@databricks/sdk-uc-credentials 0.0.0-dev → 0.1.0-dev.2

@@ -0,0 +1,2904 @@
1
+ // Code generated from API definition by Databricks SDK Generator. DO NOT EDIT.
2
+
3
+ import {z} from 'zod';
4
+
5
+ export enum IsolationMode {
6
+ ISOLATION_MODE_UNSPECIFIED = 'ISOLATION_MODE_UNSPECIFIED',
7
+ ISOLATION_MODE_OPEN = 'ISOLATION_MODE_OPEN',
8
+ ISOLATION_MODE_ISOLATED = 'ISOLATION_MODE_ISOLATED',
9
+ }
10
+
11
+ export enum PathOperation {
12
+ PATH_READ = 'PATH_READ',
13
+ PATH_READ_WRITE = 'PATH_READ_WRITE',
14
+ PATH_CREATE_TABLE = 'PATH_CREATE_TABLE',
15
+ }
16
+
17
+ export enum TableOperation {
18
+ READ = 'READ',
19
+ READ_WRITE = 'READ_WRITE',
20
+ }
21
+
22
+ export enum VolumeOperation {
23
+ READ_VOLUME = 'READ_VOLUME',
24
+ WRITE_VOLUME = 'WRITE_VOLUME',
25
+ }
26
+
27
+ /** A enum represents the result of the file operation */
28
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested enum name.
29
+ export enum ValidateCredentialRequest_Result {
30
+ PASS = 'PASS',
31
+ FAIL = 'FAIL',
32
+ SKIP = 'SKIP',
33
+ }
34
+
35
+ /**
36
+ * A enum represents the file operation performed on the external location
37
+ * with the storage credential
38
+ */
39
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested enum name.
40
+ export enum ValidateStorageCredentialRequest_FileOperation {
41
+ LIST = 'LIST',
42
+ READ = 'READ',
43
+ WRITE = 'WRITE',
44
+ DELETE = 'DELETE',
45
+ PATH_EXISTS = 'PATH_EXISTS',
46
+ }
47
+
48
+ /** A enum represents the result of the file operation */
49
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested enum name.
50
+ export enum ValidateStorageCredentialRequest_Result {
51
+ PASS = 'PASS',
52
+ FAIL = 'FAIL',
53
+ SKIP = 'SKIP',
54
+ }
55
+
56
+ export interface AccountsCreateStorageCredentialRequest {
57
+ /** <Databricks> account ID of any type. For non-E2 account types, get your account ID from the [Accounts Console](https://docs.databricks.com/administration-guide/account-settings/usage.html) */
58
+ accountId?: string | undefined;
59
+ /** Unity Catalog metastore ID */
60
+ metastoreId?: string | undefined;
61
+ credentialInfo?: CreateAccountsStorageCredential | undefined;
62
+ /**
63
+ * Optional, default false.
64
+ * Supplying true to this argument skips validation of the created set of credentials.
65
+ */
66
+ skipValidation?: boolean | undefined;
67
+ }
68
+
69
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
70
+ export interface AccountsCreateStorageCredentialRequest_Response {
71
+ credentialInfo?: StorageCredentialInfo | undefined;
72
+ }
73
+
74
+ /** Deletes a storage credential for an account */
75
+ export interface AccountsDeleteStorageCredentialRequest {
76
+ /** <Databricks> account ID of any type. For non-E2 account types, get your account ID from the [Accounts Console](https://docs.databricks.com/administration-guide/account-settings/usage.html) */
77
+ accountId?: string | undefined;
78
+ /** Unity Catalog metastore ID */
79
+ metastoreId?: string | undefined;
80
+ /** Name of the storage credential. */
81
+ nameArg?: string | undefined;
82
+ /** Force deletion even if the Storage Credential is not empty. Default is false. */
83
+ force?: boolean | undefined;
84
+ }
85
+
86
+ /** The storage credential was successfully deleted. */
87
+ // eslint-disable-next-line @typescript-eslint/naming-convention, @typescript-eslint/no-empty-object-type -- Proto-style nested message name.
88
+ export interface AccountsDeleteStorageCredentialRequest_Response {}
89
+
90
+ /** Retrieves a single storage credential */
91
+ export interface AccountsGetStorageCredentialRequest {
92
+ /** <Databricks> account ID of any type. For non-E2 account types, get your account ID from the [Accounts Console](https://docs.databricks.com/administration-guide/account-settings/usage.html) */
93
+ accountId?: string | undefined;
94
+ /** Unity Catalog metastore ID */
95
+ metastoreId?: string | undefined;
96
+ /** Required. Name of the storage credential. */
97
+ nameArg?: string | undefined;
98
+ }
99
+
100
+ /** The storage credential was successfully retrieved. */
101
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
102
+ export interface AccountsGetStorageCredentialRequest_Response {
103
+ credentialInfo?: StorageCredentialInfo | undefined;
104
+ }
105
+
106
+ /** Lists all storage credentials for the given account and metastore */
107
+ export interface AccountsListStorageCredentialsRequest {
108
+ /** <Databricks> account ID of any type. For non-E2 account types, get your account ID from the [Accounts Console](https://docs.databricks.com/administration-guide/account-settings/usage.html) */
109
+ accountId?: string | undefined;
110
+ /** Unity Catalog metastore ID */
111
+ metastoreId?: string | undefined;
112
+ }
113
+
114
+ /** The metastore storage credentials were successfully returned. */
115
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
116
+ export interface AccountsListStorageCredentialsRequest_Response {
117
+ /** An array of metastore storage credentials. */
118
+ storageCredentials?: StorageCredentialInfo[] | undefined;
119
+ }
120
+
121
+ /** The storage credential to update. */
122
+ export interface AccountsUpdateStorageCredentialRequest {
123
+ /** <Databricks> account ID of any type. For non-E2 account types, get your account ID from the [Accounts Console](https://docs.databricks.com/administration-guide/account-settings/usage.html) */
124
+ accountId?: string | undefined;
125
+ /** Unity Catalog metastore ID */
126
+ metastoreId?: string | undefined;
127
+ /** Name of the storage credential. */
128
+ nameArg?: string | undefined;
129
+ credentialInfo?: UpdateAccountsStorageCredential | undefined;
130
+ /** Optional. Supplying true to this argument skips validation of the updated set of credentials. */
131
+ skipValidation?: boolean | undefined;
132
+ }
133
+
134
+ /** The storage credential was successfully updated. */
135
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
136
+ export interface AccountsUpdateStorageCredentialRequest_Response {
137
+ credentialInfo?: StorageCredentialInfo | undefined;
138
+ }
139
+
140
+ export interface AwsCredentials {
141
+ creds?: {$case: 'stsRole'; stsRole: AwsCredentials_StsRole} | undefined;
142
+ }
143
+
144
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
145
+ export interface AwsCredentials_StsRole {
146
+ /** The Amazon Resource Name (ARN) of the cross account IAM role. */
147
+ roleArn?: string | undefined;
148
+ }
149
+
150
+ /** The AWS IAM role configuration */
151
+ export interface AwsIamRole {
152
+ /** The Amazon Resource Name (ARN) of the AWS IAM role used to vend temporary credentials. */
153
+ roleArn?: string | undefined;
154
+ /**
155
+ * The Amazon Resource Name (ARN) of the AWS IAM user managed by <Databricks>.
156
+ * This is the identity that is going to assume the AWS IAM role.
157
+ */
158
+ unityCatalogIamArn?: string | undefined;
159
+ /** The external ID used in role assumption to prevent the confused deputy problem. */
160
+ externalId?: string | undefined;
161
+ }
162
+
163
+ /**
164
+ * Azure Active Directory token, essentially the Oauth token for Azure Service Principal or Managed
165
+ * Identity.
166
+ * Read more at https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/service-prin-aad-token
167
+ */
168
+ export interface AzureActiveDirectoryToken {
169
+ /** Opaque token that contains claims that you can use in Azure Active Directory to access cloud services. */
170
+ aadToken?: string | undefined;
171
+ }
172
+
173
+ /** The Azure managed identity configuration. */
174
+ export interface AzureManagedIdentity {
175
+ /**
176
+ * The Azure resource ID of the Azure Databricks Access Connector. Use the format
177
+ * `/subscriptions/{guid}/resourceGroups/{rg-name}/providers/Microsoft.Databricks/accessConnectors/{connector-name}`.
178
+ */
179
+ accessConnectorId?: string | undefined;
180
+ /**
181
+ * The Azure resource ID of the managed identity. Use the format,
182
+ * `/subscriptions/{guid}/resourceGroups/{rg-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identity-name}`
183
+ * This is only available for user-assgined identities. For system-assigned identities, the access_connector_id is used to identify the identity.
184
+ * If this field is not provided, then we assume the AzureManagedIdentity is using the system-assigned identity.
185
+ */
186
+ managedIdentityId?: string | undefined;
187
+ /** The <Databricks> internal ID that represents this managed identity. */
188
+ credentialId?: string | undefined;
189
+ }
190
+
191
+ /** The Azure service principal configuration. Only applicable when purpose is **STORAGE**. */
192
+ export interface AzureServicePrincipal {
193
+ /** The directory ID corresponding to the Azure Active Directory (AAD) tenant of the application. */
194
+ directoryId?: string | undefined;
195
+ /** The application ID of the application registration within the referenced AAD tenant. */
196
+ applicationId?: string | undefined;
197
+ /** The client secret generated for the above app ID in AAD. */
198
+ clientSecret?: string | undefined;
199
+ }
200
+
201
+ /**
202
+ * Azure temporary credentials for API authentication.
203
+ * Read more at https://docs.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas
204
+ */
205
+ export interface AzureUserDelegationSas {
206
+ /** The signed URI (SAS Token) used to access blob services for a given path */
207
+ sasToken?: string | undefined;
208
+ }
209
+
210
+ /**
211
+ * The Cloudflare API token configuration.
212
+ * Read more at https://developers.cloudflare.com/r2/api/s3/tokens/
213
+ */
214
+ export interface CloudflareApiToken {
215
+ /** The access key ID associated with the API token. */
216
+ accessKeyId?: string | undefined;
217
+ /** The secret access token generated for the above access key ID. */
218
+ secretAccessKey?: string | undefined;
219
+ /** The ID of the account associated with the API token. */
220
+ accountId?: string | undefined;
221
+ }
222
+
223
+ export interface CreateAccountsStorageCredential {
224
+ /**
225
+ * The credential name. The name must be unique among storage and service
226
+ * credentials within the metastore.
227
+ */
228
+ name?: string | undefined;
229
+ /** (--[Create:REQ, Update:OPT] The long-lived cloud credential.--) */
230
+ credential?:
231
+ | {
232
+ $case: 'awsIamRole';
233
+ /** The AWS IAM role configuration. */
234
+ awsIamRole: AwsIamRole;
235
+ }
236
+ | {
237
+ $case: 'azureServicePrincipal';
238
+ /** The Azure service principal configuration. */
239
+ azureServicePrincipal: AzureServicePrincipal;
240
+ }
241
+ | {
242
+ $case: 'gcpServiceAccountKey';
243
+ gcpServiceAccountKey: GcpServiceAccountKey;
244
+ }
245
+ | {
246
+ $case: 'azureManagedIdentity';
247
+ /** The Azure managed identity configuration. */
248
+ azureManagedIdentity: AzureManagedIdentity;
249
+ }
250
+ | {
251
+ $case: 'databricksGcpServiceAccount';
252
+ /** The <Databricks> managed GCP service account configuration. */
253
+ databricksGcpServiceAccount: DatabricksGcpServiceAccount;
254
+ }
255
+ | {
256
+ $case: 'cloudflareApiToken';
257
+ /** The Cloudflare API token configuration. */
258
+ cloudflareApiToken: CloudflareApiToken;
259
+ }
260
+ | undefined;
261
+ /** Comment associated with the credential. */
262
+ comment?: string | undefined;
263
+ /**
264
+ * Whether the credential is usable only for read operations. Only applicable
265
+ * when purpose is **STORAGE**.
266
+ */
267
+ readOnly?: boolean | undefined;
268
+ /** Username of current owner of credential. */
269
+ owner?: string | undefined;
270
+ /** The unique identifier of the credential. */
271
+ id?: string | undefined;
272
+ /** Unique identifier of the parent metastore. */
273
+ metastoreId?: string | undefined;
274
+ /** Time at which this credential was created, in epoch milliseconds. */
275
+ createdAt?: bigint | undefined;
276
+ /** Username of credential creator. */
277
+ createdBy?: string | undefined;
278
+ /** Time at which this credential was last modified, in epoch milliseconds. */
279
+ updatedAt?: bigint | undefined;
280
+ /** Username of user who last modified the credential. */
281
+ updatedBy?: string | undefined;
282
+ /**
283
+ * Whether this credential is the current metastore's root storage credential.
284
+ * Only applicable when purpose is **STORAGE**.
285
+ */
286
+ usedForManagedStorage?: boolean | undefined;
287
+ /** The full name of the credential. */
288
+ fullName?: string | undefined;
289
+ /**
290
+ * Whether the current securable is accessible from all workspaces or a
291
+ * specific set of workspaces.
292
+ */
293
+ isolationMode?: IsolationMode | undefined;
294
+ }
295
+
296
+ export interface CreateCredentialAwsCredentials {
297
+ creds?: {$case: 'stsRole'; stsRole: AwsCredentials_StsRole} | undefined;
298
+ }
299
+
300
+ export interface CreateCredentialRequest {
301
+ /**
302
+ * Optional. Supplying true to this argument skips validation of the created
303
+ * set of credentials.
304
+ */
305
+ skipValidation?: boolean | undefined;
306
+ /**
307
+ * The credential name. The name must be unique among storage and service
308
+ * credentials within the metastore.
309
+ */
310
+ name?: string | undefined;
311
+ /** (--[Create:REQ, Update:OPT] The long-lived cloud credential.--) */
312
+ credential?:
313
+ | {
314
+ $case: 'awsIamRole';
315
+ /** The AWS IAM role configuration. */
316
+ awsIamRole: AwsIamRole;
317
+ }
318
+ | {
319
+ $case: 'azureServicePrincipal';
320
+ /** The Azure service principal configuration. */
321
+ azureServicePrincipal: AzureServicePrincipal;
322
+ }
323
+ | {
324
+ $case: 'gcpServiceAccountKey';
325
+ gcpServiceAccountKey: GcpServiceAccountKey;
326
+ }
327
+ | {
328
+ $case: 'azureManagedIdentity';
329
+ /** The Azure managed identity configuration. */
330
+ azureManagedIdentity: AzureManagedIdentity;
331
+ }
332
+ | {
333
+ $case: 'databricksGcpServiceAccount';
334
+ /** The <Databricks> managed GCP service account configuration. */
335
+ databricksGcpServiceAccount: DatabricksGcpServiceAccount;
336
+ }
337
+ | {
338
+ $case: 'cloudflareApiToken';
339
+ /** The Cloudflare API token configuration. */
340
+ cloudflareApiToken: CloudflareApiToken;
341
+ }
342
+ | undefined;
343
+ /** Comment associated with the credential. */
344
+ comment?: string | undefined;
345
+ /**
346
+ * Whether the credential is usable only for read operations. Only applicable
347
+ * when purpose is **STORAGE**.
348
+ */
349
+ readOnly?: boolean | undefined;
350
+ /** Username of current owner of credential. */
351
+ owner?: string | undefined;
352
+ /** The unique identifier of the credential. */
353
+ id?: string | undefined;
354
+ /** Unique identifier of the parent metastore. */
355
+ metastoreId?: string | undefined;
356
+ /** Time at which this credential was created, in epoch milliseconds. */
357
+ createdAt?: bigint | undefined;
358
+ /** Username of credential creator. */
359
+ createdBy?: string | undefined;
360
+ /** Time at which this credential was last modified, in epoch milliseconds. */
361
+ updatedAt?: bigint | undefined;
362
+ /** Username of user who last modified the credential. */
363
+ updatedBy?: string | undefined;
364
+ /**
365
+ * Whether this credential is the current metastore's root storage credential.
366
+ * Only applicable when purpose is **STORAGE**.
367
+ */
368
+ usedForManagedStorage?: boolean | undefined;
369
+ /** The full name of the credential. */
370
+ fullName?: string | undefined;
371
+ /**
372
+ * Whether the current securable is accessible from all workspaces or a
373
+ * specific set of workspaces.
374
+ */
375
+ isolationMode?: IsolationMode | undefined;
376
+ }
377
+
378
+ export interface CreateCredentialsRequest {
379
+ accountId?: string | undefined;
380
+ /** The human-readable name of the credential configuration object. */
381
+ credentialsName?: string | undefined;
382
+ /** (-- NOTE(austin) This oneof is a future-looking definition when we add other clouds --) */
383
+ cloudCredentials?:
384
+ | {$case: 'awsCredentials'; awsCredentials: CreateCredentialAwsCredentials}
385
+ | undefined;
386
+ }
387
+
388
+ export interface CreateStorageCredentialRequest {
389
+ /** Supplying true to this argument skips validation of the created credential. */
390
+ skipValidation?: boolean | undefined;
391
+ /**
392
+ * The credential name. The name must be unique among storage and service
393
+ * credentials within the metastore.
394
+ */
395
+ name?: string | undefined;
396
+ /** (--[Create:REQ, Update:OPT] The long-lived cloud credential.--) */
397
+ credential?:
398
+ | {
399
+ $case: 'awsIamRole';
400
+ /** The AWS IAM role configuration. */
401
+ awsIamRole: AwsIamRole;
402
+ }
403
+ | {
404
+ $case: 'azureServicePrincipal';
405
+ /** The Azure service principal configuration. */
406
+ azureServicePrincipal: AzureServicePrincipal;
407
+ }
408
+ | {
409
+ $case: 'gcpServiceAccountKey';
410
+ gcpServiceAccountKey: GcpServiceAccountKey;
411
+ }
412
+ | {
413
+ $case: 'azureManagedIdentity';
414
+ /** The Azure managed identity configuration. */
415
+ azureManagedIdentity: AzureManagedIdentity;
416
+ }
417
+ | {
418
+ $case: 'databricksGcpServiceAccount';
419
+ /** The <Databricks> managed GCP service account configuration. */
420
+ databricksGcpServiceAccount: DatabricksGcpServiceAccount;
421
+ }
422
+ | {
423
+ $case: 'cloudflareApiToken';
424
+ /** The Cloudflare API token configuration. */
425
+ cloudflareApiToken: CloudflareApiToken;
426
+ }
427
+ | undefined;
428
+ /** Comment associated with the credential. */
429
+ comment?: string | undefined;
430
+ /**
431
+ * Whether the credential is usable only for read operations. Only applicable
432
+ * when purpose is **STORAGE**.
433
+ */
434
+ readOnly?: boolean | undefined;
435
+ /** Username of current owner of credential. */
436
+ owner?: string | undefined;
437
+ /** The unique identifier of the credential. */
438
+ id?: string | undefined;
439
+ /** Unique identifier of the parent metastore. */
440
+ metastoreId?: string | undefined;
441
+ /** Time at which this credential was created, in epoch milliseconds. */
442
+ createdAt?: bigint | undefined;
443
+ /** Username of credential creator. */
444
+ createdBy?: string | undefined;
445
+ /** Time at which this credential was last modified, in epoch milliseconds. */
446
+ updatedAt?: bigint | undefined;
447
+ /** Username of user who last modified the credential. */
448
+ updatedBy?: string | undefined;
449
+ /**
450
+ * Whether this credential is the current metastore's root storage credential.
451
+ * Only applicable when purpose is **STORAGE**.
452
+ */
453
+ usedForManagedStorage?: boolean | undefined;
454
+ /** The full name of the credential. */
455
+ fullName?: string | undefined;
456
+ /**
457
+ * Whether the current securable is accessible from all workspaces or a
458
+ * specific set of workspaces.
459
+ */
460
+ isolationMode?: IsolationMode | undefined;
461
+ }
462
+
463
+ export interface CredentialInfo {
464
+ /**
465
+ * The credential name. The name must be unique among storage and service
466
+ * credentials within the metastore.
467
+ */
468
+ name?: string | undefined;
469
+ /** (--[Create:REQ, Update:OPT] The long-lived cloud credential.--) */
470
+ credential?:
471
+ | {
472
+ $case: 'awsIamRole';
473
+ /** The AWS IAM role configuration. */
474
+ awsIamRole: AwsIamRole;
475
+ }
476
+ | {
477
+ $case: 'azureServicePrincipal';
478
+ /** The Azure service principal configuration. */
479
+ azureServicePrincipal: AzureServicePrincipal;
480
+ }
481
+ | {
482
+ $case: 'gcpServiceAccountKey';
483
+ gcpServiceAccountKey: GcpServiceAccountKey;
484
+ }
485
+ | {
486
+ $case: 'azureManagedIdentity';
487
+ /** The Azure managed identity configuration. */
488
+ azureManagedIdentity: AzureManagedIdentity;
489
+ }
490
+ | {
491
+ $case: 'databricksGcpServiceAccount';
492
+ /** The <Databricks> managed GCP service account configuration. */
493
+ databricksGcpServiceAccount: DatabricksGcpServiceAccount;
494
+ }
495
+ | {
496
+ $case: 'cloudflareApiToken';
497
+ /** The Cloudflare API token configuration. */
498
+ cloudflareApiToken: CloudflareApiToken;
499
+ }
500
+ | undefined;
501
+ /** Comment associated with the credential. */
502
+ comment?: string | undefined;
503
+ /**
504
+ * Whether the credential is usable only for read operations. Only applicable
505
+ * when purpose is **STORAGE**.
506
+ */
507
+ readOnly?: boolean | undefined;
508
+ /** Username of current owner of credential. */
509
+ owner?: string | undefined;
510
+ /** The unique identifier of the credential. */
511
+ id?: string | undefined;
512
+ /** Unique identifier of the parent metastore. */
513
+ metastoreId?: string | undefined;
514
+ /** Time at which this credential was created, in epoch milliseconds. */
515
+ createdAt?: bigint | undefined;
516
+ /** Username of credential creator. */
517
+ createdBy?: string | undefined;
518
+ /** Time at which this credential was last modified, in epoch milliseconds. */
519
+ updatedAt?: bigint | undefined;
520
+ /** Username of user who last modified the credential. */
521
+ updatedBy?: string | undefined;
522
+ /**
523
+ * Whether this credential is the current metastore's root storage credential.
524
+ * Only applicable when purpose is **STORAGE**.
525
+ */
526
+ usedForManagedStorage?: boolean | undefined;
527
+ /** The full name of the credential. */
528
+ fullName?: string | undefined;
529
+ /**
530
+ * Whether the current securable is accessible from all workspaces or a
531
+ * specific set of workspaces.
532
+ */
533
+ isolationMode?: IsolationMode | undefined;
534
+ }
535
+
536
+ export interface Credentials {
537
+ /** <Databricks> credential configuration ID. */
538
+ credentialsId?: string | undefined;
539
+ /** The <Databricks> account ID that hosts the credential. */
540
+ accountId?: string | undefined;
541
+ /** (-- NOTE(austin) This oneof is a future-looking definition when we add other clouds --) */
542
+ cloudCredentials?:
543
+ | {$case: 'awsCredentials'; awsCredentials: AwsCredentials}
544
+ | undefined;
545
+ /** The human-readable name of the credential configuration object. */
546
+ credentialsName?: string | undefined;
547
+ /** Time in epoch milliseconds when the credential was created. */
548
+ creationTime?: bigint | undefined;
549
+ }
550
+
551
+ /**
552
+ * GCP long-lived credential.
553
+ * <Databricks>-created Google Cloud Storage service account.
554
+ */
555
+ export interface DatabricksGcpServiceAccount {
556
+ /** The email of the service account. */
557
+ email?: string | undefined;
558
+ /** The ID that represents the private key for this Service Account */
559
+ privateKeyId?: string | undefined;
560
+ /** The <Databricks> internal ID that represents this managed identity. */
561
+ credentialId?: string | undefined;
562
+ }
563
+
564
+ export interface DeleteCredentialRequest {
565
+ /** Name of the credential. */
566
+ nameArg?: string | undefined;
567
+ /**
568
+ * Force an update even if there are dependent services (when purpose is
569
+ * **SERVICE**) or dependent external locations and external tables (when
570
+ * purpose is **STORAGE**).
571
+ */
572
+ force?: boolean | undefined;
573
+ }
574
+
575
+ // eslint-disable-next-line @typescript-eslint/naming-convention, @typescript-eslint/no-empty-object-type -- Proto-style nested message name.
576
+ export interface DeleteCredentialRequest_Response {}
577
+
578
+ export interface DeleteCredentialsRequest {
579
+ /** Databricks Account API credential configuration ID */
580
+ credentialsId?: string | undefined;
581
+ accountId?: string | undefined;
582
+ }
583
+
584
+ export interface DeleteStorageCredentialRequest {
585
+ /** Name of the storage credential. */
586
+ nameArg?: string | undefined;
587
+ /**
588
+ * Force an update even if there are dependent external locations or external
589
+ * tables (when purpose is **STORAGE**) or dependent services (when purpose is
590
+ * **SERVICE**).
591
+ */
592
+ force?: boolean | undefined;
593
+ }
594
+
595
+ // eslint-disable-next-line @typescript-eslint/naming-convention, @typescript-eslint/no-empty-object-type -- Proto-style nested message name.
596
+ export interface DeleteStorageCredentialRequest_Response {}
597
+
598
+ /**
599
+ * GCP temporary credentials for API authentication.
600
+ * Read more at https://developers.google.com/identity/protocols/oauth2/service-account
601
+ */
602
+ export interface GcpOauthToken {
603
+ oauthToken?: string | undefined;
604
+ }
605
+
606
+ /**
607
+ * GCP long-lived credential.
608
+ * GCP Service Account.
609
+ */
610
+ export interface GcpServiceAccountKey {
611
+ /** The email of the service account. */
612
+ email?: string | undefined;
613
+ /** The ID of the service account's private key. */
614
+ privateKeyId?: string | undefined;
615
+ /** The service account's RSA private key. */
616
+ privateKey?: string | undefined;
617
+ }
618
+
619
+ export interface GenerateTemporaryPathCredentialRequest {
620
+ /** URL for path-based access. */
621
+ url?: string | undefined;
622
+ /** The operation being performed on the path. */
623
+ operation?: PathOperation | undefined;
624
+ /**
625
+ * Optional. When set to true, the service will not validate that the generated
626
+ * credentials can perform write operations, therefore no new paths will be created
627
+ * and the response will not contain valid credentials. Defaults to false.
628
+ */
629
+ dryRun?: boolean | undefined;
630
+ }
631
+
632
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
633
+ export interface GenerateTemporaryPathCredentialRequest_Response {
634
+ /** The temporary credential. */
635
+ credentials?:
636
+ | {$case: 'awsTempCredentials'; awsTempCredentials: TemporaryAwsCredentials}
637
+ | {
638
+ $case: 'azureUserDelegationSas';
639
+ azureUserDelegationSas: AzureUserDelegationSas;
640
+ }
641
+ | {$case: 'gcpOauthToken'; gcpOauthToken: GcpOauthToken}
642
+ | {$case: 'azureAad'; azureAad: AzureActiveDirectoryToken}
643
+ | {$case: 'r2TempCredentials'; r2TempCredentials: R2Credentials}
644
+ | undefined;
645
+ /**
646
+ * Server time when the credential will expire, in epoch milliseconds.
647
+ * The API client is advised to cache the credential given this expiration time.
648
+ */
649
+ expirationTime?: bigint | undefined;
650
+ /** The URL of the storage path accessible by the temporary credential. */
651
+ url?: string | undefined;
652
+ }
653
+
654
+ export interface GenerateTemporaryServiceCredentialRequest {
655
+ /** The name of the service credential used to generate a temporary credential */
656
+ credentialName?: string | undefined;
657
+ options?:
658
+ | {
659
+ $case: 'azureOptions';
660
+ azureOptions: GenerateTemporaryServiceCredentialRequest_AzureOptions;
661
+ }
662
+ | {
663
+ $case: 'gcpOptions';
664
+ gcpOptions: GenerateTemporaryServiceCredentialRequest_GcpOptions;
665
+ }
666
+ | undefined;
667
+ }
668
+
669
+ /** The Azure cloud options to customize the requested temporary credential */
670
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
671
+ export interface GenerateTemporaryServiceCredentialRequest_AzureOptions {
672
+ /**
673
+ * The resources to which the temporary Azure credential should apply. These resources
674
+ * are the scopes that are passed to the token provider (see https://learn.microsoft.com/python/api/azure-core/azure.core.credentials.tokencredential?view=azure-python)
675
+ */
676
+ resources?: string[] | undefined;
677
+ }
678
+
679
+ /** The GCP cloud options to customize the requested temporary credential */
680
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
681
+ export interface GenerateTemporaryServiceCredentialRequest_GcpOptions {
682
+ /**
683
+ * The scopes to which the temporary GCP credential should apply. These resources
684
+ * are the scopes that are passed to the token provider (see
685
+ * https://google-auth.readthedocs.io/en/latest/reference/google.auth.html#google.auth.credentials.Credentials)
686
+ */
687
+ scopes?: string[] | undefined;
688
+ }
689
+
690
+ export interface GenerateTemporaryTableCredentialRequest {
691
+ /** UUID of the table to read or write. */
692
+ tableId?: string | undefined;
693
+ /**
694
+ * The operation performed against the table data, either READ or READ_WRITE. If READ_WRITE is specified,
695
+ * the credentials returned will have write permissions, otherwise, it will be read only.
696
+ */
697
+ operation?: TableOperation | undefined;
698
+ }
699
+
700
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
701
+ export interface GenerateTemporaryTableCredentialRequest_Response {
702
+ /** The temporary credential. */
703
+ credentials?:
704
+ | {$case: 'awsTempCredentials'; awsTempCredentials: TemporaryAwsCredentials}
705
+ | {
706
+ $case: 'azureUserDelegationSas';
707
+ azureUserDelegationSas: AzureUserDelegationSas;
708
+ }
709
+ | {$case: 'gcpOauthToken'; gcpOauthToken: GcpOauthToken}
710
+ | {$case: 'azureAad'; azureAad: AzureActiveDirectoryToken}
711
+ | {$case: 'r2TempCredentials'; r2TempCredentials: R2Credentials}
712
+ | undefined;
713
+ /**
714
+ * Server time when the credential will expire, in epoch milliseconds.
715
+ * The API client is advised to cache the credential given this expiration time.
716
+ */
717
+ expirationTime?: bigint | undefined;
718
+ /** The URL of the storage path accessible by the temporary credential. */
719
+ url?: string | undefined;
720
+ }
721
+
722
+ /** Generate volume credentials RPC */
723
+ export interface GenerateTemporaryVolumeCredentialRequest {
724
+ /** Id of the volume to read or write. */
725
+ volumeId?: string | undefined;
726
+ /**
727
+ * The operation performed against the volume data, either READ_VOLUME or WRITE_VOLUME. If WRITE_VOLUME is specified,
728
+ * the credentials returned will have write permissions, otherwise, it will be read only.
729
+ */
730
+ operation?: VolumeOperation | undefined;
731
+ }
732
+
733
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
734
+ export interface GenerateTemporaryVolumeCredentialRequest_Response {
735
+ /** The temporary credential. */
736
+ credentials?:
737
+ | {$case: 'awsTempCredentials'; awsTempCredentials: TemporaryAwsCredentials}
738
+ | {
739
+ $case: 'azureUserDelegationSas';
740
+ azureUserDelegationSas: AzureUserDelegationSas;
741
+ }
742
+ | {$case: 'gcpOauthToken'; gcpOauthToken: GcpOauthToken}
743
+ | {$case: 'azureAad'; azureAad: AzureActiveDirectoryToken}
744
+ | {$case: 'r2TempCredentials'; r2TempCredentials: R2Credentials}
745
+ | undefined;
746
+ /**
747
+ * Server time when the credential will expire, in epoch milliseconds.
748
+ * The API client is advised to cache the credential given this expiration time.
749
+ */
750
+ expirationTime?: bigint | undefined;
751
+ /** The URL of the storage path accessible by the temporary credential. */
752
+ url?: string | undefined;
753
+ }
754
+
755
+ export interface GetCredentialRequest {
756
+ /** Name of the credential. */
757
+ nameArg?: string | undefined;
758
+ }
759
+
760
+ export interface GetCredentialsRequest {
761
+ /** Credential configuration ID */
762
+ credentialsId?: string | undefined;
763
+ accountId?: string | undefined;
764
+ }
765
+
766
+ /**
767
+ * TODO(UC-1710): The legacy /storage-credentials API is being deprecated.
768
+ * Please use the new consolidated /credentials API instead.
769
+ * See https://github.com/databricks-eng/universe/pull/857047#discussion_r1924779791 for an example of a case when that wasn't possible.
770
+ */
771
+ export interface GetStorageCredentialRequest {
772
+ /** Name of the storage credential. */
773
+ nameArg?: string | undefined;
774
+ }
775
+
776
+ export interface ListCredentialsPublicRequest {
777
+ accountId?: string | undefined;
778
+ }
779
+
780
+ /**
781
+ * ListCredentialsRequest is used to list credentials in the metastore.
782
+ * Returns an array of credentials (as CredentialInfo objects). The array is
783
+ * limited to the credentials that the caller has permission to access. If the
784
+ * caller is a metastore admin, retrieval of credentials is unrestricted.
785
+ *
786
+ * There is no guarantee of a specific ordering of the elements in the array.
787
+ */
788
+ export interface ListCredentialsRequest {
789
+ /**
790
+ * Whether to include credentials not bound to the workspace.
791
+ * Effective only if the user has permission to update the credential–workspace binding.
792
+ */
793
+ includeUnbound?: boolean | undefined;
794
+ /**
795
+ * Maximum number of credentials to return.
796
+ * - If not set, the default max page size is used.
797
+ * - When set to a value greater than 0, the page length is the minimum of
798
+ * this value and a server-configured value.
799
+ * - When set to 0, the page length is set to a server-configured value
800
+ * (recommended).
801
+ * - When set to a value less than 0, an invalid parameter error is
802
+ * returned.
803
+ */
804
+ maxResults?: number | undefined;
805
+ /** Opaque token to retrieve the next page of results. */
806
+ pageToken?: string | undefined;
807
+ }
808
+
809
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
810
+ export interface ListCredentialsRequest_Response {
811
+ credentials?: CredentialInfo[] | undefined;
812
+ /**
813
+ * Opaque token to retrieve the next page of results. Absent if there are no
814
+ * more pages.
815
+ * __page_token__ should be set to this value for the next request (for the
816
+ * next page of results).
817
+ */
818
+ nextPageToken?: string | undefined;
819
+ }
820
+
821
+ export interface ListCredentialsResponse {
822
+ credentials?: Credentials[] | undefined;
823
+ }
824
+
825
+ export interface ListStorageCredentialsRequest {
826
+ /**
827
+ * Whether to include credentials not bound to the workspace.
828
+ * Effective only if the user has permission to update the credential–workspace binding.
829
+ */
830
+ includeUnbound?: boolean | undefined;
831
+ /**
832
+ * Maximum number of storage credentials to return.
833
+ * If not set, all the storage credentials are returned (not recommended).
834
+ * - when set to a value greater than 0, the page length is the minimum of
835
+ * this value and a server configured value;
836
+ * - when set to 0, the page length is set to a server configured value
837
+ * (recommended);
838
+ * - when set to a value less than 0, an invalid parameter error is returned;
839
+ */
840
+ maxResults?: number | undefined;
841
+ /** Opaque pagination token to go to next page based on previous query. */
842
+ pageToken?: string | undefined;
843
+ }
844
+
845
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
846
+ export interface ListStorageCredentialsRequest_Response {
847
+ storageCredentials?: StorageCredentialInfo[] | undefined;
848
+ /**
849
+ * Opaque token to retrieve the next page of results. Absent if there are no
850
+ * more pages.
851
+ * __page_token__ should be set to this value for the next request (for the
852
+ * next page of results).
853
+ */
854
+ nextPageToken?: string | undefined;
855
+ }
856
+
857
+ /**
858
+ * R2 temporary credentials for API authentication.
859
+ * Read more at https://developers.cloudflare.com/r2/api/s3/tokens/.
860
+ */
861
+ export interface R2Credentials {
862
+ /** The access key ID that identifies the temporary credentials. */
863
+ accessKeyId?: string | undefined;
864
+ /** The secret access key associated with the access key. */
865
+ secretAccessKey?: string | undefined;
866
+ /** The generated JWT that users must pass to use the temporary credentials. */
867
+ sessionToken?: string | undefined;
868
+ }
869
+
870
+ export interface StorageCredentialInfo {
871
+ /**
872
+ * The credential name. The name must be unique among storage and service
873
+ * credentials within the metastore.
874
+ */
875
+ name?: string | undefined;
876
+ /** (--[Create:REQ, Update:OPT] The long-lived cloud credential.--) */
877
+ credential?:
878
+ | {
879
+ $case: 'awsIamRole';
880
+ /** The AWS IAM role configuration. */
881
+ awsIamRole: AwsIamRole;
882
+ }
883
+ | {
884
+ $case: 'azureServicePrincipal';
885
+ /** The Azure service principal configuration. */
886
+ azureServicePrincipal: AzureServicePrincipal;
887
+ }
888
+ | {
889
+ $case: 'gcpServiceAccountKey';
890
+ gcpServiceAccountKey: GcpServiceAccountKey;
891
+ }
892
+ | {
893
+ $case: 'azureManagedIdentity';
894
+ /** The Azure managed identity configuration. */
895
+ azureManagedIdentity: AzureManagedIdentity;
896
+ }
897
+ | {
898
+ $case: 'databricksGcpServiceAccount';
899
+ /** The <Databricks> managed GCP service account configuration. */
900
+ databricksGcpServiceAccount: DatabricksGcpServiceAccount;
901
+ }
902
+ | {
903
+ $case: 'cloudflareApiToken';
904
+ /** The Cloudflare API token configuration. */
905
+ cloudflareApiToken: CloudflareApiToken;
906
+ }
907
+ | undefined;
908
+ /** Comment associated with the credential. */
909
+ comment?: string | undefined;
910
+ /**
911
+ * Whether the credential is usable only for read operations. Only applicable
912
+ * when purpose is **STORAGE**.
913
+ */
914
+ readOnly?: boolean | undefined;
915
+ /** Username of current owner of credential. */
916
+ owner?: string | undefined;
917
+ /** The unique identifier of the credential. */
918
+ id?: string | undefined;
919
+ /** Unique identifier of the parent metastore. */
920
+ metastoreId?: string | undefined;
921
+ /** Time at which this credential was created, in epoch milliseconds. */
922
+ createdAt?: bigint | undefined;
923
+ /** Username of credential creator. */
924
+ createdBy?: string | undefined;
925
+ /** Time at which this credential was last modified, in epoch milliseconds. */
926
+ updatedAt?: bigint | undefined;
927
+ /** Username of user who last modified the credential. */
928
+ updatedBy?: string | undefined;
929
+ /**
930
+ * Whether this credential is the current metastore's root storage credential.
931
+ * Only applicable when purpose is **STORAGE**.
932
+ */
933
+ usedForManagedStorage?: boolean | undefined;
934
+ /** The full name of the credential. */
935
+ fullName?: string | undefined;
936
+ /**
937
+ * Whether the current securable is accessible from all workspaces or a
938
+ * specific set of workspaces.
939
+ */
940
+ isolationMode?: IsolationMode | undefined;
941
+ }
942
+
943
+ /**
944
+ * AWS temporary credentials for API authentication.
945
+ * Read more at https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html.
946
+ */
947
+ export interface TemporaryAwsCredentials {
948
+ /** The access key ID that identifies the temporary credentials. */
949
+ accessKeyId?: string | undefined;
950
+ /** The secret access key that can be used to sign AWS API requests. */
951
+ secretAccessKey?: string | undefined;
952
+ /** The token that users must pass to AWS API to use the temporary credentials. */
953
+ sessionToken?: string | undefined;
954
+ /**
955
+ * The Amazon Resource Name (ARN) of the S3 access point for
956
+ * temporary credentials related the external location.
957
+ */
958
+ accessPoint?: string | undefined;
959
+ }
960
+
961
+ export interface TemporaryCredentials {
962
+ /** The temporary credential. */
963
+ credentials?:
964
+ | {$case: 'awsTempCredentials'; awsTempCredentials: TemporaryAwsCredentials}
965
+ | {
966
+ $case: 'azureUserDelegationSas';
967
+ azureUserDelegationSas: AzureUserDelegationSas;
968
+ }
969
+ | {$case: 'gcpOauthToken'; gcpOauthToken: GcpOauthToken}
970
+ | {$case: 'azureAad'; azureAad: AzureActiveDirectoryToken}
971
+ | {$case: 'r2TempCredentials'; r2TempCredentials: R2Credentials}
972
+ | undefined;
973
+ /**
974
+ * Server time when the credential will expire, in epoch milliseconds.
975
+ * The API client is advised to cache the credential given this expiration time.
976
+ */
977
+ expirationTime?: bigint | undefined;
978
+ /** The URL of the storage path accessible by the temporary credential. */
979
+ url?: string | undefined;
980
+ }
981
+
982
+ export interface UpdateAccountsStorageCredential {
983
+ /**
984
+ * The credential name. The name must be unique among storage and service
985
+ * credentials within the metastore.
986
+ */
987
+ name?: string | undefined;
988
+ /** (--[Create:REQ, Update:OPT] The long-lived cloud credential.--) */
989
+ credential?:
990
+ | {
991
+ $case: 'awsIamRole';
992
+ /** The AWS IAM role configuration. */
993
+ awsIamRole: AwsIamRole;
994
+ }
995
+ | {
996
+ $case: 'azureServicePrincipal';
997
+ /** The Azure service principal configuration. */
998
+ azureServicePrincipal: AzureServicePrincipal;
999
+ }
1000
+ | {
1001
+ $case: 'gcpServiceAccountKey';
1002
+ gcpServiceAccountKey: GcpServiceAccountKey;
1003
+ }
1004
+ | {
1005
+ $case: 'azureManagedIdentity';
1006
+ /** The Azure managed identity configuration. */
1007
+ azureManagedIdentity: AzureManagedIdentity;
1008
+ }
1009
+ | {
1010
+ $case: 'databricksGcpServiceAccount';
1011
+ /** The <Databricks> managed GCP service account configuration. */
1012
+ databricksGcpServiceAccount: DatabricksGcpServiceAccount;
1013
+ }
1014
+ | {
1015
+ $case: 'cloudflareApiToken';
1016
+ /** The Cloudflare API token configuration. */
1017
+ cloudflareApiToken: CloudflareApiToken;
1018
+ }
1019
+ | undefined;
1020
+ /** Comment associated with the credential. */
1021
+ comment?: string | undefined;
1022
+ /**
1023
+ * Whether the credential is usable only for read operations. Only applicable
1024
+ * when purpose is **STORAGE**.
1025
+ */
1026
+ readOnly?: boolean | undefined;
1027
+ /** Username of current owner of credential. */
1028
+ owner?: string | undefined;
1029
+ /** The unique identifier of the credential. */
1030
+ id?: string | undefined;
1031
+ /** Unique identifier of the parent metastore. */
1032
+ metastoreId?: string | undefined;
1033
+ /** Time at which this credential was created, in epoch milliseconds. */
1034
+ createdAt?: bigint | undefined;
1035
+ /** Username of credential creator. */
1036
+ createdBy?: string | undefined;
1037
+ /** Time at which this credential was last modified, in epoch milliseconds. */
1038
+ updatedAt?: bigint | undefined;
1039
+ /** Username of user who last modified the credential. */
1040
+ updatedBy?: string | undefined;
1041
+ /**
1042
+ * Whether this credential is the current metastore's root storage credential.
1043
+ * Only applicable when purpose is **STORAGE**.
1044
+ */
1045
+ usedForManagedStorage?: boolean | undefined;
1046
+ /** The full name of the credential. */
1047
+ fullName?: string | undefined;
1048
+ /**
1049
+ * Whether the current securable is accessible from all workspaces or a
1050
+ * specific set of workspaces.
1051
+ */
1052
+ isolationMode?: IsolationMode | undefined;
1053
+ }
1054
+
1055
+ export interface UpdateCredentialRequest {
1056
+ /** Name of the credential. */
1057
+ nameArg?: string | undefined;
1058
+ /** New name of credential. */
1059
+ newName?: string | undefined;
1060
+ /** Supply true to this argument to skip validation of the updated credential. */
1061
+ skipValidation?: boolean | undefined;
1062
+ /**
1063
+ * Force an update even if there are dependent services (when purpose is
1064
+ * **SERVICE**) or dependent external locations and external tables (when
1065
+ * purpose is **STORAGE**).
1066
+ */
1067
+ force?: boolean | undefined;
1068
+ /**
1069
+ * The credential name. The name must be unique among storage and service
1070
+ * credentials within the metastore.
1071
+ */
1072
+ name?: string | undefined;
1073
+ /** (--[Create:REQ, Update:OPT] The long-lived cloud credential.--) */
1074
+ credential?:
1075
+ | {
1076
+ $case: 'awsIamRole';
1077
+ /** The AWS IAM role configuration. */
1078
+ awsIamRole: AwsIamRole;
1079
+ }
1080
+ | {
1081
+ $case: 'azureServicePrincipal';
1082
+ /** The Azure service principal configuration. */
1083
+ azureServicePrincipal: AzureServicePrincipal;
1084
+ }
1085
+ | {
1086
+ $case: 'gcpServiceAccountKey';
1087
+ gcpServiceAccountKey: GcpServiceAccountKey;
1088
+ }
1089
+ | {
1090
+ $case: 'azureManagedIdentity';
1091
+ /** The Azure managed identity configuration. */
1092
+ azureManagedIdentity: AzureManagedIdentity;
1093
+ }
1094
+ | {
1095
+ $case: 'databricksGcpServiceAccount';
1096
+ /** The <Databricks> managed GCP service account configuration. */
1097
+ databricksGcpServiceAccount: DatabricksGcpServiceAccount;
1098
+ }
1099
+ | {
1100
+ $case: 'cloudflareApiToken';
1101
+ /** The Cloudflare API token configuration. */
1102
+ cloudflareApiToken: CloudflareApiToken;
1103
+ }
1104
+ | undefined;
1105
+ /** Comment associated with the credential. */
1106
+ comment?: string | undefined;
1107
+ /**
1108
+ * Whether the credential is usable only for read operations. Only applicable
1109
+ * when purpose is **STORAGE**.
1110
+ */
1111
+ readOnly?: boolean | undefined;
1112
+ /** Username of current owner of credential. */
1113
+ owner?: string | undefined;
1114
+ /** The unique identifier of the credential. */
1115
+ id?: string | undefined;
1116
+ /** Unique identifier of the parent metastore. */
1117
+ metastoreId?: string | undefined;
1118
+ /** Time at which this credential was created, in epoch milliseconds. */
1119
+ createdAt?: bigint | undefined;
1120
+ /** Username of credential creator. */
1121
+ createdBy?: string | undefined;
1122
+ /** Time at which this credential was last modified, in epoch milliseconds. */
1123
+ updatedAt?: bigint | undefined;
1124
+ /** Username of user who last modified the credential. */
1125
+ updatedBy?: string | undefined;
1126
+ /**
1127
+ * Whether this credential is the current metastore's root storage credential.
1128
+ * Only applicable when purpose is **STORAGE**.
1129
+ */
1130
+ usedForManagedStorage?: boolean | undefined;
1131
+ /** The full name of the credential. */
1132
+ fullName?: string | undefined;
1133
+ /**
1134
+ * Whether the current securable is accessible from all workspaces or a
1135
+ * specific set of workspaces.
1136
+ */
1137
+ isolationMode?: IsolationMode | undefined;
1138
+ }
1139
+
1140
+ export interface UpdateStorageCredentialRequest {
1141
+ /** Name of the storage credential. */
1142
+ nameArg?: string | undefined;
1143
+ /** New name for the storage credential. */
1144
+ newName?: string | undefined;
1145
+ /** Supplying true to this argument skips validation of the updated credential. */
1146
+ skipValidation?: boolean | undefined;
1147
+ /**
1148
+ * Force update even if there are dependent external locations or external
1149
+ * tables.
1150
+ */
1151
+ force?: boolean | undefined;
1152
+ /**
1153
+ * The credential name. The name must be unique among storage and service
1154
+ * credentials within the metastore.
1155
+ */
1156
+ name?: string | undefined;
1157
+ /** (--[Create:REQ, Update:OPT] The long-lived cloud credential.--) */
1158
+ credential?:
1159
+ | {
1160
+ $case: 'awsIamRole';
1161
+ /** The AWS IAM role configuration. */
1162
+ awsIamRole: AwsIamRole;
1163
+ }
1164
+ | {
1165
+ $case: 'azureServicePrincipal';
1166
+ /** The Azure service principal configuration. */
1167
+ azureServicePrincipal: AzureServicePrincipal;
1168
+ }
1169
+ | {
1170
+ $case: 'gcpServiceAccountKey';
1171
+ gcpServiceAccountKey: GcpServiceAccountKey;
1172
+ }
1173
+ | {
1174
+ $case: 'azureManagedIdentity';
1175
+ /** The Azure managed identity configuration. */
1176
+ azureManagedIdentity: AzureManagedIdentity;
1177
+ }
1178
+ | {
1179
+ $case: 'databricksGcpServiceAccount';
1180
+ /** The <Databricks> managed GCP service account configuration. */
1181
+ databricksGcpServiceAccount: DatabricksGcpServiceAccount;
1182
+ }
1183
+ | {
1184
+ $case: 'cloudflareApiToken';
1185
+ /** The Cloudflare API token configuration. */
1186
+ cloudflareApiToken: CloudflareApiToken;
1187
+ }
1188
+ | undefined;
1189
+ /** Comment associated with the credential. */
1190
+ comment?: string | undefined;
1191
+ /**
1192
+ * Whether the credential is usable only for read operations. Only applicable
1193
+ * when purpose is **STORAGE**.
1194
+ */
1195
+ readOnly?: boolean | undefined;
1196
+ /** Username of current owner of credential. */
1197
+ owner?: string | undefined;
1198
+ /** The unique identifier of the credential. */
1199
+ id?: string | undefined;
1200
+ /** Unique identifier of the parent metastore. */
1201
+ metastoreId?: string | undefined;
1202
+ /** Time at which this credential was created, in epoch milliseconds. */
1203
+ createdAt?: bigint | undefined;
1204
+ /** Username of credential creator. */
1205
+ createdBy?: string | undefined;
1206
+ /** Time at which this credential was last modified, in epoch milliseconds. */
1207
+ updatedAt?: bigint | undefined;
1208
+ /** Username of user who last modified the credential. */
1209
+ updatedBy?: string | undefined;
1210
+ /**
1211
+ * Whether this credential is the current metastore's root storage credential.
1212
+ * Only applicable when purpose is **STORAGE**.
1213
+ */
1214
+ usedForManagedStorage?: boolean | undefined;
1215
+ /** The full name of the credential. */
1216
+ fullName?: string | undefined;
1217
+ /**
1218
+ * Whether the current securable is accessible from all workspaces or a
1219
+ * specific set of workspaces.
1220
+ */
1221
+ isolationMode?: IsolationMode | undefined;
1222
+ }
1223
+
1224
+ /** Next ID: 18 */
1225
+ export interface ValidateCredentialRequest {
1226
+ credential?:
1227
+ | {
1228
+ $case: 'credentialName';
1229
+ /**
1230
+ * Required. The name of an existing credential or long-lived cloud
1231
+ * credential to validate.
1232
+ */
1233
+ credentialName: string;
1234
+ }
1235
+ | {$case: 'awsIamRole'; awsIamRole: AwsIamRole}
1236
+ | {
1237
+ $case: 'azureManagedIdentity';
1238
+ azureManagedIdentity: AzureManagedIdentity;
1239
+ }
1240
+ | {
1241
+ $case: 'databricksGcpServiceAccount';
1242
+ databricksGcpServiceAccount: DatabricksGcpServiceAccount;
1243
+ }
1244
+ | undefined;
1245
+ /**
1246
+ * The name of an existing external location to validate. Only applicable for
1247
+ * storage credentials (purpose is
1248
+ * **STORAGE**.)
1249
+ */
1250
+ externalLocationName?: string | undefined;
1251
+ /**
1252
+ * The external location url to validate. Only applicable when purpose is
1253
+ * **STORAGE**.
1254
+ */
1255
+ url?: string | undefined;
1256
+ /**
1257
+ * Whether the credential is only usable for read operations. Only applicable
1258
+ * for storage credentials (purpose is
1259
+ * **STORAGE**.)
1260
+ */
1261
+ readOnly?: boolean | undefined;
1262
+ }
1263
+
1264
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1265
+ export interface ValidateCredentialRequest_Response {
1266
+ /** The results of the validation check. */
1267
+ results?: ValidateCredentialRequest_ValidationResult[] | undefined;
1268
+ /**
1269
+ * Whether the tested location is a directory in cloud storage. Only
1270
+ * applicable for when purpose is **STORAGE**.
1271
+ */
1272
+ isDir?: boolean | undefined;
1273
+ }
1274
+
1275
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1276
+ export interface ValidateCredentialRequest_ValidationResult {
1277
+ /** The results of the tested operation. */
1278
+ result?: ValidateCredentialRequest_Result | undefined;
1279
+ /** Error message would exist when the result does not equal to **PASS**. */
1280
+ message?: string | undefined;
1281
+ }
1282
+
1283
+ export interface ValidateStorageCredentialRequest {
1284
+ credential?:
1285
+ | {
1286
+ $case: 'storageCredentialName';
1287
+ /**
1288
+ * Required. The name of an existing credential or long-lived cloud
1289
+ * credential to validate.
1290
+ */
1291
+ storageCredentialName: string;
1292
+ }
1293
+ | {
1294
+ $case: 'awsIamRole';
1295
+ /** The AWS IAM role configuration. */
1296
+ awsIamRole: AwsIamRole;
1297
+ }
1298
+ | {
1299
+ $case: 'azureServicePrincipal';
1300
+ /** The Azure service principal configuration. */
1301
+ azureServicePrincipal: AzureServicePrincipal;
1302
+ }
1303
+ | {
1304
+ $case: 'azureManagedIdentity';
1305
+ /** The Azure managed identity configuration. */
1306
+ azureManagedIdentity: AzureManagedIdentity;
1307
+ }
1308
+ | {
1309
+ $case: 'databricksGcpServiceAccount';
1310
+ /** The <Databricks> created GCP service account configuration. */
1311
+ databricksGcpServiceAccount: DatabricksGcpServiceAccount;
1312
+ }
1313
+ | {
1314
+ $case: 'cloudflareApiToken';
1315
+ /** The Cloudflare API token configuration. */
1316
+ cloudflareApiToken: CloudflareApiToken;
1317
+ }
1318
+ | undefined;
1319
+ /** The name of an existing external location to validate. */
1320
+ externalLocationName?: string | undefined;
1321
+ /** The external location url to validate. */
1322
+ url?: string | undefined;
1323
+ /** Whether the storage credential is only usable for read operations. */
1324
+ readOnly?: boolean | undefined;
1325
+ }
1326
+
1327
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1328
+ export interface ValidateStorageCredentialRequest_Response {
1329
+ /** Whether the tested location is a directory in cloud storage. */
1330
+ isDir?: boolean | undefined;
1331
+ /** The results of the validation check. */
1332
+ results?: ValidateStorageCredentialRequest_ValidationResult[] | undefined;
1333
+ }
1334
+
1335
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1336
+ export interface ValidateStorageCredentialRequest_ValidationResult {
1337
+ /** The operation tested. */
1338
+ operation?: ValidateStorageCredentialRequest_FileOperation | undefined;
1339
+ /** The results of the tested operation. */
1340
+ result?: ValidateStorageCredentialRequest_Result | undefined;
1341
+ /** Error message would exist when the result does not equal to **PASS**. */
1342
+ message?: string | undefined;
1343
+ }
1344
+
1345
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1346
+ export const unmarshalAccountsCreateStorageCredentialRequest_ResponseSchema: z.ZodType<AccountsCreateStorageCredentialRequest_Response> =
1347
+ z
1348
+ .object({
1349
+ credential_info: z
1350
+ .lazy(() => unmarshalStorageCredentialInfoSchema)
1351
+ .optional(),
1352
+ })
1353
+ .transform(d => ({
1354
+ credentialInfo: d.credential_info,
1355
+ }));
1356
+
1357
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1358
+ export const unmarshalAccountsDeleteStorageCredentialRequest_ResponseSchema: z.ZodType<AccountsDeleteStorageCredentialRequest_Response> =
1359
+ z.object({});
1360
+
1361
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1362
+ export const unmarshalAccountsGetStorageCredentialRequest_ResponseSchema: z.ZodType<AccountsGetStorageCredentialRequest_Response> =
1363
+ z
1364
+ .object({
1365
+ credential_info: z
1366
+ .lazy(() => unmarshalStorageCredentialInfoSchema)
1367
+ .optional(),
1368
+ })
1369
+ .transform(d => ({
1370
+ credentialInfo: d.credential_info,
1371
+ }));
1372
+
1373
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1374
+ export const unmarshalAccountsListStorageCredentialsRequest_ResponseSchema: z.ZodType<AccountsListStorageCredentialsRequest_Response> =
1375
+ z
1376
+ .object({
1377
+ storage_credentials: z
1378
+ .array(z.lazy(() => unmarshalStorageCredentialInfoSchema))
1379
+ .optional(),
1380
+ })
1381
+ .transform(d => ({
1382
+ storageCredentials: d.storage_credentials,
1383
+ }));
1384
+
1385
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1386
+ export const unmarshalAccountsUpdateStorageCredentialRequest_ResponseSchema: z.ZodType<AccountsUpdateStorageCredentialRequest_Response> =
1387
+ z
1388
+ .object({
1389
+ credential_info: z
1390
+ .lazy(() => unmarshalStorageCredentialInfoSchema)
1391
+ .optional(),
1392
+ })
1393
+ .transform(d => ({
1394
+ credentialInfo: d.credential_info,
1395
+ }));
1396
+
1397
+ export const unmarshalAwsCredentialsSchema: z.ZodType<AwsCredentials> = z
1398
+ .object({
1399
+ sts_role: z.lazy(() => unmarshalAwsCredentials_StsRoleSchema).optional(),
1400
+ })
1401
+ .transform(d => ({
1402
+ creds:
1403
+ d.sts_role !== undefined
1404
+ ? {$case: 'stsRole' as const, stsRole: d.sts_role}
1405
+ : undefined,
1406
+ }));
1407
+
1408
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1409
+ export const unmarshalAwsCredentials_StsRoleSchema: z.ZodType<AwsCredentials_StsRole> =
1410
+ z
1411
+ .object({
1412
+ role_arn: z.string().optional(),
1413
+ })
1414
+ .transform(d => ({
1415
+ roleArn: d.role_arn,
1416
+ }));
1417
+
1418
+ export const unmarshalAwsIamRoleSchema: z.ZodType<AwsIamRole> = z
1419
+ .object({
1420
+ role_arn: z.string().optional(),
1421
+ unity_catalog_iam_arn: z.string().optional(),
1422
+ external_id: z.string().optional(),
1423
+ })
1424
+ .transform(d => ({
1425
+ roleArn: d.role_arn,
1426
+ unityCatalogIamArn: d.unity_catalog_iam_arn,
1427
+ externalId: d.external_id,
1428
+ }));
1429
+
1430
+ export const unmarshalAzureActiveDirectoryTokenSchema: z.ZodType<AzureActiveDirectoryToken> =
1431
+ z
1432
+ .object({
1433
+ aad_token: z.string().optional(),
1434
+ })
1435
+ .transform(d => ({
1436
+ aadToken: d.aad_token,
1437
+ }));
1438
+
1439
+ export const unmarshalAzureManagedIdentitySchema: z.ZodType<AzureManagedIdentity> =
1440
+ z
1441
+ .object({
1442
+ access_connector_id: z.string().optional(),
1443
+ managed_identity_id: z.string().optional(),
1444
+ credential_id: z.string().optional(),
1445
+ })
1446
+ .transform(d => ({
1447
+ accessConnectorId: d.access_connector_id,
1448
+ managedIdentityId: d.managed_identity_id,
1449
+ credentialId: d.credential_id,
1450
+ }));
1451
+
1452
+ export const unmarshalAzureServicePrincipalSchema: z.ZodType<AzureServicePrincipal> =
1453
+ z
1454
+ .object({
1455
+ directory_id: z.string().optional(),
1456
+ application_id: z.string().optional(),
1457
+ client_secret: z.string().optional(),
1458
+ })
1459
+ .transform(d => ({
1460
+ directoryId: d.directory_id,
1461
+ applicationId: d.application_id,
1462
+ clientSecret: d.client_secret,
1463
+ }));
1464
+
1465
+ export const unmarshalAzureUserDelegationSasSchema: z.ZodType<AzureUserDelegationSas> =
1466
+ z
1467
+ .object({
1468
+ sas_token: z.string().optional(),
1469
+ })
1470
+ .transform(d => ({
1471
+ sasToken: d.sas_token,
1472
+ }));
1473
+
1474
+ export const unmarshalCloudflareApiTokenSchema: z.ZodType<CloudflareApiToken> =
1475
+ z
1476
+ .object({
1477
+ access_key_id: z.string().optional(),
1478
+ secret_access_key: z.string().optional(),
1479
+ account_id: z.string().optional(),
1480
+ })
1481
+ .transform(d => ({
1482
+ accessKeyId: d.access_key_id,
1483
+ secretAccessKey: d.secret_access_key,
1484
+ accountId: d.account_id,
1485
+ }));
1486
+
1487
+ export const unmarshalCredentialInfoSchema: z.ZodType<CredentialInfo> = z
1488
+ .object({
1489
+ name: z.string().optional(),
1490
+ aws_iam_role: z.lazy(() => unmarshalAwsIamRoleSchema).optional(),
1491
+ azure_service_principal: z
1492
+ .lazy(() => unmarshalAzureServicePrincipalSchema)
1493
+ .optional(),
1494
+ gcp_service_account_key: z
1495
+ .lazy(() => unmarshalGcpServiceAccountKeySchema)
1496
+ .optional(),
1497
+ azure_managed_identity: z
1498
+ .lazy(() => unmarshalAzureManagedIdentitySchema)
1499
+ .optional(),
1500
+ databricks_gcp_service_account: z
1501
+ .lazy(() => unmarshalDatabricksGcpServiceAccountSchema)
1502
+ .optional(),
1503
+ cloudflare_api_token: z
1504
+ .lazy(() => unmarshalCloudflareApiTokenSchema)
1505
+ .optional(),
1506
+ comment: z.string().optional(),
1507
+ read_only: z.boolean().optional(),
1508
+ owner: z.string().optional(),
1509
+ id: z.string().optional(),
1510
+ metastore_id: z.string().optional(),
1511
+ created_at: z
1512
+ .union([z.number(), z.bigint()])
1513
+ .transform(v => BigInt(v))
1514
+ .optional(),
1515
+ created_by: z.string().optional(),
1516
+ updated_at: z
1517
+ .union([z.number(), z.bigint()])
1518
+ .transform(v => BigInt(v))
1519
+ .optional(),
1520
+ updated_by: z.string().optional(),
1521
+ used_for_managed_storage: z.boolean().optional(),
1522
+ full_name: z.string().optional(),
1523
+ isolation_mode: z.enum(IsolationMode).optional(),
1524
+ })
1525
+ .transform(d => ({
1526
+ name: d.name,
1527
+ credential:
1528
+ d.aws_iam_role !== undefined
1529
+ ? {$case: 'awsIamRole' as const, awsIamRole: d.aws_iam_role}
1530
+ : d.azure_service_principal !== undefined
1531
+ ? {
1532
+ $case: 'azureServicePrincipal' as const,
1533
+ azureServicePrincipal: d.azure_service_principal,
1534
+ }
1535
+ : d.gcp_service_account_key !== undefined
1536
+ ? {
1537
+ $case: 'gcpServiceAccountKey' as const,
1538
+ gcpServiceAccountKey: d.gcp_service_account_key,
1539
+ }
1540
+ : d.azure_managed_identity !== undefined
1541
+ ? {
1542
+ $case: 'azureManagedIdentity' as const,
1543
+ azureManagedIdentity: d.azure_managed_identity,
1544
+ }
1545
+ : d.databricks_gcp_service_account !== undefined
1546
+ ? {
1547
+ $case: 'databricksGcpServiceAccount' as const,
1548
+ databricksGcpServiceAccount:
1549
+ d.databricks_gcp_service_account,
1550
+ }
1551
+ : d.cloudflare_api_token !== undefined
1552
+ ? {
1553
+ $case: 'cloudflareApiToken' as const,
1554
+ cloudflareApiToken: d.cloudflare_api_token,
1555
+ }
1556
+ : undefined,
1557
+ comment: d.comment,
1558
+ readOnly: d.read_only,
1559
+ owner: d.owner,
1560
+ id: d.id,
1561
+ metastoreId: d.metastore_id,
1562
+ createdAt: d.created_at,
1563
+ createdBy: d.created_by,
1564
+ updatedAt: d.updated_at,
1565
+ updatedBy: d.updated_by,
1566
+ usedForManagedStorage: d.used_for_managed_storage,
1567
+ fullName: d.full_name,
1568
+ isolationMode: d.isolation_mode,
1569
+ }));
1570
+
1571
+ export const unmarshalCredentialsSchema: z.ZodType<Credentials> = z
1572
+ .object({
1573
+ credentials_id: z.string().optional(),
1574
+ account_id: z.string().optional(),
1575
+ aws_credentials: z.lazy(() => unmarshalAwsCredentialsSchema).optional(),
1576
+ credentials_name: z.string().optional(),
1577
+ creation_time: z
1578
+ .union([z.number(), z.bigint()])
1579
+ .transform(v => BigInt(v))
1580
+ .optional(),
1581
+ })
1582
+ .transform(d => ({
1583
+ credentialsId: d.credentials_id,
1584
+ accountId: d.account_id,
1585
+ cloudCredentials:
1586
+ d.aws_credentials !== undefined
1587
+ ? {$case: 'awsCredentials' as const, awsCredentials: d.aws_credentials}
1588
+ : undefined,
1589
+ credentialsName: d.credentials_name,
1590
+ creationTime: d.creation_time,
1591
+ }));
1592
+
1593
+ export const unmarshalDatabricksGcpServiceAccountSchema: z.ZodType<DatabricksGcpServiceAccount> =
1594
+ z
1595
+ .object({
1596
+ email: z.string().optional(),
1597
+ private_key_id: z.string().optional(),
1598
+ credential_id: z.string().optional(),
1599
+ })
1600
+ .transform(d => ({
1601
+ email: d.email,
1602
+ privateKeyId: d.private_key_id,
1603
+ credentialId: d.credential_id,
1604
+ }));
1605
+
1606
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1607
+ export const unmarshalDeleteCredentialRequest_ResponseSchema: z.ZodType<DeleteCredentialRequest_Response> =
1608
+ z.object({});
1609
+
1610
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1611
+ export const unmarshalDeleteStorageCredentialRequest_ResponseSchema: z.ZodType<DeleteStorageCredentialRequest_Response> =
1612
+ z.object({});
1613
+
1614
+ export const unmarshalGcpOauthTokenSchema: z.ZodType<GcpOauthToken> = z
1615
+ .object({
1616
+ oauth_token: z.string().optional(),
1617
+ })
1618
+ .transform(d => ({
1619
+ oauthToken: d.oauth_token,
1620
+ }));
1621
+
1622
+ export const unmarshalGcpServiceAccountKeySchema: z.ZodType<GcpServiceAccountKey> =
1623
+ z
1624
+ .object({
1625
+ email: z.string().optional(),
1626
+ private_key_id: z.string().optional(),
1627
+ private_key: z.string().optional(),
1628
+ })
1629
+ .transform(d => ({
1630
+ email: d.email,
1631
+ privateKeyId: d.private_key_id,
1632
+ privateKey: d.private_key,
1633
+ }));
1634
+
1635
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1636
+ export const unmarshalGenerateTemporaryPathCredentialRequest_ResponseSchema: z.ZodType<GenerateTemporaryPathCredentialRequest_Response> =
1637
+ z
1638
+ .object({
1639
+ aws_temp_credentials: z
1640
+ .lazy(() => unmarshalTemporaryAwsCredentialsSchema)
1641
+ .optional(),
1642
+ azure_user_delegation_sas: z
1643
+ .lazy(() => unmarshalAzureUserDelegationSasSchema)
1644
+ .optional(),
1645
+ gcp_oauth_token: z.lazy(() => unmarshalGcpOauthTokenSchema).optional(),
1646
+ azure_aad: z
1647
+ .lazy(() => unmarshalAzureActiveDirectoryTokenSchema)
1648
+ .optional(),
1649
+ r2_temp_credentials: z
1650
+ .lazy(() => unmarshalR2CredentialsSchema)
1651
+ .optional(),
1652
+ expiration_time: z
1653
+ .union([z.number(), z.bigint()])
1654
+ .transform(v => BigInt(v))
1655
+ .optional(),
1656
+ url: z.string().optional(),
1657
+ })
1658
+ .transform(d => ({
1659
+ credentials:
1660
+ d.aws_temp_credentials !== undefined
1661
+ ? {
1662
+ $case: 'awsTempCredentials' as const,
1663
+ awsTempCredentials: d.aws_temp_credentials,
1664
+ }
1665
+ : d.azure_user_delegation_sas !== undefined
1666
+ ? {
1667
+ $case: 'azureUserDelegationSas' as const,
1668
+ azureUserDelegationSas: d.azure_user_delegation_sas,
1669
+ }
1670
+ : d.gcp_oauth_token !== undefined
1671
+ ? {
1672
+ $case: 'gcpOauthToken' as const,
1673
+ gcpOauthToken: d.gcp_oauth_token,
1674
+ }
1675
+ : d.azure_aad !== undefined
1676
+ ? {$case: 'azureAad' as const, azureAad: d.azure_aad}
1677
+ : d.r2_temp_credentials !== undefined
1678
+ ? {
1679
+ $case: 'r2TempCredentials' as const,
1680
+ r2TempCredentials: d.r2_temp_credentials,
1681
+ }
1682
+ : undefined,
1683
+ expirationTime: d.expiration_time,
1684
+ url: d.url,
1685
+ }));
1686
+
1687
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1688
+ export const unmarshalGenerateTemporaryTableCredentialRequest_ResponseSchema: z.ZodType<GenerateTemporaryTableCredentialRequest_Response> =
1689
+ z
1690
+ .object({
1691
+ aws_temp_credentials: z
1692
+ .lazy(() => unmarshalTemporaryAwsCredentialsSchema)
1693
+ .optional(),
1694
+ azure_user_delegation_sas: z
1695
+ .lazy(() => unmarshalAzureUserDelegationSasSchema)
1696
+ .optional(),
1697
+ gcp_oauth_token: z.lazy(() => unmarshalGcpOauthTokenSchema).optional(),
1698
+ azure_aad: z
1699
+ .lazy(() => unmarshalAzureActiveDirectoryTokenSchema)
1700
+ .optional(),
1701
+ r2_temp_credentials: z
1702
+ .lazy(() => unmarshalR2CredentialsSchema)
1703
+ .optional(),
1704
+ expiration_time: z
1705
+ .union([z.number(), z.bigint()])
1706
+ .transform(v => BigInt(v))
1707
+ .optional(),
1708
+ url: z.string().optional(),
1709
+ })
1710
+ .transform(d => ({
1711
+ credentials:
1712
+ d.aws_temp_credentials !== undefined
1713
+ ? {
1714
+ $case: 'awsTempCredentials' as const,
1715
+ awsTempCredentials: d.aws_temp_credentials,
1716
+ }
1717
+ : d.azure_user_delegation_sas !== undefined
1718
+ ? {
1719
+ $case: 'azureUserDelegationSas' as const,
1720
+ azureUserDelegationSas: d.azure_user_delegation_sas,
1721
+ }
1722
+ : d.gcp_oauth_token !== undefined
1723
+ ? {
1724
+ $case: 'gcpOauthToken' as const,
1725
+ gcpOauthToken: d.gcp_oauth_token,
1726
+ }
1727
+ : d.azure_aad !== undefined
1728
+ ? {$case: 'azureAad' as const, azureAad: d.azure_aad}
1729
+ : d.r2_temp_credentials !== undefined
1730
+ ? {
1731
+ $case: 'r2TempCredentials' as const,
1732
+ r2TempCredentials: d.r2_temp_credentials,
1733
+ }
1734
+ : undefined,
1735
+ expirationTime: d.expiration_time,
1736
+ url: d.url,
1737
+ }));
1738
+
1739
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1740
+ export const unmarshalGenerateTemporaryVolumeCredentialRequest_ResponseSchema: z.ZodType<GenerateTemporaryVolumeCredentialRequest_Response> =
1741
+ z
1742
+ .object({
1743
+ aws_temp_credentials: z
1744
+ .lazy(() => unmarshalTemporaryAwsCredentialsSchema)
1745
+ .optional(),
1746
+ azure_user_delegation_sas: z
1747
+ .lazy(() => unmarshalAzureUserDelegationSasSchema)
1748
+ .optional(),
1749
+ gcp_oauth_token: z.lazy(() => unmarshalGcpOauthTokenSchema).optional(),
1750
+ azure_aad: z
1751
+ .lazy(() => unmarshalAzureActiveDirectoryTokenSchema)
1752
+ .optional(),
1753
+ r2_temp_credentials: z
1754
+ .lazy(() => unmarshalR2CredentialsSchema)
1755
+ .optional(),
1756
+ expiration_time: z
1757
+ .union([z.number(), z.bigint()])
1758
+ .transform(v => BigInt(v))
1759
+ .optional(),
1760
+ url: z.string().optional(),
1761
+ })
1762
+ .transform(d => ({
1763
+ credentials:
1764
+ d.aws_temp_credentials !== undefined
1765
+ ? {
1766
+ $case: 'awsTempCredentials' as const,
1767
+ awsTempCredentials: d.aws_temp_credentials,
1768
+ }
1769
+ : d.azure_user_delegation_sas !== undefined
1770
+ ? {
1771
+ $case: 'azureUserDelegationSas' as const,
1772
+ azureUserDelegationSas: d.azure_user_delegation_sas,
1773
+ }
1774
+ : d.gcp_oauth_token !== undefined
1775
+ ? {
1776
+ $case: 'gcpOauthToken' as const,
1777
+ gcpOauthToken: d.gcp_oauth_token,
1778
+ }
1779
+ : d.azure_aad !== undefined
1780
+ ? {$case: 'azureAad' as const, azureAad: d.azure_aad}
1781
+ : d.r2_temp_credentials !== undefined
1782
+ ? {
1783
+ $case: 'r2TempCredentials' as const,
1784
+ r2TempCredentials: d.r2_temp_credentials,
1785
+ }
1786
+ : undefined,
1787
+ expirationTime: d.expiration_time,
1788
+ url: d.url,
1789
+ }));
1790
+
1791
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1792
+ export const unmarshalListCredentialsRequest_ResponseSchema: z.ZodType<ListCredentialsRequest_Response> =
1793
+ z
1794
+ .object({
1795
+ credentials: z
1796
+ .array(z.lazy(() => unmarshalCredentialInfoSchema))
1797
+ .optional(),
1798
+ next_page_token: z.string().optional(),
1799
+ })
1800
+ .transform(d => ({
1801
+ credentials: d.credentials,
1802
+ nextPageToken: d.next_page_token,
1803
+ }));
1804
+
1805
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1806
+ export const unmarshalListStorageCredentialsRequest_ResponseSchema: z.ZodType<ListStorageCredentialsRequest_Response> =
1807
+ z
1808
+ .object({
1809
+ storage_credentials: z
1810
+ .array(z.lazy(() => unmarshalStorageCredentialInfoSchema))
1811
+ .optional(),
1812
+ next_page_token: z.string().optional(),
1813
+ })
1814
+ .transform(d => ({
1815
+ storageCredentials: d.storage_credentials,
1816
+ nextPageToken: d.next_page_token,
1817
+ }));
1818
+
1819
+ export const unmarshalR2CredentialsSchema: z.ZodType<R2Credentials> = z
1820
+ .object({
1821
+ access_key_id: z.string().optional(),
1822
+ secret_access_key: z.string().optional(),
1823
+ session_token: z.string().optional(),
1824
+ })
1825
+ .transform(d => ({
1826
+ accessKeyId: d.access_key_id,
1827
+ secretAccessKey: d.secret_access_key,
1828
+ sessionToken: d.session_token,
1829
+ }));
1830
+
1831
+ export const unmarshalStorageCredentialInfoSchema: z.ZodType<StorageCredentialInfo> =
1832
+ z
1833
+ .object({
1834
+ name: z.string().optional(),
1835
+ aws_iam_role: z.lazy(() => unmarshalAwsIamRoleSchema).optional(),
1836
+ azure_service_principal: z
1837
+ .lazy(() => unmarshalAzureServicePrincipalSchema)
1838
+ .optional(),
1839
+ gcp_service_account_key: z
1840
+ .lazy(() => unmarshalGcpServiceAccountKeySchema)
1841
+ .optional(),
1842
+ azure_managed_identity: z
1843
+ .lazy(() => unmarshalAzureManagedIdentitySchema)
1844
+ .optional(),
1845
+ databricks_gcp_service_account: z
1846
+ .lazy(() => unmarshalDatabricksGcpServiceAccountSchema)
1847
+ .optional(),
1848
+ cloudflare_api_token: z
1849
+ .lazy(() => unmarshalCloudflareApiTokenSchema)
1850
+ .optional(),
1851
+ comment: z.string().optional(),
1852
+ read_only: z.boolean().optional(),
1853
+ owner: z.string().optional(),
1854
+ id: z.string().optional(),
1855
+ metastore_id: z.string().optional(),
1856
+ created_at: z
1857
+ .union([z.number(), z.bigint()])
1858
+ .transform(v => BigInt(v))
1859
+ .optional(),
1860
+ created_by: z.string().optional(),
1861
+ updated_at: z
1862
+ .union([z.number(), z.bigint()])
1863
+ .transform(v => BigInt(v))
1864
+ .optional(),
1865
+ updated_by: z.string().optional(),
1866
+ used_for_managed_storage: z.boolean().optional(),
1867
+ full_name: z.string().optional(),
1868
+ isolation_mode: z.enum(IsolationMode).optional(),
1869
+ })
1870
+ .transform(d => ({
1871
+ name: d.name,
1872
+ credential:
1873
+ d.aws_iam_role !== undefined
1874
+ ? {$case: 'awsIamRole' as const, awsIamRole: d.aws_iam_role}
1875
+ : d.azure_service_principal !== undefined
1876
+ ? {
1877
+ $case: 'azureServicePrincipal' as const,
1878
+ azureServicePrincipal: d.azure_service_principal,
1879
+ }
1880
+ : d.gcp_service_account_key !== undefined
1881
+ ? {
1882
+ $case: 'gcpServiceAccountKey' as const,
1883
+ gcpServiceAccountKey: d.gcp_service_account_key,
1884
+ }
1885
+ : d.azure_managed_identity !== undefined
1886
+ ? {
1887
+ $case: 'azureManagedIdentity' as const,
1888
+ azureManagedIdentity: d.azure_managed_identity,
1889
+ }
1890
+ : d.databricks_gcp_service_account !== undefined
1891
+ ? {
1892
+ $case: 'databricksGcpServiceAccount' as const,
1893
+ databricksGcpServiceAccount:
1894
+ d.databricks_gcp_service_account,
1895
+ }
1896
+ : d.cloudflare_api_token !== undefined
1897
+ ? {
1898
+ $case: 'cloudflareApiToken' as const,
1899
+ cloudflareApiToken: d.cloudflare_api_token,
1900
+ }
1901
+ : undefined,
1902
+ comment: d.comment,
1903
+ readOnly: d.read_only,
1904
+ owner: d.owner,
1905
+ id: d.id,
1906
+ metastoreId: d.metastore_id,
1907
+ createdAt: d.created_at,
1908
+ createdBy: d.created_by,
1909
+ updatedAt: d.updated_at,
1910
+ updatedBy: d.updated_by,
1911
+ usedForManagedStorage: d.used_for_managed_storage,
1912
+ fullName: d.full_name,
1913
+ isolationMode: d.isolation_mode,
1914
+ }));
1915
+
1916
+ export const unmarshalTemporaryAwsCredentialsSchema: z.ZodType<TemporaryAwsCredentials> =
1917
+ z
1918
+ .object({
1919
+ access_key_id: z.string().optional(),
1920
+ secret_access_key: z.string().optional(),
1921
+ session_token: z.string().optional(),
1922
+ access_point: z.string().optional(),
1923
+ })
1924
+ .transform(d => ({
1925
+ accessKeyId: d.access_key_id,
1926
+ secretAccessKey: d.secret_access_key,
1927
+ sessionToken: d.session_token,
1928
+ accessPoint: d.access_point,
1929
+ }));
1930
+
1931
+ export const unmarshalTemporaryCredentialsSchema: z.ZodType<TemporaryCredentials> =
1932
+ z
1933
+ .object({
1934
+ aws_temp_credentials: z
1935
+ .lazy(() => unmarshalTemporaryAwsCredentialsSchema)
1936
+ .optional(),
1937
+ azure_user_delegation_sas: z
1938
+ .lazy(() => unmarshalAzureUserDelegationSasSchema)
1939
+ .optional(),
1940
+ gcp_oauth_token: z.lazy(() => unmarshalGcpOauthTokenSchema).optional(),
1941
+ azure_aad: z
1942
+ .lazy(() => unmarshalAzureActiveDirectoryTokenSchema)
1943
+ .optional(),
1944
+ r2_temp_credentials: z
1945
+ .lazy(() => unmarshalR2CredentialsSchema)
1946
+ .optional(),
1947
+ expiration_time: z
1948
+ .union([z.number(), z.bigint()])
1949
+ .transform(v => BigInt(v))
1950
+ .optional(),
1951
+ url: z.string().optional(),
1952
+ })
1953
+ .transform(d => ({
1954
+ credentials:
1955
+ d.aws_temp_credentials !== undefined
1956
+ ? {
1957
+ $case: 'awsTempCredentials' as const,
1958
+ awsTempCredentials: d.aws_temp_credentials,
1959
+ }
1960
+ : d.azure_user_delegation_sas !== undefined
1961
+ ? {
1962
+ $case: 'azureUserDelegationSas' as const,
1963
+ azureUserDelegationSas: d.azure_user_delegation_sas,
1964
+ }
1965
+ : d.gcp_oauth_token !== undefined
1966
+ ? {
1967
+ $case: 'gcpOauthToken' as const,
1968
+ gcpOauthToken: d.gcp_oauth_token,
1969
+ }
1970
+ : d.azure_aad !== undefined
1971
+ ? {$case: 'azureAad' as const, azureAad: d.azure_aad}
1972
+ : d.r2_temp_credentials !== undefined
1973
+ ? {
1974
+ $case: 'r2TempCredentials' as const,
1975
+ r2TempCredentials: d.r2_temp_credentials,
1976
+ }
1977
+ : undefined,
1978
+ expirationTime: d.expiration_time,
1979
+ url: d.url,
1980
+ }));
1981
+
1982
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
1983
+ export const unmarshalValidateCredentialRequest_ResponseSchema: z.ZodType<ValidateCredentialRequest_Response> =
1984
+ z
1985
+ .object({
1986
+ results: z
1987
+ .array(
1988
+ z.lazy(
1989
+ () => unmarshalValidateCredentialRequest_ValidationResultSchema
1990
+ )
1991
+ )
1992
+ .optional(),
1993
+ isDir: z.boolean().optional(),
1994
+ })
1995
+ .transform(d => ({
1996
+ results: d.results,
1997
+ isDir: d.isDir,
1998
+ }));
1999
+
2000
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
2001
+ export const unmarshalValidateCredentialRequest_ValidationResultSchema: z.ZodType<ValidateCredentialRequest_ValidationResult> =
2002
+ z
2003
+ .object({
2004
+ result: z.enum(ValidateCredentialRequest_Result).optional(),
2005
+ message: z.string().optional(),
2006
+ })
2007
+ .transform(d => ({
2008
+ result: d.result,
2009
+ message: d.message,
2010
+ }));
2011
+
2012
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
2013
+ export const unmarshalValidateStorageCredentialRequest_ResponseSchema: z.ZodType<ValidateStorageCredentialRequest_Response> =
2014
+ z
2015
+ .object({
2016
+ isDir: z.boolean().optional(),
2017
+ results: z
2018
+ .array(
2019
+ z.lazy(
2020
+ () =>
2021
+ unmarshalValidateStorageCredentialRequest_ValidationResultSchema
2022
+ )
2023
+ )
2024
+ .optional(),
2025
+ })
2026
+ .transform(d => ({
2027
+ isDir: d.isDir,
2028
+ results: d.results,
2029
+ }));
2030
+
2031
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
2032
+ export const unmarshalValidateStorageCredentialRequest_ValidationResultSchema: z.ZodType<ValidateStorageCredentialRequest_ValidationResult> =
2033
+ z
2034
+ .object({
2035
+ operation: z
2036
+ .enum(ValidateStorageCredentialRequest_FileOperation)
2037
+ .optional(),
2038
+ result: z.enum(ValidateStorageCredentialRequest_Result).optional(),
2039
+ message: z.string().optional(),
2040
+ })
2041
+ .transform(d => ({
2042
+ operation: d.operation,
2043
+ result: d.result,
2044
+ message: d.message,
2045
+ }));
2046
+
2047
+ export const marshalAccountsCreateStorageCredentialRequestSchema: z.ZodType = z
2048
+ .object({
2049
+ accountId: z.string().optional(),
2050
+ metastoreId: z.string().optional(),
2051
+ credentialInfo: z
2052
+ .lazy(() => marshalCreateAccountsStorageCredentialSchema)
2053
+ .optional(),
2054
+ skipValidation: z.boolean().optional(),
2055
+ })
2056
+ .transform(d => ({
2057
+ account_id: d.accountId,
2058
+ metastore_id: d.metastoreId,
2059
+ credential_info: d.credentialInfo,
2060
+ skip_validation: d.skipValidation,
2061
+ }));
2062
+
2063
+ export const marshalAccountsUpdateStorageCredentialRequestSchema: z.ZodType = z
2064
+ .object({
2065
+ accountId: z.string().optional(),
2066
+ metastoreId: z.string().optional(),
2067
+ nameArg: z.string().optional(),
2068
+ credentialInfo: z
2069
+ .lazy(() => marshalUpdateAccountsStorageCredentialSchema)
2070
+ .optional(),
2071
+ skipValidation: z.boolean().optional(),
2072
+ })
2073
+ .transform(d => ({
2074
+ account_id: d.accountId,
2075
+ metastore_id: d.metastoreId,
2076
+ name_arg: d.nameArg,
2077
+ credential_info: d.credentialInfo,
2078
+ skip_validation: d.skipValidation,
2079
+ }));
2080
+
2081
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
2082
+ export const marshalAwsCredentials_StsRoleSchema: z.ZodType = z
2083
+ .object({
2084
+ roleArn: z.string().optional(),
2085
+ })
2086
+ .transform(d => ({
2087
+ role_arn: d.roleArn,
2088
+ }));
2089
+
2090
+ export const marshalAwsIamRoleSchema: z.ZodType = z
2091
+ .object({
2092
+ roleArn: z.string().optional(),
2093
+ unityCatalogIamArn: z.string().optional(),
2094
+ externalId: z.string().optional(),
2095
+ })
2096
+ .transform(d => ({
2097
+ role_arn: d.roleArn,
2098
+ unity_catalog_iam_arn: d.unityCatalogIamArn,
2099
+ external_id: d.externalId,
2100
+ }));
2101
+
2102
+ export const marshalAzureManagedIdentitySchema: z.ZodType = z
2103
+ .object({
2104
+ accessConnectorId: z.string().optional(),
2105
+ managedIdentityId: z.string().optional(),
2106
+ credentialId: z.string().optional(),
2107
+ })
2108
+ .transform(d => ({
2109
+ access_connector_id: d.accessConnectorId,
2110
+ managed_identity_id: d.managedIdentityId,
2111
+ credential_id: d.credentialId,
2112
+ }));
2113
+
2114
+ export const marshalAzureServicePrincipalSchema: z.ZodType = z
2115
+ .object({
2116
+ directoryId: z.string().optional(),
2117
+ applicationId: z.string().optional(),
2118
+ clientSecret: z.string().optional(),
2119
+ })
2120
+ .transform(d => ({
2121
+ directory_id: d.directoryId,
2122
+ application_id: d.applicationId,
2123
+ client_secret: d.clientSecret,
2124
+ }));
2125
+
2126
+ export const marshalCloudflareApiTokenSchema: z.ZodType = z
2127
+ .object({
2128
+ accessKeyId: z.string().optional(),
2129
+ secretAccessKey: z.string().optional(),
2130
+ accountId: z.string().optional(),
2131
+ })
2132
+ .transform(d => ({
2133
+ access_key_id: d.accessKeyId,
2134
+ secret_access_key: d.secretAccessKey,
2135
+ account_id: d.accountId,
2136
+ }));
2137
+
2138
+ export const marshalCreateAccountsStorageCredentialSchema: z.ZodType = z
2139
+ .object({
2140
+ name: z.string().optional(),
2141
+ credential: z
2142
+ .discriminatedUnion('$case', [
2143
+ z.object({
2144
+ $case: z.literal('awsIamRole'),
2145
+ awsIamRole: z.lazy(() => marshalAwsIamRoleSchema),
2146
+ }),
2147
+ z.object({
2148
+ $case: z.literal('azureServicePrincipal'),
2149
+ azureServicePrincipal: z.lazy(
2150
+ () => marshalAzureServicePrincipalSchema
2151
+ ),
2152
+ }),
2153
+ z.object({
2154
+ $case: z.literal('gcpServiceAccountKey'),
2155
+ gcpServiceAccountKey: z.lazy(() => marshalGcpServiceAccountKeySchema),
2156
+ }),
2157
+ z.object({
2158
+ $case: z.literal('azureManagedIdentity'),
2159
+ azureManagedIdentity: z.lazy(() => marshalAzureManagedIdentitySchema),
2160
+ }),
2161
+ z.object({
2162
+ $case: z.literal('databricksGcpServiceAccount'),
2163
+ databricksGcpServiceAccount: z.lazy(
2164
+ () => marshalDatabricksGcpServiceAccountSchema
2165
+ ),
2166
+ }),
2167
+ z.object({
2168
+ $case: z.literal('cloudflareApiToken'),
2169
+ cloudflareApiToken: z.lazy(() => marshalCloudflareApiTokenSchema),
2170
+ }),
2171
+ ])
2172
+ .optional(),
2173
+ comment: z.string().optional(),
2174
+ readOnly: z.boolean().optional(),
2175
+ owner: z.string().optional(),
2176
+ id: z.string().optional(),
2177
+ metastoreId: z.string().optional(),
2178
+ createdAt: z.bigint().optional(),
2179
+ createdBy: z.string().optional(),
2180
+ updatedAt: z.bigint().optional(),
2181
+ updatedBy: z.string().optional(),
2182
+ usedForManagedStorage: z.boolean().optional(),
2183
+ fullName: z.string().optional(),
2184
+ isolationMode: z.enum(IsolationMode).optional(),
2185
+ })
2186
+ .transform(d => ({
2187
+ name: d.name,
2188
+ ...(d.credential?.$case === 'awsIamRole' && {
2189
+ aws_iam_role: d.credential.awsIamRole,
2190
+ }),
2191
+ ...(d.credential?.$case === 'azureServicePrincipal' && {
2192
+ azure_service_principal: d.credential.azureServicePrincipal,
2193
+ }),
2194
+ ...(d.credential?.$case === 'gcpServiceAccountKey' && {
2195
+ gcp_service_account_key: d.credential.gcpServiceAccountKey,
2196
+ }),
2197
+ ...(d.credential?.$case === 'azureManagedIdentity' && {
2198
+ azure_managed_identity: d.credential.azureManagedIdentity,
2199
+ }),
2200
+ ...(d.credential?.$case === 'databricksGcpServiceAccount' && {
2201
+ databricks_gcp_service_account: d.credential.databricksGcpServiceAccount,
2202
+ }),
2203
+ ...(d.credential?.$case === 'cloudflareApiToken' && {
2204
+ cloudflare_api_token: d.credential.cloudflareApiToken,
2205
+ }),
2206
+ comment: d.comment,
2207
+ read_only: d.readOnly,
2208
+ owner: d.owner,
2209
+ id: d.id,
2210
+ metastore_id: d.metastoreId,
2211
+ created_at: d.createdAt,
2212
+ created_by: d.createdBy,
2213
+ updated_at: d.updatedAt,
2214
+ updated_by: d.updatedBy,
2215
+ used_for_managed_storage: d.usedForManagedStorage,
2216
+ full_name: d.fullName,
2217
+ isolation_mode: d.isolationMode,
2218
+ }));
2219
+
2220
+ export const marshalCreateCredentialAwsCredentialsSchema: z.ZodType = z
2221
+ .object({
2222
+ creds: z
2223
+ .discriminatedUnion('$case', [
2224
+ z.object({
2225
+ $case: z.literal('stsRole'),
2226
+ stsRole: z.lazy(() => marshalAwsCredentials_StsRoleSchema),
2227
+ }),
2228
+ ])
2229
+ .optional(),
2230
+ })
2231
+ .transform(d => ({
2232
+ ...(d.creds?.$case === 'stsRole' && {sts_role: d.creds.stsRole}),
2233
+ }));
2234
+
2235
+ export const marshalCreateCredentialRequestSchema: z.ZodType = z
2236
+ .object({
2237
+ skipValidation: z.boolean().optional(),
2238
+ name: z.string().optional(),
2239
+ credential: z
2240
+ .discriminatedUnion('$case', [
2241
+ z.object({
2242
+ $case: z.literal('awsIamRole'),
2243
+ awsIamRole: z.lazy(() => marshalAwsIamRoleSchema),
2244
+ }),
2245
+ z.object({
2246
+ $case: z.literal('azureServicePrincipal'),
2247
+ azureServicePrincipal: z.lazy(
2248
+ () => marshalAzureServicePrincipalSchema
2249
+ ),
2250
+ }),
2251
+ z.object({
2252
+ $case: z.literal('gcpServiceAccountKey'),
2253
+ gcpServiceAccountKey: z.lazy(() => marshalGcpServiceAccountKeySchema),
2254
+ }),
2255
+ z.object({
2256
+ $case: z.literal('azureManagedIdentity'),
2257
+ azureManagedIdentity: z.lazy(() => marshalAzureManagedIdentitySchema),
2258
+ }),
2259
+ z.object({
2260
+ $case: z.literal('databricksGcpServiceAccount'),
2261
+ databricksGcpServiceAccount: z.lazy(
2262
+ () => marshalDatabricksGcpServiceAccountSchema
2263
+ ),
2264
+ }),
2265
+ z.object({
2266
+ $case: z.literal('cloudflareApiToken'),
2267
+ cloudflareApiToken: z.lazy(() => marshalCloudflareApiTokenSchema),
2268
+ }),
2269
+ ])
2270
+ .optional(),
2271
+ comment: z.string().optional(),
2272
+ readOnly: z.boolean().optional(),
2273
+ owner: z.string().optional(),
2274
+ id: z.string().optional(),
2275
+ metastoreId: z.string().optional(),
2276
+ createdAt: z.bigint().optional(),
2277
+ createdBy: z.string().optional(),
2278
+ updatedAt: z.bigint().optional(),
2279
+ updatedBy: z.string().optional(),
2280
+ usedForManagedStorage: z.boolean().optional(),
2281
+ fullName: z.string().optional(),
2282
+ isolationMode: z.enum(IsolationMode).optional(),
2283
+ })
2284
+ .transform(d => ({
2285
+ skip_validation: d.skipValidation,
2286
+ name: d.name,
2287
+ ...(d.credential?.$case === 'awsIamRole' && {
2288
+ aws_iam_role: d.credential.awsIamRole,
2289
+ }),
2290
+ ...(d.credential?.$case === 'azureServicePrincipal' && {
2291
+ azure_service_principal: d.credential.azureServicePrincipal,
2292
+ }),
2293
+ ...(d.credential?.$case === 'gcpServiceAccountKey' && {
2294
+ gcp_service_account_key: d.credential.gcpServiceAccountKey,
2295
+ }),
2296
+ ...(d.credential?.$case === 'azureManagedIdentity' && {
2297
+ azure_managed_identity: d.credential.azureManagedIdentity,
2298
+ }),
2299
+ ...(d.credential?.$case === 'databricksGcpServiceAccount' && {
2300
+ databricks_gcp_service_account: d.credential.databricksGcpServiceAccount,
2301
+ }),
2302
+ ...(d.credential?.$case === 'cloudflareApiToken' && {
2303
+ cloudflare_api_token: d.credential.cloudflareApiToken,
2304
+ }),
2305
+ comment: d.comment,
2306
+ read_only: d.readOnly,
2307
+ owner: d.owner,
2308
+ id: d.id,
2309
+ metastore_id: d.metastoreId,
2310
+ created_at: d.createdAt,
2311
+ created_by: d.createdBy,
2312
+ updated_at: d.updatedAt,
2313
+ updated_by: d.updatedBy,
2314
+ used_for_managed_storage: d.usedForManagedStorage,
2315
+ full_name: d.fullName,
2316
+ isolation_mode: d.isolationMode,
2317
+ }));
2318
+
2319
+ export const marshalCreateCredentialsRequestSchema: z.ZodType = z
2320
+ .object({
2321
+ accountId: z.string().optional(),
2322
+ credentialsName: z.string().optional(),
2323
+ cloudCredentials: z
2324
+ .discriminatedUnion('$case', [
2325
+ z.object({
2326
+ $case: z.literal('awsCredentials'),
2327
+ awsCredentials: z.lazy(
2328
+ () => marshalCreateCredentialAwsCredentialsSchema
2329
+ ),
2330
+ }),
2331
+ ])
2332
+ .optional(),
2333
+ })
2334
+ .transform(d => ({
2335
+ account_id: d.accountId,
2336
+ credentials_name: d.credentialsName,
2337
+ ...(d.cloudCredentials?.$case === 'awsCredentials' && {
2338
+ aws_credentials: d.cloudCredentials.awsCredentials,
2339
+ }),
2340
+ }));
2341
+
2342
+ export const marshalCreateStorageCredentialRequestSchema: z.ZodType = z
2343
+ .object({
2344
+ skipValidation: z.boolean().optional(),
2345
+ name: z.string().optional(),
2346
+ credential: z
2347
+ .discriminatedUnion('$case', [
2348
+ z.object({
2349
+ $case: z.literal('awsIamRole'),
2350
+ awsIamRole: z.lazy(() => marshalAwsIamRoleSchema),
2351
+ }),
2352
+ z.object({
2353
+ $case: z.literal('azureServicePrincipal'),
2354
+ azureServicePrincipal: z.lazy(
2355
+ () => marshalAzureServicePrincipalSchema
2356
+ ),
2357
+ }),
2358
+ z.object({
2359
+ $case: z.literal('gcpServiceAccountKey'),
2360
+ gcpServiceAccountKey: z.lazy(() => marshalGcpServiceAccountKeySchema),
2361
+ }),
2362
+ z.object({
2363
+ $case: z.literal('azureManagedIdentity'),
2364
+ azureManagedIdentity: z.lazy(() => marshalAzureManagedIdentitySchema),
2365
+ }),
2366
+ z.object({
2367
+ $case: z.literal('databricksGcpServiceAccount'),
2368
+ databricksGcpServiceAccount: z.lazy(
2369
+ () => marshalDatabricksGcpServiceAccountSchema
2370
+ ),
2371
+ }),
2372
+ z.object({
2373
+ $case: z.literal('cloudflareApiToken'),
2374
+ cloudflareApiToken: z.lazy(() => marshalCloudflareApiTokenSchema),
2375
+ }),
2376
+ ])
2377
+ .optional(),
2378
+ comment: z.string().optional(),
2379
+ readOnly: z.boolean().optional(),
2380
+ owner: z.string().optional(),
2381
+ id: z.string().optional(),
2382
+ metastoreId: z.string().optional(),
2383
+ createdAt: z.bigint().optional(),
2384
+ createdBy: z.string().optional(),
2385
+ updatedAt: z.bigint().optional(),
2386
+ updatedBy: z.string().optional(),
2387
+ usedForManagedStorage: z.boolean().optional(),
2388
+ fullName: z.string().optional(),
2389
+ isolationMode: z.enum(IsolationMode).optional(),
2390
+ })
2391
+ .transform(d => ({
2392
+ skip_validation: d.skipValidation,
2393
+ name: d.name,
2394
+ ...(d.credential?.$case === 'awsIamRole' && {
2395
+ aws_iam_role: d.credential.awsIamRole,
2396
+ }),
2397
+ ...(d.credential?.$case === 'azureServicePrincipal' && {
2398
+ azure_service_principal: d.credential.azureServicePrincipal,
2399
+ }),
2400
+ ...(d.credential?.$case === 'gcpServiceAccountKey' && {
2401
+ gcp_service_account_key: d.credential.gcpServiceAccountKey,
2402
+ }),
2403
+ ...(d.credential?.$case === 'azureManagedIdentity' && {
2404
+ azure_managed_identity: d.credential.azureManagedIdentity,
2405
+ }),
2406
+ ...(d.credential?.$case === 'databricksGcpServiceAccount' && {
2407
+ databricks_gcp_service_account: d.credential.databricksGcpServiceAccount,
2408
+ }),
2409
+ ...(d.credential?.$case === 'cloudflareApiToken' && {
2410
+ cloudflare_api_token: d.credential.cloudflareApiToken,
2411
+ }),
2412
+ comment: d.comment,
2413
+ read_only: d.readOnly,
2414
+ owner: d.owner,
2415
+ id: d.id,
2416
+ metastore_id: d.metastoreId,
2417
+ created_at: d.createdAt,
2418
+ created_by: d.createdBy,
2419
+ updated_at: d.updatedAt,
2420
+ updated_by: d.updatedBy,
2421
+ used_for_managed_storage: d.usedForManagedStorage,
2422
+ full_name: d.fullName,
2423
+ isolation_mode: d.isolationMode,
2424
+ }));
2425
+
2426
+ export const marshalDatabricksGcpServiceAccountSchema: z.ZodType = z
2427
+ .object({
2428
+ email: z.string().optional(),
2429
+ privateKeyId: z.string().optional(),
2430
+ credentialId: z.string().optional(),
2431
+ })
2432
+ .transform(d => ({
2433
+ email: d.email,
2434
+ private_key_id: d.privateKeyId,
2435
+ credential_id: d.credentialId,
2436
+ }));
2437
+
2438
+ export const marshalGcpServiceAccountKeySchema: z.ZodType = z
2439
+ .object({
2440
+ email: z.string().optional(),
2441
+ privateKeyId: z.string().optional(),
2442
+ privateKey: z.string().optional(),
2443
+ })
2444
+ .transform(d => ({
2445
+ email: d.email,
2446
+ private_key_id: d.privateKeyId,
2447
+ private_key: d.privateKey,
2448
+ }));
2449
+
2450
+ export const marshalGenerateTemporaryPathCredentialRequestSchema: z.ZodType = z
2451
+ .object({
2452
+ url: z.string().optional(),
2453
+ operation: z.enum(PathOperation).optional(),
2454
+ dryRun: z.boolean().optional(),
2455
+ })
2456
+ .transform(d => ({
2457
+ url: d.url,
2458
+ operation: d.operation,
2459
+ dry_run: d.dryRun,
2460
+ }));
2461
+
2462
+ export const marshalGenerateTemporaryServiceCredentialRequestSchema: z.ZodType =
2463
+ z
2464
+ .object({
2465
+ credentialName: z.string().optional(),
2466
+ options: z
2467
+ .discriminatedUnion('$case', [
2468
+ z.object({
2469
+ $case: z.literal('azureOptions'),
2470
+ azureOptions: z.lazy(
2471
+ () =>
2472
+ marshalGenerateTemporaryServiceCredentialRequest_AzureOptionsSchema
2473
+ ),
2474
+ }),
2475
+ z.object({
2476
+ $case: z.literal('gcpOptions'),
2477
+ gcpOptions: z.lazy(
2478
+ () =>
2479
+ marshalGenerateTemporaryServiceCredentialRequest_GcpOptionsSchema
2480
+ ),
2481
+ }),
2482
+ ])
2483
+ .optional(),
2484
+ })
2485
+ .transform(d => ({
2486
+ credential_name: d.credentialName,
2487
+ ...(d.options?.$case === 'azureOptions' && {
2488
+ azure_options: d.options.azureOptions,
2489
+ }),
2490
+ ...(d.options?.$case === 'gcpOptions' && {
2491
+ gcp_options: d.options.gcpOptions,
2492
+ }),
2493
+ }));
2494
+
2495
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
2496
+ export const marshalGenerateTemporaryServiceCredentialRequest_AzureOptionsSchema: z.ZodType =
2497
+ z
2498
+ .object({
2499
+ resources: z.array(z.string()).optional(),
2500
+ })
2501
+ .transform(d => ({
2502
+ resources: d.resources,
2503
+ }));
2504
+
2505
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
2506
+ export const marshalGenerateTemporaryServiceCredentialRequest_GcpOptionsSchema: z.ZodType =
2507
+ z
2508
+ .object({
2509
+ scopes: z.array(z.string()).optional(),
2510
+ })
2511
+ .transform(d => ({
2512
+ scopes: d.scopes,
2513
+ }));
2514
+
2515
+ export const marshalGenerateTemporaryTableCredentialRequestSchema: z.ZodType = z
2516
+ .object({
2517
+ tableId: z.string().optional(),
2518
+ operation: z.enum(TableOperation).optional(),
2519
+ })
2520
+ .transform(d => ({
2521
+ table_id: d.tableId,
2522
+ operation: d.operation,
2523
+ }));
2524
+
2525
+ export const marshalGenerateTemporaryVolumeCredentialRequestSchema: z.ZodType =
2526
+ z
2527
+ .object({
2528
+ volumeId: z.string().optional(),
2529
+ operation: z.enum(VolumeOperation).optional(),
2530
+ })
2531
+ .transform(d => ({
2532
+ volume_id: d.volumeId,
2533
+ operation: d.operation,
2534
+ }));
2535
+
2536
+ export const marshalUpdateAccountsStorageCredentialSchema: z.ZodType = z
2537
+ .object({
2538
+ name: z.string().optional(),
2539
+ credential: z
2540
+ .discriminatedUnion('$case', [
2541
+ z.object({
2542
+ $case: z.literal('awsIamRole'),
2543
+ awsIamRole: z.lazy(() => marshalAwsIamRoleSchema),
2544
+ }),
2545
+ z.object({
2546
+ $case: z.literal('azureServicePrincipal'),
2547
+ azureServicePrincipal: z.lazy(
2548
+ () => marshalAzureServicePrincipalSchema
2549
+ ),
2550
+ }),
2551
+ z.object({
2552
+ $case: z.literal('gcpServiceAccountKey'),
2553
+ gcpServiceAccountKey: z.lazy(() => marshalGcpServiceAccountKeySchema),
2554
+ }),
2555
+ z.object({
2556
+ $case: z.literal('azureManagedIdentity'),
2557
+ azureManagedIdentity: z.lazy(() => marshalAzureManagedIdentitySchema),
2558
+ }),
2559
+ z.object({
2560
+ $case: z.literal('databricksGcpServiceAccount'),
2561
+ databricksGcpServiceAccount: z.lazy(
2562
+ () => marshalDatabricksGcpServiceAccountSchema
2563
+ ),
2564
+ }),
2565
+ z.object({
2566
+ $case: z.literal('cloudflareApiToken'),
2567
+ cloudflareApiToken: z.lazy(() => marshalCloudflareApiTokenSchema),
2568
+ }),
2569
+ ])
2570
+ .optional(),
2571
+ comment: z.string().optional(),
2572
+ readOnly: z.boolean().optional(),
2573
+ owner: z.string().optional(),
2574
+ id: z.string().optional(),
2575
+ metastoreId: z.string().optional(),
2576
+ createdAt: z.bigint().optional(),
2577
+ createdBy: z.string().optional(),
2578
+ updatedAt: z.bigint().optional(),
2579
+ updatedBy: z.string().optional(),
2580
+ usedForManagedStorage: z.boolean().optional(),
2581
+ fullName: z.string().optional(),
2582
+ isolationMode: z.enum(IsolationMode).optional(),
2583
+ })
2584
+ .transform(d => ({
2585
+ name: d.name,
2586
+ ...(d.credential?.$case === 'awsIamRole' && {
2587
+ aws_iam_role: d.credential.awsIamRole,
2588
+ }),
2589
+ ...(d.credential?.$case === 'azureServicePrincipal' && {
2590
+ azure_service_principal: d.credential.azureServicePrincipal,
2591
+ }),
2592
+ ...(d.credential?.$case === 'gcpServiceAccountKey' && {
2593
+ gcp_service_account_key: d.credential.gcpServiceAccountKey,
2594
+ }),
2595
+ ...(d.credential?.$case === 'azureManagedIdentity' && {
2596
+ azure_managed_identity: d.credential.azureManagedIdentity,
2597
+ }),
2598
+ ...(d.credential?.$case === 'databricksGcpServiceAccount' && {
2599
+ databricks_gcp_service_account: d.credential.databricksGcpServiceAccount,
2600
+ }),
2601
+ ...(d.credential?.$case === 'cloudflareApiToken' && {
2602
+ cloudflare_api_token: d.credential.cloudflareApiToken,
2603
+ }),
2604
+ comment: d.comment,
2605
+ read_only: d.readOnly,
2606
+ owner: d.owner,
2607
+ id: d.id,
2608
+ metastore_id: d.metastoreId,
2609
+ created_at: d.createdAt,
2610
+ created_by: d.createdBy,
2611
+ updated_at: d.updatedAt,
2612
+ updated_by: d.updatedBy,
2613
+ used_for_managed_storage: d.usedForManagedStorage,
2614
+ full_name: d.fullName,
2615
+ isolation_mode: d.isolationMode,
2616
+ }));
2617
+
2618
+ export const marshalUpdateCredentialRequestSchema: z.ZodType = z
2619
+ .object({
2620
+ nameArg: z.string().optional(),
2621
+ newName: z.string().optional(),
2622
+ skipValidation: z.boolean().optional(),
2623
+ force: z.boolean().optional(),
2624
+ name: z.string().optional(),
2625
+ credential: z
2626
+ .discriminatedUnion('$case', [
2627
+ z.object({
2628
+ $case: z.literal('awsIamRole'),
2629
+ awsIamRole: z.lazy(() => marshalAwsIamRoleSchema),
2630
+ }),
2631
+ z.object({
2632
+ $case: z.literal('azureServicePrincipal'),
2633
+ azureServicePrincipal: z.lazy(
2634
+ () => marshalAzureServicePrincipalSchema
2635
+ ),
2636
+ }),
2637
+ z.object({
2638
+ $case: z.literal('gcpServiceAccountKey'),
2639
+ gcpServiceAccountKey: z.lazy(() => marshalGcpServiceAccountKeySchema),
2640
+ }),
2641
+ z.object({
2642
+ $case: z.literal('azureManagedIdentity'),
2643
+ azureManagedIdentity: z.lazy(() => marshalAzureManagedIdentitySchema),
2644
+ }),
2645
+ z.object({
2646
+ $case: z.literal('databricksGcpServiceAccount'),
2647
+ databricksGcpServiceAccount: z.lazy(
2648
+ () => marshalDatabricksGcpServiceAccountSchema
2649
+ ),
2650
+ }),
2651
+ z.object({
2652
+ $case: z.literal('cloudflareApiToken'),
2653
+ cloudflareApiToken: z.lazy(() => marshalCloudflareApiTokenSchema),
2654
+ }),
2655
+ ])
2656
+ .optional(),
2657
+ comment: z.string().optional(),
2658
+ readOnly: z.boolean().optional(),
2659
+ owner: z.string().optional(),
2660
+ id: z.string().optional(),
2661
+ metastoreId: z.string().optional(),
2662
+ createdAt: z.bigint().optional(),
2663
+ createdBy: z.string().optional(),
2664
+ updatedAt: z.bigint().optional(),
2665
+ updatedBy: z.string().optional(),
2666
+ usedForManagedStorage: z.boolean().optional(),
2667
+ fullName: z.string().optional(),
2668
+ isolationMode: z.enum(IsolationMode).optional(),
2669
+ })
2670
+ .transform(d => ({
2671
+ name_arg: d.nameArg,
2672
+ new_name: d.newName,
2673
+ skip_validation: d.skipValidation,
2674
+ force: d.force,
2675
+ name: d.name,
2676
+ ...(d.credential?.$case === 'awsIamRole' && {
2677
+ aws_iam_role: d.credential.awsIamRole,
2678
+ }),
2679
+ ...(d.credential?.$case === 'azureServicePrincipal' && {
2680
+ azure_service_principal: d.credential.azureServicePrincipal,
2681
+ }),
2682
+ ...(d.credential?.$case === 'gcpServiceAccountKey' && {
2683
+ gcp_service_account_key: d.credential.gcpServiceAccountKey,
2684
+ }),
2685
+ ...(d.credential?.$case === 'azureManagedIdentity' && {
2686
+ azure_managed_identity: d.credential.azureManagedIdentity,
2687
+ }),
2688
+ ...(d.credential?.$case === 'databricksGcpServiceAccount' && {
2689
+ databricks_gcp_service_account: d.credential.databricksGcpServiceAccount,
2690
+ }),
2691
+ ...(d.credential?.$case === 'cloudflareApiToken' && {
2692
+ cloudflare_api_token: d.credential.cloudflareApiToken,
2693
+ }),
2694
+ comment: d.comment,
2695
+ read_only: d.readOnly,
2696
+ owner: d.owner,
2697
+ id: d.id,
2698
+ metastore_id: d.metastoreId,
2699
+ created_at: d.createdAt,
2700
+ created_by: d.createdBy,
2701
+ updated_at: d.updatedAt,
2702
+ updated_by: d.updatedBy,
2703
+ used_for_managed_storage: d.usedForManagedStorage,
2704
+ full_name: d.fullName,
2705
+ isolation_mode: d.isolationMode,
2706
+ }));
2707
+
2708
+ export const marshalUpdateStorageCredentialRequestSchema: z.ZodType = z
2709
+ .object({
2710
+ nameArg: z.string().optional(),
2711
+ newName: z.string().optional(),
2712
+ skipValidation: z.boolean().optional(),
2713
+ force: z.boolean().optional(),
2714
+ name: z.string().optional(),
2715
+ credential: z
2716
+ .discriminatedUnion('$case', [
2717
+ z.object({
2718
+ $case: z.literal('awsIamRole'),
2719
+ awsIamRole: z.lazy(() => marshalAwsIamRoleSchema),
2720
+ }),
2721
+ z.object({
2722
+ $case: z.literal('azureServicePrincipal'),
2723
+ azureServicePrincipal: z.lazy(
2724
+ () => marshalAzureServicePrincipalSchema
2725
+ ),
2726
+ }),
2727
+ z.object({
2728
+ $case: z.literal('gcpServiceAccountKey'),
2729
+ gcpServiceAccountKey: z.lazy(() => marshalGcpServiceAccountKeySchema),
2730
+ }),
2731
+ z.object({
2732
+ $case: z.literal('azureManagedIdentity'),
2733
+ azureManagedIdentity: z.lazy(() => marshalAzureManagedIdentitySchema),
2734
+ }),
2735
+ z.object({
2736
+ $case: z.literal('databricksGcpServiceAccount'),
2737
+ databricksGcpServiceAccount: z.lazy(
2738
+ () => marshalDatabricksGcpServiceAccountSchema
2739
+ ),
2740
+ }),
2741
+ z.object({
2742
+ $case: z.literal('cloudflareApiToken'),
2743
+ cloudflareApiToken: z.lazy(() => marshalCloudflareApiTokenSchema),
2744
+ }),
2745
+ ])
2746
+ .optional(),
2747
+ comment: z.string().optional(),
2748
+ readOnly: z.boolean().optional(),
2749
+ owner: z.string().optional(),
2750
+ id: z.string().optional(),
2751
+ metastoreId: z.string().optional(),
2752
+ createdAt: z.bigint().optional(),
2753
+ createdBy: z.string().optional(),
2754
+ updatedAt: z.bigint().optional(),
2755
+ updatedBy: z.string().optional(),
2756
+ usedForManagedStorage: z.boolean().optional(),
2757
+ fullName: z.string().optional(),
2758
+ isolationMode: z.enum(IsolationMode).optional(),
2759
+ })
2760
+ .transform(d => ({
2761
+ name_arg: d.nameArg,
2762
+ new_name: d.newName,
2763
+ skip_validation: d.skipValidation,
2764
+ force: d.force,
2765
+ name: d.name,
2766
+ ...(d.credential?.$case === 'awsIamRole' && {
2767
+ aws_iam_role: d.credential.awsIamRole,
2768
+ }),
2769
+ ...(d.credential?.$case === 'azureServicePrincipal' && {
2770
+ azure_service_principal: d.credential.azureServicePrincipal,
2771
+ }),
2772
+ ...(d.credential?.$case === 'gcpServiceAccountKey' && {
2773
+ gcp_service_account_key: d.credential.gcpServiceAccountKey,
2774
+ }),
2775
+ ...(d.credential?.$case === 'azureManagedIdentity' && {
2776
+ azure_managed_identity: d.credential.azureManagedIdentity,
2777
+ }),
2778
+ ...(d.credential?.$case === 'databricksGcpServiceAccount' && {
2779
+ databricks_gcp_service_account: d.credential.databricksGcpServiceAccount,
2780
+ }),
2781
+ ...(d.credential?.$case === 'cloudflareApiToken' && {
2782
+ cloudflare_api_token: d.credential.cloudflareApiToken,
2783
+ }),
2784
+ comment: d.comment,
2785
+ read_only: d.readOnly,
2786
+ owner: d.owner,
2787
+ id: d.id,
2788
+ metastore_id: d.metastoreId,
2789
+ created_at: d.createdAt,
2790
+ created_by: d.createdBy,
2791
+ updated_at: d.updatedAt,
2792
+ updated_by: d.updatedBy,
2793
+ used_for_managed_storage: d.usedForManagedStorage,
2794
+ full_name: d.fullName,
2795
+ isolation_mode: d.isolationMode,
2796
+ }));
2797
+
2798
+ export const marshalValidateCredentialRequestSchema: z.ZodType = z
2799
+ .object({
2800
+ credential: z
2801
+ .discriminatedUnion('$case', [
2802
+ z.object({
2803
+ $case: z.literal('credentialName'),
2804
+ credentialName: z.string(),
2805
+ }),
2806
+ z.object({
2807
+ $case: z.literal('awsIamRole'),
2808
+ awsIamRole: z.lazy(() => marshalAwsIamRoleSchema),
2809
+ }),
2810
+ z.object({
2811
+ $case: z.literal('azureManagedIdentity'),
2812
+ azureManagedIdentity: z.lazy(() => marshalAzureManagedIdentitySchema),
2813
+ }),
2814
+ z.object({
2815
+ $case: z.literal('databricksGcpServiceAccount'),
2816
+ databricksGcpServiceAccount: z.lazy(
2817
+ () => marshalDatabricksGcpServiceAccountSchema
2818
+ ),
2819
+ }),
2820
+ ])
2821
+ .optional(),
2822
+ externalLocationName: z.string().optional(),
2823
+ url: z.string().optional(),
2824
+ readOnly: z.boolean().optional(),
2825
+ })
2826
+ .transform(d => ({
2827
+ ...(d.credential?.$case === 'credentialName' && {
2828
+ credential_name: d.credential.credentialName,
2829
+ }),
2830
+ ...(d.credential?.$case === 'awsIamRole' && {
2831
+ aws_iam_role: d.credential.awsIamRole,
2832
+ }),
2833
+ ...(d.credential?.$case === 'azureManagedIdentity' && {
2834
+ azure_managed_identity: d.credential.azureManagedIdentity,
2835
+ }),
2836
+ ...(d.credential?.$case === 'databricksGcpServiceAccount' && {
2837
+ databricks_gcp_service_account: d.credential.databricksGcpServiceAccount,
2838
+ }),
2839
+ external_location_name: d.externalLocationName,
2840
+ url: d.url,
2841
+ read_only: d.readOnly,
2842
+ }));
2843
+
2844
+ export const marshalValidateStorageCredentialRequestSchema: z.ZodType = z
2845
+ .object({
2846
+ credential: z
2847
+ .discriminatedUnion('$case', [
2848
+ z.object({
2849
+ $case: z.literal('storageCredentialName'),
2850
+ storageCredentialName: z.string(),
2851
+ }),
2852
+ z.object({
2853
+ $case: z.literal('awsIamRole'),
2854
+ awsIamRole: z.lazy(() => marshalAwsIamRoleSchema),
2855
+ }),
2856
+ z.object({
2857
+ $case: z.literal('azureServicePrincipal'),
2858
+ azureServicePrincipal: z.lazy(
2859
+ () => marshalAzureServicePrincipalSchema
2860
+ ),
2861
+ }),
2862
+ z.object({
2863
+ $case: z.literal('azureManagedIdentity'),
2864
+ azureManagedIdentity: z.lazy(() => marshalAzureManagedIdentitySchema),
2865
+ }),
2866
+ z.object({
2867
+ $case: z.literal('databricksGcpServiceAccount'),
2868
+ databricksGcpServiceAccount: z.lazy(
2869
+ () => marshalDatabricksGcpServiceAccountSchema
2870
+ ),
2871
+ }),
2872
+ z.object({
2873
+ $case: z.literal('cloudflareApiToken'),
2874
+ cloudflareApiToken: z.lazy(() => marshalCloudflareApiTokenSchema),
2875
+ }),
2876
+ ])
2877
+ .optional(),
2878
+ externalLocationName: z.string().optional(),
2879
+ url: z.string().optional(),
2880
+ readOnly: z.boolean().optional(),
2881
+ })
2882
+ .transform(d => ({
2883
+ ...(d.credential?.$case === 'storageCredentialName' && {
2884
+ storage_credential_name: d.credential.storageCredentialName,
2885
+ }),
2886
+ ...(d.credential?.$case === 'awsIamRole' && {
2887
+ aws_iam_role: d.credential.awsIamRole,
2888
+ }),
2889
+ ...(d.credential?.$case === 'azureServicePrincipal' && {
2890
+ azure_service_principal: d.credential.azureServicePrincipal,
2891
+ }),
2892
+ ...(d.credential?.$case === 'azureManagedIdentity' && {
2893
+ azure_managed_identity: d.credential.azureManagedIdentity,
2894
+ }),
2895
+ ...(d.credential?.$case === 'databricksGcpServiceAccount' && {
2896
+ databricks_gcp_service_account: d.credential.databricksGcpServiceAccount,
2897
+ }),
2898
+ ...(d.credential?.$case === 'cloudflareApiToken' && {
2899
+ cloudflare_api_token: d.credential.cloudflareApiToken,
2900
+ }),
2901
+ external_location_name: d.externalLocationName,
2902
+ url: d.url,
2903
+ read_only: d.readOnly,
2904
+ }));