// Copyright 2022 Google LLC

//

// Licensed under the Apache License, Version 2.0 (the "License");

// you may not use this file except in compliance with the License.

// You may obtain a copy of the License at

//

// http://www.apache.org/licenses/LICENSE-2.0

//

// Unless required by applicable law or agreed to in writing, software

// distributed under the License is distributed on an "AS IS" BASIS,

// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

// See the License for the specific language governing permissions and

// limitations under the License.

syntax = "proto3";

package google.iam.admin.v1;

import "google/api/annotations.proto";

import "google/api/client.proto";

import "google/api/field_behavior.proto";

import "google/api/resource.proto";

import "google/iam/v1/iam_policy.proto";

import "google/iam/v1/policy.proto";

import "google/protobuf/empty.proto";

import "google/protobuf/field_mask.proto";

import "google/protobuf/timestamp.proto";

import "google/type/expr.proto";

option cc_enable_arenas = true;

option csharp_namespace = "Google.Cloud.Iam.Admin.V1";

option go_package = "cloud.google.com/go/iam/admin/apiv1/adminpb;adminpb";

option java_multiple_files = true;

option java_package = "com.google.iam.admin.v1";

option php_namespace = "Google\\Cloud\\Iam\\Admin\\V1";

// Creates and manages Identity and Access Management (IAM) resources.

//

// You can use this service to work with all of the following resources:

//

// * **Service accounts**, which identify an application or a virtual machine

// (VM) instance rather than a person

// * **Service account keys**, which service accounts use to authenticate with

// Google APIs

// * **IAM policies for service accounts**, which specify the roles that a

// principal has for the service account

// * **IAM custom roles**, which help you limit the number of permissions that

// you grant to principals

//

// In addition, you can use this service to complete the following tasks, among

// others:

//

// * Test whether a service account can use specific permissions

// * Check which roles you can grant for a specific resource

// * Lint, or validate, condition expressions in an IAM policy

//

// When you read data from the IAM API, each read is eventually consistent. In

// other words, if you write data with the IAM API, then immediately read that

// data, the read operation might return an older version of the data. To deal

// with this behavior, your application can retry the request with truncated

// exponential backoff.

//

// In contrast, writing data to the IAM API is sequentially consistent. In other

// words, write operations are always processed in the order in which they were

// received.

service IAM {

option (google.api.default_host) = "iam.googleapis.com";

option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

// Lists every [ServiceAccount][google.iam.admin.v1.ServiceAccount] that belongs to a specific project.

rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) {

option (google.api.http) = {

get: "/v1/{name=projects/*}/serviceAccounts"

};

option (google.api.method_signature) = "name";

}

// Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount) {

option (google.api.http) = {

get: "/v1/{name=projects/*/serviceAccounts/*}"

};

option (google.api.method_signature) = "name";

}

// Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) {

option (google.api.http) = {

post: "/v1/{name=projects/*}/serviceAccounts"

body: "*"

};

option (google.api.method_signature) = "name,account_id,service_account";

}

// **Note:** We are in the process of deprecating this method. Use

// [PatchServiceAccount][google.iam.admin.v1.IAM.PatchServiceAccount] instead.

//

// Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

//

// You can update only the `display_name` field.

rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) {

option (google.api.http) = {

put: "/v1/{name=projects/*/serviceAccounts/*}"

body: "*"

};

}

// Patches a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

rpc PatchServiceAccount(PatchServiceAccountRequest) returns (ServiceAccount) {

option (google.api.http) = {

patch: "/v1/{service_account.name=projects/*/serviceAccounts/*}"

body: "*"

};

}

// Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

//

// **Warning:** After you delete a service account, you might not be able to

// undelete it. If you know that you need to re-enable the service account in

// the future, use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] instead.

//

// If you delete a service account, IAM permanently removes the service

// account 30 days later. Google Cloud cannot recover the service account

// after it is permanently removed, even if you file a support request.

//

// To help avoid unplanned outages, we recommend that you disable the service

// account before you delete it. Use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] to disable the

// service account, then wait at least 24 hours and watch for unintended

// consequences. If there are no unintended consequences, you can delete the

// service account.

rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) {

option (google.api.http) = {

delete: "/v1/{name=projects/*/serviceAccounts/*}"

};

option (google.api.method_signature) = "name";

}

// Restores a deleted [ServiceAccount][google.iam.admin.v1.ServiceAccount].

//

// **Important:** It is not always possible to restore a deleted service

// account. Use this method only as a last resort.

//

// After you delete a service account, IAM permanently removes the service

// account 30 days later. There is no way to restore a deleted service account

// that has been permanently removed.

rpc UndeleteServiceAccount(UndeleteServiceAccountRequest) returns (UndeleteServiceAccountResponse) {

option (google.api.http) = {

post: "/v1/{name=projects/*/serviceAccounts/*}:undelete"

body: "*"

};

}

// Enables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] that was disabled by

// [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount].

//

// If the service account is already enabled, then this method has no effect.

//

// If the service account was disabled by other means—for example, if Google

// disabled the service account because it was compromised—you cannot use this

// method to enable the service account.

rpc EnableServiceAccount(EnableServiceAccountRequest) returns (google.protobuf.Empty) {

option (google.api.http) = {

post: "/v1/{name=projects/*/serviceAccounts/*}:enable"

body: "*"

};

}

// Disables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] immediately.

//

// If an application uses the service account to authenticate, that

// application can no longer call Google APIs or access Google Cloud

// resources. Existing access tokens for the service account are rejected, and

// requests for new access tokens will fail.

//

// To re-enable the service account, use [EnableServiceAccount][google.iam.admin.v1.IAM.EnableServiceAccount]. After you

// re-enable the service account, its existing access tokens will be accepted,

// and you can request new access tokens.

//

// To help avoid unplanned outages, we recommend that you disable the service

// account before you delete it. Use this method to disable the service

// account, then wait at least 24 hours and watch for unintended consequences.

// If there are no unintended consequences, you can delete the service account

// with [DeleteServiceAccount][google.iam.admin.v1.IAM.DeleteServiceAccount].

rpc DisableServiceAccount(DisableServiceAccountRequest) returns (google.protobuf.Empty) {

option (google.api.http) = {

post: "/v1/{name=projects/*/serviceAccounts/*}:disable"

body: "*"

};

}

// Lists every [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] for a service account.

rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) {

option (google.api.http) = {

get: "/v1/{name=projects/*/serviceAccounts/*}/keys"

};

option (google.api.method_signature) = "name,key_types";

}

// Gets a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) {

option (google.api.http) = {

get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"

};

option (google.api.method_signature) = "name,public_key_type";

}

// Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) {

option (google.api.http) = {

post: "/v1/{name=projects/*/serviceAccounts/*}/keys"

body: "*"

};

option (google.api.method_signature) = "name,private_key_type,key_algorithm";

}

// Uploads the public key portion of a key pair that you manage, and

// associates the public key with a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

//

// After you upload the public key, you can use the private key from the key

// pair as a service account key.

rpc UploadServiceAccountKey(UploadServiceAccountKeyRequest) returns (ServiceAccountKey) {

option (google.api.http) = {

post: "/v1/{name=projects/*/serviceAccounts/*}/keys:upload"

body: "*"

};

}

// Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. Deleting a service account key does not

// revoke short-lived credentials that have been issued based on the service

// account key.

rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) {

option (google.api.http) = {

delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"

};

option (google.api.method_signature) = "name";

}

// Disable a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. A disabled service account key can be

// re-enabled with [EnableServiceAccountKey][google.iam.admin.v1.IAM.EnableServiceAccountKey].

rpc DisableServiceAccountKey(DisableServiceAccountKeyRequest) returns (google.protobuf.Empty) {

option (google.api.http) = {

post: "/v1/{name=projects/*/serviceAccounts/*/keys/*}:disable"

body: "*"

};

option (google.api.method_signature) = "name";

}

// Enable a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

rpc EnableServiceAccountKey(EnableServiceAccountKeyRequest) returns (google.protobuf.Empty) {

option (google.api.http) = {

post: "/v1/{name=projects/*/serviceAccounts/*/keys/*}:enable"

body: "*"

};

option (google.api.method_signature) = "name";

}

// **Note:** This method is deprecated. Use the

// [`signBlob`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signBlob)

// method in the IAM Service Account Credentials API instead. If you currently

// use this method, see the [migration

// guide](https://cloud.google.com/iam/help/credentials/migrate-api) for

// instructions.

//

// Signs a blob using the system-managed private key for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) {

option deprecated = true;

option (google.api.http) = {

post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob"

body: "*"

};

option (google.api.method_signature) = "name,bytes_to_sign";

}

// **Note:** This method is deprecated. Use the

// [`signJwt`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signJwt)

// method in the IAM Service Account Credentials API instead. If you currently

// use this method, see the [migration

// guide](https://cloud.google.com/iam/help/credentials/migrate-api) for

// instructions.

//

// Signs a JSON Web Token (JWT) using the system-managed private key for a

// [ServiceAccount][google.iam.admin.v1.ServiceAccount].

rpc SignJwt(SignJwtRequest) returns (SignJwtResponse) {

option deprecated = true;

option (google.api.http) = {

post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt"

body: "*"

};

option (google.api.method_signature) = "name,payload";

}

// Gets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. This IAM

// policy specifies which principals have access to the service account.

//

// This method does not tell you whether the service account has been granted

// any roles on other resources. To check whether a service account has role

// grants on a resource, use the `getIamPolicy` method for that resource. For

// example, to view the role grants for a project, call the Resource Manager

// API's

// [`projects.getIamPolicy`](https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy)

// method.

rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {

option (google.api.http) = {

post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy"

};

option (google.api.method_signature) = "resource";

}

// Sets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

//

// Use this method to grant or revoke access to the service account. For

// example, you could grant a principal the ability to impersonate the service

// account.

//

// This method does not enable the service account to access other resources.

// To grant roles to a service account on a resource, follow these steps:

//

// 1. Call the resource's `getIamPolicy` method to get its current IAM policy.

// 2. Edit the policy so that it binds the service account to an IAM role for

// the resource.

// 3. Call the resource's `setIamPolicy` method to update its IAM policy.

//

// For detailed instructions, see

// [Manage access to project, folders, and

// organizations](https://cloud.google.com/iam/help/service-accounts/granting-access-to-service-accounts)

// or [Manage access to other

// resources](https://cloud.google.com/iam/help/access/manage-other-resources).

rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {

option (google.api.http) = {

post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy"

body: "*"

};

option (google.api.method_signature) = "resource,policy";

}

// Tests whether the caller has the specified permissions on a

// [ServiceAccount][google.iam.admin.v1.ServiceAccount].

rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {

option (google.api.http) = {

post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions"

body: "*"

};

option (google.api.method_signature) = "resource,permissions";

}

// Lists roles that can be granted on a Google Cloud resource. A role is

// grantable if the IAM policy for the resource can contain bindings to the

// role.

rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) {

option (google.api.http) = {

post: "/v1/roles:queryGrantableRoles"

body: "*"

};

option (google.api.method_signature) = "full_resource_name";

}

// Lists every predefined [Role][google.iam.admin.v1.Role] that IAM supports, or every custom role

// that is defined for an organization or project.

rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) {

option (google.api.http) = {

get: "/v1/roles"

additional_bindings {

get: "/v1/{parent=organizations/*}/roles"

}

additional_bindings {

get: "/v1/{parent=projects/*}/roles"

}

};

}

// Gets the definition of a [Role][google.iam.admin.v1.Role].

rpc GetRole(GetRoleRequest) returns (Role) {

option (google.api.http) = {

get: "/v1/{name=roles/*}"

additional_bindings {

get: "/v1/{name=organizations/*/roles/*}"

}

additional_bindings {

get: "/v1/{name=projects/*/roles/*}"

}

};

}

// Creates a new custom [Role][google.iam.admin.v1.Role].

rpc CreateRole(CreateRoleRequest) returns (Role) {

option (google.api.http) = {

post: "/v1/{parent=organizations/*}/roles"

body: "*"

additional_bindings {

post: "/v1/{parent=projects/*}/roles"

body: "*"

}

};

}

// Updates the definition of a custom [Role][google.iam.admin.v1.Role].

rpc UpdateRole(UpdateRoleRequest) returns (Role) {

option (google.api.http) = {

patch: "/v1/{name=organizations/*/roles/*}"

body: "role"

additional_bindings {

patch: "/v1/{name=projects/*/roles/*}"

body: "role"

}

};

}

// Deletes a custom [Role][google.iam.admin.v1.Role].

//

// When you delete a custom role, the following changes occur immediately:

//

// * You cannot bind a principal to the custom role in an IAM

// [Policy][google.iam.v1.Policy].

// * Existing bindings to the custom role are not changed, but they have no

// effect.

// * By default, the response from [ListRoles][google.iam.admin.v1.IAM.ListRoles] does not include the custom

// role.

//

// You have 7 days to undelete the custom role. After 7 days, the following

// changes occur:

//

// * The custom role is permanently deleted and cannot be recovered.

// * If an IAM policy contains a binding to the custom role, the binding is

// permanently removed.

rpc DeleteRole(DeleteRoleRequest) returns (Role) {

option (google.api.http) = {

delete: "/v1/{name=organizations/*/roles/*}"

additional_bindings {

delete: "/v1/{name=projects/*/roles/*}"

}

};

}

// Undeletes a custom [Role][google.iam.admin.v1.Role].

rpc UndeleteRole(UndeleteRoleRequest) returns (Role) {

option (google.api.http) = {

post: "/v1/{name=organizations/*/roles/*}:undelete"

body: "*"

additional_bindings {

post: "/v1/{name=projects/*/roles/*}:undelete"

body: "*"

}

};

}

// Lists every permission that you can test on a resource. A permission is

// testable if you can check whether a principal has that permission on the

// resource.

rpc QueryTestablePermissions(QueryTestablePermissionsRequest) returns (QueryTestablePermissionsResponse) {

option (google.api.http) = {

post: "/v1/permissions:queryTestablePermissions"

body: "*"

};

}

// Returns a list of services that allow you to opt into audit logs that are

// not generated by default.

//

// To learn more about audit logs, see the [Logging

// documentation](https://cloud.google.com/logging/docs/audit).

rpc QueryAuditableServices(QueryAuditableServicesRequest) returns (QueryAuditableServicesResponse) {

option (google.api.http) = {

post: "/v1/iamPolicies:queryAuditableServices"

body: "*"

};

}

// Lints, or validates, an IAM policy. Currently checks the

// [google.iam.v1.Binding.condition][google.iam.v1.Binding.condition] field, which contains a condition

// expression for a role binding.

//

// Successful calls to this method always return an HTTP `200 OK` status code,

// even if the linter detects an issue in the IAM policy.

rpc LintPolicy(LintPolicyRequest) returns (LintPolicyResponse) {

option (google.api.http) = {

post: "/v1/iamPolicies:lintPolicy"

body: "*"

};

}

}

// An IAM service account.

//

// A service account is an account for an application or a virtual machine (VM)

// instance, not a person. You can use a service account to call Google APIs. To

// learn more, read the [overview of service

// accounts](https://cloud.google.com/iam/help/service-accounts/overview).

//

// When you create a service account, you specify the project ID that owns the

// service account, as well as a name that must be unique within the project.

// IAM uses these values to create an email address that identifies the service

// account.

message ServiceAccount {

option (google.api.resource) = {

type: "iam.googleapis.com/ServiceAccount"

pattern: "projects/{project}/serviceAccounts/{service_account}"

};

// The resource name of the service account.

//

// Use one of the following formats:

//

// * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`

// * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`

//

// As an alternative, you can use the `-` wildcard character instead of the

// project ID:

//

// * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`

// * `projects/-/serviceAccounts/{UNIQUE_ID}`

//

// When possible, avoid using the `-` wildcard character, because it can cause

// response messages to contain misleading error codes. For example, if you

// try to get the service account

// `projects/-/serviceAccounts/fake@example.com`, which does not exist, the

// response contains an HTTP `403 Forbidden` error instead of a `404 Not

// Found` error.

string name = 1;

// Output only. The ID of the project that owns the service account.

string project_id = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

// Output only. The unique, stable numeric ID for the service account.

//

// Each service account retains its unique ID even if you delete the service

// account. For example, if you delete a service account, then create a new

// service account with the same name, the new service account has a different

// unique ID than the deleted service account.

string unique_id = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

// Output only. The email address of the service account.

string email = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

// Optional. A user-specified, human-readable name for the service account. The maximum

// length is 100 UTF-8 bytes.

string display_name = 6 [(google.api.field_behavior) = OPTIONAL];

// Deprecated. Do not use.

bytes etag = 7 [deprecated = true];

// Optional. A user-specified, human-readable description of the service account. The

// maximum length is 256 UTF-8 bytes.

string description = 8 [(google.api.field_behavior) = OPTIONAL];

// Output only. The OAuth 2.0 client ID for the service account.

string oauth2_client_id = 9 [(google.api.field_behavior) = OUTPUT_ONLY];

// Output only. Whether the service account is disabled.

bool disabled = 11 [(google.api.field_behavior) = OUTPUT_ONLY];

}

// The service account create request.

message CreateServiceAccountRequest {

// Required. The resource name of the project associated with the service

// accounts, such as `projects/my-project-123`.

string name = 1 [

(google.api.field_behavior) = REQUIRED,

(google.api.resource_reference) = {

type: "cloudresourcemanager.googleapis.com/Project"

}

];

// Required. The account id that is used to generate the service account

// email address and a stable unique id. It is unique within a project,

// must be 6-30 characters long, and match the regular expression

// `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.

string account_id = 2 [(google.api.field_behavior) = REQUIRED];

// The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to

// create. Currently, only the following values are user assignable:

// `display_name` and `description`.

ServiceAccount service_account = 3;

}

// The service account list request.

message ListServiceAccountsRequest {

// Required. The resource name of the project associated with the service

// accounts, such as `projects/my-project-123`.

string name = 1 [

(google.api.field_behavior) = REQUIRED,

(google.api.resource_reference) = {

type: "cloudresourcemanager.googleapis.com/Project"

}

];

// Optional limit on the number of service accounts to include in the

// response. Further accounts can subsequently be obtained by including the

// [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token]

// in a subsequent request.

//

// The default is 20, and the maximum is 100.

int32 page_size = 2;

// Optional pagination token returned in an earlier

// [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token].

string page_token = 3;

}

// The service account list response.

message ListServiceAccountsResponse {

// The list of matching service accounts.

repeated ServiceAccount accounts = 1;

// To retrieve the next page of results, set

// [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token]

// to this value.

string next_page_token = 2;

}

// The service account get request.

message GetServiceAccountRequest {

// Required. The resource name of the service account in the following format:

// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.

// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from

// the account. The `ACCOUNT` value can be the `email` address or the

// `unique_id` of the service account.

string name = 1 [

(google.api.field_behavior) = REQUIRED,

(google.api.resource_reference) = {

type: "iam.googleapis.com/ServiceAccount"

}

];

}

// The service account delete request.

message DeleteServiceAccountRequest {

// Required. The resource name of the service account in the following format:

// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.

// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from

// the account. The `ACCOUNT` value can be the `email` address or the

// `unique_id` of the service account.

string name = 1 [

(google.api.field_behavior) = REQUIRED,

(google.api.resource_reference) = {

type: "iam.googleapis.com/ServiceAccount"

}

];

}

// The service account patch request.

//

// You can patch only the `display_name` and `description` fields. You must use

// the `update_mask` field to specify which of these fields you want to patch.

//

// Only the fields specified in the request are guaranteed to be returned in

// the response. Other fields may be empty in the response.

message PatchServiceAccountRequest {

ServiceAccount service_account = 1;

google.protobuf.FieldMask update_mask = 2;

}

// The service account undelete request.

message UndeleteServiceAccountRequest {

// The resource name of the service account in the following format:

// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT_UNIQUE_ID}`.

// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from

// the account.

string name = 1;

}

message UndeleteServiceAccountResponse {

// Metadata for the restored service account.

ServiceAccount restored_account = 1;

}

// The service account enable request.

message EnableServiceAccountRequest {

// The resource name of the service account in the following format:

// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.

// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from

// the account. The `ACCOUNT` value can be the `email` address or the

// `unique_id` of the service account.

string name = 1;

}

// The service account disable request.

message DisableServiceAccountRequest {

// The resource name of the service account in the following format:

// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.

// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from

// the account. The `ACCOUNT` value can be the `email` address or the

// `unique_id` of the service account.

string name = 1;

}

// The service account keys list request.

message ListServiceAccountKeysRequest {

// `KeyType` filters to selectively retrieve certain varieties

// of keys.

enum KeyType {

// Unspecified key type. The presence of this in the

// message will immediately result in an error.

KEY_TYPE_UNSPECIFIED = 0;

// User-managed keys (managed and rotated by the user).

USER_MANAGED = 1;

// System-managed keys (managed and rotated by Google).

SYSTEM_MANAGED = 2;

}

// Required. The resource name of the service account in the following format:

// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.

//

// Using `-` as a wildcard for the `PROJECT_ID`, will infer the project from

// the account. The `ACCOUNT` value can be the `email` address or the

// `unique_id` of the service account.

string name = 1 [

(google.api.field_behavior) = REQUIRED,

(google.api.resource_reference) = {

type: "iam.googleapis.com/ServiceAccount"

}

];

// Filters the types of keys the user wants to include in the list

// response. Duplicate key types are not allowed. If no key type

// is provided, all keys are returned.

repeated KeyType key_types = 2;

}

// The service account keys list response.

message ListServiceAccountKeysResponse {

// The public keys for the service account.

repeated ServiceAccountKey keys = 1;

}

// The service account key get by id request.

message GetServiceAccountKeyRequest {

// Required. The resource name of the service account key in the following format:

// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.

//

// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from

// the account. The `ACCOUNT` value can be the `email` address or the

// `unique_id` of the service account.

string name = 1 [

(google.api.field_behavior) = REQUIRED,

(google.api.resource_reference) = {

type: "iam.googleapis.com/Key"

}

];

// Optional. The output format of the public key. The default is `TYPE_NONE`, which

// means that the public key is not returned.

ServiceAccountPublicKeyType public_key_type = 2 [(google.api.field_behavior) = OPTIONAL];

}

// Supported key algorithms.

enum ServiceAccountKeyAlgorithm {

// An unspecified key algorithm.

KEY_ALG_UNSPECIFIED = 0;

// 1k RSA Key.

KEY_ALG_RSA_1024 = 1;

// 2k RSA Key.

KEY_ALG_RSA_2048 = 2;

}

// Supported private key output formats.

enum ServiceAccountPrivateKeyType {

// Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`.

TYPE_UNSPECIFIED = 0;

// PKCS12 format.

// The password for the PKCS12 file is `notasecret`.

// For more information, see https://tools.ietf.org/html/rfc7292.

TYPE_PKCS12_FILE = 1;

// Google Credentials File format.

TYPE_GOOGLE_CREDENTIALS_FILE = 2;

}

// Supported public key output formats.

enum ServiceAccountPublicKeyType {

// Do not return the public key.

TYPE_NONE = 0;

// X509 PEM format.

TYPE_X509_PEM_FILE = 1;

// Raw public key.

TYPE_RAW_PUBLIC_KEY = 2;

}

// Service Account Key Origin.

enum ServiceAccountKeyOrigin {

// Unspecified key origin.

ORIGIN_UNSPECIFIED = 0;

// Key is provided by user.

USER_PROVIDED = 1;

// Key is provided by Google.

GOOGLE_PROVIDED = 2;

}

// Represents a service account key.

//

// A service account has two sets of key-pairs: user-managed, and

// system-managed.

//

// User-managed key-pairs can be created and deleted by users. Users are

// responsible for rotating these keys periodically to ensure security of

// their service accounts. Users retain the private key of these key-pairs,

// and Google retains ONLY the public key.

//

// System-managed keys are automatically rotated by Google, and are used for

// signing for a maximum of two weeks. The rotation process is probabilistic,

// and usage of the new key will gradually ramp up and down over the key's

// lifetime.

//

// If you cache the public key set for a service account, we recommend that you

// update the cache every 15 minutes. User-managed keys can be added and removed

// at any time, so it is important to update the cache frequently. For

// Google-managed keys, Google will publish a key at least 6 hours before it is

// first used for signing and will keep publishing it for at least 6 hours after

// it was last used for signing.

//

// Public keys for all service accounts are also published at the OAuth2

// Service Account API.

message ServiceAccountKey {

option (google.api.resource) = {

type: "iam.googleapis.com/Key"

pattern: "projects/{project}/serviceAccounts/{service_account}/keys/{key}"

};

// The resource name of the service account key in the following format

// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.

string name = 1;

// The output format for the private key.

// Only provided in `CreateServiceAccountKey` responses, not

// in `GetServiceAccountKey` or `ListServiceAccountKey` responses.

//

// Google never exposes system-managed private keys, and never retains

// user-managed private keys.

ServiceAccountPrivateKeyType private_key_type = 2;

// Specifies the algorithm (and possibly key size) for the key.

ServiceAccountKeyAlgorithm key_algorithm = 8;

// The private key data. Only provided in `CreateServiceAccountKey`

// responses. Make sure to keep the private key data secure because it

// allows for the assertion of the service account identity.

// When base64 decoded, the private key data can be used to authenticate with

// Google API client libraries and with

// <a href="/sdk/gcloud/reference/auth/activate-service-account">gcloud

// auth activate-service-account</a>.

bytes private_key_data = 3;

// The public key data. Only provided in `GetServiceAccountKey` responses.

bytes public_key_data = 7;

// The key can be used after this timestamp.

google.protobuf.Timestamp valid_after_time = 4;

// The key can be used before this timestamp.

// For system-managed key pairs, this timestamp is the end time for the

// private key signing operation. The public key could still be used

// for verification for a few hours after this time.

google.protobuf.Timestamp valid_before_time = 5;

// The key origin.

ServiceAccountKeyOrigin key_origin = 9;

// The key type.

ListServiceAccountKeysRequest.KeyType key_type = 10;

// The key status.

bool disabled = 11;

}

// The service account key create request.

message CreateServiceAccountKeyRequest {

// Required. The resource name of the service account in the following format:

// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.

// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from

// the account. The `ACCOUNT` value can be the `email` address or the

// `unique_id` of the service account.

string name = 1 [

(google.api.field_behavior) = REQUIRED,

(google.api.resource_reference) = {

type: "iam.googleapis.com/ServiceAccount"

}

];

// The output format of the private key. The default value is

// `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File

// format.

ServiceAccountPrivateKeyType private_key_type = 2;

// Which type of key and algorithm to use for the key.

// The default is currently a 2K RSA key. However this may change in the

// future.

ServiceAccountKeyAlgorithm key_algorithm = 3;

}

// The service account key upload request.

message UploadServiceAccountKeyRequest {

// The resource name of the service account in the following format:

// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.

// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from

// the account. The `ACCOUNT` value can be the `email` address or the

// `unique_id` of the service account.

string name = 1;

// The public key to associate with the service account. Must be an RSA public

// key that is wrapped in an X.509 v3 certificate. Include the first line,

// `-----BEGIN CERTIFICATE-----`, and the last line,

// `-----END CERTIFICATE-----`.

bytes public_key_data = 2;

}

// The service account key delete request.

message DeleteServiceAccountKeyRequest {

// Required. The resource name of the service account key in the following format:

// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.

// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from

// the account. The `ACCOUNT` value can be the `email` address or the

// `unique_id` of the service account.

string name = 1 [

(google.api.field_behavior) = REQUIRED,

(google.api.resource_reference) = {

type: "iam.googleapis.com/Key"

}

];

}

// The service account key disable request.

message DisableServiceAccountKeyRequest {

// Required. The resource name of the service account key in the following format:

// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.

//

// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from

// the account. The `ACCOUNT` value can be the `email` address or the

// `unique_id` of the service account.

string name = 1 [

(google.api.field_behavior) = REQUIRED,

(google.api.resource_reference) = {

type: "iam.googleapis.com/Key"

}

];

}

// The service account key enable request.

message EnableServiceAccountKeyRequest {

// Required. The resource name of the service account key in the following format:

// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.

//

// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from

// the account. The `ACCOUNT` value can be the `email` address or the

// `unique_id` of the service account.

string name = 1 [

(google.api.field_behavior) = REQUIRED,

(google.api.resource_reference) = {

type: "iam.googleapis.com/Key"

}

];

}

// Deprecated. [Migrate to Service Account Credentials

// API](https://cloud.google.com/iam/help/credentials/migrate-api).

//

// The service account sign blob request.

message SignBlobRequest {

// Required. Deprecated. [Migrate to Service Account Credentials

// API](https://cloud.google.com/iam/help/credentials/migrate-api).

//

// The resource name of the service account in the following format:

// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.

// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from

// the account. The `ACCOUNT` value can be the `email` address or the

// `unique_id` of the service account.

string name = 1 [

deprecated = true,

(google.api.field_behavior) = REQUIRED,

(google.api.resource_reference) = {

type: "iam.googleapis.com/ServiceAccount"

}

];

// Required. Deprecated. [Migrate to Service Account Credentials

// API](https://cloud.google.com/iam/help/credentials/migrate-api).

//

// The bytes to sign.

bytes bytes_to_sign = 2 [

deprecated = true,

(google.api.field_behavior) = REQUIRED

];

}

// Deprecated. [Migrate to Service Account Credentials

// API](https://cloud.google.com/iam/help/credentials/migrate-api).

//

// The service account sign blob response.

message SignBlobResponse {

// Deprecated. [Migrate to Service Account Credentials

// API](https://cloud.google.com/iam/help/credentials/migrate-api).

//