google-api-python-client 2.165.0__py2.py3-none-any.whl → 2.167.0__py2.py3-none-any.whl

googleapiclient/discovery_cache/documents/iam.v1.json

@@ -1612,6 +1612,34 @@
 "https://www.googleapis.com/auth/cloud-platform"
 ]
 },
+"getIamPolicy": {
+"description": "Gets IAM policies for one of WorkloadIdentityPool WorkloadIdentityPoolNamespace WorkloadIdentityPoolManagedIdentity",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}:getIamPolicy",
+"httpMethod": "POST",
+"id": "iam.projects.locations.workloadIdentityPools.getIamPolicy",
+"parameterOrder": [
+"resource"
+],
+"parameters": {
+"resource": {
+"description": "REQUIRED: The resource for which the policy is being requested. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+resource}:getIamPolicy",
+"request": {
+"$ref": "GetIamPolicyRequest"
+},
+"response": {
+"$ref": "Policy"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
 "list": {
 "description": "Lists all non-deleted WorkloadIdentityPools in a project. If `show_deleted` is set to `true`, then deleted pools are also listed.",
 "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools",
@@ -1647,25 +1675,530 @@
 },
 "path": "v1/{+parent}/workloadIdentityPools",
 "response": {
-"$ref": "ListWorkloadIdentityPoolsResponse"
+"$ref": "ListWorkloadIdentityPoolsResponse"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"patch": {
+"description": "Updates an existing WorkloadIdentityPool.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}",
+"httpMethod": "PATCH",
+"id": "iam.projects.locations.workloadIdentityPools.patch",
+"parameterOrder": [
+"name"
+],
+"parameters": {
+"name": {
+"description": "Output only. The resource name of the pool.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+$",
+"required": true,
+"type": "string"
+},
+"updateMask": {
+"description": "Required. The list of fields to update.",
+"format": "google-fieldmask",
+"location": "query",
+"type": "string"
+}
+},
+"path": "v1/{+name}",
+"request": {
+"$ref": "WorkloadIdentityPool"
+},
+"response": {
+"$ref": "Operation"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"setIamPolicy": {
+"description": "Sets IAM policies on one of WorkloadIdentityPool WorkloadIdentityPoolNamespace WorkloadIdentityPoolManagedIdentity",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}:setIamPolicy",
+"httpMethod": "POST",
+"id": "iam.projects.locations.workloadIdentityPools.setIamPolicy",
+"parameterOrder": [
+"resource"
+],
+"parameters": {
+"resource": {
+"description": "REQUIRED: The resource for which the policy is being specified. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+resource}:setIamPolicy",
+"request": {
+"$ref": "SetIamPolicyRequest"
+},
+"response": {
+"$ref": "Policy"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"testIamPermissions": {
+"description": "Returns the caller's permissions on one of WorkloadIdentityPool WorkloadIdentityPoolNamespace WorkloadIdentityPoolManagedIdentity",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}:testIamPermissions",
+"httpMethod": "POST",
+"id": "iam.projects.locations.workloadIdentityPools.testIamPermissions",
+"parameterOrder": [
+"resource"
+],
+"parameters": {
+"resource": {
+"description": "REQUIRED: The resource for which the policy detail is being requested. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+resource}:testIamPermissions",
+"request": {
+"$ref": "TestIamPermissionsRequest"
+},
+"response": {
+"$ref": "TestIamPermissionsResponse"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"undelete": {
+"description": "Undeletes a WorkloadIdentityPool, as long as it was deleted fewer than 30 days ago.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}:undelete",
+"httpMethod": "POST",
+"id": "iam.projects.locations.workloadIdentityPools.undelete",
+"parameterOrder": [
+"name"
+],
+"parameters": {
+"name": {
+"description": "Required. The name of the pool to undelete.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+name}:undelete",
+"request": {
+"$ref": "UndeleteWorkloadIdentityPoolRequest"
+},
+"response": {
+"$ref": "Operation"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+}
+},
+"resources": {
+"namespaces": {
+"methods": {
+"create": {
+"description": "Creates a new WorkloadIdentityPoolNamespace in a WorkloadIdentityPool.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces",
+"httpMethod": "POST",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.create",
+"parameterOrder": [
+"parent"
+],
+"parameters": {
+"parent": {
+"description": "Required. The parent resource to create the namespace in. The only supported location is `global`.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+$",
+"required": true,
+"type": "string"
+},
+"workloadIdentityPoolNamespaceId": {
+"description": "Required. The ID to use for the namespace. This value must: * contain at most 63 characters * contain only lowercase alphanumeric characters or `-` * start with an alphanumeric character * end with an alphanumeric character The prefix \"gcp-\" will be reserved for future uses.",
+"location": "query",
+"type": "string"
+}
+},
+"path": "v1/{+parent}/namespaces",
+"request": {
+"$ref": "WorkloadIdentityPoolNamespace"
+},
+"response": {
+"$ref": "Operation"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"delete": {
+"description": "Deletes a WorkloadIdentityPoolNamespace. You can undelete a namespace for 30 days. After 30 days, deletion is permanent.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces/{namespacesId}",
+"httpMethod": "DELETE",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.delete",
+"parameterOrder": [
+"name"
+],
+"parameters": {
+"name": {
+"description": "Required. The name of the namespace to delete.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+/namespaces/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+name}",
+"response": {
+"$ref": "Operation"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"get": {
+"description": "Gets an individual WorkloadIdentityPoolNamespace.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces/{namespacesId}",
+"httpMethod": "GET",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.get",
+"parameterOrder": [
+"name"
+],
+"parameters": {
+"name": {
+"description": "Required. The name of the namespace to retrieve.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+/namespaces/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+name}",
+"response": {
+"$ref": "WorkloadIdentityPoolNamespace"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"list": {
+"description": "Lists all non-deleted WorkloadIdentityPoolNamespaces in a workload identity pool. If `show_deleted` is set to `true`, then deleted namespaces are also listed.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces",
+"httpMethod": "GET",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.list",
+"parameterOrder": [
+"parent"
+],
+"parameters": {
+"pageSize": {
+"description": "The maximum number of namespaces to return. If unspecified, at most 50 namespaces are returned. The maximum value is 1000; values above are 1000 truncated to 1000.",
+"format": "int32",
+"location": "query",
+"type": "integer"
+},
+"pageToken": {
+"description": "A page token, received from a previous `ListWorkloadIdentityPoolNamespaces` call. Provide this to retrieve the subsequent page.",
+"location": "query",
+"type": "string"
+},
+"parent": {
+"description": "Required. The parent resource to list namespaces for.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+$",
+"required": true,
+"type": "string"
+},
+"showDeleted": {
+"description": "Whether to return soft-deleted namespaces.",
+"location": "query",
+"type": "boolean"
+}
+},
+"path": "v1/{+parent}/namespaces",
+"response": {
+"$ref": "ListWorkloadIdentityPoolNamespacesResponse"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"patch": {
+"description": "Updates an existing WorkloadIdentityPoolNamespace in a WorkloadIdentityPool.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces/{namespacesId}",
+"httpMethod": "PATCH",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.patch",
+"parameterOrder": [
+"name"
+],
+"parameters": {
+"name": {
+"description": "Output only. The resource name of the namespace.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+/namespaces/[^/]+$",
+"required": true,
+"type": "string"
+},
+"updateMask": {
+"description": "Required. The list of fields to update.",
+"format": "google-fieldmask",
+"location": "query",
+"type": "string"
+}
+},
+"path": "v1/{+name}",
+"request": {
+"$ref": "WorkloadIdentityPoolNamespace"
+},
+"response": {
+"$ref": "Operation"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"undelete": {
+"description": "Undeletes a WorkloadIdentityPoolNamespace, as long as it was deleted fewer than 30 days ago.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces/{namespacesId}:undelete",
+"httpMethod": "POST",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.undelete",
+"parameterOrder": [
+"name"
+],
+"parameters": {
+"name": {
+"description": "Required. The name of the namespace to undelete.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+/namespaces/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+name}:undelete",
+"request": {
+"$ref": "UndeleteWorkloadIdentityPoolNamespaceRequest"
+},
+"response": {
+"$ref": "Operation"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+}
+},
+"resources": {
+"managedIdentities": {
+"methods": {
+"addAttestationRule": {
+"description": "Add an AttestationRule on a WorkloadIdentityPoolManagedIdentity. The total attestation rules after addition must not exceed 50.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces/{namespacesId}/managedIdentities/{managedIdentitiesId}:addAttestationRule",
+"httpMethod": "POST",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.addAttestationRule",
+"parameterOrder": [
+"resource"
+],
+"parameters": {
+"resource": {
+"description": "Required. The resource name of the managed identity or namespace resource to add an attestation rule to.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+/namespaces/[^/]+/managedIdentities/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+resource}:addAttestationRule",
+"request": {
+"$ref": "AddAttestationRuleRequest"
+},
+"response": {
+"$ref": "Operation"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"create": {
+"description": "Creates a new WorkloadIdentityPoolManagedIdentity in a WorkloadIdentityPoolNamespace.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces/{namespacesId}/managedIdentities",
+"httpMethod": "POST",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.create",
+"parameterOrder": [
+"parent"
+],
+"parameters": {
+"parent": {
+"description": "Required. The parent resource to create the manage identity in. The only supported location is `global`.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+/namespaces/[^/]+$",
+"required": true,
+"type": "string"
+},
+"workloadIdentityPoolManagedIdentityId": {
+"description": "Required. The ID to use for the managed identity. This value must: * contain at most 63 characters * contain only lowercase alphanumeric characters or `-` * start with an alphanumeric character * end with an alphanumeric character The prefix \"gcp-\" will be reserved for future uses.",
+"location": "query",
+"type": "string"
+}
+},
+"path": "v1/{+parent}/managedIdentities",
+"request": {
+"$ref": "WorkloadIdentityPoolManagedIdentity"
+},
+"response": {
+"$ref": "Operation"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"delete": {
+"description": "Deletes a WorkloadIdentityPoolManagedIdentity. You can undelete a managed identity for 30 days. After 30 days, deletion is permanent.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces/{namespacesId}/managedIdentities/{managedIdentitiesId}",
+"httpMethod": "DELETE",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.delete",
+"parameterOrder": [
+"name"
+],
+"parameters": {
+"name": {
+"description": "Required. The name of the managed identity to delete.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+/namespaces/[^/]+/managedIdentities/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+name}",
+"response": {
+"$ref": "Operation"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"get": {
+"description": "Gets an individual WorkloadIdentityPoolManagedIdentity.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces/{namespacesId}/managedIdentities/{managedIdentitiesId}",
+"httpMethod": "GET",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.get",
+"parameterOrder": [
+"name"
+],
+"parameters": {
+"name": {
+"description": "Required. The name of the managed identity to retrieve.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+/namespaces/[^/]+/managedIdentities/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+name}",
+"response": {
+"$ref": "WorkloadIdentityPoolManagedIdentity"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"list": {
+"description": "Lists all non-deleted WorkloadIdentityPoolManagedIdentitys in a namespace. If `show_deleted` is set to `true`, then deleted managed identites are also listed.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces/{namespacesId}/managedIdentities",
+"httpMethod": "GET",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.list",
+"parameterOrder": [
+"parent"
+],
+"parameters": {
+"pageSize": {
+"description": "The maximum number of managed identities to return. If unspecified, at most 50 managed identities are returned. The maximum value is 1000; values above are 1000 truncated to 1000.",
+"format": "int32",
+"location": "query",
+"type": "integer"
+},
+"pageToken": {
+"description": "A page token, received from a previous `ListWorkloadIdentityPoolManagedIdentities` call. Provide this to retrieve the subsequent page.",
+"location": "query",
+"type": "string"
+},
+"parent": {
+"description": "Required. The parent resource to list managed identities for.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+/namespaces/[^/]+$",
+"required": true,
+"type": "string"
+},
+"showDeleted": {
+"description": "Whether to return soft-deleted managed identities.",
+"location": "query",
+"type": "boolean"
+}
+},
+"path": "v1/{+parent}/managedIdentities",
+"response": {
+"$ref": "ListWorkloadIdentityPoolManagedIdentitiesResponse"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"listAttestationRules": {
+"description": "List all AttestationRule on a WorkloadIdentityPoolManagedIdentity.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces/{namespacesId}/managedIdentities/{managedIdentitiesId}:listAttestationRules",
+"httpMethod": "GET",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.listAttestationRules",
+"parameterOrder": [
+"resource"
+],
+"parameters": {
+"filter": {
+"description": "Optional. A query filter. Supports the following function: * `container_ids()`: Returns only the AttestationRules under the specific container ids. The function expects a comma-delimited list with only project numbers and must use the format `projects/`. For example: `container_ids(projects/, projects/,...)`.",
+"location": "query",
+"type": "string"
+},
+"pageSize": {
+"description": "Optional. The maximum number of AttestationRules to return. If unspecified, at most 50 AttestationRules are returned. The maximum value is 100; values above 100 are truncated to 100.",
+"format": "int32",
+"location": "query",
+"type": "integer"
+},
+"pageToken": {
+"description": "Optional. A page token, received from a previous `ListWorkloadIdentityPoolProviderKeys` call. Provide this to retrieve the subsequent page.",
+"location": "query",
+"type": "string"
+},
+"resource": {
+"description": "Required. The resource name of the managed identity or namespace resource to list attestation rules of.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+/namespaces/[^/]+/managedIdentities/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+resource}:listAttestationRules",
+"response": {
+"$ref": "ListAttestationRulesResponse"
 },
 "scopes": [
 "https://www.googleapis.com/auth/cloud-platform"
 ]
 },
 "patch": {
-"description": "Updates an existing WorkloadIdentityPool.",
-"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}",
+"description": "Updates an existing WorkloadIdentityPoolManagedIdentity in a WorkloadIdentityPoolNamespace.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces/{namespacesId}/managedIdentities/{managedIdentitiesId}",
 "httpMethod": "PATCH",
-"id": "iam.projects.locations.workloadIdentityPools.patch",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.patch",
 "parameterOrder": [
 "name"
 ],
 "parameters": {
 "name": {
-"description": "Output only. The resource name of the pool.",
+"description": "Output only. The resource name of the managed identity.",
 "location": "path",
-"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+$",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+/namespaces/[^/]+/managedIdentities/[^/]+$",
 "required": true,
 "type": "string"
 },
@@ -1678,7 +2211,63 @@
 },
 "path": "v1/{+name}",
 "request": {
-"$ref": "WorkloadIdentityPool"
+"$ref": "WorkloadIdentityPoolManagedIdentity"
+},
+"response": {
+"$ref": "Operation"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"removeAttestationRule": {
+"description": "Remove an AttestationRule on a WorkloadIdentityPoolManagedIdentity.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces/{namespacesId}/managedIdentities/{managedIdentitiesId}:removeAttestationRule",
+"httpMethod": "POST",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.removeAttestationRule",
+"parameterOrder": [
+"resource"
+],
+"parameters": {
+"resource": {
+"description": "Required. The resource name of the managed identity or namespace resource to remove an attestation rule from.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+/namespaces/[^/]+/managedIdentities/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+resource}:removeAttestationRule",
+"request": {
+"$ref": "RemoveAttestationRuleRequest"
+},
+"response": {
+"$ref": "Operation"
+},
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+},
+"setAttestationRules": {
+"description": "Set all AttestationRule on a WorkloadIdentityPoolManagedIdentity. A maximum of 50 AttestationRules can be set.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces/{namespacesId}/managedIdentities/{managedIdentitiesId}:setAttestationRules",
+"httpMethod": "POST",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.setAttestationRules",
+"parameterOrder": [
+"resource"
+],
+"parameters": {
+"resource": {
+"description": "Required. The resource name of the managed identity or namespace resource to add an attestation rule to.",
+"location": "path",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+/namespaces/[^/]+/managedIdentities/[^/]+$",
+"required": true,
+"type": "string"
+}
+},
+"path": "v1/{+resource}:setAttestationRules",
+"request": {
+"$ref": "SetAttestationRulesRequest"
 },
 "response": {
 "$ref": "Operation"
@@ -1688,25 +2277,25 @@
 ]
 },
 "undelete": {
-"description": "Undeletes a WorkloadIdentityPool, as long as it was deleted fewer than 30 days ago.",
-"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}:undelete",
+"description": "Undeletes a WorkloadIdentityPoolManagedIdentity, as long as it was deleted fewer than 30 days ago.",
+"flatPath": "v1/projects/{projectsId}/locations/{locationsId}/workloadIdentityPools/{workloadIdentityPoolsId}/namespaces/{namespacesId}/managedIdentities/{managedIdentitiesId}:undelete",
 "httpMethod": "POST",
-"id": "iam.projects.locations.workloadIdentityPools.undelete",
+"id": "iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.undelete",
 "parameterOrder": [
 "name"
 ],
 "parameters": {
 "name": {
-"description": "Required. The name of the pool to undelete.",
+"description": "Required. The name of the managed identity to undelete.",
 "location": "path",
-"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+$",
+"pattern": "^projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+/namespaces/[^/]+/managedIdentities/[^/]+$",
 "required": true,
 "type": "string"
 }
 },
 "path": "v1/{+name}:undelete",
 "request": {
-"$ref": "UndeleteWorkloadIdentityPoolRequest"
+"$ref": "UndeleteWorkloadIdentityPoolManagedIdentityRequest"
 },
 "response": {
 "$ref": "Operation"
@@ -1717,10 +2306,6 @@
 }
 },
 "resources": {
-"namespaces": {
-"resources": {
-"managedIdentities": {
-"resources": {
 "operations": {
 "methods": {
 "get": {
@@ -2722,7 +3307,7 @@
 },
 "signBlob": {
 "deprecated": true,
-"description": "**Note:** This method is deprecated. Use the [signBlob](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signBlob) method in the IAM Service Account Credentials API instead. If you currently use this method, see the [migration guide](https://cloud.google.com/iam/help/credentials/migrate-api) for instructions. Signs a blob using the system-managed private key for a ServiceAccount.",
+"description": " Signs a blob using the system-managed private key for a ServiceAccount.",
 "flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:signBlob",
 "httpMethod": "POST",
 "id": "iam.projects.serviceAccounts.signBlob",
@@ -2751,7 +3336,7 @@
 },
 "signJwt": {
 "deprecated": true,
-"description": "**Note:** This method is deprecated. Use the [signJwt](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signJwt) method in the IAM Service Account Credentials API instead. If you currently use this method, see the [migration guide](https://cloud.google.com/iam/help/credentials/migrate-api) for instructions. Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.",
+"description": " Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.",
 "flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:signJwt",
 "httpMethod": "POST",
 "id": "iam.projects.serviceAccounts.signJwt",
@@ -3188,7 +3773,7 @@
 }
 }
 },
-"revision": "20250213",
+"revision": "20250320",
 "rootUrl": "https://iam.googleapis.com/",
 "schemas": {
 "AccessRestrictions": {
@@ -3209,6 +3794,17 @@
 },
 "type": "object"
 },
+"AddAttestationRuleRequest": {
+"description": "Request message for AddAttestationRule.",
+"id": "AddAttestationRuleRequest",
+"properties": {
+"attestationRule": {
+"$ref": "AttestationRule",
+"description": "Required. The attestation rule to be added."
+}
+},
+"type": "object"
+},
 "AdminAuditData": {
 "description": "Audit log information specific to Cloud IAM admin APIs. This message is serialized as an `Any` type in the `ServiceData` message of an `AuditLog` message.",
 "id": "AdminAuditData",
@@ -3220,6 +3816,17 @@
 },
 "type": "object"
 },
+"AttestationRule": {
+"description": "Defines which workloads can receive an identity within a pool. When an AttestationRule is defined under a managed identity, matching workloads may receive that identity.",
+"id": "AttestationRule",
+"properties": {
+"googleCloudResource": {
+"description": "Optional. A single workload operating on Google Cloud. For example: `//compute.googleapis.com/projects/123/uid/zones/us-central1-a/instances/12345`.",
+"type": "string"
+}
+},
+"type": "object"
+},
 "AuditConfig": {
 "description": "Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: { \"audit_configs\": [ { \"service\": \"allServices\", \"audit_log_configs\": [ { \"log_type\": \"DATA_READ\", \"exempted_members\": [ \"user:jose@example.com\" ] }, { \"log_type\": \"DATA_WRITE\" }, { \"log_type\": \"ADMIN_READ\" } ] }, { \"service\": \"sampleservice.googleapis.com\", \"audit_log_configs\": [ { \"log_type\": \"DATA_READ\" }, { \"log_type\": \"DATA_WRITE\", \"exempted_members\": [ \"user:aliya@example.com\" ] } ] } ] } For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts `jose@example.com` from DATA_READ logging, and `aliya@example.com` from DATA_WRITE logging.",
 "id": "AuditConfig",
@@ -3698,6 +4305,75 @@
 },
 "type": "object"
 },
+"InlineCertificateIssuanceConfig": {
+"description": "Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool.",
+"id": "InlineCertificateIssuanceConfig",
+"properties": {
+"caPools": {
+"additionalProperties": {
+"type": "string"
+},
+"description": "Optional. A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints: * Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value. * Value format: A valid CA pool resource path format like: \"projects/{project}/locations/{location}/caPools/{ca_pool}\" * Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).",
+"type": "object"
+},
+"keyAlgorithm": {
+"description": "Optional. Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.",
+"enum": [
+"KEY_ALGORITHM_UNSPECIFIED",
+"RSA_2048",
+"RSA_3072",
+"RSA_4096",
+"ECDSA_P256",
+"ECDSA_P384"
+],
+"enumDescriptions": [
+"Unspecified key algorithm. Defaults to ECDSA_P256.",
+"Specifies RSA with a 2048-bit modulus.",
+"Specifies RSA with a 3072-bit modulus.",
+"Specifies RSA with a 4096-bit modulus.",
+"Specifies ECDSA with curve P256.",
+"Specifies ECDSA with curve P384."
+],
+"type": "string"
+},
+"lifetime": {
+"description": "Optional. Lifetime of the workload certificates issued by the CA pool. Must be between 10 hours - 30 days. If unspecified, this will be defaulted to 24 hours.",
+"format": "google-duration",
+"type": "string"
+},
+"rotationWindowPercentage": {
+"description": "Optional. Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between 10 - 80. If unspecified, this will be defaulted to 50.",
+"format": "int32",
+"type": "integer"
+}
+},
+"type": "object"
+},
+"InlineTrustConfig": {
+"description": "Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration.",
+"id": "InlineTrustConfig",
+"properties": {
+"additionalTrustBundles": {
+"additionalProperties": {
+"$ref": "TrustStore"
+},
+"description": "Optional. Maps specific trust domains (e.g., \"example.com\") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and don't need to be specified here. If however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additional_trust_bundles map, those trust anchors will be *appended to* the Trust Bundle automatically derived from your InlineCertificateIssuanceConfig's ca_pools.",
+"type": "object"
+}
+},
+"type": "object"
+},
+"IntermediateCA": {
+"description": "Intermediate CA certificates used for building the trust chain to trust anchor",
+"id": "IntermediateCA",
+"properties": {
+"pemCertificate": {
+"description": "PEM certificate of the PKI used for validation. Must only contain one ca certificate.",
+"type": "string"
+}
+},
+"type": "object"
+},
 "KeyData": {
 "description": "Represents a public key data along with its format.",
 "id": "KeyData",
@@ -3836,6 +4512,24 @@
 },
 "type": "object"
 },
+"ListAttestationRulesResponse": {
+"description": "Response message for ListAttestationRules.",
+"id": "ListAttestationRulesResponse",
+"properties": {
+"attestationRules": {
+"description": "A list of AttestationRules.",
+"items": {
+"$ref": "AttestationRule"
+},
+"type": "array"
+},
+"nextPageToken": {
+"description": "Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages.",
+"type": "string"
+}
+},
+"type": "object"
+},
 "ListOauthClientCredentialsResponse": {
 "description": "Response message for ListOauthClientCredentials.",
 "id": "ListOauthClientCredentialsResponse",
@@ -3972,6 +4666,42 @@
 },
 "type": "object"
 },
+"ListWorkloadIdentityPoolManagedIdentitiesResponse": {
+"description": "Response message for ListWorkloadIdentityPoolManagedIdentities.",
+"id": "ListWorkloadIdentityPoolManagedIdentitiesResponse",
+"properties": {
+"nextPageToken": {
+"description": "A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages.",
+"type": "string"
+},
+"workloadIdentityPoolManagedIdentities": {
+"description": "A list of managed identities.",
+"items": {
+"$ref": "WorkloadIdentityPoolManagedIdentity"
+},
+"type": "array"
+}
+},
+"type": "object"
+},
+"ListWorkloadIdentityPoolNamespacesResponse": {
+"description": "Response message for ListWorkloadIdentityPoolNamespaces.",
+"id": "ListWorkloadIdentityPoolNamespacesResponse",
+"properties": {
+"nextPageToken": {
+"description": "A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages.",
+"type": "string"
+},
+"workloadIdentityPoolNamespaces": {
+"description": "A list of namespaces.",
+"items": {
+"$ref": "WorkloadIdentityPoolNamespace"
+},
+"type": "array"
+}
+},
+"type": "object"
+},
 "ListWorkloadIdentityPoolProviderKeysResponse": {
 "description": "Response message for ListWorkloadIdentityPoolProviderKeys.",
 "id": "ListWorkloadIdentityPoolProviderKeysResponse",
@@ -4245,6 +4975,17 @@
 },
 "type": "object"
 },
+"OwnerService": {
+"description": "The Google Cloud service that owns this namespace.",
+"id": "OwnerService",
+"properties": {
+"principalSubject": {
+"description": "Required. The service agent principal subject, e.g. \"serviceAccount:service-1234@gcp-sa-gkehub.iam.gserviceaccount.com\".",
+"type": "string"
+}
+},
+"type": "object"
+},
 "PatchServiceAccountRequest": {
 "description": "The service account patch request. You can patch only the `display_name` and `description` fields. You must use the `update_mask` field to specify which of these fields you want to patch. Only the fields specified in the request are guaranteed to be returned in the response. Other fields may be empty in the response.",
 "id": "PatchServiceAccountRequest",
@@ -4529,6 +5270,17 @@ false
 },
 "type": "object"
 },
+"RemoveAttestationRuleRequest": {
+"description": "Request message for RemoveAttestationRule.",
+"id": "RemoveAttestationRuleRequest",
+"properties": {
+"attestationRule": {
+"$ref": "AttestationRule",
+"description": "Required. The attestation rule to be removed."
+}
+},
+"type": "object"
+},
 "Role": {
 "description": "A role in the Identity and Access Management API.",
 "id": "Role",
@@ -4772,6 +5524,20 @@ false
 },
 "type": "object"
 },
+"SetAttestationRulesRequest": {
+"description": "Request message for SetAttestationRules.",
+"id": "SetAttestationRulesRequest",
+"properties": {
+"attestationRules": {
+"description": "Required. The attestation rules to be set. At most 50 attestation rules can be set.",
+"items": {
+"$ref": "AttestationRule"
+},
+"type": "array"
+}
+},
+"type": "object"
+},
 "SetIamPolicyRequest": {
 "description": "Request message for `SetIamPolicy` method.",
 "id": "SetIamPolicyRequest",
@@ -4903,6 +5669,38 @@ false
 },
 "type": "object"
 },
+"TrustAnchor": {
+"description": "Represents a root of trust.",
+"id": "TrustAnchor",
+"properties": {
+"pemCertificate": {
+"description": "PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).",
+"type": "string"
+}
+},
+"type": "object"
+},
+"TrustStore": {
+"description": "Trust store that contains trust anchors and optional intermediate CAs used in PKI to build trust chain and verify client's identity.",
+"id": "TrustStore",
+"properties": {
+"intermediateCas": {
+"description": "Optional. Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: * Intermediate CAs are only supported when configuring x509 federation.",
+"items": {
+"$ref": "IntermediateCA"
+},
+"type": "array"
+},
+"trustAnchors": {
+"description": "Required. List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.",
+"items": {
+"$ref": "TrustAnchor"
+},
+"type": "array"
+}
+},
+"type": "object"
+},
 "UndeleteOauthClientRequest": {
 "description": "Request message for UndeleteOauthClient.",
 "id": "UndeleteOauthClientRequest",
@@ -4961,6 +5759,18 @@ false
 "properties": {},
 "type": "object"
 },
+"UndeleteWorkloadIdentityPoolManagedIdentityRequest": {
+"description": "Request message for UndeleteWorkloadIdentityPoolManagedIdentity.",
+"id": "UndeleteWorkloadIdentityPoolManagedIdentityRequest",
+"properties": {},
+"type": "object"
+},
+"UndeleteWorkloadIdentityPoolNamespaceRequest": {
+"description": "Request message for UndeleteWorkloadIdentityPoolNamespace.",
+"id": "UndeleteWorkloadIdentityPoolNamespaceRequest",
+"properties": {},
+"type": "object"
+},
 "UndeleteWorkloadIdentityPoolProviderKeyRequest": {
 "description": "Request message for UndeleteWorkloadIdentityPoolProviderKey.",
 "id": "UndeleteWorkloadIdentityPoolProviderKeyRequest",
@@ -5185,6 +5995,28 @@ false
 "readOnly": true,
 "type": "string"
 },
+"inlineCertificateIssuanceConfig": {
+"$ref": "InlineCertificateIssuanceConfig",
+"description": "Optional. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates."
+},
+"inlineTrustConfig": {
+"$ref": "InlineTrustConfig",
+"description": "Optional. Represents config to add additional trusted trust domains."
+},
+"mode": {
+"description": "Immutable. The mode the pool is operating in.",
+"enum": [
+"MODE_UNSPECIFIED",
+"FEDERATION_ONLY",
+"TRUST_DOMAIN"
+],
+"enumDescriptions": [
+"State unspecified. New pools should not use this mode. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.",
+"FEDERATION_ONLY mode pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.",
+"TRUST_DOMAIN mode pools can be used to assign identities to either external workloads or those hosted on Google Cloud. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: `ns//sa/` WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools."
+],
+"type": "string"
+},
 "name": {
 "description": "Output only. The resource name of the pool.",
 "readOnly": true,
@@ -5208,6 +6040,93 @@ false
 },
 "type": "object"
 },
+"WorkloadIdentityPoolManagedIdentity": {
+"description": "Represents a managed identity for a workload identity pool namespace.",
+"id": "WorkloadIdentityPoolManagedIdentity",
+"properties": {
+"description": {
+"description": "A description of the managed identity. Cannot exceed 256 characters.",
+"type": "string"
+},
+"disabled": {
+"description": "Whether the managed identity is disabled. If disabled, credentials may no longer be issued for the identity, however existing credentials will still be accepted until they expire.",
+"type": "boolean"
+},
+"expireTime": {
+"description": "Output only. Time after which the managed identity will be permanently purged and cannot be recovered.",
+"format": "google-datetime",
+"readOnly": true,
+"type": "string"
+},
+"name": {
+"description": "Output only. The resource name of the managed identity.",
+"readOnly": true,
+"type": "string"
+},
+"state": {
+"description": "Output only. The state of the managed identity.",
+"enum": [
+"STATE_UNSPECIFIED",
+"ACTIVE",
+"DELETED"
+],
+"enumDescriptions": [
+"State unspecified.",
+"The managed identity is active.",
+"The managed identity is soft-deleted. Soft-deleted managed identities are permanently deleted after approximately 30 days. You can restore a soft-deleted managed identity using UndeleteWorkloadIdentityPoolManagedIdentity. You cannot reuse the ID of a soft-deleted managed identity until it is permanently deleted."
+],
+"readOnly": true,
+"type": "string"
+}
+},
+"type": "object"
+},
+"WorkloadIdentityPoolNamespace": {
+"description": "Represents a namespace for a workload identity pool. Namespaces are used to segment identities within the pool.",
+"id": "WorkloadIdentityPoolNamespace",
+"properties": {
+"description": {
+"description": "A description of the namespace. Cannot exceed 256 characters.",
+"type": "string"
+},
+"disabled": {
+"description": "Whether the namespace is disabled. If disabled, credentials may no longer be issued for identities within this namespace, however existing credentials will still be accepted until they expire.",
+"type": "boolean"
+},
+"expireTime": {
+"description": "Output only. Time after which the namespace will be permanently purged and cannot be recovered.",
+"format": "google-datetime",
+"readOnly": true,
+"type": "string"
+},
+"name": {
+"description": "Output only. The resource name of the namespace.",
+"readOnly": true,
+"type": "string"
+},
+"ownerService": {
+"$ref": "OwnerService",
+"description": "Output only. The Google Cloud service that owns this namespace.",
+"readOnly": true
+},
+"state": {
+"description": "Output only. The state of the namespace.",
+"enum": [
+"STATE_UNSPECIFIED",
+"ACTIVE",
+"DELETED"
+],
+"enumDescriptions": [
+"State unspecified.",
+"The namespace is active.",
+"The namespace is soft-deleted. Soft-deleted namespaces are permanently deleted after approximately 30 days. You can restore a soft-deleted namespace using UndeleteWorkloadIdentityPoolNamespace. You cannot reuse the ID of a soft-deleted namespace until it is permanently deleted."
+],
+"readOnly": true,
+"type": "string"
+}
+},
+"type": "object"
+},
 "WorkloadIdentityPoolOperationMetadata": {
 "description": "Metadata for long-running WorkloadIdentityPool operations.",
 "id": "WorkloadIdentityPoolOperationMetadata",