"""Generated message classes for iam version v1.

Manages identity and access control for Google Cloud Platform resources,
including the creation of service accounts, which you can use to authenticate
to Google and make API calls.
"""
# NOTE: This file is autogenerated and should not be edited by hand.

from apitools.base.protorpclite import messages as _messages
from apitools.base.py import encoding


package = 'iam'


class AuditConfig(_messages.Message):
  """Enables "data access" audit logging for a service and specifies a list of
  members that are log-exempted.

  Fields:
    exemptedMembers: Specifies the identities that are exempted from "data
      access" audit logging for the `service` specified above. Follows the
      same format of Binding.members.
    service: Specifies a service that will be enabled for "data access" audit
      logging. For example, `resourcemanager`, `storage`, `compute`.
      `allServices` is a special value that covers all services.
  """

  # NOTE(review): every identity listed here produces no "data access" audit
  # entries for `service`, so a change to this list is a change to audit
  # coverage and deserves the same review as a change to logging itself.
  exemptedMembers = _messages.StringField(1, repeated=True)
  service = _messages.StringField(2)


class Binding(_messages.Message):
  """Associates `members` with a `role`.

  Fields:
    members: Specifies the identities requesting access for a Cloud Platform
      resource. `members` can have the following values: * `allUsers`: A
      special identifier that represents anyone who is on the internet;
      with or without a Google account. * `allAuthenticatedUsers`: A special
      identifier that represents anyone who is authenticated with a Google
      account or a service account. * `user:{emailid}`: An email address that
      represents a specific Google account. For example, `alice@gmail.com`
      or `joe@example.com`. * `serviceAccount:{emailid}`: An email address
      that represents a service account. For example, `my-other-
      app@appspot.gserviceaccount.com`. * `group:{emailid}`: An email address
      that represents a Google group. For example, `admins@example.com`. *
      `domain:{domain}`: A Google Apps domain name that represents all the
      users of that domain. For example, `google.com` or `example.com`.
    role: Role that is assigned to `members`. For example, `roles/viewer`,
      `roles/editor`, or `roles/owner`. Required
  """

  # NOTE(review): `allUsers` and `allAuthenticatedUsers` are not limited to
  # the caller's own organisation (see the description above). A binding that
  # contains either value grants `role` to any internet user, or to any
  # Google-authenticated identity, respectively. This message type performs no
  # validation of the strings it carries.
  members = _messages.StringField(1, repeated=True)
  role = _messages.StringField(2)


class CloudAuditOptions(_messages.Message):
  """Write a Cloud Audit log"""


class Condition(_messages.Message):
  """A condition to be met.

  Enums:
    IamValueValuesEnum: Trusted attributes supplied by the IAM system.
    OpValueValuesEnum: An operator to apply the subject with.
    SysValueValuesEnum: Trusted attributes supplied by any service that owns
      resources and uses the IAM system for access control.

  Fields:
    iam: Trusted attributes supplied by the IAM system.
    op: An operator to apply the subject with.
    svc: Trusted attributes discharged by the service.
    sys: Trusted attributes supplied by any service that owns resources and
      uses the IAM system for access control.
    value: DEPRECATED. Use 'values' instead.
    values: The objects of the condition. This is mutually exclusive with
      'value'.
  """

  class IamValueValuesEnum(_messages.Enum):
    """Trusted attributes supplied by the IAM system.

    Values:
      NO_ATTR: Default non-attribute.
      AUTHORITY: Either principal or (if present) authority
      ATTRIBUTION: selector Always the original principal, but making clear
    """
    NO_ATTR = 0
    AUTHORITY = 1
    ATTRIBUTION = 2

  class OpValueValuesEnum(_messages.Enum):
    """An operator to apply the subject with.

    Values:
      NO_OP: Default no-op.
      EQUALS: DEPRECATED. Use IN instead.
      NOT_EQUALS: DEPRECATED. Use NOT_IN instead.
      IN: Set-inclusion check.
      NOT_IN: Set-exclusion check.
      DISCHARGED: Subject is discharged
    """
    NO_OP = 0
    EQUALS = 1
    NOT_EQUALS = 2
    IN = 3
    NOT_IN = 4
    DISCHARGED = 5

  class SysValueValuesEnum(_messages.Enum):
    """Trusted attributes supplied by any service that owns resources and uses
    the IAM system for access control.

    Values:
      NO_ATTR: Default non-attribute type
      REGION: Region of the resource
      SERVICE: Service name
      NAME: Resource name
      IP: IP address of the caller
    """
    NO_ATTR = 0
    REGION = 1
    SERVICE = 2
    NAME = 3
    IP = 4

  iam = _messages.EnumField('IamValueValuesEnum', 1)
  op = _messages.EnumField('OpValueValuesEnum', 2)
  svc = _messages.StringField(3)
  sys = _messages.EnumField('SysValueValuesEnum', 4)
  # `value` is the deprecated single-valued form; per the class docstring it is
  # mutually exclusive with `values`.
  value = _messages.StringField(5)
  values = _messages.StringField(6, repeated=True)


class CounterOptions(_messages.Message):
  """Options for counters

  Fields:
    field: The field value to attribute.
    metric: The metric to update.
  """

  field = _messages.StringField(1)
  metric = _messages.StringField(2)


class CreateServiceAccountKeyRequest(_messages.Message):
  """The service account key create request.

  Enums:
    PrivateKeyTypeValueValuesEnum: The output format of the private key.
      `GOOGLE_CREDENTIALS_FILE` is the default output format.

  Fields:
    privateKeyType: The output format of the private key.
      `GOOGLE_CREDENTIALS_FILE` is the default output format.
  """

  class PrivateKeyTypeValueValuesEnum(_messages.Enum):
    """The output format of the private key. `GOOGLE_CREDENTIALS_FILE` is the
    default output format.

    Values:
      TYPE_UNSPECIFIED: Unspecified. Equivalent to
        `TYPE_GOOGLE_CREDENTIALS_FILE`.
      TYPE_PKCS12_FILE: PKCS12 format. The password for the PKCS12 file is
        `notasecret`. For more information, see
        https://tools.ietf.org/html/rfc7292.
      TYPE_GOOGLE_CREDENTIALS_FILE: Google Credentials File format.
    """
    TYPE_UNSPECIFIED = 0
    # NOTE(review): the PKCS12 password is the fixed, documented string
    # `notasecret`, so it adds no confidentiality. A file exported in this
    # format has to be stored and transported like an unencrypted private key.
    TYPE_PKCS12_FILE = 1
    TYPE_GOOGLE_CREDENTIALS_FILE = 2

  privateKeyType = _messages.EnumField('PrivateKeyTypeValueValuesEnum', 1)


class CreateServiceAccountRequest(_messages.Message):
  """The service account create request.

  Fields:
    accountId: Required. The account id that is used to generate the service
      account email address and a stable unique id. It is unique within a
      project, must be 1-63 characters long, and match the regular expression
      `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
    serviceAccount: The ServiceAccount resource to create. Currently, only the
      following values are user assignable: `display_name` .
  """

  # The length and pattern constraints on `accountId` are documented only; no
  # check is declared on this field.
  accountId = _messages.StringField(1)
  serviceAccount = _messages.MessageField('ServiceAccount', 2)


class DataAccessOptions(_messages.Message):
  """Write a Data Access (Gin) log"""


class Empty(_messages.Message):
  """A generic empty message that you can re-use to avoid defining duplicated
  empty messages in your APIs. A typical example is to use it as the request
  or the response type of an API method. For instance: service Foo {
  rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } The
  JSON representation for `Empty` is empty JSON object `{}`.
  """



class GetPolicyDetailsRequest(_messages.Message):
  """The request to get the current policy and the policies on the inherited
  resources the user has access to.

  Fields:
    fullResourcePath: REQUIRED: The full resource path of the current policy
      being requested, e.g., `//dataflow.googleapis.com/projects/../jobs/..`.
    pageSize: Limit on the number of policies to include in the response.
      Further accounts can subsequently be obtained by including the
      GetPolicyDetailsResponse.next_page_token in a subsequent request. If
      zero, the default page size 20 will be used. Must be given a value in
      range [0, 100], otherwise an invalid argument error will be returned.
    pageToken: Optional pagination token returned in an earlier
      GetPolicyDetailsResponse.next_page_token response.
  """

  # `fullResourcePath` is documented as REQUIRED but is not declared with
  # required=True, so a missing value is not rejected by this message type.
  fullResourcePath = _messages.StringField(1)
  pageSize = _messages.IntegerField(2, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(3)


class GetPolicyDetailsResponse(_messages.Message):
  """The response to the `GetPolicyDetailsRequest` containing the current
  policy and the policies on the inherited resources the user has access to.

  Fields:
    nextPageToken: To retrieve the next page of results, set
      GetPolicyDetailsRequest.page_token to this value. If this value is
      empty, then there are not any further policies that the user has access
      to. The lifetime is 60 minutes. An "Expired pagination token" error will
      be returned if exceeded.
    policies: The current policy and all the inherited policies the user has
      access to.
  """

  nextPageToken = _messages.StringField(1)
  policies = _messages.MessageField('PolicyDetail', 2, repeated=True)


class IamProjectsServiceAccountsCreateRequest(_messages.Message):
  """A IamProjectsServiceAccountsCreateRequest object.

  Fields:
    createServiceAccountRequest: A CreateServiceAccountRequest resource to be
      passed as the request body.
    name: Required. The resource name of the project associated with the
      service accounts, such as `projects/my-project-123`.
  """

  createServiceAccountRequest = _messages.MessageField('CreateServiceAccountRequest', 1)
  name = _messages.StringField(2, required=True)


class IamProjectsServiceAccountsDeleteRequest(_messages.Message):
  """A IamProjectsServiceAccountsDeleteRequest object.

  Fields:
    name: The resource name of the service account in the following format:
      `projects/{project}/serviceAccounts/{account}`. Using `-` as a wildcard
      for the project will infer the project from the account. The `account`
      value can be the `email` address or the `unique_id` of the service
      account.
  """

  name = _messages.StringField(1, required=True)


class IamProjectsServiceAccountsGetIamPolicyRequest(_messages.Message):
  """A IamProjectsServiceAccountsGetIamPolicyRequest object.

  Fields:
    resource: REQUIRED: The resource for which the policy is being requested.
      `resource` is usually specified as a path, such as
      `projects/*project*/zones/*zone*/disks/*disk*`. The format for the path
      specified in this value is resource specific and is specified in the
      `getIamPolicy` documentation.
  """

  resource = _messages.StringField(1, required=True)


class IamProjectsServiceAccountsGetRequest(_messages.Message):
  """A IamProjectsServiceAccountsGetRequest object.

  Fields:
    name: The resource name of the service account in the following format:
      `projects/{project}/serviceAccounts/{account}`. Using `-` as a wildcard
      for the project will infer the project from the account. The `account`
      value can be the `email` address or the `unique_id` of the service
      account.
  """

  name = _messages.StringField(1, required=True)


class IamProjectsServiceAccountsKeysCreateRequest(_messages.Message):
  """A IamProjectsServiceAccountsKeysCreateRequest object.

  Fields:
    createServiceAccountKeyRequest: A CreateServiceAccountKeyRequest resource
      to be passed as the request body.
    name: The resource name of the service account in the following format:
      `projects/{project}/serviceAccounts/{account}`. Using `-` as a wildcard
      for the project will infer the project from the account. The `account`
      value can be the `email` address or the `unique_id` of the service
      account.
  """

  createServiceAccountKeyRequest = _messages.MessageField('CreateServiceAccountKeyRequest', 1)
  name = _messages.StringField(2, required=True)


class IamProjectsServiceAccountsKeysDeleteRequest(_messages.Message):
  """A IamProjectsServiceAccountsKeysDeleteRequest object.

  Fields:
    name: The resource name of the service account key in the following
      format: `projects/{project}/serviceAccounts/{account}/keys/{key}`. Using
      `-` as a wildcard for the project will infer the project from the
      account. The `account` value can be the `email` address or the
      `unique_id` of the service account.
  """

  name = _messages.StringField(1, required=True)


class IamProjectsServiceAccountsKeysGetRequest(_messages.Message):
  """A IamProjectsServiceAccountsKeysGetRequest object.

  Enums:
    PublicKeyTypeValueValuesEnum: The output format of the public key
      requested. X509_PEM is the default output format.

  Fields:
    name: The resource name of the service account key in the following
      format: `projects/{project}/serviceAccounts/{account}/keys/{key}`.
      Using `-` as a wildcard for the project will infer the project from the
      account. The `account` value can be the `email` address or the
      `unique_id` of the service account.
    publicKeyType: The output format of the public key requested. X509_PEM is
      the default output format.
  """

  class PublicKeyTypeValueValuesEnum(_messages.Enum):
    """The output format of the public key requested. X509_PEM is the default
    output format.

    Values:
      TYPE_NONE: <no description>
      TYPE_X509_PEM_FILE: <no description>
      TYPE_RAW_PUBLIC_KEY: <no description>
    """
    TYPE_NONE = 0
    TYPE_X509_PEM_FILE = 1
    TYPE_RAW_PUBLIC_KEY = 2

  name = _messages.StringField(1, required=True)
  publicKeyType = _messages.EnumField('PublicKeyTypeValueValuesEnum', 2)


class IamProjectsServiceAccountsKeysListRequest(_messages.Message):
  """A IamProjectsServiceAccountsKeysListRequest object.

  Enums:
    KeyTypesValueValuesEnum: Filters the types of keys the user wants to
      include in the list response. Duplicate key types are not allowed. If no
      key type is provided, all keys are returned.

  Fields:
    keyTypes: Filters the types of keys the user wants to include in the list
      response. Duplicate key types are not allowed. If no key type is
      provided, all keys are returned.
    name: The resource name of the service account in the following format:
      `projects/{project}/serviceAccounts/{account}`. Using `-` as a wildcard
      for the project, will infer the project from the account. The `account`
      value can be the `email` address or the `unique_id` of the service
      account.
  """

  class KeyTypesValueValuesEnum(_messages.Enum):
    """Filters the types of keys the user wants to include in the list
    response. Duplicate key types are not allowed. If no key type is provided,
    all keys are returned.

    Values:
      KEY_TYPE_UNSPECIFIED: <no description>
      USER_MANAGED: <no description>
      SYSTEM_MANAGED: <no description>
    """
    KEY_TYPE_UNSPECIFIED = 0
    USER_MANAGED = 1
    SYSTEM_MANAGED = 2

  # Listing with `USER_MANAGED` is the filter to use when inventorying the
  # keys whose rotation is the user's responsibility (see ServiceAccountKey).
  keyTypes = _messages.EnumField('KeyTypesValueValuesEnum', 1, repeated=True)
  name = _messages.StringField(2, required=True)


class IamProjectsServiceAccountsListRequest(_messages.Message):
  """A IamProjectsServiceAccountsListRequest object.

  Fields:
    name: Required. The resource name of the project associated with the
      service accounts, such as `projects/my-project-123`.
    pageSize: Optional limit on the number of service accounts to include in
      the response. Further accounts can subsequently be obtained by including
      the ListServiceAccountsResponse.next_page_token in a subsequent request.
    pageToken: Optional pagination token returned in an earlier
      ListServiceAccountsResponse.next_page_token.
    removeDeletedServiceAccounts: Do not list service accounts deleted from
      Gaia. <b><font color="red">DO NOT INCLUDE IN EXTERNAL
      DOCUMENTATION</font></b>.
  """

  name = _messages.StringField(1, required=True)
  pageSize = _messages.IntegerField(2, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(3)
  # NOTE(review): the description of this field carries an internal-only
  # marker with raw HTML, copied verbatim from the API description. Confirm
  # that the field is meant to be part of the published client surface.
  removeDeletedServiceAccounts = _messages.BooleanField(4)


class IamProjectsServiceAccountsSetIamPolicyRequest(_messages.Message):
  """A IamProjectsServiceAccountsSetIamPolicyRequest object.

  Fields:
    resource: REQUIRED: The resource for which the policy is being specified.
      `resource` is usually specified as a path, such as
      `projects/*project*/zones/*zone*/disks/*disk*`. The format for the path
      specified in this value is resource specific and is specified in the
      `setIamPolicy` documentation.
    setIamPolicyRequest: A SetIamPolicyRequest resource to be passed as the
      request body.
  """

  resource = _messages.StringField(1, required=True)
  setIamPolicyRequest = _messages.MessageField('SetIamPolicyRequest', 2)


class IamProjectsServiceAccountsSignBlobRequest(_messages.Message):
  """A IamProjectsServiceAccountsSignBlobRequest object.

  Fields:
    name: The resource name of the service account in the following format:
      `projects/{project}/serviceAccounts/{account}`. Using `-` as a wildcard
      for the project will infer the project from the account. The `account`
      value can be the `email` address or the `unique_id` of the service
      account.
    signBlobRequest: A SignBlobRequest resource to be passed as the request
      body.
  """

  name = _messages.StringField(1, required=True)
  signBlobRequest = _messages.MessageField('SignBlobRequest', 2)


class IamProjectsServiceAccountsSignJwtRequest(_messages.Message):
  """A IamProjectsServiceAccountsSignJwtRequest object.

  Fields:
    name: The resource name of the service account in the following format:
      `projects/{project}/serviceAccounts/{account}`. Using `-` as a wildcard
      for the project will infer the project from the account. The `account`
      value can be the `email` address or the `unique_id` of the service
      account.
    signJwtRequest: A SignJwtRequest resource to be passed as the request
      body.
  """

  name = _messages.StringField(1, required=True)
  signJwtRequest = _messages.MessageField('SignJwtRequest', 2)


class IamProjectsServiceAccountsTestIamPermissionsRequest(_messages.Message):
  """A IamProjectsServiceAccountsTestIamPermissionsRequest object.

  Fields:
    resource: REQUIRED: The resource for which the policy detail is being
      requested. `resource` is usually specified as a path, such as
      `projects/*project*/zones/*zone*/disks/*disk*`. The format for the path
      specified in this value is resource specific and is specified in the
      `testIamPermissions` documentation.
    testIamPermissionsRequest: A TestIamPermissionsRequest resource to be
      passed as the request body.
  """

  resource = _messages.StringField(1, required=True)
  testIamPermissionsRequest = _messages.MessageField('TestIamPermissionsRequest', 2)


class ListServiceAccountKeysResponse(_messages.Message):
  """The service account keys list response.

  Fields:
    keys: The public keys for the service account.
  """

  keys = _messages.MessageField('ServiceAccountKey', 1, repeated=True)


class ListServiceAccountsResponse(_messages.Message):
  """The service account list response.

  Fields:
    accounts: The list of matching service accounts.
    nextPageToken: To retrieve the next page of results, set
      ListServiceAccountsRequest.page_token to this value.
  """

  accounts = _messages.MessageField('ServiceAccount', 1, repeated=True)
  nextPageToken = _messages.StringField(2)


class LogConfig(_messages.Message):
  """Specifies what kind of log the caller must write. Increment a streamz
  counter with the specified metric and field names. Metric names should
  start with a '/', generally be lowercase-only, and end in "_count". Field
  names should not contain an initial slash. The actual exported metric names
  will have "/iam/policy" prepended. Field names correspond to IAM request
  parameters and field values are their respective values. At present the
  only supported field names are - "iam_principal", corresponding to
  IAMContext.principal; - "" (empty string), resulting in one aggregated
  counter with no field. Examples: counter { metric: "/debug_access_count"
  field: "iam_principal" } ==> increment counter
  /iam/policy/backend_debug_access_count
  {iam_principal=[value of IAMContext.principal]} At this time we do not
  support: * multiple field names (though this may be supported in the future)
  * decrementing the counter * incrementing it by anything other than 1

  Fields:
    cloudAudit: Cloud audit options.
    counter: Counter options.
    dataAccess: Data access options.
  """

  cloudAudit = _messages.MessageField('CloudAuditOptions', 1)
  counter = _messages.MessageField('CounterOptions', 2)
  dataAccess = _messages.MessageField('DataAccessOptions', 3)


class Policy(_messages.Message):
  """Defines an Identity and Access Management (IAM) policy. It is used to
  specify access control policies for Cloud Platform resources. A `Policy`
  consists of a list of `bindings`. A `Binding` binds a list of `members` to a
  `role`, where the members can be user accounts, Google groups, Google
  domains, and service accounts. A `role` is a named list of permissions
  defined by IAM. **Example** { "bindings": [ {
  "role": "roles/owner", "members": [
  "user:mike@example.com", "group:admins@example.com",
  "domain:google.com", "serviceAccount:my-other-
  app@appspot.gserviceaccount.com", ] }, {
  "role": "roles/viewer", "members": ["user:sean@example.com"]
  } ] } For a description of IAM and its features, see the [IAM
  developer's guide](https://cloud.google.com/iam).

  Fields:
    auditConfigs: Specifies audit logging configs for "data access". "data
      access": generally refers to data reads/writes and admin reads. "admin
      activity": generally refers to admin writes. Note: `AuditConfig`
      doesn't apply to "admin activity", which always enables audit logging.
    bindings: Associates a list of `members` to a `role`. Multiple `bindings`
      must not be specified for the same `role`. `bindings` with no members
      will result in an error.
    etag: `etag` is used for optimistic concurrency control as a way to help
      prevent simultaneous updates of a policy from overwriting each other. It
      is strongly suggested that systems make use of the `etag` in the read-
      modify-write cycle to perform policy updates in order to avoid race
      conditions: An `etag` is returned in the response to `getIamPolicy`, and
      systems are expected to put that etag in the request to `setIamPolicy`
      to ensure that their change will be applied to the same version of the
      policy. If no `etag` is provided in the call to `setIamPolicy`, then
      the existing policy is overwritten blindly.
    iamOwned: A boolean attribute.
    rules: If more than one rule is specified, the rules are applied in the
      following manner: - All matching LOG rules are always applied. - If any
      DENY/DENY_WITH_LOG rule matches, permission is denied. Logging will be
      applied if one or more matching rule requires logging. - Otherwise, if
      any ALLOW/ALLOW_WITH_LOG rule matches, permission is granted.
      Logging will be applied if one or more matching rule requires logging. -
      Otherwise, if no rule applies, permission is denied.
    version: Version of the `Policy`. The default version is 0.
  """

  auditConfigs = _messages.MessageField('AuditConfig', 1, repeated=True)
  bindings = _messages.MessageField('Binding', 2, repeated=True)
  # NOTE(review): a `setIamPolicy` call without `etag` replaces the stored
  # policy unconditionally (see the description above). Callers doing
  # read-modify-write should echo the etag returned by `getIamPolicy`,
  # otherwise a concurrent change, such as a revocation, can be silently
  # undone.
  etag = _messages.BytesField(3)
  iamOwned = _messages.BooleanField(4)
  # Per the description above, evaluation is deny-by-default and a matching
  # DENY rule takes precedence over a matching ALLOW rule.
  rules = _messages.MessageField('Rule', 5, repeated=True)
  version = _messages.IntegerField(6, variant=_messages.Variant.INT32)


class PolicyDetail(_messages.Message):
  """A policy and its full resource path.

  Fields:
    fullResourcePath: The full resource path of the policy e.g.,
      `//dataflow.googleapis.com/projects/../jobs/..`. Note that a resource
      and its inherited resource have different `full_resource_path`.
    policy: The policy of a `resource/project/folder`.
  """

  fullResourcePath = _messages.StringField(1)
  policy = _messages.MessageField('Policy', 2)


class QueryGrantableRolesRequest(_messages.Message):
  """The grantable role query request.

  Fields:
    fullResourceName: Required. The full resource name to query from the list
      of grantable roles. The name follows the Google Cloud Platform resource
      format. For example, a Cloud Platform project with id `my-project` will
      be named `//cloudresourcemanager.googleapis.com/projects/my-project`.
  """

  fullResourceName = _messages.StringField(1)


class QueryGrantableRolesResponse(_messages.Message):
  """The grantable role query response.

  Fields:
    roles: The list of matching roles.
  """

  roles = _messages.MessageField('Role', 1, repeated=True)


class Role(_messages.Message):
  """A role in the Identity and Access Management API.

  Fields:
    apiTokens: A string attribute.
    description: Optional. A human-readable description for the role.
    name: The name of the role. Examples of roles names are: `roles/editor`,
      `roles/viewer` and `roles/logging.viewer`.
    title: Optional. A human-readable title for the role. Typically this is
      limited to 100 UTF-8 bytes.
  """

  # NOTE(review): `apiTokens` has no description beyond "A string attribute";
  # its meaning and sensitivity cannot be determined from this file. Confirm
  # against the API definition before logging or displaying it.
  apiTokens = _messages.StringField(1, repeated=True)
  description = _messages.StringField(2)
  name = _messages.StringField(3)
  title = _messages.StringField(4)


class Rule(_messages.Message):
  """A rule to be applied in a Policy.

  Enums:
    ActionValueValuesEnum: Required

  Fields:
    action: Required
    conditions: Additional restrictions that must be met
    description: Human-readable description of the rule.
    in_: If one or more 'in' clauses are specified, the rule matches if the
      PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
    logConfig: The config returned to callers of tech.iam.IAM.CheckPolicy for
      any entries that match the LOG action.
    notIn: If one or more 'not_in' clauses are specified, the rule matches if
      the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries. The format
      for in and not_in entries is the same as for members in a Binding (see
      google/iam/v1/policy.proto).
    permissions: A permission is a string of form '<service>.<resource
      type>.<verb>' (e.g., 'storage.buckets.list'). A value of '*' matches all
      permissions, and a verb part of '*' (e.g., 'storage.buckets.*') matches
      all verbs.
  """

  class ActionValueValuesEnum(_messages.Enum):
    """Required

    Values:
      NO_ACTION: Default no action.
      ALLOW: Matching 'Entries' grant access.
      ALLOW_WITH_LOG: Matching 'Entries' grant access and the caller promises
        to log the request per the returned log_configs.
      DENY: Matching 'Entries' deny access.
      DENY_WITH_LOG: Matching 'Entries' deny access and the caller promises to
        log the request per the returned log_configs.
      LOG: Matching 'Entries' tell IAM.Check callers to generate logs.
    """
    NO_ACTION = 0
    ALLOW = 1
    # For the *_WITH_LOG actions the enum text says the caller "promises" to
    # log; the wording places the logging duty on the caller.
    ALLOW_WITH_LOG = 2
    DENY = 3
    DENY_WITH_LOG = 4
    LOG = 5

  # `action` is documented as Required but is not declared with required=True.
  action = _messages.EnumField('ActionValueValuesEnum', 1)
  conditions = _messages.MessageField('Condition', 2, repeated=True)
  description = _messages.StringField(3)
  # Trailing underscore because `in` is a Python keyword.
  in_ = _messages.StringField(4, repeated=True)
  logConfig = _messages.MessageField('LogConfig', 5, repeated=True)
  notIn = _messages.StringField(6, repeated=True)
  # NOTE(review): '*' matches every permission and '<service>.<type>.*' every
  # verb (see the description above), so an ALLOW rule carrying a wildcard is
  # the broadest grant this message can express. Review such rules
  # individually.
  permissions = _messages.StringField(7, repeated=True)


class ServiceAccount(_messages.Message):
  """A service account in the Identity and Access Management API. To create a
  service account, specify the `project_id` and the `account_id` for the
  account. The `account_id` is unique within the project, and is used to
  generate the service account email address and a stable `unique_id`. All
  other methods can identify the service account using the format
  `projects/{project}/serviceAccounts/{account}`. Using `-` as a wildcard for
  the project will infer the project from the account. The `account` value can
  be the `email` address or the `unique_id` of the service account.

  Fields:
    description: Optional. A user-specified opaque description of the service
      account.
    displayName: Optional. A user-specified description of the service
      account. Must be fewer than 100 UTF-8 bytes.
    email: @OutputOnly The email address of the service account.
    etag: Used to perform a consistent read-modify-write.
    name: The resource name of the service account in the following format:
      `projects/{project}/serviceAccounts/{account}`. Requests using `-` as a
      wildcard for the project will infer the project from the `account` and
      the `account` value can be the `email` address or the `unique_id` of the
      service account. In responses the resource name will always be in the
      format `projects/{project}/serviceAccounts/{email}`.
    oauth2ClientId: @OutputOnly. The OAuth2 client id for the service account.
      This is used in conjunction with the OAuth2 clientconfig API to make
      three legged OAuth2 (3LO) flows to access the data of Google users.
    projectId: @OutputOnly The id of the project that owns the service
      account.
    uniqueId: @OutputOnly The unique and stable id of the service account.
  """

  description = _messages.StringField(1)
  displayName = _messages.StringField(2)
  email = _messages.StringField(3)
  etag = _messages.BytesField(4)
  name = _messages.StringField(5)
  oauth2ClientId = _messages.StringField(6)
  projectId = _messages.StringField(7)
  uniqueId = _messages.StringField(8)


class ServiceAccountKey(_messages.Message):
  """Represents a service account key. A service account has two sets of key-
  pairs: user-managed, and system-managed. User-managed key-pairs can be
  created and deleted by users. Users are responsible for rotating these keys
  periodically to ensure security of their service accounts. Users retain the
  private key of these key-pairs, and Google retains ONLY the public key.
  System-managed key-pairs are managed automatically by Google, and rotated
  daily without user intervention. The private key never leaves Google's
  servers to maximize security. Public keys for all service accounts are also
  published at the OAuth2 Service Account API.

  Enums:
    PrivateKeyTypeValueValuesEnum: The output format for the private key. Only
      provided in `CreateServiceAccountKey` responses, not in
      `GetServiceAccountKey` or `ListServiceAccountKey` responses. Google
      never exposes system-managed private keys, and never retains user-
      managed private keys.

  Fields:
    name: The resource name of the service account key in the following format
      `projects/{project}/serviceAccounts/{account}/keys/{key}`.
    privateKeyData: The private key data. Only provided in
      `CreateServiceAccountKey` responses.
    privateKeyType: The output format for the private key. Only provided in
      `CreateServiceAccountKey` responses, not in `GetServiceAccountKey` or
      `ListServiceAccountKey` responses. Google never exposes system-managed
      private keys, and never retains user-managed private keys.
    publicKeyData: The public key data. Only provided in
      `GetServiceAccountKey` responses.
    validAfterTime: The key can be used after this timestamp.
    validBeforeTime: The key can be used before this timestamp.
  """

  class PrivateKeyTypeValueValuesEnum(_messages.Enum):
    """The output format for the private key. Only provided in
    `CreateServiceAccountKey` responses, not in `GetServiceAccountKey` or
    `ListServiceAccountKey` responses. Google never exposes system-managed
    private keys, and never retains user-managed private keys.

    Values:
      TYPE_UNSPECIFIED: Unspecified. Equivalent to
        `TYPE_GOOGLE_CREDENTIALS_FILE`.
      TYPE_PKCS12_FILE: PKCS12 format. The password for the PKCS12 file is
        `notasecret`. For more information, see
        https://tools.ietf.org/html/rfc7292.
      TYPE_GOOGLE_CREDENTIALS_FILE: Google Credentials File format.
    """
    TYPE_UNSPECIFIED = 0
    # The PKCS12 password is the fixed string `notasecret` (see above); it
    # does not protect the key.
    TYPE_PKCS12_FILE = 1
    TYPE_GOOGLE_CREDENTIALS_FILE = 2

  name = _messages.StringField(1)
  # NOTE(review): private key material. Per the description it is returned
  # only in `CreateServiceAccountKey` responses and is not retained by Google,
  # so that response is the sole copy. Keep this field out of logs, debug
  # dumps and serialized message traces.
  privateKeyData = _messages.BytesField(2)
  privateKeyType = _messages.EnumField('PrivateKeyTypeValueValuesEnum', 3)
  publicKeyData = _messages.BytesField(4)
  # The validity bounds are carried as strings; the timestamp format is not
  # stated in this file.
  validAfterTime = _messages.StringField(5)
  validBeforeTime = _messages.StringField(6)


class SetIamPolicyRequest(_messages.Message):
  """Request message for `SetIamPolicy` method.

  Fields:
    policy: REQUIRED: The complete policy to be applied to the `resource`. The
      size of the policy is limited to a few 10s of KB. An empty policy is a
      valid policy but certain Cloud Platform services (such as Projects)
      might reject them.
  """

  # The policy is applied as a whole ("complete policy"), so bindings absent
  # from the submitted message are not preserved. See `Policy.etag` for the
  # concurrency guard.
  policy = _messages.MessageField('Policy', 1)


class SignBlobRequest(_messages.Message):
  """The service account sign blob request.

  Fields:
    bytesToSign: The bytes to sign.
  """

  # NOTE(review): this message carries only the raw bytes; any restriction on
  # what may be signed is not expressed here. Presumably the ability to call
  # the signing method is the control to audit; confirm against the API
  # documentation.
  bytesToSign = _messages.BytesField(1)


class SignBlobResponse(_messages.Message):
  """The service account sign blob response.

  Fields:
    keyId: The id of the key used to sign the blob.
    signature: The signed blob.
  """

  keyId = _messages.StringField(1)
  signature = _messages.BytesField(2)


class SignJwtRequest(_messages.Message):
  """The service account sign JWT request.

  Fields:
    payload: The JWT payload to sign, a JSON JWT Claim set.
  """

  # NOTE(review): the claim set is supplied by the caller as a string; this
  # message type does not constrain its claims (audience, expiry, subject).
  # Whether the service validates them is not visible here. TODO confirm.
  payload = _messages.StringField(1)


class SignJwtResponse(_messages.Message):
  """The service account sign JWT response.

  Fields:
    keyId: The id of the key used to sign the JWT.
    signedJwt: The signed JWT.
  """

  keyId = _messages.StringField(1)
  # A signed JWT is a credential in its own right; handle it like a token.
  signedJwt = _messages.StringField(2)


class StandardQueryParameters(_messages.Message):
  """Query parameters accepted by all methods.

  Enums:
    FXgafvValueValuesEnum: V1 error format.
    AltValueValuesEnum: Data format for response.

  Fields:
    f__xgafv: V1 error format.
    access_token: OAuth access token.
    alt: Data format for response.
    bearer_token: OAuth bearer token.
    callback: JSONP
    fields: Selector specifying which fields to include in a partial response.
    key: API key. Your API key identifies your project and provides you with
      API access, quota, and reports. Required unless you provide an OAuth 2.0
      token.
    oauth_token: OAuth 2.0 token for the current user.
    pp: Pretty-print response.
    prettyPrint: Returns response with indentations and line breaks.
    quotaUser: Available to use for quota purposes for server-side
      applications. Can be any arbitrary string assigned to a user, but should
      not exceed 40 characters.
    trace: A tracing token of the form "token:<tokenid>" to include in api
      requests.
    uploadType: Legacy upload protocol for media (e.g. "media", "multipart").
    upload_protocol: Upload protocol for media (e.g. "raw", "multipart").
  """

  # NOTE(review): `access_token`, `bearer_token`, `key` and `oauth_token` are
  # credentials carried as query parameters. Request URLs are commonly
  # recorded by proxies and access logs, so redact these parameters wherever
  # URLs are logged. The field declarations are outside this excerpt.

  class AltValueValuesEnum(_messages.Enum):
    """Data format for response.

    Values:
      json: Responses with Content-Type of application/json
      media: Media download with context-dependent Content-Type
      proto: Responses with Content-Type of application/x-protobuf
    """
    json = 0
    media = 1
    proto = 2

  class FXgafvValueValuesEnum(_messages.Enum):
    """V1 error format.
906 907 Values: 908 _1: v1 error format 909 _2: v2 error format 910 """ 911 _1 = 0 912 _2 = 1 913 914 f__xgafv = _messages.EnumField('FXgafvValueValuesEnum', 1) 915 access_token = _messages.StringField(2) 916 alt = _messages.EnumField('AltValueValuesEnum', 3, default=u'json') 917 bearer_token = _messages.StringField(4) 918 callback = _messages.StringField(5) 919 fields = _messages.StringField(6) 920 key = _messages.StringField(7) 921 oauth_token = _messages.StringField(8) 922 pp = _messages.BooleanField(9, default=True) 923 prettyPrint = _messages.BooleanField(10, default=True) 924 quotaUser = _messages.StringField(11) 925 trace = _messages.StringField(12) 926 uploadType = _messages.StringField(13) 927 upload_protocol = _messages.StringField(14) 928 929 930class TestIamPermissionsRequest(_messages.Message): 931 """Request message for `TestIamPermissions` method. 932 933 Fields: 934 permissions: The set of permissions to check for the `resource`. 935 Permissions with wildcards (such as '*' or 'storage.*') are not allowed. 936 For more information see IAM Overview. 937 """ 938 939 permissions = _messages.StringField(1, repeated=True) 940 941 942class TestIamPermissionsResponse(_messages.Message): 943 """Response message for `TestIamPermissions` method. 944 945 Fields: 946 permissions: A subset of `TestPermissionsRequest.permissions` that the 947 caller is allowed. 948 """ 949 950 permissions = _messages.StringField(1, repeated=True) 951 952 953encoding.AddCustomJsonFieldMapping( 954 Rule, 'in_', 'in', 955 package=u'iam') 956encoding.AddCustomJsonFieldMapping( 957 StandardQueryParameters, 'f__xgafv', '$.xgafv', 958 package=u'iam') 959encoding.AddCustomJsonEnumMapping( 960 StandardQueryParameters.FXgafvValueValuesEnum, '_1', '1', 961 package=u'iam') 962encoding.AddCustomJsonEnumMapping( 963 StandardQueryParameters.FXgafvValueValuesEnum, '_2', '2', 964 package=u'iam') 965