolesResponse.
+ * Use `create(ListRolesResponseSchema)` to create a new message.
+ */
+export declare const ListRolesResponseSchema: GenMessage<ListRolesResponse>;
+
+/**
+ * The request to get the definition of an existing role.
+ *
+ * @generated from message google.iam.admin.v1.GetRoleRequest
+ */
+export declare type GetRoleRequest = Message<"google.iam.admin.v1.GetRoleRequest"> & {
+  /**
+   * The `name` parameter's value depends on the target resource for the
+   * request, namely
+   * [`roles`](https://cloud.google.com/iam/reference/rest/v1/roles),
+   * [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles),
+   * or
+   * [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles).
+   * Each resource type's `name` value format is described below:
+   *
+   * * [`roles.get()`](https://cloud.google.com/iam/reference/rest/v1/roles/get): `roles/{ROLE_NAME}`.
+   *   This method returns results from all
+   *   [predefined
+   *   roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles)
+   *   in Cloud IAM. Example request URL:
+   *   `https://iam.googleapis.com/v1/roles/{ROLE_NAME}`
+   *
+   * * [`projects.roles.get()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/get):
+   *   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only
+   *   [custom
+   *   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
+   *   have been created at the project level. Example request URL:
+   *   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
+   *
+   * * [`organizations.roles.get()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/get):
+   *   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
+   *   returns only [custom
+   *   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
+   *   have been created at the organization level. Example request URL:
+   *   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
+   *
+   * Note: Wildcard (*) values are invalid; you must specify a complete project
+   * ID or organization ID.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.GetRoleRequest.
+ * Use `create(GetRoleRequestSchema)` to create a new message.
+ */
+export declare const GetRoleRequestSchema: GenMessage<GetRoleRequest>;
+
+/**
+ * The request to create a new role.
+ *
+ * @generated from message google.iam.admin.v1.CreateRoleRequest
+ */
+export declare type CreateRoleRequest = Message<"google.iam.admin.v1.CreateRoleRequest"> & {
+  /**
+   * The `parent` parameter's value depends on the target resource for the
+   * request, namely
+   * [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles)
+   * or
+   * [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles).
+   * Each resource type's `parent` value format is described below:
+   *
+   * * [`projects.roles.create()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/create):
+   *   `projects/{PROJECT_ID}`. This method creates project-level
+   *   [custom
+   *   roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
+   *   Example request URL:
+   *   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
+   *
+   * * [`organizations.roles.create()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/create):
+   *   `organizations/{ORGANIZATION_ID}`. This method creates organization-level
+   *   [custom
+   *   roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
+   *   Example request URL:
+   *   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
+   *
+   * Note: Wildcard (*) values are invalid; you must specify a complete project
+   * ID or organization ID.
+   *
+   * @generated from field: string parent = 1;
+   */
+  parent: string;
+
+  /**
+   * The role ID to use for this role.
+   *
+   * A role ID may contain alphanumeric characters, underscores (`_`), and
+   * periods (`.`). It must contain a minimum of 3 characters and a maximum of
+   * 64 characters.
+   *
+   * @generated from field: string role_id = 2;
+   */
+  roleId: string;
+
+  /**
+   * The Role resource to create.
+   *
+   * @generated from field: google.iam.admin.v1.Role role = 3;
+   */
+  role?: Role;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.CreateRoleRequest.
+ * Use `create(CreateRoleRequestSchema)` to create a new message.
+ */
+export declare const CreateRoleRequestSchema: GenMessage<CreateRoleRequest>;
+
+/**
+ * The request to update a role.
+ *
+ * @generated from message google.iam.admin.v1.UpdateRoleRequest
+ */
+export declare type UpdateRoleRequest = Message<"google.iam.admin.v1.UpdateRoleRequest"> & {
+  /**
+   * The `name` parameter's value depends on the target resource for the
+   * request, namely
+   * [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles)
+   * or
+   * [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles).
+   * Each resource type's `name` value format is described below:
+   *
+   * * [`projects.roles.patch()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/patch):
+   *   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only
+   *   [custom
+   *   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
+   *   have been created at the project level. Example request URL:
+   *   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
+   *
+   * * [`organizations.roles.patch()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/patch):
+   *   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
+   *   updates only [custom
+   *   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
+   *   have been created at the organization level. Example request URL:
+   *   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
+   *
+   * Note: Wildcard (*) values are invalid; you must specify a complete project
+   * ID or organization ID.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+
+  /**
+   * The updated role.
+   *
+   * @generated from field: google.iam.admin.v1.Role role = 2;
+   */
+  role?: Role;
+
+  /**
+   * A mask describing which fields in the Role have changed.
+   *
+   * @generated from field: google.protobuf.FieldMask update_mask = 3;
+   */
+  updateMask?: FieldMask;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.UpdateRoleRequest.
+ * Use `create(UpdateRoleRequestSchema)` to create a new message.
+ */
+export declare const UpdateRoleRequestSchema: GenMessage<UpdateRoleRequest>;
+
+/**
+ * The request to delete an existing role.
+ *
+ * @generated from message google.iam.admin.v1.DeleteRoleRequest
+ */
+export declare type DeleteRoleRequest = Message<"google.iam.admin.v1.DeleteRoleRequest"> & {
+  /**
+   * The `name` parameter's value depends on the target resource for the
+   * request, namely
+   * [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles)
+   * or
+   * [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles).
+   * Each resource type's `name` value format is described below:
+   *
+   * * [`projects.roles.delete()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/delete):
+   *   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only
+   *   [custom
+   *   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
+   *   have been created at the project level. Example request URL:
+   *   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
+   *
+   * * [`organizations.roles.delete()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/delete):
+   *   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
+   *   deletes only [custom
+   *   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
+   *   have been created at the organization level. Example request URL:
+   *   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
+   *
+   * Note: Wildcard (*) values are invalid; you must specify a complete project
+   * ID or organization ID.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+
+  /**
+   * Used to perform a consistent read-modify-write.
+   *
+   * @generated from field: bytes etag = 2;
+   */
+  etag: Uint8Array;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.DeleteRoleRequest.
+ * Use `create(DeleteRoleRequestSchema)` to create a new message.
+ */
+export declare const DeleteRoleRequestSchema: GenMessage<DeleteRoleRequest>;
+
+/**
+ * The request to undelete an existing role.
+ *
+ * @generated from message google.iam.admin.v1.UndeleteRoleRequest
+ */
+export declare type UndeleteRoleRequest = Message<"google.iam.admin.v1.UndeleteRoleRequest"> & {
+  /**
+   * The `name` parameter's value depends on the target resource for the
+   * request, namely
+   * [`projects`](https://cloud.google.com/iam/reference/rest/v1/projects.roles)
+   * or
+   * [`organizations`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles).
+   * Each resource type's `name` value format is described below:
+   *
+   * * [`projects.roles.undelete()`](https://cloud.google.com/iam/reference/rest/v1/projects.roles/undelete):
+   *   `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes
+   *   only [custom
+   *   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
+   *   have been created at the project level. Example request URL:
+   *   `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
+   *
+   * * [`organizations.roles.undelete()`](https://cloud.google.com/iam/reference/rest/v1/organizations.roles/undelete):
+   *   `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
+   *   undeletes only [custom
+   *   roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that
+   *   have been created at the organization level. Example request URL:
+   *   `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
+   *
+   * Note: Wildcard (*) values are invalid; you must specify a complete project
+   * ID or organization ID.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+
+  /**
+   * Used to perform a consistent read-modify-write.
+   *
+   * @generated from field: bytes etag = 2;
+   */
+  etag: Uint8Array;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.UndeleteRoleRequest.
+ * Use `create(UndeleteRoleRequestSchema)` to create a new message.
+ */
+export declare const UndeleteRoleRequestSchema: GenMessage<UndeleteRoleRequest>;
+
+/**
+ * A permission which can be included by a role.
+ *
+ * @generated from message google.iam.admin.v1.Permission
+ */
+export declare type Permission = Message<"google.iam.admin.v1.Permission"> & {
+  /**
+   * The name of this Permission.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+
+  /**
+   * The title of this Permission.
+   *
+   * @generated from field: string title = 2;
+   */
+  title: string;
+
+  /**
+   * A brief description of what this Permission is used for.
+   * This permission can ONLY be used in predefined roles.
+   *
+   * @generated from field: string description = 3;
+   */
+  description: string;
+
+  /**
+   * @generated from field: bool only_in_predefined_roles = 4 [deprecated = true];
+   * @deprecated
+   */
+  onlyInPredefinedRoles: boolean;
+
+  /**
+   * The current launch stage of the permission.
+   *
+   * @generated from field: google.iam.admin.v1.Permission.PermissionLaunchStage stage = 5;
+   */
+  stage: Permission_PermissionLaunchStage;
+
+  /**
+   * The current custom role support level.
+   *
+   * @generated from field: google.iam.admin.v1.Permission.CustomRolesSupportLevel custom_roles_support_level = 6;
+   */
+  customRolesSupportLevel: Permission_CustomRolesSupportLevel;
+
+  /**
+   * The service API associated with the permission is not enabled.
+   *
+   * @generated from field: bool api_disabled = 7;
+   */
+  apiDisabled: boolean;
+
+  /**
+   * The preferred name for this permission. If present, then this permission is
+   * an alias of, and equivalent to, the listed primary_permission.
+   *
+   * @generated from field: string primary_permission = 8;
+   */
+  primaryPermission: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.Permission.
+ * Use `create(PermissionSchema)` to create a new message.
+ */
+export declare const PermissionSchema: GenMessage<Permission>;
+
+/**
+ * A stage representing a permission's lifecycle phase.
+ *
+ * @generated from enum google.iam.admin.v1.Permission.PermissionLaunchStage
+ */
+export enum Permission_PermissionLaunchStage {
+  /**
+   * The permission is currently in an alpha phase.
+   *
+   * @generated from enum value: ALPHA = 0;
+   */
+  ALPHA = 0,
+
+  /**
+   * The permission is currently in a beta phase.
+   *
+   * @generated from enum value: BETA = 1;
+   */
+  BETA = 1,
+
+  /**
+   * The permission is generally available.
+   *
+   * @generated from enum value: GA = 2;
+   */
+  GA = 2,
+
+  /**
+   * The permission is being deprecated.
+   *
+   * @generated from enum value: DEPRECATED = 3;
+   */
+  DEPRECATED = 3,
+}
+
+/**
+ * Describes the enum google.iam.admin.v1.Permission.PermissionLaunchStage.
+ */
+export declare const Permission_PermissionLaunchStageSchema: GenEnum<Permission_PermissionLaunchStage>;
+
+/**
+ * The state of the permission with regards to custom roles.
+ *
+ * @generated from enum google.iam.admin.v1.Permission.CustomRolesSupportLevel
+ */
+export enum Permission_CustomRolesSupportLevel {
+  /**
+   * Default state. Permission is fully supported for custom role use.
+   *
+   * @generated from enum value: SUPPORTED = 0;
+   */
+  SUPPORTED = 0,
+
+  /**
+   * Permission is being tested to check custom role compatibility.
+   *
+   * @generated from enum value: TESTING = 1;
+   */
+  TESTING = 1,
+
+  /**
+   * Permission is not supported for custom role use.
+   *
+   * @generated from enum value: NOT_SUPPORTED = 2;
+   */
+  NOT_SUPPORTED = 2,
+}
+
+/**
+ * Describes the enum google.iam.admin.v1.Permission.CustomRolesSupportLevel.
+ */
+export declare const Permission_CustomRolesSupportLevelSchema: GenEnum<Permission_CustomRolesSupportLevel>;
+
+/**
+ * A request to get permissions which can be tested on a resource.
+ *
+ * @generated from message google.iam.admin.v1.QueryTestablePermissionsRequest
+ */
+export declare type QueryTestablePermissionsRequest = Message<"google.iam.admin.v1.QueryTestablePermissionsRequest"> & {
+  /**
+   * Required. The full resource name to query from the list of testable
+   * permissions.
+   *
+   * The name follows the Google Cloud Platform resource format.
+   * For example, a Cloud Platform project with id `my-project` will be named
+   * `//cloudresourcemanager.googleapis.com/projects/my-project`.
+   *
+   * @generated from field: string full_resource_name = 1;
+   */
+  fullResourceName: string;
+
+  /**
+   * Optional limit on the number of permissions to include in the response.
+   *
+   * The default is 100, and the maximum is 1,000.
+   *
+   * @generated from field: int32 page_size = 2;
+   */
+  pageSize: number;
+
+  /**
+   * Optional pagination token returned in an earlier
+   * QueryTestablePermissionsRequest.
+   *
+   * @generated from field: string page_token = 3;
+   */
+  pageToken: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.QueryTestablePermissionsRequest.
+ * Use `create(QueryTestablePermissionsRequestSchema)` to create a new message.
+ */
+export declare const QueryTestablePermissionsRequestSchema: GenMessage<QueryTestablePermissionsRequest>;
+
+/**
+ * The response containing permissions which can be tested on a resource.
+ *
+ * @generated from message google.iam.admin.v1.QueryTestablePermissionsResponse
+ */
+export declare type QueryTestablePermissionsResponse = Message<"google.iam.admin.v1.QueryTestablePermissionsResponse"> & {
+  /**
+   * The Permissions testable on the requested resource.
+   *
+   * @generated from field: repeated google.iam.admin.v1.Permission permissions = 1;
+   */
+  permissions: Permission[];
+
+  /**
+   * To retrieve the next page of results, set
+   * `QueryTestableRolesRequest.page_token` to this value.
+   *
+   * @generated from field: string next_page_token = 2;
+   */
+  nextPageToken: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.QueryTestablePermissionsResponse.
+ * Use `create(QueryTestablePermissionsResponseSchema)` to create a new message.
+ */
+export declare const QueryTestablePermissionsResponseSchema: GenMessage<QueryTestablePermissionsResponse>;
+
+/**
+ * A request to get the list of auditable services for a resource.
+ *
+ * @generated from message google.iam.admin.v1.QueryAuditableServicesRequest
+ */
+export declare type QueryAuditableServicesRequest = Message<"google.iam.admin.v1.QueryAuditableServicesRequest"> & {
+  /**
+   * Required. The full resource name to query from the list of auditable
+   * services.
+   *
+   * The name follows the Google Cloud Platform resource format.
+   * For example, a Cloud Platform project with id `my-project` will be named
+   * `//cloudresourcemanager.googleapis.com/projects/my-project`.
+   *
+   * @generated from field: string full_resource_name = 1;
+   */
+  fullResourceName: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.QueryAuditableServicesRequest.
+ * Use `create(QueryAuditableServicesRequestSchema)` to create a new message.
+ */
+export declare const QueryAuditableServicesRequestSchema: GenMessage<QueryAuditableServicesRequest>;
+
+/**
+ * A response containing a list of auditable services for a resource.
+ *
+ * @generated from message google.iam.admin.v1.QueryAuditableServicesResponse
+ */
+export declare type QueryAuditableServicesResponse = Message<"google.iam.admin.v1.QueryAuditableServicesResponse"> & {
+  /**
+   * The auditable services for a resource.
+   *
+   * @generated from field: repeated google.iam.admin.v1.QueryAuditableServicesResponse.AuditableService services = 1;
+   */
+  services: QueryAuditableServicesResponse_AuditableService[];
+};
+
+/**
+ * Describes the message google.iam.admin.v1.QueryAuditableServicesResponse.
+ * Use `create(QueryAuditableServicesResponseSchema)` to create a new message.
+ */
+export declare const QueryAuditableServicesResponseSchema: GenMessage<QueryAuditableServicesResponse>;
+
+/**
+ * Contains information about an auditable service.
+ *
+ * @generated from message google.iam.admin.v1.QueryAuditableServicesResponse.AuditableService
+ */
+export declare type QueryAuditableServicesResponse_AuditableService = Message<"google.iam.admin.v1.QueryAuditableServicesResponse.AuditableService"> & {
+  /**
+   * Public name of the service.
+   * For example, the service name for Cloud IAM is 'iam.googleapis.com'.
+   *
+   * @generated from field: string name = 1;
+   */
+  name: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.QueryAuditableServicesResponse.AuditableService.
+ * Use `create(QueryAuditableServicesResponse_AuditableServiceSchema)` to create a new message.
+ */
+export declare const QueryAuditableServicesResponse_AuditableServiceSchema: GenMessage<QueryAuditableServicesResponse_AuditableService>;
+
+/**
+ * The request to lint a Cloud IAM policy object.
+ *
+ * @generated from message google.iam.admin.v1.LintPolicyRequest
+ */
+export declare type LintPolicyRequest = Message<"google.iam.admin.v1.LintPolicyRequest"> & {
+  /**
+   * The full resource name of the policy this lint request is about.
+   *
+   * The name follows the Google Cloud Platform (GCP) resource format.
+   * For example, a GCP project with ID `my-project` will be named
+   * `//cloudresourcemanager.googleapis.com/projects/my-project`.
+   *
+   * The resource name is not used to read the policy instance from the Cloud
+   * IAM database. The candidate policy for lint has to be provided in the same
+   * request object.
+   *
+   * @generated from field: string full_resource_name = 1;
+   */
+  fullResourceName: string;
+
+  /**
+   * Required. The Cloud IAM object to be linted.
+   *
+   * @generated from oneof google.iam.admin.v1.LintPolicyRequest.lint_object
+   */
+  lintObject: {
+    /**
+     * [google.iam.v1.Binding.condition] [google.iam.v1.Binding.condition] object to be linted.
+     *
+     * @generated from field: google.type.Expr condition = 5;
+     */
+    value: Expr;
+    case: "condition";
+  } | { case: undefined; value?: undefined };
+};
+
+/**
+ * Describes the message google.iam.admin.v1.LintPolicyRequest.
+ * Use `create(LintPolicyRequestSchema)` to create a new message.
+ */
+export declare const LintPolicyRequestSchema: GenMessage<LintPolicyRequest>;
+
+/**
+ * Structured response of a single validation unit.
+ *
+ * @generated from message google.iam.admin.v1.LintResult
+ */
+export declare type LintResult = Message<"google.iam.admin.v1.LintResult"> & {
+  /**
+   * The validation unit level.
+   *
+   * @generated from field: google.iam.admin.v1.LintResult.Level level = 1;
+   */
+  level: LintResult_Level;
+
+  /**
+   * The validation unit name, for instance
+   * "lintValidationUnits/ConditionComplexityCheck".
+   *
+   * @generated from field: string validation_unit_name = 2;
+   */
+  validationUnitName: string;
+
+  /**
+   * The validation unit severity.
+   *
+   * @generated from field: google.iam.admin.v1.LintResult.Severity severity = 3;
+   */
+  severity: LintResult_Severity;
+
+  /**
+   * The name of the field for which this lint result is about.
+   *
+   * For nested messages `field_name` consists of names of the embedded fields
+   * separated by period character. The top-level qualifier is the input object
+   * to lint in the request. For example, the `field_name` value
+   * `condition.expression` identifies a lint result for the `expression` field
+   * of the provided condition.
+   *
+   * @generated from field: string field_name = 5;
+   */
+  fieldName: string;
+
+  /**
+   * 0-based character position of problematic construct within the object
+   * identified by `field_name`. Currently, this is populated only for condition
+   * expression.
+   *
+   * @generated from field: int32 location_offset = 6;
+   */
+  locationOffset: number;
+
+  /**
+   * Human readable debug message associated with the issue.
+   *
+   * @generated from field: string debug_message = 7;
+   */
+  debugMessage: string;
+};
+
+/**
+ * Describes the message google.iam.admin.v1.LintResult.
+ * Use `create(LintResultSchema)` to create a new message.
+ */
+export declare const LintResultSchema: GenMessage<LintResult>;
+
+/**
+ * Possible Level values of a validation unit corresponding to its domain
+ * of discourse.
+ *
+ * @generated from enum google.iam.admin.v1.LintResult.Level
+ */
+export enum LintResult_Level {
+  /**
+   * Level is unspecified.
+   *
+   * @generated from enum value: LEVEL_UNSPECIFIED = 0;
+   */
+  LEVEL_UNSPECIFIED = 0,
+
+  /**
+   * A validation unit which operates on an individual condition within a
+   * binding.
+   *
+   * @generated from enum value: CONDITION = 3;
+   */
+  CONDITION = 3,
+}
+
+/**
+ * Describes the enum google.iam.admin.v1.LintResult.Level.
+ */
+export declare const LintResult_LevelSchema: GenEnum<LintResult_Level>;
+
+/**
+ * Possible Severity values of an issued result.
+ *
+ * @generated from enum google.iam.admin.v1.LintResult.Severity
+ */
+export enum LintResult_Severity {
+  /**
+   * Severity is unspecified.
+   *
+   * @generated from enum value: SEVERITY_UNSPECIFIED = 0;
+   */
+  SEVERITY_UNSPECIFIED = 0,
+
+  /**
+   * A validation unit returns an error only for critical issues. If an
+   * attempt is made to set the problematic policy without rectifying the
+   * critical issue, it causes the `setPolicy` operation to fail.
+   *
+   * @generated from enum value: ERROR = 1;
+   */
+  ERROR = 1,
+
+  /**
+   * Any issue which is severe enough but does not cause an error.
+   * For example, suspicious constructs in the input object will not
+   * necessarily fail `setPolicy`, but there is a high likelihood that they
+   * won't behave as expected during policy evaluation in `checkPolicy`.
+   * This includes the following common scenarios:
+   *
+   * - Unsatisfiable condition: Expired timestamp in date/time condition.
+   * - Ineffective condition: Condition on a <principal, role> pair which is
+   *   granted unconditionally in another binding of the same policy.
+   *
+   * @generated from enum value: WARNING = 2;
+   */
+  WARNING = 2,
+
+  /**
+   * Reserved for the issues that are not severe as `ERROR`/`WARNING`, but
+   * need special handling. For instance, messages about skipped validation
+   * units are issued as `NOTICE`.
+   *
+   * @generated from enum value: NOTICE = 3;
+   */
+  NOTICE = 3,
+
+  /**
+   * Any informative statement which is not severe enough to raise
+   * `ERROR`/`WARNING`/`NOTICE`, like auto-correction recommendations on the
+   * input content. Note that current version of the linter does not utilize
+   * `INFO`.
+   *
+   * @generated from enum value: INFO = 4;
+   */
+  INFO = 4,
+
+  /**
+   * Deprecated severity level.
+   *
+   * @generated from enum value: DEPRECATED = 5;
+   */
+  DEPRECATED = 5,
+}
+
+/**
+ * Describes the enum google.iam.admin.v1.LintResult.Severity.
+ */
+export declare const LintResult_SeveritySchema: GenEnum<LintResult_Severity>;
+
+/**
+ * The response of a lint operation. An empty response indicates
+ * the operation was able to fully execute and no lint issue was found.
+ *
+ * @generated from message google.iam.admin.v1.LintPolicyResponse
+ */
+export declare type LintPolicyResponse = Message<"google.iam.admin.v1.LintPolicyResponse"> & {
+  /**
+   * List of lint results sorted by `severity` in descending order.
+   *
+   * @generated from field: repeated google.iam.admin.v1.LintResult lint_results = 1;
+   */
+  lintResults: LintResult[];
+};
+
+/**
+ * Describes the message google.iam.admin.v1.LintPolicyResponse.
+ * Use `create(LintPolicyResponseSchema)` to create a new message.
+ */
+export declare const LintPolicyResponseSchema: GenMessage<LintPolicyResponse>;
+
+/**
+ * Supported key algorithms.
+ *
+ * @generated from enum google.iam.admin.v1.ServiceAccountKeyAlgorithm
+ */
+export enum ServiceAccountKeyAlgorithm {
+  /**
+   * An unspecified key algorithm.
+   *
+   * @generated from enum value: KEY_ALG_UNSPECIFIED = 0;
+   */
+  KEY_ALG_UNSPECIFIED = 0,
+
+  /**
+   * 1k RSA Key.
+   *
+   * @generated from enum value: KEY_ALG_RSA_1024 = 1;
+   */
+  KEY_ALG_RSA_1024 = 1,
+
+  /**
+   * 2k RSA Key.
+   *
+   * @generated from enum value: KEY_ALG_RSA_2048 = 2;
+   */
+  KEY_ALG_RSA_2048 = 2,
+}
+
+/**
+ * Describes the enum google.iam.admin.v1.ServiceAccountKeyAlgorithm.
+ */
+export declare const ServiceAccountKeyAlgorithmSchema: GenEnum<ServiceAccountKeyAlgorithm>;
+
+/**
+ * Supported private key output formats.
+ *
+ * @generated from enum google.iam.admin.v1.ServiceAccountPrivateKeyType
+ */
+export enum ServiceAccountPrivateKeyType {
+  /**
+   * Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`.
+   *
+   * @generated from enum value: TYPE_UNSPECIFIED = 0;
+   */
+  TYPE_UNSPECIFIED = 0,
+
+  /**
+   * PKCS12 format.
+   * The password for the PKCS12 file is `notasecret`.
+   * For more information, see https://tools.ietf.org/html/rfc7292.
+   *
+   * @generated from enum value: TYPE_PKCS12_FILE = 1;
+   */
+  TYPE_PKCS12_FILE = 1,
+
+  /**
+   * Google Credentials File format.
+   *
+   * @generated from enum value: TYPE_GOOGLE_CREDENTIALS_FILE = 2;
+   */
+  TYPE_GOOGLE_CREDENTIALS_FILE = 2,
+}
+
+/**
+ * Describes the enum google.iam.admin.v1.ServiceAccountPrivateKeyType.
+ */
+export declare const ServiceAccountPrivateKeyTypeSchema: GenEnum<ServiceAccountPrivateKeyType>;
+
+/**
+ * Supported public key output formats.
+ *
+ * @generated from enum google.iam.admin.v1.ServiceAccountPublicKeyType
+ */
+export enum ServiceAccountPublicKeyType {
+  /**
+   * Do not return the public key.
+   *
+   * @generated from enum value: TYPE_NONE = 0;
+   */
+  TYPE_NONE = 0,
+
+  /**
+   * X509 PEM format.
+   *
+   * @generated from enum value: TYPE_X509_PEM_FILE = 1;
+   */
+  TYPE_X509_PEM_FILE = 1,
+
+  /**
+   * Raw public key.
+   *
+   * @generated from enum value: TYPE_RAW_PUBLIC_KEY = 2;
+   */
+  TYPE_RAW_PUBLIC_KEY = 2,
+}
+
+/**
+ * Describes the enum google.iam.admin.v1.ServiceAccountPublicKeyType.
+ */
+export declare const ServiceAccountPublicKeyTypeSchema: GenEnum<ServiceAccountPublicKeyType>;
+
+/**
+ * Service Account Key Origin.
+ *
+ * @generated from enum google.iam.admin.v1.ServiceAccountKeyOrigin
+ */
+export enum ServiceAccountKeyOrigin {
+  /**
+   * Unspecified key origin.
+   *
+   * @generated from enum value: ORIGIN_UNSPECIFIED = 0;
+   */
+  ORIGIN_UNSPECIFIED = 0,
+
+  /**
+   * Key is provided by user.
+   *
+   * @generated from enum value: USER_PROVIDED = 1;
+   */
+  USER_PROVIDED = 1,
+
+  /**
+   * Key is provided by Google.
+   *
+   * @generated from enum value: GOOGLE_PROVIDED = 2;
+   */
+  GOOGLE_PROVIDED = 2,
+}
+
+/**
+ * Describes the enum google.iam.admin.v1.ServiceAccountKeyOrigin.
+ */
+export declare const ServiceAccountKeyOriginSchema: GenEnum<ServiceAccountKeyOrigin>;
+
+/**
+ * A view for Role objects.
+ *
+ * @generated from enum google.iam.admin.v1.RoleView
+ */
+export enum RoleView {
+  /**
+   * Omits the `included_permissions` field.
+   * This is the default value.
+   *
+   * @generated from enum value: BASIC = 0;
+   */
+  BASIC = 0,
+
+  /**
+   * Returns all fields.
+   *
+   * @generated from enum value: FULL = 1;
+   */
+  FULL = 1,
+}
+
+/**
+ * Describes the enum google.iam.admin.v1.RoleView.
+ */
+export declare const RoleViewSchema: GenEnum<RoleView>;
+
+/**
+ * Creates and manages Identity and Access Management (IAM) resources.
+ *
+ * You can use this service to work with all of the following resources:
+ *
+ * * **Service accounts**, which identify an application or a virtual machine
+ *   (VM) instance rather than a person
+ * * **Service account keys**, which service accounts use to authenticate with
+ *   Google APIs
+ * * **IAM policies for service accounts**, which specify the roles that a
+ *   principal has for the service account
+ * * **IAM custom roles**, which help you limit the number of permissions that
+ *   you grant to principals
+ *
+ * In addition, you can use this service to complete the following tasks, among
+ * others:
+ *
+ * * Test whether a service account can use specific permissions
+ * * Check which roles you can grant for a specific resource
+ * * Lint, or validate, condition expressions in an IAM policy
+ *
+ * When you read data from the IAM API, each read is eventually consistent. In
+ * other words, if you write data with the IAM API, then immediately read that
+ * data, the read operation might return an older version of the data. To deal
+ * with this behavior, your application can retry the request with truncated
+ * exponential backoff.
+ *
+ * In contrast, writing data to the IAM API is sequentially consistent. In other
+ * words, write operations are always processed in the order in which they were
+ * received.
+ *
+ * @generated from service google.iam.admin.v1.IAM
+ */
+export declare const IAM: GenService<{
+  /**
+   * Lists every [ServiceAccount][google.iam.admin.v1.ServiceAccount] that belongs to a specific project.
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.ListServiceAccounts
+   */
+  listServiceAccounts: {
+    methodKind: "unary";
+    input: typeof ListServiceAccountsRequestSchema;
+    output: typeof ListServiceAccountsResponseSchema;
+  },
+  /**
+   * Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.GetServiceAccount
+   */
+  getServiceAccount: {
+    methodKind: "unary";
+    input: typeof GetServiceAccountRequestSchema;
+    output: typeof ServiceAccountSchema;
+  },
+  /**
+   * Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.CreateServiceAccount
+   */
+  createServiceAccount: {
+    methodKind: "unary";
+    input: typeof CreateServiceAccountRequestSchema;
+    output: typeof ServiceAccountSchema;
+  },
+  /**
+   * **Note:** We are in the process of deprecating this method. Use
+   * [PatchServiceAccount][google.iam.admin.v1.IAM.PatchServiceAccount] instead.
+   *
+   * Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+   *
+   * You can update only the `display_name` field.
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.UpdateServiceAccount
+   */
+  updateServiceAccount: {
+    methodKind: "unary";
+    input: typeof ServiceAccountSchema;
+    output: typeof ServiceAccountSchema;
+  },
+  /**
+   * Patches a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.PatchServiceAccount
+   */
+  patchServiceAccount: {
+    methodKind: "unary";
+    input: typeof PatchServiceAccountRequestSchema;
+    output: typeof ServiceAccountSchema;
+  },
+  /**
+   * Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+   *
+   * **Warning:** After you delete a service account, you might not be able to
+   * undelete it. If you know that you need to re-enable the service account in
+   * the future, use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] instead.
+   *
+   * If you delete a service account, IAM permanently removes the service
+   * account 30 days later. Google Cloud cannot recover the service account
+   * after it is permanently removed, even if you file a support request.
+   *
+   * To help avoid unplanned outages, we recommend that you disable the service
+   * account before you delete it. Use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] to disable the
+   * service account, then wait at least 24 hours and watch for unintended
+   * consequences. If there are no unintended consequences, you can delete the
+   * service account.
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.DeleteServiceAccount
+   */
+  deleteServiceAccount: {
+    methodKind: "unary";
+    input: typeof DeleteServiceAccountRequestSchema;
+    output: typeof EmptySchema;
+  },
+  /**
+   * Restores a deleted [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+   *
+   * **Important:** It is not always possible to restore a deleted service
+   * account. Use this method only as a last resort.
+   *
+   * After you delete a service account, IAM permanently removes the service
+   * account 30 days later. There is no way to restore a deleted service account
+   * that has been permanently removed.
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.UndeleteServiceAccount
+   */
+  undeleteServiceAccount: {
+    methodKind: "unary";
+    input: typeof UndeleteServiceAccountRequestSchema;
+    output: typeof UndeleteServiceAccountResponseSchema;
+  },
+  /**
+   * Enables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] that was disabled by
+   * [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount].
+   *
+   * If the service account is already enabled, then this method has no effect.
+   *
+   * If the service account was disabled by other means—for example, if Google
+   * disabled the service account because it was compromised—you cannot use this
+   * method to enable the service account.
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.EnableServiceAccount
+   */
+  enableServiceAccount: {
+    methodKind: "unary";
+    input: typeof EnableServiceAccountRequestSchema;
+    output: typeof EmptySchema;
+  },
+  /**
+   * Disables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] immediately.
+   *
+   * If an application uses the service account to authenticate, that
+   * application can no longer call Google APIs or access Google Cloud
+   * resources. Existing access tokens for the service account are rejected, and
+   * requests for new access tokens will fail.
+   *
+   * To re-enable the service account, use [EnableServiceAccount][google.iam.admin.v1.IAM.EnableServiceAccount]. After you
+   * re-enable the service account, its existing access tokens will be accepted,
+   * and you can request new access tokens.
+   *
+   * To help avoid unplanned outages, we recommend that you disable the service
+   * account before you delete it. Use this method to disable the service
+   * account, then wait at least 24 hours and watch for unintended consequences.
+   * If there are no unintended consequences, you can delete the service account
+   * with [DeleteServiceAccount][google.iam.admin.v1.IAM.DeleteServiceAccount].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.DisableServiceAccount
+   */
+  disableServiceAccount: {
+    methodKind: "unary";
+    input: typeof DisableServiceAccountRequestSchema;
+    output: typeof EmptySchema;
+  },
+  /**
+   * Lists every [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] for a service account.
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.ListServiceAccountKeys
+   */
+  listServiceAccountKeys: {
+    methodKind: "unary";
+    input: typeof ListServiceAccountKeysRequestSchema;
+    output: typeof ListServiceAccountKeysResponseSchema;
+  },
+  /**
+   * Gets a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.GetServiceAccountKey
+   */
+  getServiceAccountKey: {
+    methodKind: "unary";
+    input: typeof GetServiceAccountKeyRequestSchema;
+    output: typeof ServiceAccountKeySchema;
+  },
+  /**
+   * Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.CreateServiceAccountKey
+   */
+  createServiceAccountKey: {
+    methodKind: "unary";
+    input: typeof CreateServiceAccountKeyRequestSchema;
+    output: typeof ServiceAccountKeySchema;
+  },
+  /**
+   * Uploads the public key portion of a key pair that you manage, and
+   * associates the public key with a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+   *
+   * After you upload the public key, you can use the private key from the key
+   * pair as a service account key.
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.UploadServiceAccountKey
+   */
+  uploadServiceAccountKey: {
+    methodKind: "unary";
+    input: typeof UploadServiceAccountKeyRequestSchema;
+    output: typeof ServiceAccountKeySchema;
+  },
+  /**
+   * Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. Deleting a service account key does not
+   * revoke short-lived credentials that have been issued based on the service
+   * account key.
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.DeleteServiceAccountKey
+   */
+  deleteServiceAccountKey: {
+    methodKind: "unary";
+    input: typeof DeleteServiceAccountKeyRequestSchema;
+    output: typeof EmptySchema;
+  },
+  /**
+   * Disable a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. A disabled service account key can be
+   * re-enabled with [EnableServiceAccountKey][google.iam.admin.v1.IAM.EnableServiceAccountKey].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.DisableServiceAccountKey
+   */
+  disableServiceAccountKey: {
+    methodKind: "unary";
+    input: typeof DisableServiceAccountKeyRequestSchema;
+    output: typeof EmptySchema;
+  },
+  /**
+   * Enable a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.EnableServiceAccountKey
+   */
+  enableServiceAccountKey: {
+    methodKind: "unary";
+    input: typeof EnableServiceAccountKeyRequestSchema;
+    output: typeof EmptySchema;
+  },
+  /**
+   * **Note:** This method is deprecated. Use the
+   * [`signBlob`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signBlob)
+   * method in the IAM Service Account Credentials API instead. If you currently
+   * use this method, see the [migration
+   * guide](https://cloud.google.com/iam/help/credentials/migrate-api) for
+   * instructions.
+   *
+   * Signs a blob using the system-managed private key for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.SignBlob
+   * @deprecated
+   */
+  signBlob: {
+    methodKind: "unary";
+    input: typeof SignBlobRequestSchema;
+    output: typeof SignBlobResponseSchema;
+  },
+  /**
+   * **Note:** This method is deprecated. Use the
+   * [`signJwt`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signJwt)
+   * method in the IAM Service Account Credentials API instead. If you currently
+   * use this method, see the [migration
+   * guide](https://cloud.google.com/iam/help/credentials/migrate-api) for
+   * instructions.
+   *
+   * Signs a JSON Web Token (JWT) using the system-managed private key for a
+   * [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.SignJwt
+   * @deprecated
+   */
+  signJwt: {
+    methodKind: "unary";
+    input: typeof SignJwtRequestSchema;
+    output: typeof SignJwtResponseSchema;
+  },
+  /**
+   * Gets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. This IAM
+   * policy specifies which principals have access to the service account.
+   *
+   * This method does not tell you whether the service account has been granted
+   * any roles on other resources. To check whether a service account has role
+   * grants on a resource, use the `getIamPolicy` method for that resource. For
+   * example, to view the role grants for a project, call the Resource Manager
+   * API's
+   * [`projects.getIamPolicy`](https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy)
+   * method.
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.GetIamPolicy
+   */
+  getIamPolicy: {
+    methodKind: "unary";
+    input: typeof GetIamPolicyRequestSchema;
+    output: typeof PolicySchema;
+  },
+  /**
+   * Sets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+   *
+   * Use this method to grant or revoke access to the service account. For
+   * example, you could grant a principal the ability to impersonate the service
+   * account.
+   *
+   * This method does not enable the service account to access other resources.
+   * To grant roles to a service account on a resource, follow these steps:
+   *
+   * 1. Call the resource's `getIamPolicy` method to get its current IAM policy.
+   * 2. Edit the policy so that it binds the service account to an IAM role for
+   * the resource.
+   * 3. Call the resource's `setIamPolicy` method to update its IAM policy.
+   *
+   * For detailed instructions, see
+   * [Manage access to project, folders, and
+   * organizations](https://cloud.google.com/iam/help/service-accounts/granting-access-to-service-accounts)
+   * or [Manage access to other
+   * resources](https://cloud.google.com/iam/help/access/manage-other-resources).
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.SetIamPolicy
+   */
+  setIamPolicy: {
+    methodKind: "unary";
+    input: typeof SetIamPolicyRequestSchema;
+    output: typeof PolicySchema;
+  },
+  /**
+   * Tests whether the caller has the specified permissions on a
+   * [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.TestIamPermissions
+   */
+  testIamPermissions: {
+    methodKind: "unary";
+    input: typeof TestIamPermissionsRequestSchema;
+    output: typeof TestIamPermissionsResponseSchema;
+  },
+  /**
+   * Lists roles that can be granted on a Google Cloud resource. A role is
+   * grantable if the IAM policy for the resource can contain bindings to the
+   * role.
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.QueryGrantableRoles
+   */
+  queryGrantableRoles: {
+    methodKind: "unary";
+    input: typeof QueryGrantableRolesRequestSchema;
+    output: typeof QueryGrantableRolesResponseSchema;
+  },
+  /**
+   * Lists every predefined [Role][google.iam.admin.v1.Role] that IAM supports, or every custom role
+   * that is defined for an organization or project.
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.ListRoles
+   */
+  listRoles: {
+    methodKind: "unary";
+    input: typeof ListRolesRequestSchema;
+    output: typeof ListRolesResponseSchema;
+  },
+  /**
+   * Gets the definition of a [Role][google.iam.admin.v1.Role].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.GetRole
+   */
+  getRole: {
+    methodKind: "unary";
+    input: typeof GetRoleRequestSchema;
+    output: typeof RoleSchema;
+  },
+  /**
+   * Creates a new custom [Role][google.iam.admin.v1.Role].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.CreateRole
+   */
+  createRole: {
+    methodKind: "unary";
+    input: typeof CreateRoleRequestSchema;
+    output: typeof RoleSchema;
+  },
+  /**
+   * Updates the definition of a custom [Role][google.iam.admin.v1.Role].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.UpdateRole
+   */
+  updateRole: {
+    methodKind: "unary";
+    input: typeof UpdateRoleRequestSchema;
+    output: typeof RoleSchema;
+  },
+  /**
+   * Deletes a custom [Role][google.iam.admin.v1.Role].
+   *
+   * When you delete a custom role, the following changes occur immediately:
+   *
+   * * You cannot bind a principal to the custom role in an IAM
+   * [Policy][google.iam.v1.Policy].
+   * * Existing bindings to the custom role are not changed, but they have no
+   * effect.
+   * * By default, the response from [ListRoles][google.iam.admin.v1.IAM.ListRoles] does not include the custom
+   * role.
+   *
+   * You have 7 days to undelete the custom role. After 7 days, the following
+   * changes occur:
+   *
+   * * The custom role is permanently deleted and cannot be recovered.
+   * * If an IAM policy contains a binding to the custom role, the binding is
+   * permanently removed.
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.DeleteRole
+   */
+  deleteRole: {
+    methodKind: "unary";
+    input: typeof DeleteRoleRequestSchema;
+    output: typeof RoleSchema;
+  },
+  /**
+   * Undeletes a custom [Role][google.iam.admin.v1.Role].
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.UndeleteRole
+   */
+  undeleteRole: {
+    methodKind: "unary";
+    input: typeof UndeleteRoleRequestSchema;
+    output: typeof RoleSchema;
+  },
+  /**
+   * Lists every permission that you can test on a resource. A permission is
+   * testable if you can check whether a principal has that permission on the
+   * resource.
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.QueryTestablePermissions
+   */
+  queryTestablePermissions: {
+    methodKind: "unary";
+    input: typeof QueryTestablePermissionsRequestSchema;
+    output: typeof QueryTestablePermissionsResponseSchema;
+  },
+  /**
+   * Returns a list of services that allow you to opt into audit logs that are
+   * not generated by default.
+   *
+   * To learn more about audit logs, see the [Logging
+   * documentation](https://cloud.google.com/logging/docs/audit).
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.QueryAuditableServices
+   */
+  queryAuditableServices: {
+    methodKind: "unary";
+    input: typeof QueryAuditableServicesRequestSchema;
+    output: typeof QueryAuditableServicesResponseSchema;
+  },
+  /**
+   * Lints, or validates, an IAM policy. Currently checks the
+   * [google.iam.v1.Binding.condition][google.iam.v1.Binding.condition] field, which contains a condition
+   * expression for a role binding.
+   *
+   * Successful calls to this method always return an HTTP `200 OK` status code,
+   * even if the linter detects an issue in the IAM policy.
+   *
+   * @generated from rpc google.iam.admin.v1.IAM.LintPolicy
+   */
+  lintPolicy: {
+    methodKind: "unary";
+    input: typeof LintPolicyRequestSchema;
+    output: typeof LintPolicyResponseSchema;
+  },
+}>;