File: //snap/google-cloud-cli/394/lib/googlecloudsdk/generated_clients/apis/iam/v1/iam_v1_messages.py
"""Generated message classes for iam version v1.
Manages identity and access control for Google Cloud resources, including the
creation of service accounts, which you can use to authenticate to Google and
make API calls. Enabling this API also enables the IAM Service Account
Credentials API (iamcredentials.googleapis.com). However, disabling this API
doesn't disable the IAM Service Account Credentials API.
"""
# NOTE: This file is autogenerated and should not be edited by hand.
from __future__ import absolute_import
from apitools.base.protorpclite import messages as _messages
from apitools.base.py import encoding
from apitools.base.py import extra_types
# Name of the API whose request/response messages this generated module
# defines; consumed by the apitools client for this service.
package = 'iam'
class AccessRestrictions(_messages.Message):
  r"""Access related restrictions on the workforce pool.

  Fields:
    allowedServices: Optional. Immutable. Services allowed for web sign-in
      with the workforce pool. If not set by default there are no
      restrictions.
    disableProgrammaticSignin: Optional. Disable programmatic sign-in by
      disabling token issue via the Security Token API endpoint. See [Security
      Token Service API]
      (https://cloud.google.com/iam/docs/reference/sts/rest).
  """

  # The positional integer on each field is the protorpc field number (wire
  # tag); it must stay stable for messages to round-trip.
  allowedServices = _messages.MessageField('ServiceConfig', 1, repeated=True)
  # True stops token issuance through the STS endpoint, so the pool can only
  # be used for web sign-in (per the field description above).
  disableProgrammaticSignin = _messages.BooleanField(2)


class AddAttestationRuleRequest(_messages.Message):
  r"""Request message for AddAttestationRule.

  Fields:
    attestationRule: Required. The attestation rule to be added.
  """

  # Single nested AttestationRule; the rule decides which workloads may
  # receive an identity, so requests carrying it are authorization changes.
  attestationRule = _messages.MessageField('AttestationRule', 1)


class AdminAuditData(_messages.Message):
  r"""Audit log information specific to Cloud IAM admin APIs. This message is
  serialized as an `Any` type in the `ServiceData` message of an `AuditLog`
  message.

  Fields:
    permissionDelta: The permission_delta when creating or updating a
      Role.
  """

  # Populated in audit logs for role create/update; useful when detecting
  # privilege changes to custom roles.
  permissionDelta = _messages.MessageField('PermissionDelta', 1)


class AppMetadata(_messages.Message):
  r"""Represents the metadata for an installed app.

  Enums:
    StateValueValuesEnum: Output only. The state of the app.

  Fields:
    disabled: Output only. Whether the app is disabled.
    name: Immutable. The full resource name of the app to be installed.
      Format: For OauthClient:
      `projects/{project}/locations/{location}/oauthClients/{oauth_client}`.
    state: Output only. The state of the app.
    uuid: Output only. This field represents the system generated UUID for the
      OauthClient.
  """

  class StateValueValuesEnum(_messages.Enum):
    r"""Output only. The state of the app.

    Values:
      STATE_UNSPECIFIED: Default value. This value is unused.
      ACTIVE: The app is active.
      DELETED: The app is deleted.
    """
    STATE_UNSPECIFIED = 0
    ACTIVE = 1
    DELETED = 2

  # All four fields are server-populated (output only / immutable) per the
  # docstring; clients should not expect writes to them to take effect.
  disabled = _messages.BooleanField(1)
  name = _messages.StringField(2)
  state = _messages.EnumField('StateValueValuesEnum', 3)
  uuid = _messages.StringField(4)


class AttestationRule(_messages.Message):
  r"""Defines which workloads can receive an identity within a pool. When an
  AttestationRule is defined under a managed identity, matching workloads may
  receive that identity.

  Fields:
    googleCloudResource: Optional. A single workload operating on Google
      Cloud. For example: `//compute.googleapis.com/projects/123/uid/zones/us-
      central1-a/instances/12345`.
  """

  # Full resource name of the workload that is allowed to assume the
  # identity; a rule is effectively a trust grant, so review additions.
  googleCloudResource = _messages.StringField(1)


class AttributeTranslatorCEL(_messages.Message):
  r"""Specifies a list of output attribute names and the corresponding input
  attribute to use for that output attribute. Each defined output attribute is
  populated with the value of the specified input attribute.

  Messages:
    AttributesValue: Each entry specifies the desired output attribute and a
      CEL field selector expression for the corresponding input to read. This
      field supports a subset of the CEL functionality to select fields from
      the input (no boolean expressions, functions or arithmetics). Output
      attributes must match `(google.sub|a-z_*)`. The output attribute
      google.sub is interpreted to be the "identity" of the requesting user.
      For example, to copy the inbound attribute "sub" into the output
      `google.sub` add an entry `google.sub` -> `inclaim.sub` or `google.sub`
      -> `inclaim[\"sub\"]`. See https://github.com/google/cel-spec for more
      details. If the input does not exist the output attribute will be null.

  Fields:
    attributes: Each entry specifies the desired output attribute and a CEL
      field selector expression for the corresponding input to read. This
      field supports a subset of the CEL functionality to select fields from
      the input (no boolean expressions, functions or arithmetics). Output
      attributes must match `(google.sub|a-z_*)`. The output attribute
      google.sub is interpreted to be the "identity" of the requesting user.
      For example, to copy the inbound attribute "sub" into the output
      `google.sub` add an entry `google.sub` -> `inclaim.sub` or `google.sub`
      -> `inclaim[\"sub\"]`. See https://github.com/google/cel-spec for more
      details. If the input does not exist the output attribute will be null.
  """

  # Map-style message: the decorator folds unknown JSON keys into
  # `additionalProperties`, so arbitrary output-attribute names are carried
  # as key/value entries rather than fixed fields.
  @encoding.MapUnrecognizedFields('additionalProperties')
  class AttributesValue(_messages.Message):
    r"""Each entry specifies the desired output attribute and a CEL field
    selector expression for the corresponding input to read. This field
    supports a subset of the CEL functionality to select fields from the input
    (no boolean expressions, functions or arithmetics). Output attributes must
    match `(google.sub|a-z_*)`. The output attribute google.sub is interpreted
    to be the "identity" of the requesting user. For example, to copy the
    inbound attribute "sub" into the output `google.sub` add an entry
    `google.sub` -> `inclaim.sub` or `google.sub` -> `inclaim[\"sub\"]`. See
    https://github.com/google/cel-spec for more details. If the input does not
    exist the output attribute will be null.

    Messages:
      AdditionalProperty: An additional property for an AttributesValue object.

    Fields:
      additionalProperties: Additional properties of type AttributesValue
    """

    class AdditionalProperty(_messages.Message):
      r"""An additional property for an AttributesValue object.

      Fields:
        key: Name of the additional property.
        value: A string attribute.
      """

      # `key` is the output attribute name; `value` is the CEL selector.
      # The mapping for `google.sub` determines the asserted identity, so it
      # is the security-critical entry.
      key = _messages.StringField(1)
      value = _messages.StringField(2)

    additionalProperties = _messages.MessageField('AdditionalProperty', 1, repeated=True)

  attributes = _messages.MessageField('AttributesValue', 1)


class AuditConfig(_messages.Message):
  r"""Specifies the audit configuration for a service. The configuration
  determines which permission types are logged, and what identities, if any,
  are exempted from logging. An AuditConfig must have one or more
  AuditLogConfigs. If there are AuditConfigs for both `allServices` and a
  specific service, the union of the two AuditConfigs is used for that
  service: the log_types specified in each AuditConfig are enabled, and the
  exempted_members in each AuditLogConfig are exempted. Example Policy with
  multiple AuditConfigs: { "audit_configs": [ { "service": "allServices",
  "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [
  "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" }, { "log_type":
  "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com",
  "audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type":
  "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] } For
  sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
  logging. It also exempts `jose@example.com` from DATA_READ logging, and
  `aliya@example.com` from DATA_WRITE logging.

  Fields:
    auditLogConfigs: The configuration for logging of each type of permission.
    service: Specifies a service that will be enabled for audit logging. For
      example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
      `allServices` is a special value that covers all services.
  """

  # Per the docstring, configs for `allServices` and a named service are
  # unioned: both the enabled log types and the exemptions add up, so an
  # exemption on either side removes coverage.
  auditLogConfigs = _messages.MessageField('AuditLogConfig', 1, repeated=True)
  service = _messages.StringField(2)


class AuditData(_messages.Message):
  r"""Audit log information specific to Cloud IAM. This message is serialized
  as an `Any` type in the `ServiceData` message of an `AuditLog` message.

  Fields:
    policyDelta: Policy delta between the original policy and the newly set
      policy.
  """

  # Carries the before/after binding changes of a SetIamPolicy call; the
  # natural place to detect unexpected role grants.
  policyDelta = _messages.MessageField('PolicyDelta', 1)


class AuditLogConfig(_messages.Message):
  r"""Provides the configuration for logging a type of permissions. Example: {
  "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [
  "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" } ] } This enables
  'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from
  DATA_READ logging.

  Enums:
    LogTypeValueValuesEnum: The log type that this config enables.

  Fields:
    exemptedMembers: Specifies the identities that do not cause logging for
      this type of permission. Follows the same format of Binding.members.
    logType: The log type that this config enables.
  """

  class LogTypeValueValuesEnum(_messages.Enum):
    r"""The log type that this config enables.

    Values:
      LOG_TYPE_UNSPECIFIED: Default case. Should never be this.
      ADMIN_READ: Admin reads. Example: CloudIAM getIamPolicy
      DATA_WRITE: Data writes. Example: CloudSQL Users create
      DATA_READ: Data reads. Example: CloudSQL Users list
    """
    LOG_TYPE_UNSPECIFIED = 0
    ADMIN_READ = 1
    DATA_WRITE = 2
    DATA_READ = 3

  # Principals listed here produce no audit entries for this log type; an
  # entry such as `allUsers` or a broad group silently blinds the log.
  exemptedMembers = _messages.StringField(1, repeated=True)
  logType = _messages.EnumField('LogTypeValueValuesEnum', 2)


class AuditableService(_messages.Message):
  r"""Contains information about an auditable service.

  Fields:
    name: Public name of the service. For example, the service name for IAM is
      'iam.googleapis.com'.
  """

  name = _messages.StringField(1)


class Aws(_messages.Message):
  r"""Represents an Amazon Web Services identity provider.

  Fields:
    accountId: Required. The AWS account ID.
  """

  # The AWS account whose identities are trusted by the pool provider.
  accountId = _messages.StringField(1)


class Binding(_messages.Message):
  r"""Associates `members`, or principals, with a `role`.

  Fields:
    condition: The condition that is associated with this binding. If the
      condition evaluates to `true`, then this binding applies to the current
      request. If the condition evaluates to `false`, then this binding does
      not apply to the current request. However, a different role binding
      might grant the same role to one or more of the principals in this
      binding. To learn which resources support conditions in their IAM
      policies, see the [IAM
      documentation](https://cloud.google.com/iam/help/conditions/resource-
      policies).
    members: Specifies the principals requesting access for a Google Cloud
      resource. `members` can have the following values: * `allUsers`: A
      special identifier that represents anyone who is on the internet; with
      or without a Google account. * `allAuthenticatedUsers`: A special
      identifier that represents anyone who is authenticated with a Google
      account or a service account. Does not include identities that come from
      external identity providers (IdPs) through identity federation. *
      `user:{emailid}`: An email address that represents a specific Google
      account. For example, `alice@example.com` . *
      `serviceAccount:{emailid}`: An email address that represents a Google
      service account. For example, `my-other-
      app@appspot.gserviceaccount.com`. *
      `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`:
      An identifier for a [Kubernetes service
      account](https://cloud.google.com/kubernetes-engine/docs/how-
      to/kubernetes-service-accounts). For example, `my-
      project.svc.id.goog[my-namespace/my-kubernetes-sa]`. *
      `group:{emailid}`: An email address that represents a Google group. For
      example, `admins@example.com`. * `domain:{domain}`: The G Suite domain
      (primary) that represents all the users of that domain. For example,
      `google.com` or `example.com`. * `principal://iam.googleapis.com/locatio
      ns/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: A
      single identity in a workforce identity pool. * `principalSet://iam.goog
      leapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`:
      All workforce identities in a group. * `principalSet://iam.googleapis.co
      m/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{
      attribute_value}`: All workforce identities with a specific attribute
      value. * `principalSet://iam.googleapis.com/locations/global/workforcePo
      ols/{pool_id}/*`: All identities in a workforce identity pool. * `princi
      pal://iam.googleapis.com/projects/{project_number}/locations/global/work
      loadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: A single
      identity in a workload identity pool. * `principalSet://iam.googleapis.c
      om/projects/{project_number}/locations/global/workloadIdentityPools/{poo
      l_id}/group/{group_id}`: A workload identity pool group. * `principalSet
      ://iam.googleapis.com/projects/{project_number}/locations/global/workloa
      dIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`:
      All identities in a workload identity pool with a certain attribute. * `
      principalSet://iam.googleapis.com/projects/{project_number}/locations/gl
      obal/workloadIdentityPools/{pool_id}/*`: All identities in a workload
      identity pool. * `deleted:user:{emailid}?uid={uniqueid}`: An email
      address (plus unique identifier) representing a user that has been
      recently deleted. For example,
      `alice@example.com?uid=123456789012345678901`. If the user is recovered,
      this value reverts to `user:{emailid}` and the recovered user retains
      the role in the binding. *
      `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address
      (plus unique identifier) representing a service account that has been
      recently deleted. For example, `my-other-
      app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the
      service account is undeleted, this value reverts to
      `serviceAccount:{emailid}` and the undeleted service account retains the
      role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An
      email address (plus unique identifier) representing a Google group that
      has been recently deleted. For example,
      `admins@example.com?uid=123456789012345678901`. If the group is
      recovered, this value reverts to `group:{emailid}` and the recovered
      group retains the role in the binding. * `deleted:principal://iam.google
      apis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attr
      ibute_value}`: Deleted single identity in a workforce identity pool. For
      example, `deleted:principal://iam.googleapis.com/locations/global/workfo
      rcePools/my-pool-id/subject/my-subject-attribute-value`.
    role: Role that is assigned to the list of `members`, or principals. For
      example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an
      overview of the IAM roles and permissions, see the [IAM
      documentation](https://cloud.google.com/iam/docs/roles-overview). For a
      list of the available pre-defined roles, see
      [here](https://cloud.google.com/iam/docs/roles-overview). See also
      https://cloud.google.com/iam/docs/understanding-roles.
  """

  # A binding with no condition is unconditional; conditional bindings are
  # only representable in policy version 3 (see GetPolicyOptions).
  condition = _messages.MessageField('Expr', 1)
  # Per the docstring, `allUsers` grants to anyone on the internet and
  # `allAuthenticatedUsers` to any Google account; treat either as public.
  # Recovered deleted principals regain the role automatically.
  members = _messages.StringField(2, repeated=True)
  role = _messages.StringField(3)


class BindingDelta(_messages.Message):
  r"""One delta entry for Binding. Each individual change (only one member in
  each entry) to a binding will be a separate entry.

  Enums:
    ActionValueValuesEnum: The action that was performed on a Binding.
      Required

  Fields:
    action: The action that was performed on a Binding. Required
    condition: The condition that is associated with this binding.
    member: A single identity requesting access for a Google Cloud resource.
      Follows the same format of Binding.members. Required
    role: Role that is assigned to `members`. For example, `roles/viewer`,
      `roles/editor`, or `roles/owner`. Required
  """

  class ActionValueValuesEnum(_messages.Enum):
    r"""The action that was performed on a Binding. Required

    Values:
      ACTION_UNSPECIFIED: Unspecified.
      ADD: Addition of a Binding.
      REMOVE: Removal of a Binding.
    """
    ACTION_UNSPECIFIED = 0
    ADD = 1
    REMOVE = 2

  # One entry per (member, role) change, so audit consumers can key alerts
  # on ADD of a sensitive role without diffing whole policies.
  action = _messages.EnumField('ActionValueValuesEnum', 1)
  condition = _messages.MessageField('Expr', 2)
  member = _messages.StringField(3)
  role = _messages.StringField(4)


class CreateRoleRequest(_messages.Message):
  r"""The request to create a new role.

  Fields:
    role: The Role resource to create.
    roleId: The role ID to use for this role. A role ID may contain
      alphanumeric characters, underscores (`_`), and periods (`.`). It must
      contain a minimum of 3 characters and a maximum of 64 characters.
  """

  role = _messages.MessageField('Role', 1)
  # Validated server-side against the character set and 3-64 length rule
  # given in the docstring; this client message does not enforce it.
  roleId = _messages.StringField(2)


class CreateServiceAccountIdentityBindingRequest(_messages.Message):
  r"""The service account identity binding create request.

  Fields:
    acceptanceFilter: A CEL expression that is evaluated to determine whether
      a credential should be accepted. To accept any credential, specify
      "true". See: https://github.com/google/cel-spec . The input claims are
      available using "inclaim[\"attribute_name\"]". The output attributes
      calculated by the translator are available using
      "outclaim[\"attribute_name\"]"
    cel: A set of output attributes and corresponding input attribute names.
    oidc: An OIDC reference with Discovery.
  """

  # The literal "true" accepts every credential the OIDC issuer presents;
  # a binding in production should normally constrain on inclaim/outclaim.
  acceptanceFilter = _messages.StringField(1)
  cel = _messages.MessageField('AttributeTranslatorCEL', 2)
  oidc = _messages.MessageField('IDPReferenceOIDC', 3)


class CreateServiceAccountKeyRequest(_messages.Message):
  r"""The service account key create request.

  Enums:
    KeyAlgorithmValueValuesEnum: Which type of key and algorithm to use for
      the key. The default is currently a 2K RSA key. However this may change
      in the future.
    PrivateKeyTypeValueValuesEnum: The output format of the private key. The
      default value is `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google
      Credentials File format.

  Fields:
    keyAlgorithm: Which type of key and algorithm to use for the key. The
      default is currently a 2K RSA key. However this may change in the
      future.
    privateKeyType: The output format of the private key. The default value is
      `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File
      format.
  """

  class KeyAlgorithmValueValuesEnum(_messages.Enum):
    r"""Which type of key and algorithm to use for the key. The default is
    currently a 2K RSA key. However this may change in the future.

    Values:
      KEY_ALG_UNSPECIFIED: An unspecified key algorithm.
      KEY_ALG_RSA_1024: 1k RSA Key.
      KEY_ALG_RSA_2048: 2k RSA Key.
    """
    KEY_ALG_UNSPECIFIED = 0
    # 1024-bit RSA is below the 2048-bit minimum generally recommended today
    # (e.g. NIST SP 800-131A); prefer KEY_ALG_RSA_2048 (the stated default).
    KEY_ALG_RSA_1024 = 1
    KEY_ALG_RSA_2048 = 2

  class PrivateKeyTypeValueValuesEnum(_messages.Enum):
    r"""The output format of the private key. The default value is
    `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File
    format.

    Values:
      TYPE_UNSPECIFIED: Unspecified. Equivalent to
        `TYPE_GOOGLE_CREDENTIALS_FILE`.
      TYPE_PKCS12_FILE: PKCS12 format. The password for the PKCS12 file is
        `notasecret`. For more information, see
        https://tools.ietf.org/html/rfc7292.
      TYPE_GOOGLE_CREDENTIALS_FILE: Google Credentials File format.
    """
    TYPE_UNSPECIFIED = 0
    # The PKCS12 password is the fixed, documented value `notasecret`, so it
    # offers no confidentiality; the file itself must be protected.
    TYPE_PKCS12_FILE = 1
    TYPE_GOOGLE_CREDENTIALS_FILE = 2

  # Either output format contains private key material on return; the
  # response is the only time it is available.
  keyAlgorithm = _messages.EnumField('KeyAlgorithmValueValuesEnum', 1)
  privateKeyType = _messages.EnumField('PrivateKeyTypeValueValuesEnum', 2)


class CreateServiceAccountRequest(_messages.Message):
  r"""The service account create request.

  Fields:
    accountId: Required. The account id that is used to generate the service
      account email address and a stable unique id. It is unique within a
      project, must be 6-30 characters long, and match the regular expression
      `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
    serviceAccount: The ServiceAccount resource to create. Currently, only the
      following values are user assignable: `display_name` and `description`.
  """

  # Becomes the local part of the service account email; format rules are
  # enforced by the service, not by this message.
  accountId = _messages.StringField(1)
  # Only display_name and description are honored on create (per docstring).
  serviceAccount = _messages.MessageField('ServiceAccount', 2)


class DisableServiceAccountKeyRequest(_messages.Message):
  r"""The service account key disable request.

  Enums:
    ServiceAccountKeyDisableReasonValueValuesEnum: Optional. Describes the
      reason this key is being disabled. If unspecified, the default value of
      SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED will be used.

  Fields:
    extendedStatusMessage: Optional. Usable by internal google services only.
      An extended_status_message can be used to include additional information
      about the key, such as its private key data being exposed on a public
      repository like GitHub.
    serviceAccountKeyDisableReason: Optional. Describes the reason this key is
      being disabled. If unspecified, the default value of
      SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED will be used.
  """

  class ServiceAccountKeyDisableReasonValueValuesEnum(_messages.Enum):
    r"""Optional. Describes the reason this key is being disabled. If
    unspecified, the default value of
    SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED will be used.

    Values:
      SERVICE_ACCOUNT_KEY_DISABLE_REASON_UNSPECIFIED: Unspecified disable
        reason
      SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED: Disabled by the user
      SERVICE_ACCOUNT_KEY_DISABLE_REASON_EXPOSED: Google detected this Service
        Account external key's private key data as exposed, typically in a
        public repository on GitHub or similar.
      SERVICE_ACCOUNT_KEY_DISABLE_REASON_COMPROMISE_DETECTED: This service
        account external key was detected as compromised and used by an
        attacker.
    """
    SERVICE_ACCOUNT_KEY_DISABLE_REASON_UNSPECIFIED = 0
    SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED = 1
    # EXPOSED and COMPROMISE_DETECTED are the values to alert on when
    # monitoring key-disable events: they indicate Google-detected leakage.
    SERVICE_ACCOUNT_KEY_DISABLE_REASON_EXPOSED = 2
    SERVICE_ACCOUNT_KEY_DISABLE_REASON_COMPROMISE_DETECTED = 3

  # Documented as usable by internal Google services only; external callers
  # should not rely on it being accepted.
  extendedStatusMessage = _messages.StringField(1)
  serviceAccountKeyDisableReason = _messages.EnumField('ServiceAccountKeyDisableReasonValueValuesEnum', 2)


class DisableServiceAccountRequest(_messages.Message):
  r"""The service account disable request.

  Carries no fields; the target account is identified by the request URL.
  """


class Empty(_messages.Message):
  r"""A generic empty message that you can re-use to avoid defining duplicated
  empty messages in your APIs. A typical example is to use it as the request
  or the response type of an API method. For instance: service Foo { rpc
  Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }
  """


class EnableServiceAccountKeyRequest(_messages.Message):
  r"""The service account key enable request.

  Carries no fields; the key is identified by the request URL. Re-enabling a
  key that was disabled for an EXPOSED/COMPROMISE_DETECTED reason (see
  DisableServiceAccountKeyRequest) deserves explicit review.
  """


class EnableServiceAccountRequest(_messages.Message):
  r"""The service account enable request.

  Carries no fields; the target account is identified by the request URL.
  """


class Expr(_messages.Message):
  r"""Represents a textual expression in the Common Expression Language (CEL)
  syntax. CEL is a C-like expression language. The syntax and semantics of CEL
  are documented at https://github.com/google/cel-spec. Example (Comparison):
  title: "Summary size limit" description: "Determines if a summary is less
  than 100 chars" expression: "document.summary.size() < 100" Example
  (Equality): title: "Requestor is owner" description: "Determines if
  requestor is the document owner" expression: "document.owner ==
  request.auth.claims.email" Example (Logic): title: "Public documents"
  description: "Determine whether the document should be publicly visible"
  expression: "document.type != 'private' && document.type != 'internal'"
  Example (Data Manipulation): title: "Notification string" description:
  "Create a notification string with a timestamp." expression: "'New message
  received at ' + string(document.create_time)" The exact variables and
  functions that may be referenced within an expression are determined by the
  service that evaluates it. See the service documentation for additional
  information.

  Fields:
    description: Optional. Description of the expression. This is a longer
      text which describes the expression, e.g. when hovered over it in a UI.
    expression: Textual representation of an expression in Common Expression
      Language syntax.
    location: Optional. String indicating the location of the expression for
      error reporting, e.g. a file name and a position in the file.
    title: Optional. Title for the expression, i.e. a short string describing
      its purpose. This can be used e.g. in UIs which allow to enter the
      expression.
  """

  description = _messages.StringField(1)
  # Only `expression` affects authorization decisions; title/description/
  # location are informational and must not be relied on for policy intent.
  expression = _messages.StringField(2)
  location = _messages.StringField(3)
  title = _messages.StringField(4)


class ExtendedStatus(_messages.Message):
  r"""Extended status can store additional metadata. For example, for keys
  disabled due to their private key data being exposed we may include a
  message with more information about the exposure.

  Enums:
    KeyValueValuesEnum: The key for this extended status.

  Fields:
    key: The key for this extended status.
    value: The value for the extended status.
  """

  class KeyValueValuesEnum(_messages.Enum):
    r"""The key for this extended status.

    Values:
      SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_UNSPECIFIED: Unspecified
        extended status, should not be used.
      SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_EXPOSED: This key has been
        detected as exposed. extended_status_value may contain information
        about the exposure (public GitHub repo, open internet, etc.)
      SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_COMPROMISE_DETECTED: This key
        was implicated in a compromise or other attack. extended_status_value
        may contain information about the abuse perpetrated.
    """
    SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_UNSPECIFIED = 0
    SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_EXPOSED = 1
    SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_COMPROMISE_DETECTED = 2

  # `value` is free text describing the exposure/abuse; it is useful incident
  # context but is not a structured indicator.
  key = _messages.EnumField('KeyValueValuesEnum', 1)
  value = _messages.StringField(2)


class GetIamPolicyRequest(_messages.Message):
  r"""Request message for `GetIamPolicy` method.

  Fields:
    options: OPTIONAL: A `GetPolicyOptions` object for specifying options to
      `GetIamPolicy`.
  """

  options = _messages.MessageField('GetPolicyOptions', 1)


class GetPolicyOptions(_messages.Message):
  r"""Encapsulates settings provided to GetIamPolicy.

  Fields:
    requestedPolicyVersion: Optional. The maximum policy version that will be
      used to format the policy. Valid values are 0, 1, and 3. Requests
      specifying an invalid value will be rejected. Requests for policies with
      any conditional role bindings must specify version 3. Policies with no
      conditional role bindings may specify any valid value or leave the field
      unset. The policy in the response might use the policy version that you
      specified, or it might use a lower policy version. For example, if you
      specify version 3, but the policy has no conditional role bindings, the
      response uses version 1. To learn which resources support conditions in
      their IAM policies, see the [IAM
      documentation](https://cloud.google.com/iam/help/conditions/resource-
      policies).
  """

  # Tooling that audits policies should request version 3; a lower version
  # cannot represent conditional bindings, so they would be missing from the
  # returned policy (per the docstring).
  requestedPolicyVersion = _messages.IntegerField(1, variant=_messages.Variant.INT32)


class GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2Client(_messages.Message):
  r"""Represents the OAuth 2.0 client credential configuration for retrieving
  additional user attributes that are not present in the initial
  authentication credentials from the identity provider, e.g. groups. See
  https://datatracker.ietf.org/doc/html/rfc6749#section-4.4 for more details
  on client credentials grant flow.

  Enums:
    AttributesTypeValueValuesEnum: Required. Represents the IdP and type of
      claims that should be fetched.

  Fields:
    attributesType: Required. Represents the IdP and type of claims that
      should be fetched.
    clientId: Required. The OAuth 2.0 client ID for retrieving extra
      attributes from the identity provider. Required to get the Access Token
      using client credentials grant flow.
    clientSecret: Required. The OAuth 2.0 client secret for retrieving extra
      attributes from the identity provider. Required to get the Access Token
      using client credentials grant flow.
    issuerUri: Required. The OIDC identity provider's issuer URI. Must be a
      valid URI using the `https` scheme. Required to get the OIDC discovery
      document.
    queryParameters: Optional. Represents the parameters to control which
      claims are fetched from an IdP.
  """

  class AttributesTypeValueValuesEnum(_messages.Enum):
    r"""Required. Represents the IdP and type of claims that should be
    fetched.

    Values:
      ATTRIBUTES_TYPE_UNSPECIFIED: No AttributesType specified.
      AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the
        Microsoft Entra ID identity provider using the configuration provided
        in ExtraAttributesOAuth2Client. The `mail` property of the
        `microsoft.graph.group` object is used for claim mapping. See
        https://learn.microsoft.com/en-
        us/graph/api/resources/group?view=graph-rest-1.0#properties for more
        details on `microsoft.graph.group` properties. The group mail
        addresses of the user's groups that are returned from Microsoft Entra
        ID can be mapped by using the following attributes: * OIDC:
        `assertion.groups` * SAML: `assertion.attributes.groups`
      AZURE_AD_GROUPS_ID: Used to get the user's group claims from the
        Microsoft Entra ID identity provider using the configuration provided
        in ExtraAttributesOAuth2Client. The `id` property of the
        `microsoft.graph.group` object is used for claim mapping. See
        https://learn.microsoft.com/en-
        us/graph/api/resources/group?view=graph-rest-1.0#properties for more
        details on `microsoft.graph.group` properties. The group IDs of the
        user's groups that are returned from Microsoft Entra ID can be mapped
        by using the following attributes: * OIDC: `assertion.groups` * SAML:
        `assertion.attributes.groups`
      AZURE_AD_GROUPS_DISPLAY_NAME: Used to get the user's group claims from
        the Microsoft Entra ID identity provider using the configuration
        provided in ExtraAttributesOAuth2Client. The `displayName` property of
        the `microsoft.graph.group` object is used for claim mapping. See
        https://learn.microsoft.com/en-
        us/graph/api/resources/group?view=graph-rest-1.0#properties for more
        details on `microsoft.graph.group` properties. The display names of
        the user's groups that are returned from Microsoft Entra ID can be
        mapped by using the following attributes: * OIDC: `assertion.groups` *
        SAML: `assertion.attributes.groups`
    """
    ATTRIBUTES_TYPE_UNSPECIFIED = 0
    AZURE_AD_GROUPS_MAIL = 1
    # Group object IDs are immutable identifiers, whereas mail and
    # displayName can be changed by directory admins; keep that in mind when
    # the mapped value feeds authorization decisions.
    AZURE_AD_GROUPS_ID = 2
    AZURE_AD_GROUPS_DISPLAY_NAME = 3

  attributesType = _messages.EnumField('AttributesTypeValueValuesEnum', 1)
  clientId = _messages.StringField(2)
  # Secret is wrapped in a dedicated message whose plainText is input-only
  # (see GoogleIamAdminV1WorkforcePoolProviderOidcClientSecretValue).
  clientSecret = _messages.MessageField('GoogleIamAdminV1WorkforcePoolProviderOidcClientSecret', 3)
  # Must be an https URI; the discovery document is fetched from here.
  issuerUri = _messages.StringField(4)
  queryParameters = _messages.MessageField('GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2ClientQueryParameters', 5)


class GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2ClientQueryParameters(_messages.Message):
  r"""Represents the parameters to control which claims are fetched from an
  IdP.

  Fields:
    filter: Optional. The filter used to request specific records from the
      IdP. By default, all of the groups that are associated with a user are
      fetched. For Microsoft Entra ID, you can add `$search` query parameters
      using [Keyword Query Language] (https://learn.microsoft.com/en-
      us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-
      reference). To learn more about `$search` querying in Microsoft Entra
      ID, see [Use the `$search` query parameter]
      (https://learn.microsoft.com/en-us/graph/search-query-parameter).
      Additionally, Workforce Identity Federation automatically adds the
      following [`$filter` query parameters] (https://learn.microsoft.com/en-
      us/graph/filter-query-parameter), based on the value of
      `attributes_type`. Values passed to `filter` are converted to `$search`
      query parameters. Additional `$filter` query parameters cannot be added
      using this field. * `AZURE_AD_GROUPS_MAIL`: `mailEnabled` and
      `securityEnabled` filters are applied. * `AZURE_AD_GROUPS_ID`:
      `securityEnabled` filter is applied.
  """

  # Name shadows the builtin `filter`; kept because it is the generated wire
  # field name. Value is sent to the IdP as a `$search` parameter.
  filter = _messages.StringField(1)


class GoogleIamAdminV1WorkforcePoolProviderOidc(_messages.Message):
  r"""Represents an OpenId Connect 1.0 identity provider.

  Fields:
    clientId: Required. The client ID. Must match the audience claim of the
      JWT issued by the identity provider.
    clientSecret: Optional. The optional client secret. Required to enable
      Authorization Code flow for web sign-in.
    issuerUri: Required. The OIDC issuer URI. Must be a valid URI using the
      `https` scheme.
    jwksJson: Optional. OIDC JWKs in JSON String format. For details on the
      definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not
      set, the `jwks_uri` from the discovery document(fetched from the .well-
      known path of the `issuer_uri`) will be used. Currently, RSA and EC
      asymmetric keys are supported. The JWK must use following format and
      include only the following fields: { "keys": [ { "kty": "RSA/EC", "alg":
      "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv":
      "" } ] }
    webSsoConfig: Required. Configuration for web single sign-on for the OIDC
      provider. Here, web sign-in refers to console sign-in and gcloud sign-in
      through the browser.
  """

  # Audience check: tokens whose `aud` does not equal this value are not
  # accepted for the provider.
  clientId = _messages.StringField(1)
  clientSecret = _messages.MessageField('GoogleIamAdminV1WorkforcePoolProviderOidcClientSecret', 2)
  issuerUri = _messages.StringField(3)
  # Pinning keys here bypasses discovery; the listed JWK members (n, e, x,
  # y, crv) are public-key components only. A pinned set must be rotated by
  # hand when the IdP rotates signing keys.
  jwksJson = _messages.StringField(4)
  webSsoConfig = _messages.MessageField('GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfig', 5)


class GoogleIamAdminV1WorkforcePoolProviderOidcClientSecret(_messages.Message):
  r"""A client secret configured on an OIDC workforce pool provider.

  Fields:
    value: The secret's value (input plain text / output thumbprint wrapper).
  """

  value = _messages.MessageField(
      'GoogleIamAdminV1WorkforcePoolProviderOidcClientSecretValue', number=1)
class GoogleIamAdminV1WorkforcePoolProviderOidcClientSecretValue(_messages.Message):
  r"""The value of an OIDC client secret.

  Only `plainText` is accepted on input; only `thumbprint` is returned. The
  secret itself is never echoed back in any response.

  Fields:
    plainText: Optional. Input only. Plain-text client secret. For security
      reasons it is write-only and is never populated in a response.
    thumbprint: Output only. A thumbprint identifying the client secret value
      currently in effect.
  """

  plainText = _messages.StringField(number=1)
  thumbprint = _messages.StringField(number=2)
class GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfig(_messages.Message):
  r"""Web single sign-on settings for an OIDC workforce pool provider.

  Enums:
    AssertionClaimsBehaviorValueValuesEnum: Required. How OIDC claims are
      placed into the `assertion` object consumed by attribute mapping and
      the attribute condition.
    ResponseTypeValueValuesEnum: Required. The `response_type` requested in
      the OIDC Authorization Request for web sign-in. `CODE` is recommended;
      it avoids the Implicit Flow, for security reasons.

  Fields:
    additionalScopes: Optional. Extra scopes to request in the OIDC
      authentication request, beyond the defaults. By default the `openid`,
      `profile` and `email` scopes supported by the provider are requested.
      Each extra scope is at most 256 characters; at most 10 may be set.
    assertionClaimsBehavior: Required. How OIDC claims are placed into the
      `assertion` object consumed by attribute mapping and the attribute
      condition.
    responseType: Required. The `response_type` requested in the OIDC
      Authorization Request for web sign-in. `CODE` is recommended; it avoids
      the Implicit Flow, for security reasons.
  """

  class AssertionClaimsBehaviorValueValuesEnum(_messages.Enum):
    r"""Required. How OIDC claims are placed into the `assertion` object
    consumed by attribute mapping and the attribute condition.

    Values:
      ASSERTION_CLAIMS_BEHAVIOR_UNSPECIFIED: No behavior specified.
      MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge UserInfo Endpoint claims
        with ID Token claims; when a claim name appears in both, the UserInfo
        value wins. Only available with the Authorization Code Flow.
      ONLY_ID_TOKEN_CLAIMS: Use ID Token claims only.
    """
    ASSERTION_CLAIMS_BEHAVIOR_UNSPECIFIED = 0
    MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS = 1
    ONLY_ID_TOKEN_CLAIMS = 2

  class ResponseTypeValueValuesEnum(_messages.Enum):
    r"""Required. The `response_type` requested in the OIDC Authorization
    Request for web sign-in. `CODE` is recommended; it avoids the Implicit
    Flow, for security reasons.

    Values:
      RESPONSE_TYPE_UNSPECIFIED: No response type specified.
      CODE: `response_type=code`, i.e. the Authorization Code Flow. Requires
        a configured client secret.
      ID_TOKEN: `response_type=id_token`, i.e. the Implicit Flow.
    """
    RESPONSE_TYPE_UNSPECIFIED = 0
    CODE = 1
    ID_TOKEN = 2

  additionalScopes = _messages.StringField(number=1, repeated=True)
  assertionClaimsBehavior = _messages.EnumField(
      'AssertionClaimsBehaviorValueValuesEnum', number=2)
  responseType = _messages.EnumField('ResponseTypeValueValuesEnum', number=3)
class GoogleIamAdminV1WorkforcePoolProviderSaml(_messages.Message):
  r"""A SAML identity provider attached to a workforce pool.

  Fields:
    idpMetadataXml: Required. The identity provider's SAML metadata XML
      document, which must follow the [SAML 2.0 specification](https://docs.
      oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) and is
      limited to 128k characters. Constraints on the document: 1) it must
      contain an Identity Provider Entity ID; 2) it must contain at least one
      non-expired signing key certificate; 3) for every signing key, a) valid
      from must be no more than 7 days from now and b) valid to must be no
      more than 25 years in the future; 4) at most 3 IdP signing keys are
      allowed. When the metadata is updated, at least one non-expired signing
      key must overlap with the existing metadata; this overlap requirement
      is waived when the existing metadata holds no non-expired signing key.
  """

  idpMetadataXml = _messages.StringField(number=1)
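class IDPReferenceOIDC(_messages.Message):
  r"""A reference to an OIDC provider used to verify asserted JWTs.

  Fields:
    audience: Optional. The accepted `aud` value. Defaults to the unique_id
      of the Service Account.
    maxTokenLifetimeSeconds: Optional. Upper bound on token lifetime. Keeping
      the lifetime as short as practical limits how long an exfiltrated token
      stays usable. Every token must carry both `exp` and `iat` or it is
      rejected; when `nbf` is present, tokens that are not yet valid are
      rejected. Enforcement: - `exp` > current time is always required
      (expired tokens are rejected). - `iat` < current time + 300 seconds is
      required (tokens from the future are rejected, with a small clock-skew
      allowance). - If max_token_lifetime_seconds is set, `exp` - `iat` <
      max_token_lifetime_seconds is checked. - Otherwise the default
      max_token_lifetime_seconds of 3600 (1 hour) is applied.
    oidcJwks: Optional. OIDC verification keys in JWKS format (RFC 7517). When
      set, these keys are used directly to verify the JWT asserted by the IdP
      instead of keys fetched from `url`.
    url: The OpenID Connect URL. The JWT `iss` claim must match this value.
      When set, public keys are fetched from this URL for verification unless
      `oidc_jwks` is also set, in which case `oidc_jwks` takes precedence.
  """

  audience = _messages.StringField(number=1)
  maxTokenLifetimeSeconds = _messages.IntegerField(number=2)
  oidcJwks = _messages.BytesField(number=3)
  url = _messages.StringField(number=4)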
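class IamLocationsWorkforcePoolsCreateRequest(_messages.Message):
  r"""Request wrapper for creating a workforce pool.

  Fields:
    location: The location in which to create the pool, format
      `locations/{location}`. The upstream description calls this Optional,
      but it is the URL path parameter and is declared `required=True` here.
    workforcePool: The WorkforcePool resource sent as the request body.
    workforcePoolId: Optional. ID for the pool; becomes the final component
      of the resource name. Must be globally unique, 6 to 63 lowercase
      letters, digits or hyphens, start with a letter and not end with a
      hyphen. The `gcp-` prefix is reserved by Google and cannot be used.
  """

  location = _messages.StringField(number=1, required=True)
  workforcePool = _messages.MessageField('WorkforcePool', number=2)
  workforcePoolId = _messages.StringField(number=3)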
class IamLocationsWorkforcePoolsDeleteRequest(_messages.Message):
  r"""Request wrapper for deleting a workforce pool.

  Fields:
    name: Required. Resource name of the pool to delete, format
      `locations/{location}/workforcePools/{workforce_pool_id}`.
  """

  name = _messages.StringField(number=1, required=True)
class IamLocationsWorkforcePoolsGetIamPolicyRequest(_messages.Message):
  r"""Request wrapper for reading the IAM policy of a workforce pool.

  Fields:
    getIamPolicyRequest: The GetIamPolicyRequest sent as the request body.
    resource: REQUIRED. The resource whose policy is requested; see
      [Resource names](https://cloud.google.com/apis/design/resource_names)
      for the expected value.
  """

  getIamPolicyRequest = _messages.MessageField('GetIamPolicyRequest', number=1)
  resource = _messages.StringField(number=2, required=True)
class IamLocationsWorkforcePoolsGetRequest(_messages.Message):
  r"""Request wrapper for fetching a workforce pool.

  Fields:
    name: Required. Resource name of the pool, format
      `locations/{location}/workforcePools/{workforce_pool_id}`.
  """

  name = _messages.StringField(number=1, required=True)
class IamLocationsWorkforcePoolsInstalledAppsCreateRequest(_messages.Message):
  r"""Request wrapper for creating a workforce pool installed app.

  Fields:
    parent: Required. Pool that will own the installed app, format
      `locations/{location}/workforcePools/{workforce_pool}`.
    workforcePoolInstalledApp: The WorkforcePoolInstalledApp resource sent as
      the request body.
    workforcePoolInstalledAppId: Required. ID for the installed app; becomes
      the final component of the resource name. 4-32 characters from
      [a-z0-9-]. The `gcp-` prefix is reserved by Google and cannot be used.
  """

  parent = _messages.StringField(number=1, required=True)
  workforcePoolInstalledApp = _messages.MessageField(
      'WorkforcePoolInstalledApp', number=2)
  workforcePoolInstalledAppId = _messages.StringField(number=3)
class IamLocationsWorkforcePoolsInstalledAppsDeleteRequest(_messages.Message):
  r"""Request wrapper for deleting a workforce pool installed app.

  Fields:
    name: Required. Resource name of the installed app to delete, format
      `locations/{location}/workforcePools/{workforce_pool}/installedApps/{installed_app}`.
    validateOnly: Optional. When set, only validate the request and preview
      the response; nothing is actually deleted.
  """

  name = _messages.StringField(number=1, required=True)
  validateOnly = _messages.BooleanField(number=2)
class IamLocationsWorkforcePoolsInstalledAppsGetRequest(_messages.Message):
  r"""Request wrapper for fetching a workforce pool installed app.

  Fields:
    name: Required. Resource name of the installed app, format
      `locations/{location}/workforcePools/{workforce_pool}/installedApps/{installed_app}`.
  """

  name = _messages.StringField(number=1, required=True)
class IamLocationsWorkforcePoolsInstalledAppsListRequest(_messages.Message):
  r"""Request wrapper for listing workforce pool installed apps.

  Fields:
    pageSize: Optional. Maximum number of installed apps per page. Defaults
      to 50 when unset; capped at 100 (larger values are truncated to 100).
    pageToken: Optional. Token from a previous `ListWorkforcePoolInstalledApps`
      response; pass it to fetch the next page.
    parent: Required. Pool whose installed apps are listed, format
      'locations/{location}/workforcePools/{workforce_pool}'.
    showDeleted: Optional. Include soft-deleted installed apps.
  """

  pageSize = _messages.IntegerField(number=1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(number=2)
  parent = _messages.StringField(number=3, required=True)
  showDeleted = _messages.BooleanField(number=4)
class IamLocationsWorkforcePoolsInstalledAppsPatchRequest(_messages.Message):
  r"""Request wrapper for updating a workforce pool installed app.

  Fields:
    name: Identifier. Resource name of the installed app, format
      `locations/{location}/workforcePools/{workforce_pool}/installedApps/{installed_app}`.
    updateMask: Required. Fields to update.
    workforcePoolInstalledApp: The WorkforcePoolInstalledApp resource sent as
      the request body.
  """

  name = _messages.StringField(number=1, required=True)
  updateMask = _messages.StringField(number=2)
  workforcePoolInstalledApp = _messages.MessageField(
      'WorkforcePoolInstalledApp', number=3)
class IamLocationsWorkforcePoolsInstalledAppsUndeleteRequest(_messages.Message):
  r"""Request wrapper for restoring a soft-deleted workforce pool installed
  app.

  Fields:
    name: Required. Resource name of the installed app to undelete, format
      `locations/{location}/workforcePools/{workforce_pool}/installedApps/{installed_app}`.
    undeleteWorkforcePoolInstalledAppRequest: The
      UndeleteWorkforcePoolInstalledAppRequest sent as the request body.
  """

  name = _messages.StringField(number=1, required=True)
  undeleteWorkforcePoolInstalledAppRequest = _messages.MessageField(
      'UndeleteWorkforcePoolInstalledAppRequest', number=2)
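class IamLocationsWorkforcePoolsListRequest(_messages.Message):
  r"""Request wrapper for listing workforce pools.

  Note the split between the two scoping parameters: `location` is the URL
  path parameter and is declared `required=True` on the field, while `parent`
  (the organization) is documented upstream as Required but is a plain query
  parameter here and is not enforced by this message.

  Fields:
    location: Location of the pools, format `locations/{location}`.
    pageSize: Maximum number of pools per page; default 50, maximum 100.
    pageToken: Token from a previous `ListWorkforcePools` response; pass it
      to fetch the next page.
    parent: Required (by the service). Parent to list pools for, format
      `organizations/{org-id}`.
    showDeleted: Include soft-deleted pools.
  """

  location = _messages.StringField(number=1, required=True)
  pageSize = _messages.IntegerField(number=2, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(number=3)
  parent = _messages.StringField(number=4)
  showDeleted = _messages.BooleanField(number=5)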
class IamLocationsWorkforcePoolsOperationsGetRequest(_messages.Message):
  r"""Request wrapper for fetching a workforce pool long-running operation.

  Fields:
    name: Resource name of the operation.
  """

  name = _messages.StringField(number=1, required=True)
class IamLocationsWorkforcePoolsPatchRequest(_messages.Message):
  r"""Request wrapper for updating a workforce pool.

  Fields:
    name: Identifier. Resource name of the pool, format
      `locations/{location}/workforcePools/{workforce_pool_id}`.
    updateMask: Required. Fields to update.
    workforcePool: The WorkforcePool resource sent as the request body.
  """

  name = _messages.StringField(number=1, required=True)
  updateMask = _messages.StringField(number=2)
  workforcePool = _messages.MessageField('WorkforcePool', number=3)
class IamLocationsWorkforcePoolsProvidersCreateRequest(_messages.Message):
  r"""Request wrapper for creating a workforce pool provider.

  Fields:
    parent: Required. Pool that will own the provider, format
      `locations/{location}/workforcePools/{workforce_pool_id}`.
    workforcePoolProvider: The WorkforcePoolProvider resource sent as the
      request body.
    workforcePoolProviderId: Required. ID for the provider; becomes the
      final component of the resource name. 4-32 characters from [a-z0-9-].
      The `gcp-` prefix is reserved by Google and cannot be used.
  """

  parent = _messages.StringField(number=1, required=True)
  workforcePoolProvider = _messages.MessageField(
      'WorkforcePoolProvider', number=2)
  workforcePoolProviderId = _messages.StringField(number=3)
class IamLocationsWorkforcePoolsProvidersDeleteRequest(_messages.Message):
  r"""Request wrapper for deleting a workforce pool provider.

  Fields:
    name: Required. Resource name of the provider to delete, format
      `locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}`.
  """

  name = _messages.StringField(number=1, required=True)
class IamLocationsWorkforcePoolsProvidersGetRequest(_messages.Message):
  r"""Request wrapper for fetching a workforce pool provider.

  Fields:
    name: Required. Resource name of the provider, format
      `locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}`.
  """

  name = _messages.StringField(number=1, required=True)
class IamLocationsWorkforcePoolsProvidersKeysCreateRequest(_messages.Message):
  r"""Request wrapper for creating a workforce pool provider key.

  Fields:
    parent: Required. Provider that will own the key.
    workforcePoolProviderKey: The WorkforcePoolProviderKey resource sent as
      the request body.
    workforcePoolProviderKeyId: Required. ID for the key; becomes the final
      component of the resource name. 4-32 characters from [a-z0-9-].
  """

  parent = _messages.StringField(number=1, required=True)
  workforcePoolProviderKey = _messages.MessageField(
      'WorkforcePoolProviderKey', number=2)
  workforcePoolProviderKeyId = _messages.StringField(number=3)
class IamLocationsWorkforcePoolsProvidersKeysDeleteRequest(_messages.Message):
  r"""Request wrapper for deleting a workforce pool provider key.

  Fields:
    name: Required. Resource name of the key to delete.
  """

  name = _messages.StringField(number=1, required=True)
class IamLocationsWorkforcePoolsProvidersKeysGetRequest(_messages.Message):
  r"""Request wrapper for fetching a workforce pool provider key.

  Fields:
    name: Required. Resource name of the key.
  """

  name = _messages.StringField(number=1, required=True)
class IamLocationsWorkforcePoolsProvidersKeysListRequest(_messages.Message):
  r"""Request wrapper for listing workforce pool provider keys.

  Fields:
    pageSize: Maximum number of keys per page. When unset, all keys are
      returned. Capped at 10 (larger values are truncated to 10).
    pageToken: Token from a previous `ListWorkforcePoolProviderKeys`
      response; pass it to fetch the next page.
    parent: Required. Provider whose encryption keys are listed, format
      `locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}`.
    showDeleted: Include soft-deleted keys.
  """

  pageSize = _messages.IntegerField(number=1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(number=2)
  parent = _messages.StringField(number=3, required=True)
  showDeleted = _messages.BooleanField(number=4)
class IamLocationsWorkforcePoolsProvidersKeysOperationsGetRequest(_messages.Message):
  r"""Request wrapper for fetching a provider-key long-running operation.

  Fields:
    name: Resource name of the operation.
  """

  name = _messages.StringField(number=1, required=True)
class IamLocationsWorkforcePoolsProvidersKeysUndeleteRequest(_messages.Message):
  r"""Request wrapper for restoring a soft-deleted workforce pool provider
  key.

  Fields:
    name: Required. Resource name of the key to undelete.
    undeleteWorkforcePoolProviderKeyRequest: The
      UndeleteWorkforcePoolProviderKeyRequest sent as the request body.
  """

  name = _messages.StringField(number=1, required=True)
  undeleteWorkforcePoolProviderKeyRequest = _messages.MessageField(
      'UndeleteWorkforcePoolProviderKeyRequest', number=2)
class IamLocationsWorkforcePoolsProvidersListRequest(_messages.Message):
  r"""Request wrapper for listing workforce pool providers.

  Fields:
    pageSize: Maximum number of providers per page. Defaults to 50 when
      unset; capped at 100 (larger values are truncated to 100).
    pageToken: Token from a previous `ListWorkforcePoolProviders` response;
      pass it to fetch the next page.
    parent: Required. Pool whose providers are listed, format
      `locations/{location}/workforcePools/{workforce_pool_id}`.
    showDeleted: Include soft-deleted providers.
  """

  pageSize = _messages.IntegerField(number=1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(number=2)
  parent = _messages.StringField(number=3, required=True)
  showDeleted = _messages.BooleanField(number=4)
class IamLocationsWorkforcePoolsProvidersOperationsGetRequest(_messages.Message):
  r"""Request wrapper for fetching a provider long-running operation.

  Fields:
    name: Resource name of the operation.
  """

  name = _messages.StringField(number=1, required=True)
class IamLocationsWorkforcePoolsProvidersPatchRequest(_messages.Message):
  r"""Request wrapper for updating a workforce pool provider.

  Fields:
    name: Identifier. Resource name of the provider, format
      `locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}`.
    updateMask: Required. Fields to update.
    workforcePoolProvider: The WorkforcePoolProvider resource sent as the
      request body.
  """

  name = _messages.StringField(number=1, required=True)
  updateMask = _messages.StringField(number=2)
  workforcePoolProvider = _messages.MessageField(
      'WorkforcePoolProvider', number=3)
class IamLocationsWorkforcePoolsProvidersScimTenantsCreateRequest(_messages.Message):
  r"""Request wrapper for creating a SCIM tenant under a provider.

  Fields:
    parent: Required. Provider that will own the SCIM tenant, format
      'locations/{location}/workforcePools/{workforce_pool}/providers/{provider}'.
    workforcePoolProviderScimTenant: The WorkforcePoolProviderScimTenant
      resource sent as the request body.
    workforcePoolProviderScimTenantId: Required. ID for the SCIM tenant;
      becomes the final component of the resource name. 4-32 characters from
      [a-z0-9-].
  """

  parent = _messages.StringField(number=1, required=True)
  workforcePoolProviderScimTenant = _messages.MessageField(
      'WorkforcePoolProviderScimTenant', number=2)
  workforcePoolProviderScimTenantId = _messages.StringField(number=3)
class IamLocationsWorkforcePoolsProvidersScimTenantsDeleteRequest(_messages.Message):
  r"""Request wrapper for deleting a SCIM tenant.

  Fields:
    hardDelete: Optional. When set, hard-delete the SCIM tenant: the tenant
      and the service account associated with it are removed. This is
      irreversible, unlike the default soft delete, which can be undone with
      the undelete request.
    name: Required. Resource name of the SCIM tenant to delete, format
      `locations/{location}/workforcePools/{workforce_pool}/providers/{provider}/scimTenants/{scim_tenant}`.
  """

  hardDelete = _messages.BooleanField(number=1)
  name = _messages.StringField(number=2, required=True)
class IamLocationsWorkforcePoolsProvidersScimTenantsGetRequest(_messages.Message):
  r"""Request wrapper for fetching a SCIM tenant.

  Fields:
    name: Required. Resource name of the SCIM tenant, format
      `locations/{location}/workforcePools/{workforce_pool}/providers/{provider}/scimTenants/{scim_tenant}`.
  """

  name = _messages.StringField(number=1, required=True)
class IamLocationsWorkforcePoolsProvidersScimTenantsListRequest(_messages.Message):
  r"""Request wrapper for listing SCIM tenants under a provider.

  Fields:
    pageSize: Optional. Maximum number of SCIM tenants per page. When unset,
      at most 1 is returned.
    pageToken: Optional. Token from a previous `ListScimTenants` response;
      pass it to fetch the next page.
    parent: Required. Provider whose SCIM tenants are listed, format
      'locations/{location}/workforcePools/{workforce_pool}/providers/{provider}'.
    showDeleted: Optional. Include soft-deleted SCIM tenants.
  """

  pageSize = _messages.IntegerField(number=1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(number=2)
  parent = _messages.StringField(number=3, required=True)
  showDeleted = _messages.BooleanField(number=4)
class IamLocationsWorkforcePoolsProvidersScimTenantsPatchRequest(_messages.Message):
  r"""Request wrapper for updating a SCIM tenant.

  Fields:
    name: Identifier. Resource name of the SCIM tenant, format
      `locations/{location}/workforcePools/{workforce_pool}/providers/{workforce_pool_provider}/scimTenants/{scim_tenant}`.
    updateMask: Optional. Fields to update.
    workforcePoolProviderScimTenant: The WorkforcePoolProviderScimTenant
      resource sent as the request body.
  """

  name = _messages.StringField(number=1, required=True)
  updateMask = _messages.StringField(number=2)
  workforcePoolProviderScimTenant = _messages.MessageField(
      'WorkforcePoolProviderScimTenant', number=3)
class IamLocationsWorkforcePoolsProvidersScimTenantsTokensCreateRequest(_messages.Message):
  r"""Request wrapper for creating a SCIM token under a SCIM tenant.

  Fields:
    parent: Required. SCIM tenant that will own the token, format
      'locations/{location}/workforcePools/{workforce_pool}/providers/{provider}/scimTenants/{scim_tenant}'.
    workforcePoolProviderScimToken: The WorkforcePoolProviderScimToken
      resource sent as the request body.
    workforcePoolProviderScimTokenId: Required. ID for the SCIM token;
      becomes the final component of the resource name. 4-32 characters
      matching the pattern "([a-z]([a-z0-9\\-]{2,30}[a-z0-9]))".
  """

  parent = _messages.StringField(number=1, required=True)
  workforcePoolProviderScimToken = _messages.MessageField(
      'WorkforcePoolProviderScimToken', number=2)
  workforcePoolProviderScimTokenId = _messages.StringField(number=3)
class IamLocationsWorkforcePoolsProvidersScimTenantsTokensDeleteRequest(_messages.Message):
  r"""Request wrapper for deleting a SCIM token.

  Fields:
    name: Required. Resource name of the SCIM token to delete, format
      `locations/{location}/workforcePools/{workforce_pool}/providers/{provider}/scimTenants/{scim_tenant}/tokens/{token}`.
  """

  name = _messages.StringField(number=1, required=True)
class IamLocationsWorkforcePoolsProvidersScimTenantsTokensGetRequest(_messages.Message):
  r"""Request wrapper for fetching a SCIM token.

  Fields:
    name: Required. Resource name of the SCIM token, format
      `locations/{location}/workforcePools/{workforce_pool}/providers/{provider}/scimTenants/{scim_tenant}/tokens/{token}`.
  """

  name = _messages.StringField(number=1, required=True)
class IamLocationsWorkforcePoolsProvidersScimTenantsTokensListRequest(_messages.Message):
  r"""Request wrapper for listing SCIM tokens under a SCIM tenant.

  Fields:
    pageSize: Optional. Maximum number of SCIM tokens per page. When unset,
      at most 2 are returned.
    pageToken: Optional. Token from a previous
      `ListWorkforcePoolProviderScimTokens` response; pass it to fetch the
      next page.
    parent: Required. SCIM tenant whose tokens are listed, format
      'locations/{location}/workforcePools/{workforce_pool}/providers/{provider}/scimTenants/{scim_tenant}'.
    showDeleted: Optional. Include soft-deleted SCIM tokens.
  """

  pageSize = _messages.IntegerField(number=1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(number=2)
  parent = _messages.StringField(number=3, required=True)
  showDeleted = _messages.BooleanField(number=4)
class IamLocationsWorkforcePoolsProvidersScimTenantsTokensPatchRequest(_messages.Message):
  r"""Request wrapper for updating a SCIM token.

  Fields:
    name: Identifier. Resource name of the SCIM token, format
      `locations/{location}/workforcePools/{workforce_pool}/providers/{workforce_pool_provider}/scimTenants/{scim_tenant}/tokens/{token}`.
    updateMask: Optional. Fields to update.
    workforcePoolProviderScimToken: The WorkforcePoolProviderScimToken
      resource sent as the request body.
  """

  name = _messages.StringField(number=1, required=True)
  updateMask = _messages.StringField(number=2)
  workforcePoolProviderScimToken = _messages.MessageField(
      'WorkforcePoolProviderScimToken', number=3)
class IamLocationsWorkforcePoolsProvidersScimTenantsTokensUndeleteRequest(_messages.Message):
  r"""Request wrapper for restoring a soft-deleted SCIM token.

  Fields:
    name: Required. Resource name of the SCIM token to undelete, format
      `locations/{location}/workforcePools/{workforce_pool}/providers/{provider}/scimTenants/{scim_tenant}/tokens/{token}`.
    undeleteWorkforcePoolProviderScimTokenRequest: The
      UndeleteWorkforcePoolProviderScimTokenRequest sent as the request body.
  """

  name = _messages.StringField(number=1, required=True)
  undeleteWorkforcePoolProviderScimTokenRequest = _messages.MessageField(
      'UndeleteWorkforcePoolProviderScimTokenRequest', number=2)
class IamLocationsWorkforcePoolsProvidersScimTenantsUndeleteRequest(_messages.Message):
  r"""Request wrapper for restoring a soft-deleted SCIM tenant.

  Fields:
    name: Required. Resource name of the SCIM tenant to undelete, format
      `locations/{location}/workforcePools/{workforce_pool}/providers/{provider}/scimTenants/{scim_tenant}`.
    undeleteWorkforcePoolProviderScimTenantRequest: The
      UndeleteWorkforcePoolProviderScimTenantRequest sent as the request
      body.
  """

  name = _messages.StringField(number=1, required=True)
  undeleteWorkforcePoolProviderScimTenantRequest = _messages.MessageField(
      'UndeleteWorkforcePoolProviderScimTenantRequest', number=2)
class IamLocationsWorkforcePoolsProvidersUndeleteRequest(_messages.Message):
  r"""Request wrapper for restoring a soft-deleted workforce pool provider.

  Fields:
    name: Required. Resource name of the provider to undelete, format
      `locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}`.
    undeleteWorkforcePoolProviderRequest: The
      UndeleteWorkforcePoolProviderRequest sent as the request body.
  """

  name = _messages.StringField(number=1, required=True)
  undeleteWorkforcePoolProviderRequest = _messages.MessageField(
      'UndeleteWorkforcePoolProviderRequest', number=2)
class IamLocationsWorkforcePoolsSetIamPolicyRequest(_messages.Message):
  r"""Request wrapper for replacing the IAM policy of a workforce pool.

  Fields:
    resource: REQUIRED. The resource whose policy is being set; see
      [Resource names](https://cloud.google.com/apis/design/resource_names)
      for the expected value.
    setIamPolicyRequest: The SetIamPolicyRequest sent as the request body.
  """

  resource = _messages.StringField(number=1, required=True)
  setIamPolicyRequest = _messages.MessageField('SetIamPolicyRequest', number=2)
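class IamLocationsWorkforcePoolsSubjectsDeleteRequest(_messages.Message):
  r"""Request wrapper for deleting a workforce pool subject.

  Fields:
    name: Required. Resource name of the WorkforcePoolSubject, format
      `locations/{location}/workforcePools/{workforce_pool_id}/subjects/{subject_id}`.
      Special characters such as `/` and `:` must be percent-escaped so the
      URL conforms to the "When to Escape and Unescape" guidance of
      [RFC3986](https://www.ietf.org/rfc/rfc2396.txt).
      NOTE(review): the upstream text labels this RFC 3986 but links to
      rfc2396.txt; confirm which document is intended before relying on the
      section title.
  """

  name = _messages.StringField(number=1, required=True)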
class IamLocationsWorkforcePoolsSubjectsOperationsGetRequest(_messages.Message):
  r"""Request wrapper for fetching a subject long-running operation.

  Fields:
    name: Resource name of the operation.
  """

  name = _messages.StringField(number=1, required=True)
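class IamLocationsWorkforcePoolsSubjectsUndeleteRequest(_messages.Message):
  r"""Request wrapper for restoring a soft-deleted workforce pool subject.

  Fields:
    name: Required. Resource name of the WorkforcePoolSubject, format
      `locations/{location}/workforcePools/{workforce_pool_id}/subjects/{subject_id}`.
      Special characters such as `/` and `:` must be percent-escaped so the
      URL conforms to the "When to Escape and Unescape" guidance of
      [RFC3986](https://www.ietf.org/rfc/rfc2396.txt).
      NOTE(review): the upstream text labels this RFC 3986 but links to
      rfc2396.txt; confirm which document is intended before relying on the
      section title.
    undeleteWorkforcePoolSubjectRequest: The UndeleteWorkforcePoolSubjectRequest
      sent as the request body.
  """

  name = _messages.StringField(number=1, required=True)
  undeleteWorkforcePoolSubjectRequest = _messages.MessageField(
      'UndeleteWorkforcePoolSubjectRequest', number=2)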
class IamLocationsWorkforcePoolsTestIamPermissionsRequest(_messages.Message):
  r"""Request wrapper for checking the caller's permissions on a workforce
  pool.

  Fields:
    resource: REQUIRED. The resource whose policy detail is requested; see
      [Resource names](https://cloud.google.com/apis/design/resource_names)
      for the expected value.
    testIamPermissionsRequest: The TestIamPermissionsRequest sent as the
      request body.
  """

  resource = _messages.StringField(number=1, required=True)
  testIamPermissionsRequest = _messages.MessageField(
      'TestIamPermissionsRequest', number=2)
class IamLocationsWorkforcePoolsUndeleteRequest(_messages.Message):
  r"""Request wrapper for restoring a soft-deleted workforce pool.

  Fields:
    name: Required. Resource name of the pool to undelete, format
      `locations/{location}/workforcePools/{workforce_pool_id}`.
    undeleteWorkforcePoolRequest: The UndeleteWorkforcePoolRequest sent as
      the request body.
  """

  name = _messages.StringField(number=1, required=True)
  undeleteWorkforcePoolRequest = _messages.MessageField(
      'UndeleteWorkforcePoolRequest', number=2)
class IamOrganizationsRolesCreateRequest(_messages.Message):
  r"""Request parameters for creating a custom role under an organization.

  Fields:
    createRoleRequest: A CreateRoleRequest resource to be passed as the
      request body.
    parent: The `parent` parameter's value depends on the target resource for
      the request, namely
      [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles)
      or
      [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles).
      Each resource type's `parent` value format is described below:
      * [projects.roles.create](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/create):
        `projects/{PROJECT_ID}`. This method creates project-level
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
        Example request URL:
        `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
      * [organizations.roles.create](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/create):
        `organizations/{ORGANIZATION_ID}`. This method creates
        organization-level
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
        Example request URL:
        `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
      Note: Wildcard (*) values are invalid; you must specify a complete
      project ID or organization ID.
  """

  createRoleRequest = _messages.MessageField('CreateRoleRequest', 1)
  parent = _messages.StringField(2, required=True)
class IamOrganizationsRolesDeleteRequest(_messages.Message):
  r"""Request parameters for deleting a custom role under an organization.

  Fields:
    etag: Used to perform a consistent read-modify-write.
    name: The `name` parameter's value depends on the target resource for the
      request, namely
      [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles)
      or
      [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles).
      Each resource type's `name` value format is described below:
      * [projects.roles.delete](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete):
        `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes
        only
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the project level. Example request URL:
        `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
      * [organizations.roles.delete](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/delete):
        `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
        deletes only
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the organization level. Example request
        URL:
        `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
      Note: Wildcard (*) values are invalid; you must specify a complete
      project ID or organization ID.
  """

  # etag is optional on the wire; presumably a delete without it is
  # unconditional, so callers wanting to avoid racing a concurrent role
  # update should pass the etag from the preceding Get — confirm against
  # the API docs.
  etag = _messages.BytesField(1)
  name = _messages.StringField(2, required=True)
class IamOrganizationsRolesGetRequest(_messages.Message):
  r"""Request parameters for retrieving a role under an organization.

  Fields:
    name: The `name` parameter's value depends on the target resource for the
      request, namely
      [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles),
      [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles),
      or
      [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles).
      Each resource type's `name` value format is described below:
      * [roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/roles/get):
        `roles/{ROLE_NAME}`. This method returns results from all
        [predefined roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles)
        in IAM. Example request URL:
        `https://iam.googleapis.com/v1/roles/{ROLE_NAME}`
      * [projects.roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/get):
        `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns
        only
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the project level. Example request URL:
        `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
      * [organizations.roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/get):
        `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
        returns only
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the organization level. Example request
        URL:
        `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
      Note: Wildcard (*) values are invalid; you must specify a complete
      project ID or organization ID.
  """

  name = _messages.StringField(1, required=True)
class IamOrganizationsRolesListRequest(_messages.Message):
  r"""Request parameters for listing roles under an organization.

  Enums:
    ViewValueValuesEnum: Optional view for the returned Role objects. When
      `FULL` is specified, the `includedPermissions` field is returned, which
      includes a list of all permissions in the role. The default value is
      `BASIC`, which does not return the `includedPermissions` field.

  Fields:
    pageSize: Optional limit on the number of roles to include in the
      response. The default is 300, and the maximum is 1,000.
    pageToken: Optional pagination token returned in an earlier
      ListRolesResponse.
    parent: The `parent` parameter's value depends on the target resource for
      the request, namely
      [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles),
      [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles),
      or
      [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles).
      Each resource type's `parent` value format is described below:
      * [roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/roles/list):
        An empty string. This method doesn't require a resource; it simply
        returns all
        [predefined roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles)
        in IAM. Example request URL: `https://iam.googleapis.com/v1/roles`
      * [projects.roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/list):
        `projects/{PROJECT_ID}`. This method lists all project-level
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
        Example request URL:
        `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
      * [organizations.roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/list):
        `organizations/{ORGANIZATION_ID}`. This method lists all
        organization-level
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
        Example request URL:
        `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
      Note: Wildcard (*) values are invalid; you must specify a complete
      project ID or organization ID.
    showDeleted: Include Roles that have been deleted.
    view: Optional view for the returned Role objects. When `FULL` is
      specified, the `includedPermissions` field is returned, which includes a
      list of all permissions in the role. The default value is `BASIC`, which
      does not return the `includedPermissions` field.
  """

  class ViewValueValuesEnum(_messages.Enum):
    r"""Optional view for the returned Role objects. When `FULL` is specified,
    the `includedPermissions` field is returned, which includes a list of all
    permissions in the role. The default value is `BASIC`, which does not
    return the `includedPermissions` field.

    Values:
      BASIC: Omits the `included_permissions` field. This is the default
        value.
      FULL: Returns all fields.
    """
    BASIC = 0
    FULL = 1

  # Wire representation is a 32-bit integer (Variant.INT32); the 300/1,000
  # default and cap described above are applied server-side, not here.
  pageSize = _messages.IntegerField(1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(2)
  parent = _messages.StringField(3, required=True)
  showDeleted = _messages.BooleanField(4)
  # No client-side default: an unset view is presumably treated as BASIC by
  # the service, as the docstring states — confirm.
  view = _messages.EnumField('ViewValueValuesEnum', 5)
class IamOrganizationsRolesPatchRequest(_messages.Message):
  r"""Request parameters for updating a custom role under an organization.

  Fields:
    name: The `name` parameter's value depends on the target resource for the
      request, namely
      [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles)
      or
      [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles).
      Each resource type's `name` value format is described below:
      * [projects.roles.patch](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/patch):
        `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates
        only
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the project level. Example request URL:
        `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
      * [organizations.roles.patch](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/patch):
        `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
        updates only
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the organization level. Example request
        URL:
        `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
      Note: Wildcard (*) values are invalid; you must specify a complete
      project ID or organization ID.
    role: A Role resource to be passed as the request body.
    updateMask: A mask describing which fields in the Role have changed.
  """

  name = _messages.StringField(1, required=True)
  role = _messages.MessageField('Role', 2)
  # Optional here; what the service does when the mask is omitted is not
  # visible from this file — check the API docs before sending a Role body
  # with only some fields populated.
  updateMask = _messages.StringField(3)
class IamOrganizationsRolesUndeleteRequest(_messages.Message):
  r"""Request parameters for undeleting a custom role under an organization.

  Fields:
    name: The `name` parameter's value depends on the target resource for the
      request, namely
      [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles)
      or
      [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles).
      Each resource type's `name` value format is described below:
      * [projects.roles.undelete](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/undelete):
        `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes
        only
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the project level. Example request URL:
        `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
      * [organizations.roles.undelete](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/undelete):
        `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
        undeletes only
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the organization level. Example request
        URL:
        `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
      Note: Wildcard (*) values are invalid; you must specify a complete
      project ID or organization ID.
    undeleteRoleRequest: A UndeleteRoleRequest resource to be passed as the
      request body.
  """

  name = _messages.StringField(1, required=True)
  undeleteRoleRequest = _messages.MessageField('UndeleteRoleRequest', 2)
class IamProjectsLocationsOauthClientsCreateRequest(_messages.Message):
  r"""Request parameters for creating an OauthClient.

  Fields:
    oauthClient: A OauthClient resource to be passed as the request body.
    oauthClientId: Required. The ID to use for the OauthClient, which becomes
      the final component of the resource name. This value should be a string
      of 6 to 63 lowercase letters, digits, or hyphens. It must start with a
      letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved
      for use by Google, and may not be specified.
    parent: Required. The parent resource to create the OauthClient in. The
      only supported location is `global`.
  """

  oauthClient = _messages.MessageField('OauthClient', 1)
  # Documented as required, but declared without required=True, so protorpc
  # will not catch an unset ID; the length/charset/`gcp-` rules above are
  # presumably enforced by the service — confirm.
  oauthClientId = _messages.StringField(2)
  parent = _messages.StringField(3, required=True)
class IamProjectsLocationsOauthClientsCredentialsCreateRequest(_messages.Message):
  r"""Request parameters for creating an OauthClientCredential.

  Fields:
    oauthClientCredential: A OauthClientCredential resource to be passed as
      the request body.
    oauthClientCredentialId: Required. The ID to use for the
      OauthClientCredential, which becomes the final component of the resource
      name. This value should be 4-32 characters, and may contain the
      characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google,
      and may not be specified.
    parent: Required. The parent resource to create the OauthClientCredential
      in.
  """

  oauthClientCredential = _messages.MessageField('OauthClientCredential', 1)
  # Documented as required but not flagged required=True; the ID constraints
  # listed above are presumably validated server-side — confirm.
  oauthClientCredentialId = _messages.StringField(2)
  parent = _messages.StringField(3, required=True)
class IamProjectsLocationsOauthClientsCredentialsDeleteRequest(_messages.Message):
  r"""Request parameters for deleting an OauthClientCredential.

  Fields:
    name: Required. The name of the OauthClientCredential to delete. Format:
      `projects/{project}/locations/{location}/oauthClients/{oauth_client}/credentials/{credential}`.
    validateOnly: Optional. If set, validate the request and preview the
      response, but do not actually post it.
  """

  name = _messages.StringField(1, required=True)
  # Dry-run switch: lets a caller confirm the target before revoking a
  # credential for real.
  validateOnly = _messages.BooleanField(2)
class IamProjectsLocationsOauthClientsCredentialsGetRequest(_messages.Message):
  r"""Request parameters for retrieving an OauthClientCredential.

  Fields:
    name: Required. The name of the OauthClientCredential to retrieve. Format:
      `projects/{project}/locations/{location}/oauthClients/{oauth_client}/credentials/{credential}`.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsOauthClientsCredentialsListRequest(_messages.Message):
  r"""Request parameters for listing the credentials of an OauthClient.

  Fields:
    parent: Required. The parent to list OauthClientCredentials for.
  """

  # No pagination fields are declared on this request (compare the OauthClient
  # list request), so the whole list is presumably returned in one response.
  parent = _messages.StringField(1, required=True)
class IamProjectsLocationsOauthClientsCredentialsPatchRequest(_messages.Message):
  r"""Request parameters for updating an OauthClientCredential.

  Fields:
    name: Immutable. Identifier. The resource name of the
      OauthClientCredential. Format:
      `projects/{project}/locations/{location}/oauthClients/{oauth_client}/credentials/{credential}`
    oauthClientCredential: A OauthClientCredential resource to be passed as
      the request body.
    updateMask: Required. The list of fields to update.
  """

  name = _messages.StringField(1, required=True)
  oauthClientCredential = _messages.MessageField('OauthClientCredential', 2)
  # Documented as required but declared optional; an omitted mask is not
  # rejected client-side.
  updateMask = _messages.StringField(3)
class IamProjectsLocationsOauthClientsDeleteRequest(_messages.Message):
  r"""Request parameters for deleting an OauthClient.

  Fields:
    name: Required. The name of the OauthClient to delete. Format:
      `projects/{project}/locations/{location}/oauthClients/{oauth_client}`.
    validateOnly: Optional. If set, validate the request and preview the
      response, but do not actually post it.
  """

  name = _messages.StringField(1, required=True)
  # Dry-run switch; the delete is not performed when this is set.
  validateOnly = _messages.BooleanField(2)
class IamProjectsLocationsOauthClientsGetRequest(_messages.Message):
  r"""Request parameters for retrieving an OauthClient.

  Fields:
    name: Required. The name of the OauthClient to retrieve. Format:
      `projects/{project}/locations/{location}/oauthClients/{oauth_client}`.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsOauthClientsListRequest(_messages.Message):
  r"""Request parameters for listing OauthClients under a parent.

  Fields:
    pageSize: Optional. The maximum number of OauthClients to return. If
      unspecified, at most 50 OauthClients will be returned. The maximum value
      is 100; values above 100 are truncated to 100.
    pageToken: Optional. A page token, received from a previous
      `ListOauthClients` call. Provide this to retrieve the subsequent page.
    parent: Required. The parent to list OauthClients for.
    showDeleted: Optional. Whether to return soft-deleted OauthClients.
  """

  # 32-bit on the wire; the 50 default / 100 cap are applied by the service.
  pageSize = _messages.IntegerField(1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(2)
  parent = _messages.StringField(3, required=True)
  showDeleted = _messages.BooleanField(4)
class IamProjectsLocationsOauthClientsPatchRequest(_messages.Message):
  r"""Request parameters for updating an OauthClient.

  Fields:
    name: Immutable. Identifier. The resource name of the OauthClient. Format:
      `projects/{project}/locations/{location}/oauthClients/{oauth_client}`.
    oauthClient: A OauthClient resource to be passed as the request body.
    updateMask: Required. The list of fields to update.
  """

  name = _messages.StringField(1, required=True)
  oauthClient = _messages.MessageField('OauthClient', 2)
  # Documented as required but declared optional; not enforced client-side.
  updateMask = _messages.StringField(3)
class IamProjectsLocationsOauthClientsUndeleteRequest(_messages.Message):
  r"""Request parameters for undeleting a soft-deleted OauthClient.

  Fields:
    name: Required. The name of the OauthClient to undelete. Format:
      `projects/{project}/locations/{location}/oauthClients/{oauth_client}`.
    undeleteOauthClientRequest: A UndeleteOauthClientRequest resource to be
      passed as the request body.
  """

  name = _messages.StringField(1, required=True)
  undeleteOauthClientRequest = _messages.MessageField('UndeleteOauthClientRequest', 2)
class IamProjectsLocationsWorkloadIdentityPoolsAddAttestationRuleRequest(_messages.Message):
  r"""Request parameters for adding an attestation rule to a workload identity
  pool resource.

  Fields:
    addAttestationRuleRequest: A AddAttestationRuleRequest resource to be
      passed as the request body.
    resource: Required. The resource name of the managed identity or namespace
      resource to add an attestation rule to.
  """

  addAttestationRuleRequest = _messages.MessageField('AddAttestationRuleRequest', 1)
  resource = _messages.StringField(2, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsCreateRequest(_messages.Message):
  r"""Request parameters for creating a WorkloadIdentityPool.

  Fields:
    parent: Required. The parent resource to create the pool in. The only
      supported location is `global`.
    workloadIdentityPool: A WorkloadIdentityPool resource to be passed as the
      request body.
    workloadIdentityPoolId: Required. The ID to use for the pool, which
      becomes the final component of the resource name. This value should be
      4-32 characters, and may contain the characters [a-z0-9-]. The prefix
      `gcp-` is reserved for use by Google, and may not be specified.
  """

  parent = _messages.StringField(1, required=True)
  workloadIdentityPool = _messages.MessageField('WorkloadIdentityPool', 2)
  # Documented as required but not flagged required=True; the ID constraints
  # are presumably validated server-side — confirm.
  workloadIdentityPoolId = _messages.StringField(3)
class IamProjectsLocationsWorkloadIdentityPoolsDeleteRequest(_messages.Message):
  r"""Request parameters for deleting a WorkloadIdentityPool.

  Fields:
    name: Required. The name of the pool to delete.
  """

  # No validateOnly or etag field exists on this request, unlike the
  # OauthClient delete requests in this file.
  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsGetIamPolicyRequest(_messages.Message):
  r"""Request parameters for reading the IAM policy of a WorkloadIdentityPool.

  Fields:
    getIamPolicyRequest: A GetIamPolicyRequest resource to be passed as the
      request body.
    resource: REQUIRED: The resource for which the policy is being requested.
      See
      [Resource names](https://cloud.google.com/apis/design/resource_names)
      for the appropriate value for this field.
  """

  getIamPolicyRequest = _messages.MessageField('GetIamPolicyRequest', 1)
  resource = _messages.StringField(2, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsGetRequest(_messages.Message):
  r"""Request parameters for retrieving a WorkloadIdentityPool.

  Fields:
    name: Required. The name of the pool to retrieve.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsListAttestationRulesRequest(_messages.Message):
  r"""Request parameters for listing the attestation rules of a workload
  identity pool resource.

  Fields:
    filter: Optional. A query filter. Supports the following function:
      * `container_ids()`: Returns only the AttestationRules under the
        specific container ids. The function expects a comma-delimited list
        with only project numbers and must use the format `projects/`. For
        example: `container_ids(projects/, projects/,...)`.
      NOTE(review): the example appears to have lost its project-number
      placeholders (probably angle-bracketed text dropped by the
      generator); consult the upstream API docs for the exact syntax.
    pageSize: Optional. The maximum number of AttestationRules to return. If
      unspecified, at most 50 AttestationRules are returned. The maximum value
      is 100; values above 100 are truncated to 100.
    pageToken: Optional. A page token, received from a previous
      `ListWorkloadIdentityPoolProviderKeys` call. Provide this to retrieve
      the subsequent page.
      NOTE(review): the method named here is the provider-keys list, not
      the attestation-rules list; this looks copied from another request in
      the upstream description — confirm which call issues the token.
    resource: Required. The resource name of the managed identity or namespace
      resource to list attestation rules of.
  """

  # Passed through verbatim; the filter grammar is interpreted by the service.
  filter = _messages.StringField(1)
  pageSize = _messages.IntegerField(2, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(3)
  resource = _messages.StringField(4, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsListRequest(_messages.Message):
  r"""Request parameters for listing WorkloadIdentityPools under a parent.

  Fields:
    pageSize: The maximum number of pools to return. If unspecified, at most
      50 pools are returned. The maximum value is 1000; values above 1000 are
      truncated to 1000.
    pageToken: A page token, received from a previous
      `ListWorkloadIdentityPools` call. Provide this to retrieve the
      subsequent page.
    parent: Required. The parent resource to list pools for.
    showDeleted: Whether to return soft-deleted pools.
  """

  # 32-bit on the wire; the 50 default / 1000 cap are applied by the service.
  pageSize = _messages.IntegerField(1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(2)
  parent = _messages.StringField(3, required=True)
  showDeleted = _messages.BooleanField(4)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesAddAttestationRuleRequest(_messages.Message):
  r"""Request parameters for adding an attestation rule to a
  WorkloadIdentityPoolNamespace.

  Fields:
    addAttestationRuleRequest: A AddAttestationRuleRequest resource to be
      passed as the request body.
    resource: Required. The resource name of the managed identity or namespace
      resource to add an attestation rule to.
  """

  addAttestationRuleRequest = _messages.MessageField('AddAttestationRuleRequest', 1)
  resource = _messages.StringField(2, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesCreateRequest(_messages.Message):
  r"""Request parameters for creating a WorkloadIdentityPoolNamespace.

  Fields:
    parent: Required. The parent resource to create the namespace in. The only
      supported location is `global`.
    workloadIdentityPoolNamespace: A WorkloadIdentityPoolNamespace resource to
      be passed as the request body.
    workloadIdentityPoolNamespaceId: Required. The ID to use for the
      namespace. This value must:
      * contain at most 63 characters
      * contain only lowercase alphanumeric characters or `-`
      * start with an alphanumeric character
      * end with an alphanumeric character
      The prefix "gcp-" will be reserved for future uses.
  """

  parent = _messages.StringField(1, required=True)
  workloadIdentityPoolNamespace = _messages.MessageField('WorkloadIdentityPoolNamespace', 2)
  # Documented as required but not flagged required=True; the ID rules are
  # presumably validated server-side — confirm.
  workloadIdentityPoolNamespaceId = _messages.StringField(3)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesDeleteRequest(_messages.Message):
  r"""Request parameters for deleting a WorkloadIdentityPoolNamespace.

  Fields:
    name: Required. The name of the namespace to delete.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesGetIamPolicyRequest(_messages.Message):
  r"""Request parameters for reading the IAM policy of a
  WorkloadIdentityPoolNamespace.

  Fields:
    getIamPolicyRequest: A GetIamPolicyRequest resource to be passed as the
      request body.
    resource: REQUIRED: The resource for which the policy is being requested.
      See
      [Resource names](https://cloud.google.com/apis/design/resource_names)
      for the appropriate value for this field.
  """

  getIamPolicyRequest = _messages.MessageField('GetIamPolicyRequest', 1)
  resource = _messages.StringField(2, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesGetRequest(_messages.Message):
  r"""Request parameters for retrieving a WorkloadIdentityPoolNamespace.

  Fields:
    name: Required. The name of the namespace to retrieve.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesListAttestationRulesRequest(_messages.Message):
  r"""Request parameters for listing the attestation rules of a
  WorkloadIdentityPoolNamespace.

  Fields:
    filter: Optional. A query filter. Supports the following function:
      * `container_ids()`: Returns only the AttestationRules under the
        specific container ids. The function expects a comma-delimited list
        with only project numbers and must use the format `projects/`. For
        example: `container_ids(projects/, projects/,...)`.
      NOTE(review): the example appears to have lost its project-number
      placeholders; consult the upstream API docs for the exact syntax.
    pageSize: Optional. The maximum number of AttestationRules to return. If
      unspecified, at most 50 AttestationRules are returned. The maximum value
      is 100; values above 100 are truncated to 100.
    pageToken: Optional. A page token, received from a previous
      `ListWorkloadIdentityPoolProviderKeys` call. Provide this to retrieve
      the subsequent page.
      NOTE(review): the method named here is the provider-keys list; this
      looks copied from another request in the upstream description —
      confirm which call issues the token.
    resource: Required. The resource name of the managed identity or namespace
      resource to list attestation rules of.
  """

  filter = _messages.StringField(1)
  pageSize = _messages.IntegerField(2, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(3)
  resource = _messages.StringField(4, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesListRequest(_messages.Message):
  r"""Request parameters for listing WorkloadIdentityPoolNamespaces.

  Fields:
    pageSize: The maximum number of namespaces to return. If unspecified, at
      most 50 namespaces are returned. The maximum value is 1000; values above
      1000 are truncated to 1000.
    pageToken: A page token, received from a previous
      `ListWorkloadIdentityPoolNamespaces` call. Provide this to retrieve the
      subsequent page.
    parent: Required. The parent resource to list namespaces for.
    showDeleted: Whether to return soft-deleted namespaces.
  """

  pageSize = _messages.IntegerField(1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(2)
  parent = _messages.StringField(3, required=True)
  showDeleted = _messages.BooleanField(4)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesAddAttestationRuleRequest(_messages.Message):
  r"""Request parameters for adding an attestation rule to a
  WorkloadIdentityPoolManagedIdentity.

  Fields:
    addAttestationRuleRequest: A AddAttestationRuleRequest resource to be
      passed as the request body.
    resource: Required. The resource name of the managed identity or namespace
      resource to add an attestation rule to.
  """

  addAttestationRuleRequest = _messages.MessageField('AddAttestationRuleRequest', 1)
  resource = _messages.StringField(2, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesCreateRequest(_messages.Message):
  r"""Request parameters for creating a WorkloadIdentityPoolManagedIdentity.

  Fields:
    parent: Required. The parent resource to create the managed identity in.
      The only supported location is `global`.
    workloadIdentityPoolManagedIdentity: A WorkloadIdentityPoolManagedIdentity
      resource to be passed as the request body.
    workloadIdentityPoolManagedIdentityId: Required. The ID to use for the
      managed identity. This value must:
      * contain at most 63 characters
      * contain only lowercase alphanumeric characters or `-`
      * start with an alphanumeric character
      * end with an alphanumeric character
      The prefix "gcp-" will be reserved for future uses.
  """

  parent = _messages.StringField(1, required=True)
  workloadIdentityPoolManagedIdentity = _messages.MessageField('WorkloadIdentityPoolManagedIdentity', 2)
  # Documented as required but not flagged required=True; the ID rules are
  # presumably validated server-side — confirm.
  workloadIdentityPoolManagedIdentityId = _messages.StringField(3)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesDeleteRequest(_messages.Message):
  r"""Request parameters for deleting a WorkloadIdentityPoolManagedIdentity.

  Fields:
    name: Required. The name of the managed identity to delete.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesGetIamPolicyRequest(_messages.Message):
  r"""Request parameters for reading the IAM policy of a
  WorkloadIdentityPoolManagedIdentity.

  Fields:
    getIamPolicyRequest: A GetIamPolicyRequest resource to be passed as the
      request body.
    resource: REQUIRED: The resource for which the policy is being requested.
      See
      [Resource names](https://cloud.google.com/apis/design/resource_names)
      for the appropriate value for this field.
  """

  getIamPolicyRequest = _messages.MessageField('GetIamPolicyRequest', 1)
  resource = _messages.StringField(2, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesGetRequest(_messages.Message):
  r"""Request parameters for retrieving a WorkloadIdentityPoolManagedIdentity.

  Fields:
    name: Required. The name of the managed identity to retrieve.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesListAttestationRulesRequest(_messages.Message):
  r"""Request parameters for listing the attestation rules of a
  WorkloadIdentityPoolManagedIdentity.

  Fields:
    filter: Optional. A query filter. Supports the following function:
      * `container_ids()`: Returns only the AttestationRules under the
        specific container ids. The function expects a comma-delimited list
        with only project numbers and must use the format `projects/`. For
        example: `container_ids(projects/, projects/,...)`.
      NOTE(review): the example appears to have lost its project-number
      placeholders; consult the upstream API docs for the exact syntax.
    pageSize: Optional. The maximum number of AttestationRules to return. If
      unspecified, at most 50 AttestationRules are returned. The maximum value
      is 100; values above 100 are truncated to 100.
    pageToken: Optional. A page token, received from a previous
      `ListWorkloadIdentityPoolProviderKeys` call. Provide this to retrieve
      the subsequent page.
      NOTE(review): the method named here is the provider-keys list; this
      looks copied from another request in the upstream description —
      confirm which call issues the token.
    resource: Required. The resource name of the managed identity or namespace
      resource to list attestation rules of.
  """

  filter = _messages.StringField(1)
  pageSize = _messages.IntegerField(2, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(3)
  resource = _messages.StringField(4, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesListRequest(_messages.Message):
  r"""Request parameters for listing WorkloadIdentityPoolManagedIdentities.

  Fields:
    pageSize: The maximum number of managed identities to return. If
      unspecified, at most 50 managed identities are returned. The maximum
      value is 1000; values above 1000 are truncated to 1000.
    pageToken: A page token, received from a previous
      `ListWorkloadIdentityPoolManagedIdentities` call. Provide this to
      retrieve the subsequent page.
    parent: Required. The parent resource to list managed identities for.
    showDeleted: Whether to return soft-deleted managed identities.
  """

  pageSize = _messages.IntegerField(1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(2)
  parent = _messages.StringField(3, required=True)
  showDeleted = _messages.BooleanField(4)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesOperationsGetRequest(_messages.Message):
  r"""Request parameters for polling a long-running operation on a
  WorkloadIdentityPoolManagedIdentity.

  Fields:
    name: The name of the operation resource.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesPatchRequest(_messages.Message):
  r"""Request parameters for updating a WorkloadIdentityPoolManagedIdentity.

  Fields:
    name: Identifier. The resource name of the managed identity.
    updateMask: Required. The list of fields to update.
    workloadIdentityPoolManagedIdentity: A WorkloadIdentityPoolManagedIdentity
      resource to be passed as the request body.
  """

  name = _messages.StringField(1, required=True)
  # Documented as required but declared optional; not enforced client-side.
  updateMask = _messages.StringField(2)
  workloadIdentityPoolManagedIdentity = _messages.MessageField('WorkloadIdentityPoolManagedIdentity', 3)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesRemoveAttestationRuleRequest(_messages.Message):
  r"""Request parameters for removing one attestation rule from a managed
  identity.

  Fields:
    removeAttestationRuleRequest: A RemoveAttestationRuleRequest resource to
      be passed as the request body.
    resource: Required. The resource name of the managed identity or namespace
      resource to remove an attestation rule from.
  """

  # The rule to remove lives in the request body, not in this wrapper.
  removeAttestationRuleRequest = _messages.MessageField('RemoveAttestationRuleRequest', 1)
  resource = _messages.StringField(2, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesSetAttestationRulesRequest(_messages.Message):
  r"""Request parameters for setting the attestation rules of a managed
  identity.

  Fields:
    resource: Required. The resource name of the managed identity or namespace
      resource to add an attestation rule to.
    setAttestationRulesRequest: A SetAttestationRulesRequest resource to be
      passed as the request body.
  """

  resource = _messages.StringField(1, required=True)
  # NOTE(review): a "Set" call presumably replaces the full rule set rather
  # than appending; callers should read the current rules first. Confirm
  # against SetAttestationRulesRequest.
  setAttestationRulesRequest = _messages.MessageField('SetAttestationRulesRequest', 2)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesSetIamPolicyRequest(_messages.Message):
  r"""Request parameters for replacing the IAM policy of a managed identity.

  Fields:
    resource: REQUIRED: The resource for which the policy is being specified.
      See [Resource
      names](https://cloud.google.com/apis/design/resource_names) for the
      appropriate value for this field.
    setIamPolicyRequest: A SetIamPolicyRequest resource to be passed as the
      request body.
  """

  resource = _messages.StringField(1, required=True)
  # NOTE(review): setIamPolicy overwrites the existing policy; pair it with
  # the etag from getIamPolicy to avoid lost updates. Confirm in Policy.
  setIamPolicyRequest = _messages.MessageField('SetIamPolicyRequest', 2)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesTestIamPermissionsRequest(_messages.Message):
  r"""Request parameters for testing which of a set of permissions the caller
  holds on a managed identity.

  Fields:
    resource: REQUIRED: The resource for which the policy detail is being
      requested. See [Resource
      names](https://cloud.google.com/apis/design/resource_names) for the
      appropriate value for this field.
    testIamPermissionsRequest: A TestIamPermissionsRequest resource to be
      passed as the request body.
  """

  resource = _messages.StringField(1, required=True)
  # Read-only check; the permissions to test travel in the request body.
  testIamPermissionsRequest = _messages.MessageField('TestIamPermissionsRequest', 2)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesUndeleteRequest(_messages.Message):
  r"""Request parameters for restoring a soft-deleted managed identity.

  Fields:
    name: Required. The name of the managed identity to undelete.
    undeleteWorkloadIdentityPoolManagedIdentityRequest: A
      UndeleteWorkloadIdentityPoolManagedIdentityRequest resource to be passed
      as the request body.
  """

  # Restoring an identity restores whatever access it had; worth an audit
  # log entry on the defender side.
  name = _messages.StringField(1, required=True)
  undeleteWorkloadIdentityPoolManagedIdentityRequest = _messages.MessageField('UndeleteWorkloadIdentityPoolManagedIdentityRequest', 2)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesCreateRequest(_messages.Message):
  r"""Request parameters for creating a workload source under a managed
  identity.

  Fields:
    parent: Required. The parent resource to create the workload source in.
    workloadSource: A WorkloadSource resource to be passed as the request
      body.
    workloadSourceId: Required. The ID to use for the workload source, which
      becomes the final component of the resource name. The ID of the
      WorkloadSource resource determines which workloads may be matched. The
      following formats are supported: - `project-{project_number}` matches
      workloads within the referenced Google Cloud project.
  """

  parent = _messages.StringField(1, required=True)
  workloadSource = _messages.MessageField('WorkloadSource', 2)
  # The ID doubles as the matching scope (e.g. a whole project), so a typo
  # here widens or narrows which workloads may obtain the identity.
  # Documented as Required but not enforced client-side (no required=True).
  workloadSourceId = _messages.StringField(3)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesDeleteRequest(_messages.Message):
  r"""Request parameters for deleting a workload source under a managed
  identity.

  Fields:
    etag: Optional. The etag for this workload source. If provided, it must
      match the server's etag.
    name: Required. The name of the workload source to delete.
  """

  # Optional optimistic-concurrency guard; supplying it prevents deleting a
  # source that was modified since it was last read.
  etag = _messages.StringField(1)
  name = _messages.StringField(2, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesGetRequest(_messages.Message):
  r"""Request parameters for fetching a workload source under a managed
  identity.

  Fields:
    name: Required. The name of the workload source to retrieve.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesListRequest(_messages.Message):
  r"""Request parameters for listing the workload sources of a managed
  identity.

  Fields:
    pageSize: The maximum number of workload sources to return. If
      unspecified, at most 50 workload sources are returned. The maximum value
      is 1000; values above 1000 are truncated to 1000.
    pageToken: A page token, received from a previous `ListWorkloadSources`
      call. Provide this to retrieve the subsequent page.
    parent: Required. The parent resource to list workload sources for.
  """

  pageSize = _messages.IntegerField(1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(2)
  parent = _messages.StringField(3, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesOperationsGetRequest(_messages.Message):
  r"""Request parameters for fetching a long-running operation under a
  managed identity's workload source.

  Fields:
    name: The name of the operation resource.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesPatchRequest(_messages.Message):
  r"""Request parameters for updating a workload source under a managed
  identity.

  Fields:
    name: Output only. The resource name of the workload source. The ID of
      the WorkloadSource resource determines which workloads may be matched.
      The following formats are supported: - `project-{project_number}`
      matches workloads within the referenced Google Cloud project.
    updateMask: Required. The list of fields to update.
    workloadSource: A WorkloadSource resource to be passed as the request
      body.
  """

  # "Output only" in the resource, but a required path parameter here.
  name = _messages.StringField(1, required=True)
  # Documented as Required but not enforced client-side (no required=True).
  updateMask = _messages.StringField(2)
  workloadSource = _messages.MessageField('WorkloadSource', 3)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesOperationsGetRequest(_messages.Message):
  r"""Request parameters for fetching a long-running operation under a
  workload identity pool namespace.

  Fields:
    name: The name of the operation resource.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesPatchRequest(_messages.Message):
  r"""Request parameters for updating a workload identity pool namespace.

  Fields:
    name: Output only. The resource name of the namespace.
    updateMask: Required. The list of fields to update.
    workloadIdentityPoolNamespace: A WorkloadIdentityPoolNamespace resource to
      be passed as the request body.
  """

  name = _messages.StringField(1, required=True)
  # Documented as Required but not enforced client-side (no required=True).
  updateMask = _messages.StringField(2)
  workloadIdentityPoolNamespace = _messages.MessageField('WorkloadIdentityPoolNamespace', 3)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesRemoveAttestationRuleRequest(_messages.Message):
  r"""Request parameters for removing one attestation rule from a workload
  identity pool namespace.

  Fields:
    removeAttestationRuleRequest: A RemoveAttestationRuleRequest resource to
      be passed as the request body.
    resource: Required. The resource name of the managed identity or namespace
      resource to remove an attestation rule from.
  """

  removeAttestationRuleRequest = _messages.MessageField('RemoveAttestationRuleRequest', 1)
  resource = _messages.StringField(2, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesSetAttestationRulesRequest(_messages.Message):
  r"""Request parameters for setting the attestation rules of a workload
  identity pool namespace.

  Fields:
    resource: Required. The resource name of the managed identity or namespace
      resource to add an attestation rule to.
    setAttestationRulesRequest: A SetAttestationRulesRequest resource to be
      passed as the request body.
  """

  resource = _messages.StringField(1, required=True)
  # NOTE(review): a "Set" call presumably replaces the full rule set rather
  # than appending; confirm against SetAttestationRulesRequest.
  setAttestationRulesRequest = _messages.MessageField('SetAttestationRulesRequest', 2)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesSetIamPolicyRequest(_messages.Message):
  r"""Request parameters for replacing the IAM policy of a workload identity
  pool namespace.

  Fields:
    resource: REQUIRED: The resource for which the policy is being specified.
      See [Resource
      names](https://cloud.google.com/apis/design/resource_names) for the
      appropriate value for this field.
    setIamPolicyRequest: A SetIamPolicyRequest resource to be passed as the
      request body.
  """

  resource = _messages.StringField(1, required=True)
  # NOTE(review): setIamPolicy overwrites the existing policy; pair it with
  # the etag from getIamPolicy to avoid lost updates. Confirm in Policy.
  setIamPolicyRequest = _messages.MessageField('SetIamPolicyRequest', 2)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesTestIamPermissionsRequest(_messages.Message):
  r"""Request parameters for testing which of a set of permissions the caller
  holds on a workload identity pool namespace.

  Fields:
    resource: REQUIRED: The resource for which the policy detail is being
      requested. See [Resource
      names](https://cloud.google.com/apis/design/resource_names) for the
      appropriate value for this field.
    testIamPermissionsRequest: A TestIamPermissionsRequest resource to be
      passed as the request body.
  """

  resource = _messages.StringField(1, required=True)
  testIamPermissionsRequest = _messages.MessageField('TestIamPermissionsRequest', 2)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesUndeleteRequest(_messages.Message):
  r"""Request parameters for restoring a soft-deleted workload identity pool
  namespace.

  Fields:
    name: Required. The name of the namespace to undelete.
    undeleteWorkloadIdentityPoolNamespaceRequest: A
      UndeleteWorkloadIdentityPoolNamespaceRequest resource to be passed as
      the request body.
  """

  name = _messages.StringField(1, required=True)
  undeleteWorkloadIdentityPoolNamespaceRequest = _messages.MessageField('UndeleteWorkloadIdentityPoolNamespaceRequest', 2)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesCreateRequest(_messages.Message):
  r"""Request parameters for creating a workload source under a workload
  identity pool namespace.

  Fields:
    parent: Required. The parent resource to create the workload source in.
    workloadSource: A WorkloadSource resource to be passed as the request
      body.
    workloadSourceId: Required. The ID to use for the workload source, which
      becomes the final component of the resource name. The ID of the
      WorkloadSource resource determines which workloads may be matched. The
      following formats are supported: - `project-{project_number}` matches
      workloads within the referenced Google Cloud project.
  """

  parent = _messages.StringField(1, required=True)
  workloadSource = _messages.MessageField('WorkloadSource', 2)
  # The ID doubles as the matching scope (e.g. a whole project), so it
  # deserves the same review as a policy binding. Documented as Required but
  # not enforced client-side (no required=True).
  workloadSourceId = _messages.StringField(3)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesDeleteRequest(_messages.Message):
  r"""Request parameters for deleting a workload source under a workload
  identity pool namespace.

  Fields:
    etag: Optional. The etag for this workload source. If provided, it must
      match the server's etag.
    name: Required. The name of the workload source to delete.
  """

  # Optional optimistic-concurrency guard against deleting a source that
  # changed since it was last read.
  etag = _messages.StringField(1)
  name = _messages.StringField(2, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesGetRequest(_messages.Message):
  r"""Request parameters for fetching a workload source under a workload
  identity pool namespace.

  Fields:
    name: Required. The name of the workload source to retrieve.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesListRequest(_messages.Message):
  r"""Request parameters for listing the workload sources of a workload
  identity pool namespace.

  Fields:
    pageSize: The maximum number of workload sources to return. If
      unspecified, at most 50 workload sources are returned. The maximum value
      is 1000; values above 1000 are truncated to 1000.
    pageToken: A page token, received from a previous `ListWorkloadSources`
      call. Provide this to retrieve the subsequent page.
    parent: Required. The parent resource to list workload sources for.
  """

  pageSize = _messages.IntegerField(1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(2)
  parent = _messages.StringField(3, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesOperationsGetRequest(_messages.Message):
  r"""Request parameters for fetching a long-running operation under a
  namespace's workload source.

  Fields:
    name: The name of the operation resource.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesPatchRequest(_messages.Message):
  r"""Request parameters for updating a workload source under a workload
  identity pool namespace.

  Fields:
    name: Output only. The resource name of the workload source. The ID of
      the WorkloadSource resource determines which workloads may be matched.
      The following formats are supported: - `project-{project_number}`
      matches workloads within the referenced Google Cloud project.
    updateMask: Required. The list of fields to update.
    workloadSource: A WorkloadSource resource to be passed as the request
      body.
  """

  name = _messages.StringField(1, required=True)
  # Documented as Required but not enforced client-side (no required=True).
  updateMask = _messages.StringField(2)
  workloadSource = _messages.MessageField('WorkloadSource', 3)
class IamProjectsLocationsWorkloadIdentityPoolsOperationsGetRequest(_messages.Message):
  r"""Request parameters for fetching a long-running operation under a
  workload identity pool.

  Fields:
    name: The name of the operation resource.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsPatchRequest(_messages.Message):
  r"""Request parameters for updating a workload identity pool.

  Fields:
    name: Output only. The resource name of the pool.
    updateMask: Required. The list of fields to update.
    workloadIdentityPool: A WorkloadIdentityPool resource to be passed as the
      request body.
  """

  name = _messages.StringField(1, required=True)
  # Documented as Required but not enforced client-side (no required=True).
  updateMask = _messages.StringField(2)
  workloadIdentityPool = _messages.MessageField('WorkloadIdentityPool', 3)
class IamProjectsLocationsWorkloadIdentityPoolsProvidersCreateRequest(_messages.Message):
  r"""Request parameters for creating a workload identity pool provider.

  Fields:
    parent: Required. The pool to create this provider in.
    workloadIdentityPoolProvider: A WorkloadIdentityPoolProvider resource to
      be passed as the request body.
    workloadIdentityPoolProviderId: Required. The ID for the provider, which
      becomes the final component of the resource name. This value must be
      4-32 characters, and may contain the characters [a-z0-9-]. The prefix
      `gcp-` is reserved for use by Google, and may not be specified.
  """

  parent = _messages.StringField(1, required=True)
  # The provider body carries the trust configuration (issuer, attribute
  # mapping/conditions); that is where the security review belongs.
  workloadIdentityPoolProvider = _messages.MessageField('WorkloadIdentityPoolProvider', 2)
  # Length/charset/prefix rules above are documented only; no client-side
  # validation here, so presumably enforced by the server.
  workloadIdentityPoolProviderId = _messages.StringField(3)
class IamProjectsLocationsWorkloadIdentityPoolsProvidersDeleteRequest(_messages.Message):
  r"""Request parameters for deleting a workload identity pool provider.

  Fields:
    name: Required. The name of the provider to delete.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsProvidersGetRequest(_messages.Message):
  r"""Request parameters for fetching a workload identity pool provider.

  Fields:
    name: Required. The name of the provider to retrieve.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsProvidersKeysCreateRequest(_messages.Message):
  r"""Request parameters for creating a key under a workload identity pool
  provider.

  Fields:
    parent: Required. The parent provider resource to create the key in.
    workloadIdentityPoolProviderKey: A WorkloadIdentityPoolProviderKey
      resource to be passed as the request body.
    workloadIdentityPoolProviderKeyId: Required. The ID to use for the key,
      which becomes the final component of the resource name. This value
      should be 4-32 characters, and may contain the characters [a-z0-9-].
  """

  parent = _messages.StringField(1, required=True)
  workloadIdentityPoolProviderKey = _messages.MessageField('WorkloadIdentityPoolProviderKey', 2)
  # Length/charset rules are documented only; no client-side validation.
  workloadIdentityPoolProviderKeyId = _messages.StringField(3)
class IamProjectsLocationsWorkloadIdentityPoolsProvidersKeysDeleteRequest(_messages.Message):
  r"""Request parameters for deleting a key under a workload identity pool
  provider.

  Fields:
    name: Required. The name of the encryption key to delete.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsProvidersKeysGetRequest(_messages.Message):
  r"""Request parameters for fetching a key under a workload identity pool
  provider.

  Fields:
    name: Required. The name of the key to retrieve.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsProvidersKeysListRequest(_messages.Message):
  r"""Request parameters for listing the keys of a workload identity pool
  provider.

  Fields:
    pageSize: The maximum number of keys to return. If unspecified, all keys
      are returned. The maximum value is 10; values above 10 are truncated to
      10.
    pageToken: A page token, received from a previous
      `ListWorkloadIdentityPoolProviderKeys` call. Provide this to retrieve
      the subsequent page.
    parent: Required. The parent provider resource to list encryption keys
      for.
    showDeleted: Whether to return soft deleted resources as well.
  """

  # Note the much smaller cap (10) than the other list requests in this file.
  pageSize = _messages.IntegerField(1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(2)
  parent = _messages.StringField(3, required=True)
  showDeleted = _messages.BooleanField(4)
class IamProjectsLocationsWorkloadIdentityPoolsProvidersKeysOperationsGetRequest(_messages.Message):
  r"""Request parameters for fetching a long-running operation under a
  provider key.

  Fields:
    name: The name of the operation resource.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsProvidersKeysUndeleteRequest(_messages.Message):
  r"""Request parameters for restoring a soft-deleted provider key.

  Fields:
    name: Required. The name of the encryption key to undelete.
    undeleteWorkloadIdentityPoolProviderKeyRequest: A
      UndeleteWorkloadIdentityPoolProviderKeyRequest resource to be passed as
      the request body.
  """

  name = _messages.StringField(1, required=True)
  undeleteWorkloadIdentityPoolProviderKeyRequest = _messages.MessageField('UndeleteWorkloadIdentityPoolProviderKeyRequest', 2)
class IamProjectsLocationsWorkloadIdentityPoolsProvidersListRequest(_messages.Message):
  r"""Request parameters for listing the providers of a workload identity
  pool.

  Fields:
    pageSize: The maximum number of providers to return. If unspecified, at
      most 50 providers are returned. The maximum value is 100; values above
      100 are truncated to 100.
    pageToken: A page token, received from a previous
      `ListWorkloadIdentityPoolProviders` call. Provide this to retrieve the
      subsequent page.
    parent: Required. The pool to list providers for.
    showDeleted: Whether to return soft-deleted providers.
  """

  pageSize = _messages.IntegerField(1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(2)
  parent = _messages.StringField(3, required=True)
  # Soft-deleted providers can be undeleted, so an inventory of trust
  # relationships should include them.
  showDeleted = _messages.BooleanField(4)
class IamProjectsLocationsWorkloadIdentityPoolsProvidersOperationsGetRequest(_messages.Message):
  r"""Request parameters for fetching a long-running operation under a
  workload identity pool provider.

  Fields:
    name: The name of the operation resource.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsProvidersPatchRequest(_messages.Message):
  r"""Request parameters for updating a workload identity pool provider.

  Fields:
    name: Identifier. The resource name of the provider.
    updateMask: Required. The list of fields to update.
    workloadIdentityPoolProvider: A WorkloadIdentityPoolProvider resource to
      be passed as the request body.
  """

  name = _messages.StringField(1, required=True)
  # Documented as Required but not enforced client-side (no required=True).
  # A broad mask can silently clear trust settings not set in the body.
  updateMask = _messages.StringField(2)
  workloadIdentityPoolProvider = _messages.MessageField('WorkloadIdentityPoolProvider', 3)
class IamProjectsLocationsWorkloadIdentityPoolsProvidersUndeleteRequest(_messages.Message):
  r"""Request parameters for restoring a soft-deleted workload identity pool
  provider.

  Fields:
    name: Required. The name of the provider to undelete.
    undeleteWorkloadIdentityPoolProviderRequest: A
      UndeleteWorkloadIdentityPoolProviderRequest resource to be passed as the
      request body.
  """

  # Restoring a provider re-establishes an external trust relationship.
  name = _messages.StringField(1, required=True)
  undeleteWorkloadIdentityPoolProviderRequest = _messages.MessageField('UndeleteWorkloadIdentityPoolProviderRequest', 2)
class IamProjectsLocationsWorkloadIdentityPoolsRemoveAttestationRuleRequest(_messages.Message):
  r"""Request parameters for removing one attestation rule from a workload
  identity pool.

  Fields:
    removeAttestationRuleRequest: A RemoveAttestationRuleRequest resource to
      be passed as the request body.
    resource: Required. The resource name of the managed identity or namespace
      resource to remove an attestation rule from.
  """

  removeAttestationRuleRequest = _messages.MessageField('RemoveAttestationRuleRequest', 1)
  # The generated description still says "managed identity or namespace"
  # although this request lives at pool level; presumably copied upstream.
  resource = _messages.StringField(2, required=True)
class IamProjectsLocationsWorkloadIdentityPoolsSetAttestationRulesRequest(_messages.Message):
  r"""Request parameters for setting the attestation rules of a workload
  identity pool.

  Fields:
    resource: Required. The resource name of the managed identity or namespace
      resource to add an attestation rule to.
    setAttestationRulesRequest: A SetAttestationRulesRequest resource to be
      passed as the request body.
  """

  resource = _messages.StringField(1, required=True)
  # NOTE(review): a "Set" call presumably replaces the full rule set rather
  # than appending; confirm against SetAttestationRulesRequest.
  setAttestationRulesRequest = _messages.MessageField('SetAttestationRulesRequest', 2)
class IamProjectsLocationsWorkloadIdentityPoolsSetIamPolicyRequest(_messages.Message):
  r"""Request parameters for replacing the IAM policy of a workload identity
  pool.

  Fields:
    resource: REQUIRED: The resource for which the policy is being specified.
      See [Resource
      names](https://cloud.google.com/apis/design/resource_names) for the
      appropriate value for this field.
    setIamPolicyRequest: A SetIamPolicyRequest resource to be passed as the
      request body.
  """

  resource = _messages.StringField(1, required=True)
  # NOTE(review): setIamPolicy overwrites the existing policy; pair it with
  # the etag from getIamPolicy to avoid lost updates. Confirm in Policy.
  setIamPolicyRequest = _messages.MessageField('SetIamPolicyRequest', 2)
class IamProjectsLocationsWorkloadIdentityPoolsTestIamPermissionsRequest(_messages.Message):
  r"""Request parameters for testing which of a set of permissions the caller
  holds on a workload identity pool.

  Fields:
    resource: REQUIRED: The resource for which the policy detail is being
      requested. See [Resource
      names](https://cloud.google.com/apis/design/resource_names) for the
      appropriate value for this field.
    testIamPermissionsRequest: A TestIamPermissionsRequest resource to be
      passed as the request body.
  """

  resource = _messages.StringField(1, required=True)
  testIamPermissionsRequest = _messages.MessageField('TestIamPermissionsRequest', 2)
class IamProjectsLocationsWorkloadIdentityPoolsUndeleteRequest(_messages.Message):
  r"""Request parameters for restoring a soft-deleted workload identity pool.

  Fields:
    name: Required. The name of the pool to undelete.
    undeleteWorkloadIdentityPoolRequest: A UndeleteWorkloadIdentityPoolRequest
      resource to be passed as the request body.
  """

  name = _messages.StringField(1, required=True)
  undeleteWorkloadIdentityPoolRequest = _messages.MessageField('UndeleteWorkloadIdentityPoolRequest', 2)
class IamProjectsRolesCreateRequest(_messages.Message):
  r"""Request parameters for creating a custom role.

  Fields:
    createRoleRequest: A CreateRoleRequest resource to be passed as the
      request body.
    parent: The `parent` parameter's value depends on the target resource for
      the request, namely
      [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles)
      or
      [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles).
      Each resource type's `parent` value format is described below:
      * [projects.roles.create](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/create):
        `projects/{PROJECT_ID}`. This method creates project-level
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
        Example request URL:
        `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
      * [organizations.roles.create](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/create):
        `organizations/{ORGANIZATION_ID}`. This method creates
        organization-level
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
        Example request URL:
        `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
      Note: Wildcard (*) values are invalid; you must specify a complete
      project ID or organization ID.
  """

  # The role's permission set is in the body; that is what to review.
  createRoleRequest = _messages.MessageField('CreateRoleRequest', 1)
  # The same message serves both project- and organization-scoped roles;
  # the scope is carried entirely by the parent string.
  parent = _messages.StringField(2, required=True)
class IamProjectsRolesDeleteRequest(_messages.Message):
  r"""Request parameters for deleting a custom role.

  Fields:
    etag: Used to perform a consistent read-modify-write.
    name: The `name` parameter's value depends on the target resource for the
      request, namely
      [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles)
      or
      [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles).
      Each resource type's `name` value format is described below:
      * [projects.roles.delete](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete):
        `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes
        only
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the project level. Example request URL:
        `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
      * [organizations.roles.delete](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/delete):
        `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
        deletes only
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the organization level. Example request
        URL:
        `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
      Note: Wildcard (*) values are invalid; you must specify a complete
      project ID or organization ID.
  """

  # Bytes, unlike the str etags on the workload-source requests in this file;
  # NOTE(review): apitools presumably base64-encodes BytesField on the wire,
  # so pass the raw etag from the Role, not a pre-encoded string. Verify.
  etag = _messages.BytesField(1)
  name = _messages.StringField(2, required=True)
class IamProjectsRolesGetRequest(_messages.Message):
  r"""Request parameters for fetching a role.

  Fields:
    name: The `name` parameter's value depends on the target resource for the
      request, namely
      [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles),
      [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles),
      or
      [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles).
      Each resource type's `name` value format is described below:
      * [roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/roles/get):
        `roles/{ROLE_NAME}`. This method returns results from all
        [predefined roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles)
        in IAM. Example request URL:
        `https://iam.googleapis.com/v1/roles/{ROLE_NAME}`
      * [projects.roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/get):
        `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns
        only
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the project level. Example request URL:
        `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
      * [organizations.roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/get):
        `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
        returns only
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the organization level. Example request
        URL:
        `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
      Note: Wildcard (*) values are invalid; you must specify a complete
      project ID or organization ID.
  """

  name = _messages.StringField(1, required=True)
class IamProjectsRolesListRequest(_messages.Message):
  r"""Request parameters for listing roles.

  Enums:
    ViewValueValuesEnum: Optional view for the returned Role objects. When
      `FULL` is specified, the `includedPermissions` field is returned, which
      includes a list of all permissions in the role. The default value is
      `BASIC`, which does not return the `includedPermissions` field.

  Fields:
    pageSize: Optional limit on the number of roles to include in the
      response. The default is 300, and the maximum is 1,000.
    pageToken: Optional pagination token returned in an earlier
      ListRolesResponse.
    parent: The `parent` parameter's value depends on the target resource for
      the request, namely
      [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles),
      [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles),
      or
      [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles).
      Each resource type's `parent` value format is described below:
      * [roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/roles/list):
        An empty string. This method doesn't require a resource; it simply
        returns all
        [predefined roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles)
        in IAM. Example request URL: `https://iam.googleapis.com/v1/roles`
      * [projects.roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/list):
        `projects/{PROJECT_ID}`. This method lists all project-level
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
        Example request URL:
        `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
      * [organizations.roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/list):
        `organizations/{ORGANIZATION_ID}`. This method lists all
        organization-level
        [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
        Example request URL:
        `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
      Note: Wildcard (*) values are invalid; you must specify a complete
      project ID or organization ID.
    showDeleted: Include Roles that have been deleted.
    view: Optional view for the returned Role objects. When `FULL` is
      specified, the `includedPermissions` field is returned, which includes a
      list of all permissions in the role. The default value is `BASIC`, which
      does not return the `includedPermissions` field.
  """

  class ViewValueValuesEnum(_messages.Enum):
    r"""Optional view for the returned Role objects. When `FULL` is specified,
    the `includedPermissions` field is returned, which includes a list of all
    permissions in the role. The default value is `BASIC`, which does not
    return the `includedPermissions` field.

    Values:
      BASIC: Omits the `included_permissions` field. This is the default
        value.
      FULL: Returns all fields.
    """
    BASIC = 0
    FULL = 1

  pageSize = _messages.IntegerField(1, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(2)
  # Required here even though the docs allow an empty string for roles.list;
  # required=True in apitools only rejects a missing value, not "".
  parent = _messages.StringField(3, required=True)
  showDeleted = _messages.BooleanField(4)
  # Use FULL when auditing what a custom role actually grants; BASIC omits
  # the permission list.
  view = _messages.EnumField('ViewValueValuesEnum', 5)
class IamProjectsRolesPatchRequest(_messages.Message):
  r"""A IamProjectsRolesPatchRequest object.

  Fields:
    name: The `name` parameter's value depends on the target resource for the
      request, namely
      [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles)
      or
      [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles).
      Each resource type's `name` value format is described below:
      * [projects.roles.patch](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/patch):
        `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates
        only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the project level. Example request URL:
        `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
      * [organizations.roles.patch](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/patch):
        `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
        updates only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the organization level. Example request
        URL:
        `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
      Note: Wildcard (*) values are invalid; you must specify a complete
      project ID or organization ID.
    role: A Role resource to be passed as the request body.
    updateMask: A mask describing which fields in the Role have changed.
      Keep it narrow: an over-broad mask can overwrite role fields the
      caller did not intend to change.
  """
  # Resource name of the custom role; required.
  name = _messages.StringField(1, required=True)
  # Request body.
  role = _messages.MessageField('Role', 2)
  updateMask = _messages.StringField(3)
class IamProjectsRolesUndeleteRequest(_messages.Message):
  r"""A IamProjectsRolesUndeleteRequest object.

  Fields:
    name: The `name` parameter's value depends on the target resource for the
      request, namely
      [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles)
      or
      [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles).
      Each resource type's `name` value format is described below:
      * [projects.roles.undelete](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/undelete):
        `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes
        only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the project level. Example request URL:
        `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
      * [organizations.roles.undelete](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/undelete):
        `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
        undeletes only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the organization level. Example request
        URL:
        `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
      Note: Wildcard (*) values are invalid; you must specify a complete
      project ID or organization ID.
    undeleteRoleRequest: A UndeleteRoleRequest resource to be passed as the
      request body.
  """
  # Resource name of the deleted custom role; required.
  name = _messages.StringField(1, required=True)
  # Request body.
  undeleteRoleRequest = _messages.MessageField('UndeleteRoleRequest', 2)
class IamProjectsServiceAccountsCreateRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsCreateRequest object.

  Fields:
    createServiceAccountRequest: A CreateServiceAccountRequest resource to be
      passed as the request body.
    name: Required. The resource name of the project associated with the
      service accounts, such as `projects/my-project-123`.
  """
  # Request body.
  createServiceAccountRequest = _messages.MessageField('CreateServiceAccountRequest', 1)
  # Project resource name; required.
  name = _messages.StringField(2, required=True)
class IamProjectsServiceAccountsDeleteRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsDeleteRequest object.

  Fields:
    name: Required. The resource name of the service account. Use one of the
      following formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID (`projects/-/serviceAccounts/{EMAIL_ADDRESS}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}`). When possible, avoid the
      `-` wildcard, because it can cause response messages to contain
      misleading error codes: accessing a nonexistent account such as
      `projects/-/serviceAccounts/fake@example.com` returns an HTTP
      `403 Forbidden` error instead of a `404 Not Found` error, so a
      permission problem and a missing account look the same to the caller.
  """
  # Service account resource name; required. There is no request body.
  name = _messages.StringField(1, required=True)
class IamProjectsServiceAccountsDisableRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsDisableRequest object.

  Fields:
    disableServiceAccountRequest: A DisableServiceAccountRequest resource to
      be passed as the request body.
    name: The resource name of the service account. Use one of the following
      formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID (`projects/-/serviceAccounts/{EMAIL_ADDRESS}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}`). When possible, avoid the
      `-` wildcard, because it can cause response messages to contain
      misleading error codes: accessing a nonexistent account such as
      `projects/-/serviceAccounts/fake@example.com` returns an HTTP
      `403 Forbidden` error instead of a `404 Not Found` error.
  """
  # Request body.
  disableServiceAccountRequest = _messages.MessageField('DisableServiceAccountRequest', 1)
  # Service account resource name; required on the wire.
  name = _messages.StringField(2, required=True)
class IamProjectsServiceAccountsEnableRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsEnableRequest object.

  Fields:
    enableServiceAccountRequest: A EnableServiceAccountRequest resource to be
      passed as the request body.
    name: The resource name of the service account. Use one of the following
      formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID (`projects/-/serviceAccounts/{EMAIL_ADDRESS}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}`). When possible, avoid the
      `-` wildcard, because it can cause response messages to contain
      misleading error codes: accessing a nonexistent account such as
      `projects/-/serviceAccounts/fake@example.com` returns an HTTP
      `403 Forbidden` error instead of a `404 Not Found` error.
  """
  # Request body.
  enableServiceAccountRequest = _messages.MessageField('EnableServiceAccountRequest', 1)
  # Service account resource name; required on the wire.
  name = _messages.StringField(2, required=True)
class IamProjectsServiceAccountsGetIamPolicyRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsGetIamPolicyRequest object.

  Fields:
    options_requestedPolicyVersion: Optional. The maximum policy version that
      will be used to format the policy. Valid values are 0, 1, and 3.
      Requests specifying an invalid value will be rejected. Requests for
      policies with any conditional role bindings must specify version 3.
      Policies with no conditional role bindings may specify any valid value
      or leave the field unset. The policy in the response might use the
      policy version that you specified, or it might use a lower policy
      version. For example, if you specify version 3, but the policy has no
      conditional role bindings, the response uses version 1. To learn which
      resources support conditions in their IAM policies, see the
      [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      Callers that review or audit bindings should request version 3 so that
      conditional bindings, if any, are represented in the response.
    resource: REQUIRED: The resource for which the policy is being requested.
      See [Resource names](https://cloud.google.com/apis/design/resource_names)
      for the appropriate value for this field.
  """
  # Maps to the `options.requestedPolicyVersion` query parameter.
  options_requestedPolicyVersion = _messages.IntegerField(1, variant=_messages.Variant.INT32)
  # Target resource name; required.
  resource = _messages.StringField(2, required=True)
class IamProjectsServiceAccountsGetRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsGetRequest object.

  Fields:
    name: Required. The resource name of the service account. Use one of the
      following formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID (`projects/-/serviceAccounts/{EMAIL_ADDRESS}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}`). When possible, avoid the
      `-` wildcard, because it can cause response messages to contain
      misleading error codes: accessing a nonexistent account such as
      `projects/-/serviceAccounts/fake@example.com` returns an HTTP
      `403 Forbidden` error instead of a `404 Not Found` error.
  """
  # Service account resource name; required. There is no request body.
  name = _messages.StringField(1, required=True)
class IamProjectsServiceAccountsIdentityBindingsCreateRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsIdentityBindingsCreateRequest object.

  Fields:
    createServiceAccountIdentityBindingRequest: A
      CreateServiceAccountIdentityBindingRequest resource to be passed as the
      request body.
    name: The resource name of the service account. Use one of the following
      formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID (`projects/-/serviceAccounts/{EMAIL_ADDRESS}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}`). When possible, avoid the
      `-` wildcard, because it can cause response messages to contain
      misleading error codes: accessing a nonexistent account such as
      `projects/-/serviceAccounts/fake@example.com` returns an HTTP
      `403 Forbidden` error instead of a `404 Not Found` error.
  """
  # Request body (the binding definition lives in a message defined
  # elsewhere in this file).
  createServiceAccountIdentityBindingRequest = _messages.MessageField('CreateServiceAccountIdentityBindingRequest', 1)
  # Parent service account resource name; required on the wire.
  name = _messages.StringField(2, required=True)
class IamProjectsServiceAccountsIdentityBindingsDeleteRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsIdentityBindingsDeleteRequest object.

  Fields:
    name: The resource name of the service account identity binding. Use one
      of the following formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/identityBindings/{BINDING}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/identityBindings/{BINDING}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID
      (`projects/-/serviceAccounts/{EMAIL_ADDRESS}/identityBindings/{BINDING}`
      or `projects/-/serviceAccounts/{UNIQUE_ID}/identityBindings/{BINDING}`).
      When possible, avoid the `-` wildcard, because it can cause response
      messages to contain misleading error codes: accessing a nonexistent
      binding such as
      `projects/-/serviceAccounts/fake@example.com/identityBindings/fake-binding`
      returns an HTTP `403 Forbidden` error instead of a `404 Not Found`
      error.
  """
  # Identity binding resource name; required. There is no request body.
  name = _messages.StringField(1, required=True)
class IamProjectsServiceAccountsIdentityBindingsGetRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsIdentityBindingsGetRequest object.

  Fields:
    name: The resource name of the service account identity binding. Use one
      of the following formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/identityBindings/{BINDING}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/identityBindings/{BINDING}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID
      (`projects/-/serviceAccounts/{EMAIL_ADDRESS}/identityBindings/{BINDING}`
      or `projects/-/serviceAccounts/{UNIQUE_ID}/identityBindings/{BINDING}`).
      When possible, avoid the `-` wildcard, because it can cause response
      messages to contain misleading error codes: accessing a nonexistent
      binding such as
      `projects/-/serviceAccounts/fake@example.com/identityBindings/fake-binding`
      returns an HTTP `403 Forbidden` error instead of a `404 Not Found`
      error.
  """
  # Identity binding resource name; required. There is no request body.
  name = _messages.StringField(1, required=True)
class IamProjectsServiceAccountsIdentityBindingsListRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsIdentityBindingsListRequest object.

  Fields:
    name: The resource name of the service account. Use one of the following
      formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID (`projects/-/serviceAccounts/{EMAIL_ADDRESS}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}`). When possible, avoid the
      `-` wildcard, because it can cause response messages to contain
      misleading error codes: accessing a nonexistent account such as
      `projects/-/serviceAccounts/fake@example.com` returns an HTTP
      `403 Forbidden` error instead of a `404 Not Found` error.
  """
  # Parent service account resource name; required. No paging fields are
  # declared on this request.
  name = _messages.StringField(1, required=True)
class IamProjectsServiceAccountsKeysCreateRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsKeysCreateRequest object.

  NOTE(review): the key created through this request is credential
  material for the service account; callers should treat the response as a
  secret and prefer keys that are rotated (see
  IamProjectsServiceAccountsKeysListRequest.KeyTypesValueValuesEnum for the
  USER_MANAGED / SYSTEM_MANAGED distinction). The response message is
  defined elsewhere in this file — confirm its contents there.

  Fields:
    createServiceAccountKeyRequest: A CreateServiceAccountKeyRequest resource
      to be passed as the request body.
    name: Required. The resource name of the service account. Use one of the
      following formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID (`projects/-/serviceAccounts/{EMAIL_ADDRESS}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}`). When possible, avoid the
      `-` wildcard, because it can cause response messages to contain
      misleading error codes: accessing a nonexistent account such as
      `projects/-/serviceAccounts/fake@example.com` returns an HTTP
      `403 Forbidden` error instead of a `404 Not Found` error.
  """
  # Request body.
  createServiceAccountKeyRequest = _messages.MessageField('CreateServiceAccountKeyRequest', 1)
  # Parent service account resource name; required.
  name = _messages.StringField(2, required=True)
class IamProjectsServiceAccountsKeysDeleteRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsKeysDeleteRequest object.

  Fields:
    name: Required. The resource name of the service account key. Use one of
      the following formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID
      (`projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}`). When possible,
      avoid the `-` wildcard, because it can cause response messages to
      contain misleading error codes: accessing a nonexistent key such as
      `projects/-/serviceAccounts/fake@example.com/keys/fake-key` returns an
      HTTP `403 Forbidden` error instead of a `404 Not Found` error. When
      revoking a key during incident response, use the full project form so
      that a 403 unambiguously means a permission problem.
  """
  # Key resource name; required. There is no request body.
  name = _messages.StringField(1, required=True)
class IamProjectsServiceAccountsKeysDisableRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsKeysDisableRequest object.

  Fields:
    disableServiceAccountKeyRequest: A DisableServiceAccountKeyRequest
      resource to be passed as the request body.
    name: Required. The resource name of the service account key. Use one of
      the following formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID
      (`projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}`). When possible,
      avoid the `-` wildcard, because it can cause response messages to
      contain misleading error codes: accessing a nonexistent key such as
      `projects/-/serviceAccounts/fake@example.com/keys/fake-key` returns an
      HTTP `403 Forbidden` error instead of a `404 Not Found` error.
  """
  # Request body.
  disableServiceAccountKeyRequest = _messages.MessageField('DisableServiceAccountKeyRequest', 1)
  # Key resource name; required.
  name = _messages.StringField(2, required=True)
class IamProjectsServiceAccountsKeysEnableRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsKeysEnableRequest object.

  Fields:
    enableServiceAccountKeyRequest: A EnableServiceAccountKeyRequest resource
      to be passed as the request body.
    name: Required. The resource name of the service account key. Use one of
      the following formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID
      (`projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}`). When possible,
      avoid the `-` wildcard, because it can cause response messages to
      contain misleading error codes: accessing a nonexistent key such as
      `projects/-/serviceAccounts/fake@example.com/keys/fake-key` returns an
      HTTP `403 Forbidden` error instead of a `404 Not Found` error.
  """
  # Request body.
  enableServiceAccountKeyRequest = _messages.MessageField('EnableServiceAccountKeyRequest', 1)
  # Key resource name; required.
  name = _messages.StringField(2, required=True)
class IamProjectsServiceAccountsKeysGetRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsKeysGetRequest object.

  Enums:
    PublicKeyTypeValueValuesEnum: Optional. The output format of the public
      key. The default is `TYPE_NONE`, which means that the public key is not
      returned.

  Fields:
    name: Required. The resource name of the service account key. Use one of
      the following formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID
      (`projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}`). When possible,
      avoid the `-` wildcard, because it can cause response messages to
      contain misleading error codes: accessing a nonexistent key such as
      `projects/-/serviceAccounts/fake@example.com/keys/fake-key` returns an
      HTTP `403 Forbidden` error instead of a `404 Not Found` error.
    publicKeyType: Optional. The output format of the public key. The default
      is `TYPE_NONE`, which means that the public key is not returned. Only
      the public half is selectable here; the enum has no private-key
      option.
  """

  class PublicKeyTypeValueValuesEnum(_messages.Enum):
    r"""Optional. The output format of the public key.

    The default is `TYPE_NONE`, which means that the public key is not
    returned.

    Values:
      TYPE_NONE: Do not return the public key.
      TYPE_X509_PEM_FILE: X509 PEM format.
      TYPE_RAW_PUBLIC_KEY: Raw public key.
    """
    TYPE_NONE = 0
    TYPE_X509_PEM_FILE = 1
    TYPE_RAW_PUBLIC_KEY = 2

  # Key resource name; required.
  name = _messages.StringField(1, required=True)
  # Unset behaves as TYPE_NONE per the enum docstring.
  publicKeyType = _messages.EnumField('PublicKeyTypeValueValuesEnum', 2)
class IamProjectsServiceAccountsKeysListRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsKeysListRequest object.

  Enums:
    KeyTypesValueValuesEnum: Filters the types of keys the user wants to
      include in the list response. Duplicate key types are not allowed. If
      no key type is provided, all keys are returned.

  Fields:
    keyTypes: Filters the types of keys the user wants to include in the list
      response. Duplicate key types are not allowed. If no key type is
      provided, all keys are returned. Filtering on `USER_MANAGED` is the
      natural query for inventorying keys that are rotated by people rather
      than by Google.
    name: Required. The resource name of the service account. Use one of the
      following formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID (`projects/-/serviceAccounts/{EMAIL_ADDRESS}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}`). When possible, avoid the
      `-` wildcard, because it can cause response messages to contain
      misleading error codes: accessing a nonexistent account such as
      `projects/-/serviceAccounts/fake@example.com` returns an HTTP
      `403 Forbidden` error instead of a `404 Not Found` error.
  """

  class KeyTypesValueValuesEnum(_messages.Enum):
    r"""Filters the types of keys the user wants to include in the list
    response.

    Duplicate key types are not allowed. If no key type is provided, all
    keys are returned.

    Values:
      KEY_TYPE_UNSPECIFIED: Unspecified key type. The presence of this in the
        message will immediately result in an error.
      USER_MANAGED: User-managed keys (managed and rotated by the user).
      SYSTEM_MANAGED: System-managed keys (managed and rotated by Google).
    """
    KEY_TYPE_UNSPECIFIED = 0
    USER_MANAGED = 1
    SYSTEM_MANAGED = 2

  # Repeated filter; an empty list means "all keys". Do not include
  # KEY_TYPE_UNSPECIFIED or repeat a value (both are rejected per the docs).
  keyTypes = _messages.EnumField('KeyTypesValueValuesEnum', 1, repeated=True)
  # Parent service account resource name; required.
  name = _messages.StringField(2, required=True)
class IamProjectsServiceAccountsKeysUploadRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsKeysUploadRequest object.

  Fields:
    name: The resource name of the service account key. Use one of the
      following formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID (`projects/-/serviceAccounts/{EMAIL_ADDRESS}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}`). When possible, avoid the
      `-` wildcard, because it can cause response messages to contain
      misleading error codes: accessing a nonexistent account such as
      `projects/-/serviceAccounts/fake@example.com` returns an HTTP
      `403 Forbidden` error instead of a `404 Not Found` error.
      NOTE(review): the generated description says "service account key",
      but every format listed is a service-account name (no `/keys/{KEY_ID}`
      segment), consistent with this being the parent of the uploaded key —
      confirm against the upstream API reference.
    uploadServiceAccountKeyRequest: A UploadServiceAccountKeyRequest resource
      to be passed as the request body.
  """
  # Service account resource name; required on the wire.
  name = _messages.StringField(1, required=True)
  # Request body (carries the caller-supplied key material).
  uploadServiceAccountKeyRequest = _messages.MessageField('UploadServiceAccountKeyRequest', 2)
class IamProjectsServiceAccountsListRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsListRequest object.

  Fields:
    name: Required. The resource name of the project associated with the
      service accounts, such as `projects/my-project-123`.
    pageSize: Optional limit on the number of service accounts to include in
      the response. Further accounts can subsequently be obtained by
      including the ListServiceAccountsResponse.next_page_token in a
      subsequent request. The default is 20, and the maximum is 100.
    pageToken: Optional pagination token returned in an earlier
      ListServiceAccountsResponse.next_page_token.
  """
  # Project resource name; required.
  name = _messages.StringField(1, required=True)
  # Default 20, maximum 100 (per the field docs); callers enumerating a
  # whole project must follow next_page_token rather than assume one page.
  pageSize = _messages.IntegerField(2, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(3)
class IamProjectsServiceAccountsPatchRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsPatchRequest object.

  Fields:
    name: The resource name of the service account. Use one of the following
      formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID (`projects/-/serviceAccounts/{EMAIL_ADDRESS}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}`). When possible, avoid the
      `-` wildcard, because it can cause response messages to contain
      misleading error codes: accessing a nonexistent account such as
      `projects/-/serviceAccounts/fake@example.com` returns an HTTP
      `403 Forbidden` error instead of a `404 Not Found` error.
    patchServiceAccountRequest: A PatchServiceAccountRequest resource to be
      passed as the request body.
  """
  # Service account resource name; required on the wire.
  name = _messages.StringField(1, required=True)
  # Request body.
  patchServiceAccountRequest = _messages.MessageField('PatchServiceAccountRequest', 2)
class IamProjectsServiceAccountsSetIamPolicyRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsSetIamPolicyRequest object.

  NOTE(review): a set-policy call replaces the bindings on the resource with
  whatever the body carries; read-modify-write using the policy returned by
  IamProjectsServiceAccountsGetIamPolicyRequest is the usual guard against
  clobbering concurrent changes — confirm the etag semantics on
  SetIamPolicyRequest/Policy, which are defined elsewhere in this file.

  Fields:
    resource: REQUIRED: The resource for which the policy is being specified.
      See [Resource names](https://cloud.google.com/apis/design/resource_names)
      for the appropriate value for this field.
    setIamPolicyRequest: A SetIamPolicyRequest resource to be passed as the
      request body.
  """
  # Target resource name; required.
  resource = _messages.StringField(1, required=True)
  # Request body.
  setIamPolicyRequest = _messages.MessageField('SetIamPolicyRequest', 2)
class IamProjectsServiceAccountsSignBlobRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsSignBlobRequest object.

  Deprecated: the `name` field docs direct callers to the Service Account
  Credentials API; new code should not depend on this request type.

  Fields:
    name: Required. Deprecated.
      [Migrate to Service Account Credentials API](https://cloud.google.com/iam/help/credentials/migrate-api).
      The resource name of the service account. Use one of the following
      formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID (`projects/-/serviceAccounts/{EMAIL_ADDRESS}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}`). When possible, avoid the
      `-` wildcard, because it can cause response messages to contain
      misleading error codes: accessing a nonexistent account such as
      `projects/-/serviceAccounts/fake@example.com` returns an HTTP
      `403 Forbidden` error instead of a `404 Not Found` error.
    signBlobRequest: A SignBlobRequest resource to be passed as the request
      body.
  """
  # Signing service account resource name; required.
  name = _messages.StringField(1, required=True)
  # Request body.
  signBlobRequest = _messages.MessageField('SignBlobRequest', 2)
class IamProjectsServiceAccountsSignJwtRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsSignJwtRequest object.

  Deprecated: the `name` field docs direct callers to the Service Account
  Credentials API; new code should not depend on this request type.

  Fields:
    name: Required. Deprecated.
      [Migrate to Service Account Credentials API](https://cloud.google.com/iam/help/credentials/migrate-api).
      The resource name of the service account. Use one of the following
      formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID (`projects/-/serviceAccounts/{EMAIL_ADDRESS}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}`). When possible, avoid the
      `-` wildcard, because it can cause response messages to contain
      misleading error codes: accessing a nonexistent account such as
      `projects/-/serviceAccounts/fake@example.com` returns an HTTP
      `403 Forbidden` error instead of a `404 Not Found` error.
    signJwtRequest: A SignJwtRequest resource to be passed as the request
      body.
  """
  # Signing service account resource name; required.
  name = _messages.StringField(1, required=True)
  # Request body.
  signJwtRequest = _messages.MessageField('SignJwtRequest', 2)
class IamProjectsServiceAccountsTestIamPermissionsRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsTestIamPermissionsRequest object.

  Fields:
    resource: REQUIRED: The resource for which the policy detail is being
      requested. See
      [Resource names](https://cloud.google.com/apis/design/resource_names)
      for the appropriate value for this field.
    testIamPermissionsRequest: A TestIamPermissionsRequest resource to be
      passed as the request body.
  """
  # Target resource name; required.
  resource = _messages.StringField(1, required=True)
  # Request body (the permission list to test).
  testIamPermissionsRequest = _messages.MessageField('TestIamPermissionsRequest', 2)
class IamProjectsServiceAccountsUndeleteRequest(_messages.Message):
  r"""A IamProjectsServiceAccountsUndeleteRequest object.

  Fields:
    name: The resource name of the service account. Use one of the following
      formats:
      * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
      * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
      As an alternative, you can use the `-` wildcard character instead of
      the project ID (`projects/-/serviceAccounts/{EMAIL_ADDRESS}` or
      `projects/-/serviceAccounts/{UNIQUE_ID}`). When possible, avoid the
      `-` wildcard, because it can cause response messages to contain
      misleading error codes: accessing a nonexistent account such as
      `projects/-/serviceAccounts/fake@example.com` returns an HTTP
      `403 Forbidden` error instead of a `404 Not Found` error.
    undeleteServiceAccountRequest: A UndeleteServiceAccountRequest resource to
      be passed as the request body.
  """
  # Service account resource name; required on the wire.
  name = _messages.StringField(1, required=True)
  # Request body.
  undeleteServiceAccountRequest = _messages.MessageField('UndeleteServiceAccountRequest', 2)
class IamRolesGetRequest(_messages.Message):
  r"""A IamRolesGetRequest object.

  Fields:
    name: The `name` parameter's value depends on the target resource for the
      request, namely
      [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles),
      [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles),
      or
      [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles).
      Each resource type's `name` value format is described below:
      * [roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/roles/get):
        `roles/{ROLE_NAME}`. This method returns results from all
        [predefined roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles)
        in IAM. Example request URL:
        `https://iam.googleapis.com/v1/roles/{ROLE_NAME}`
      * [projects.roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/get):
        `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns
        only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the project level. Example request URL:
        `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
      * [organizations.roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/get):
        `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
        returns only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles)
        that have been created at the organization level. Example request
        URL:
        `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
      Note: Wildcard (*) values are invalid; you must specify a complete
      project ID or organization ID.
  """
  # Role resource name; required. There is no request body.
  name = _messages.StringField(1, required=True)
class IamRolesListRequest(_messages.Message):
r"""A IamRolesListRequest object.
Enums:
ViewValueValuesEnum: Optional view for the returned Role objects. When
`FULL` is specified, the `includedPermissions` field is returned, which
includes a list of all permissions in the role. The default value is
`BASIC`, which does not return the `includedPermissions` field.
Fields:
pageSize: Optional limit on the number of roles to include in the
response. The default is 300, and the maximum is 1,000.
pageToken: Optional pagination token returned in an earlier
ListRolesResponse.
parent: The `parent` parameter's value depends on the target resource for
the request, namely
[roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [pro
jects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.role
s), or [organizations](https://cloud.google.com/iam/docs/reference/rest/
v1/organizations.roles). Each resource type's `parent` value format is
described below: * [roles.list](https://cloud.google.com/iam/docs/refere
nce/rest/v1/roles/list): An empty string. This method doesn't require a
resource; it simply returns all [predefined
roles](https://cloud.google.com/iam/docs/understanding-
roles#predefined_roles) in IAM. Example request URL:
`https://iam.googleapis.com/v1/roles` * [projects.roles.list](https://cl
oud.google.com/iam/docs/reference/rest/v1/projects.roles/list):
`projects/{PROJECT_ID}`. This method lists all project-level [custom
roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
Example request URL:
`https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` * [organizat
ions.roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/org
anizations.roles/list): `organizations/{ORGANIZATION_ID}`. This method
lists all organization-level [custom
roles](https://cloud.google.com/iam/docs/understanding-custom-roles).
Example request URL:
`https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
Note: Wildcard (*) values are invalid; you must specify a complete
project ID or organization ID.
showDeleted: Include Roles that have been deleted.
view: Optional view for the returned Role objects. When `FULL` is
specified, the `includedPermissions` field is returned, which includes a
list of all permissions in the role. The default value is `BASIC`, which
does not return the `includedPermissions` field.
"""
class ViewValueValuesEnum(_messages.Enum):
  r"""View selector for the returned Role objects.

  When `FULL` is specified, the `includedPermissions` field is returned,
  which includes a list of all permissions in the role. The default value
  is `BASIC`, which does not return the `includedPermissions` field.

  Values:
    BASIC: Omits the `included_permissions` field. This is the default
      value.
    FULL: Returns all fields, including `includedPermissions`.
  """
  BASIC = 0
  FULL = 1
# Request fields of the enclosing roles-list request message (its class
# header and docstring precede this run).
pageSize = _messages.IntegerField(1, variant=_messages.Variant.INT32)  # default 300, maximum 1,000
pageToken = _messages.StringField(2)  # token from an earlier ListRolesResponse
parent = _messages.StringField(3)  # '' (predefined roles), `projects/{PROJECT_ID}` or `organizations/{ORGANIZATION_ID}`; wildcards are invalid
showDeleted = _messages.BooleanField(4)  # also include deleted Roles
view = _messages.EnumField('ViewValueValuesEnum', 5)  # BASIC (default) or FULL
class IdentityAssignment(_messages.Message):
  r"""Defines how an identity is assigned to a workload.

  At least one workload selector and at least one identity assignment
  method must be defined.

  Fields:
    allowIdentitySelfSelection: Optional. Identity assignment method that
      authorizes matched workloads to self-select an identity within the
      parent's scope (e.g. within the namespace when the WorkloadSource is
      defined on a Namespace).
    singleAttributeSelectors: Optional. Workload selectors that match
      workloads based on their attested attributes.
  """
  # Self-selection lets a matched workload pick its own identity; the
  # docstring bounds that choice to the parent resource's scope.
  allowIdentitySelfSelection = _messages.BooleanField(1)
  singleAttributeSelectors = _messages.MessageField('SingleAttributeSelector', 2, repeated=True)
class InlineCertificateIssuanceConfig(_messages.Message):
  r"""Configuration for generating mutual TLS (mTLS) certificates for the
  identities within this pool.

  Enums:
    KeyAlgorithmValueValuesEnum: Optional. Key algorithm to use when
      generating the key pair. This key pair will be used to create the
      certificate. If not specified, this will default to ECDSA_P256.

  Messages:
    CaPoolsValue: Optional. A required mapping of a Google Cloud region to
      the CA pool resource located in that region. The CA pool is used for
      certificate issuance, adhering to the following constraints:
      * Key format: A supported cloud region name equivalent to the
        location identifier in the corresponding map entry's value.
      * Value format: A valid CA pool resource path, for example
        "projects/{project}/locations/{location}/caPools/{ca_pool}".
      * Region matching: Workloads are ONLY issued certificates from CA
        pools within the same region; the CA pool region (in the value)
        must match the workload's region (the key).

  Fields:
    caPools: Optional. A required mapping of a Google Cloud region to the
      CA pool resource located in that region (see CaPoolsValue for the
      key/value format and region-matching constraints).
    keyAlgorithm: Optional. Key algorithm to use when generating the key
      pair. This key pair will be used to create the certificate. If not
      specified, this will default to ECDSA_P256.
    lifetime: Optional. Lifetime of the workload certificates issued by the
      CA pool. Must be between 24 hours and 30 days. If not specified, this
      defaults to 24 hours.
    rotationWindowPercentage: Optional. Rotation window percentage: the
      percentage of remaining lifetime after which certificate rotation is
      initiated. Must be between 50 and 80. If no value is specified, it
      defaults to 50.
    useDefaultSharedCa: Optional. If set to true, the trust domain will use
      the GCP-provisioned default CA. A default CA in the same region as
      the workload will be selected to issue the certificate. Enabling
      this clears any existing `ca_pools` configuration. NOTE: This field
      is mutually exclusive with `ca_pools`. If this flag is enabled,
      certificates will be automatically provisioned from the default
      shared CAs. Do not set this flag if you want to use your own CA
      pools to provision the certificates.
  """

  class KeyAlgorithmValueValuesEnum(_messages.Enum):
    r"""Key algorithm to use when generating the key pair.

    This key pair will be used to create the certificate. If not
    specified, this defaults to ECDSA_P256.

    Values:
      KEY_ALGORITHM_UNSPECIFIED: Unspecified key algorithm. Defaults to
        ECDSA_P256.
      RSA_2048: Specifies RSA with a 2048-bit modulus.
      RSA_3072: Specifies RSA with a 3072-bit modulus.
      RSA_4096: Specifies RSA with a 4096-bit modulus.
      ECDSA_P256: Specifies ECDSA with curve P256.
      ECDSA_P384: Specifies ECDSA with curve P384.
    """
    KEY_ALGORITHM_UNSPECIFIED = 0
    RSA_2048 = 1
    RSA_3072 = 2
    RSA_4096 = 3
    ECDSA_P256 = 4
    ECDSA_P384 = 5

  @encoding.MapUnrecognizedFields('additionalProperties')
  class CaPoolsValue(_messages.Message):
    r"""Mapping of a Google Cloud region to the CA pool resource located in
    that region.

    The CA pool is used for certificate issuance, adhering to the following
    constraints:
    * Key format: A supported cloud region name equivalent to the location
      identifier in the corresponding map entry's value.
    * Value format: A valid CA pool resource path, for example
      "projects/{project}/locations/{location}/caPools/{ca_pool}".
    * Region matching: Workloads are ONLY issued certificates from CA
      pools within the same region; the CA pool region (in the value) must
      match the workload's region (the key).

    Messages:
      AdditionalProperty: An additional property for a CaPoolsValue object.

    Fields:
      additionalProperties: Additional properties of type CaPoolsValue.
    """

    class AdditionalProperty(_messages.Message):
      r"""An additional property (one map entry) for a CaPoolsValue object.

      Fields:
        key: Name of the additional property (the region).
        value: A string attribute (the CA pool resource path).
      """
      key = _messages.StringField(1)
      value = _messages.StringField(2)

    additionalProperties = _messages.MessageField('AdditionalProperty', 1, repeated=True)

  caPools = _messages.MessageField('CaPoolsValue', 1)
  keyAlgorithm = _messages.EnumField('KeyAlgorithmValueValuesEnum', 2)
  lifetime = _messages.StringField(3)  # 24h..30d, default 24h (duration string; format not shown here)
  rotationWindowPercentage = _messages.IntegerField(4, variant=_messages.Variant.INT32)  # 50..80, default 50
  # Mutually exclusive with caPools; enabling it clears an existing caPools
  # configuration (per the field docstring).
  useDefaultSharedCa = _messages.BooleanField(5)
class InlineTrustConfig(_messages.Message):
  r"""Configuration for extending trust to additional trust domains.

  By establishing trust with another domain, the current domain will
  recognize and accept certificates issued by entities within the trusted
  domains. Note that a trust domain automatically trusts itself,
  eliminating the need for explicit configuration.

  Messages:
    AdditionalTrustBundlesValue: Optional. Maps specific trust domains
      (e.g., "example.com") to their corresponding TrustStore, which
      contains the trusted root certificates for that domain. There can be
      a maximum of 10 trust domain entries in this map. A trust domain
      automatically trusts itself and does not need to be specified here.
      If, however, this WorkloadIdentityPool's own trust domain appears in
      the additional_trust_bundles map, those trust anchors are *appended
      to* the trust bundle automatically derived from your
      InlineCertificateIssuanceConfig's ca_pools.

  Fields:
    additionalTrustBundles: Optional. Maps specific trust domains to their
      TrustStore; see AdditionalTrustBundlesValue for the limits and the
      self-domain append behavior.
  """

  @encoding.MapUnrecognizedFields('additionalProperties')
  class AdditionalTrustBundlesValue(_messages.Message):
    r"""Maps specific trust domains (e.g., "example.com") to their
    corresponding TrustStore, which contains the trusted root certificates
    for that domain.

    There can be a maximum of 10 trust domain entries in this map. A trust
    domain automatically trusts itself and does not need to be specified
    here. If, however, this WorkloadIdentityPool's own trust domain
    contains any trust anchors in the additional_trust_bundles map, those
    trust anchors are *appended to* the trust bundle automatically derived
    from your InlineCertificateIssuanceConfig's ca_pools.

    Messages:
      AdditionalProperty: An additional property for an
        AdditionalTrustBundlesValue object.

    Fields:
      additionalProperties: Additional properties of type
        AdditionalTrustBundlesValue.
    """

    class AdditionalProperty(_messages.Message):
      r"""An additional property (one map entry) for an
      AdditionalTrustBundlesValue object.

      Fields:
        key: Name of the additional property (the trust domain).
        value: A TrustStore attribute (the trusted roots for that domain).
      """
      key = _messages.StringField(1)
      value = _messages.MessageField('TrustStore', 2)

    additionalProperties = _messages.MessageField('AdditionalProperty', 1, repeated=True)

  # Every entry here widens the set of issuers this domain accepts; the
  # docstring caps the map at 10 entries.
  additionalTrustBundles = _messages.MessageField('AdditionalTrustBundlesValue', 1)
class IntermediateCA(_messages.Message):
  r"""Intermediate CA certificate used for building the trust chain up to a
  trust anchor.

  Fields:
    pemCertificate: PEM certificate of the PKI used for validation. Must
      contain exactly one CA certificate.
  """
  # A single PEM-encoded CA certificate; the docstring forbids bundles.
  pemCertificate = _messages.StringField(1)
class KeyData(_messages.Message):
  r"""Public key data along with its format.

  Enums:
    FormatValueValuesEnum: Output only. The format of the key.
    KeySpecValueValuesEnum: Required. The specifications for the key.

  Fields:
    format: Output only. The format of the key.
    key: Output only. The key data; its encoding is described by the
      `format` field.
    keySpec: Required. The specifications for the key.
    notAfterTime: Output only. Latest timestamp when this key is valid.
      Attempts to use this key after this time will fail. Only present if
      the key data represents an X.509 certificate.
    notBeforeTime: Output only. Earliest timestamp when this key is valid.
      Attempts to use this key before this time will fail. Only present if
      the key data represents an X.509 certificate.
  """

  class FormatValueValuesEnum(_messages.Enum):
    r"""The format of the key (output only).

    Values:
      KEY_FORMAT_UNSPECIFIED: No format has been specified. This is an
        invalid format and must not be used.
      RSA_X509_PEM: An RSA public key wrapped in an X.509v3 certificate
        ([RFC5280](https://www.ietf.org/rfc/rfc5280.txt)), encoded in
        base64, and wrapped in the [public certificate
        label](https://datatracker.ietf.org/doc/html/rfc7468#section-5.1).
    """
    KEY_FORMAT_UNSPECIFIED = 0
    RSA_X509_PEM = 1

  class KeySpecValueValuesEnum(_messages.Enum):
    r"""The specifications for the key (required).

    Values:
      KEY_SPEC_UNSPECIFIED: No key specification specified.
      RSA_2048: A 2048-bit RSA key.
      RSA_3072: A 3072-bit RSA key.
      RSA_4096: A 4096-bit RSA key.
    """
    KEY_SPEC_UNSPECIFIED = 0
    RSA_2048 = 1
    RSA_3072 = 2
    RSA_4096 = 3

  format = _messages.EnumField('FormatValueValuesEnum', 1)
  key = _messages.StringField(2)  # public key material only, per the docstring
  keySpec = _messages.EnumField('KeySpecValueValuesEnum', 3)
  # Validity window; both are output-only and only populated for X.509
  # certificate key data.
  notAfterTime = _messages.StringField(4)
  notBeforeTime = _messages.StringField(5)
class LintPolicyRequest(_messages.Message):
  r"""Request to lint an IAM policy object.

  Fields:
    condition: The google.iam.v1.Binding.condition object to be linted.
    fullResourceName: The full resource name of the policy this lint
      request is about. The name follows the Google Cloud format for full
      resource names. For example, a Google Cloud project with ID
      `my-project` is named
      `//cloudresourcemanager.googleapis.com/projects/my-project`. The
      resource name is not used to read a policy from IAM; only the data
      in the request object is linted.
  """
  condition = _messages.MessageField('Expr', 1)
  # Informational only: per the docstring, the linter does not fetch the
  # named resource's policy.
  fullResourceName = _messages.StringField(2)
class LintPolicyResponse(_messages.Message):
  r"""Response of a lint operation.

  An empty response indicates the operation was able to fully execute and
  no lint issue was found.

  Fields:
    lintResults: List of lint results sorted by `severity` in descending
      order.
  """
  lintResults = _messages.MessageField('LintResult', 1, repeated=True)
class LintResult(_messages.Message):
  r"""Structured response of a single validation unit.

  Enums:
    LevelValueValuesEnum: The validation unit level.
    SeverityValueValuesEnum: The validation unit severity.

  Fields:
    debugMessage: Human-readable debug message associated with the issue.
    fieldName: The name of the field this lint result is about. For nested
      messages `field_name` consists of the names of the embedded fields
      separated by a period character. The top-level qualifier is the
      input object to lint in the request. For example, the `field_name`
      value `condition.expression` identifies a lint result for the
      `expression` field of the provided condition.
    level: The validation unit level.
    locationOffset: 0-based character position of the problematic
      construct within the object identified by `field_name`. Currently,
      this is populated only for condition expressions.
    severity: The validation unit severity.
    validationUnitName: The validation unit name, for instance
      "lintValidationUnits/ConditionComplexityCheck".
  """

  class LevelValueValuesEnum(_messages.Enum):
    r"""The validation unit level.

    Values:
      LEVEL_UNSPECIFIED: Level is unspecified.
      CONDITION: A validation unit which operates on an individual
        condition within a binding.
    """
    LEVEL_UNSPECIFIED = 0
    CONDITION = 1

  class SeverityValueValuesEnum(_messages.Enum):
    r"""The validation unit severity.

    Values:
      SEVERITY_UNSPECIFIED: Severity is unspecified.
      ERROR: A validation unit returns an error only for critical issues.
        If an attempt is made to set the problematic policy without
        rectifying the critical issue, the `setPolicy` operation fails.
      WARNING: Any issue which is severe enough but does not cause an
        error. For example, suspicious constructs in the input object will
        not necessarily fail `setPolicy`, but there is a high likelihood
        that they won't behave as expected during policy evaluation in
        `checkPolicy`. This includes the following common scenarios:
        - Unsatisfiable condition: expired timestamp in a date/time
          condition.
        - Ineffective condition: a condition on a pair which is granted
          unconditionally in another binding of the same policy.
      NOTICE: Reserved for issues that are not as severe as
        `ERROR`/`WARNING` but need special handling. For instance, messages
        about skipped validation units are issued as `NOTICE`.
      INFO: Any informative statement which is not severe enough to raise
        `ERROR`/`WARNING`/`NOTICE`, like auto-correction recommendations
        on the input content. Note that the current version of the linter
        does not emit `INFO`.
      DEPRECATED: Deprecated severity level.
    """
    SEVERITY_UNSPECIFIED = 0
    ERROR = 1
    WARNING = 2
    NOTICE = 3
    INFO = 4
    DEPRECATED = 5

  debugMessage = _messages.StringField(1)
  fieldName = _messages.StringField(2)
  level = _messages.EnumField('LevelValueValuesEnum', 3)
  locationOffset = _messages.IntegerField(4, variant=_messages.Variant.INT32)
  # WARNING-level results (e.g. an ineffective or expired condition) do not
  # block setPolicy; see SeverityValueValuesEnum.
  severity = _messages.EnumField('SeverityValueValuesEnum', 5)
  validationUnitName = _messages.StringField(6)
class ListAttestationRulesResponse(_messages.Message):
  r"""Response message for ListAttestationRules.

  Fields:
    attestationRules: A list of AttestationRules.
    nextPageToken: Optional. A token which can be sent as `page_token` to
      retrieve the next page. If this field is omitted, there are no
      subsequent pages.
  """
  attestationRules = _messages.MessageField('AttestationRule', 1, repeated=True)
  nextPageToken = _messages.StringField(2)  # absent on the last page
class ListOauthClientCredentialsResponse(_messages.Message):
  r"""Response message for ListOauthClientCredentials.

  Fields:
    oauthClientCredentials: A list of OauthClientCredentials.
  """
  # No page token field: the whole list is returned in one response.
  oauthClientCredentials = _messages.MessageField('OauthClientCredential', 1, repeated=True)
class ListOauthClientsResponse(_messages.Message):
  r"""Response message for ListOauthClients.

  Fields:
    nextPageToken: Optional. A token which can be sent as `page_token` to
      retrieve the next page. If this field is omitted, there are no
      subsequent pages.
    oauthClients: A list of OauthClients.
  """
  nextPageToken = _messages.StringField(1)  # absent on the last page
  oauthClients = _messages.MessageField('OauthClient', 2, repeated=True)
class ListRolesResponse(_messages.Message):
  r"""Response containing the roles defined under a resource.

  Fields:
    nextPageToken: To retrieve the next page of results, set
      `ListRolesRequest.page_token` to this value.
    roles: The Roles defined on this resource.
  """
  nextPageToken = _messages.StringField(1)
  roles = _messages.MessageField('Role', 2, repeated=True)
class ListServiceAccountIdentityBindingsResponse(_messages.Message):
  r"""Response for listing a service account's identity bindings.

  Fields:
    identityBinding: The identity bindings trusted to assert the service
      account.
  """
  # Each entry is a principal the service account trusts to assert it.
  identityBinding = _messages.MessageField('ServiceAccountIdentityBinding', 1, repeated=True)
class ListServiceAccountKeysResponse(_messages.Message):
  r"""Response for listing a service account's keys.

  Fields:
    keys: The public keys for the service account.
  """
  # Public key material only, per the docstring.
  keys = _messages.MessageField('ServiceAccountKey', 1, repeated=True)
class ListServiceAccountsResponse(_messages.Message):
  r"""Response for listing service accounts.

  Fields:
    accounts: The list of matching service accounts.
    nextPageToken: To retrieve the next page of results, set
      ListServiceAccountsRequest.page_token to this value.
  """
  accounts = _messages.MessageField('ServiceAccount', 1, repeated=True)
  nextPageToken = _messages.StringField(2)
class ListWorkforcePoolInstalledAppsResponse(_messages.Message):
  r"""Response message for ListWorkforcePoolInstalledApps.

  Fields:
    nextPageToken: Optional. A token which can be sent as `page_token` to
      retrieve the next page. If this field is omitted, there are no
      subsequent pages.
    workforcePoolInstalledApps: Output only. A list of workforce pool
      installed apps.
  """
  nextPageToken = _messages.StringField(1)  # absent on the last page
  workforcePoolInstalledApps = _messages.MessageField('WorkforcePoolInstalledApp', 2, repeated=True)
class ListWorkforcePoolProviderKeysResponse(_messages.Message):
  r"""Response message for ListWorkforcePoolProviderKeys.

  Fields:
    nextPageToken: A token which can be sent as `page_token` to retrieve
      the next page. If this field is omitted, there are no subsequent
      pages.
    workforcePoolProviderKeys: A list of WorkforcePoolProviderKeys.
  """
  nextPageToken = _messages.StringField(1)  # absent on the last page
  workforcePoolProviderKeys = _messages.MessageField('WorkforcePoolProviderKey', 2, repeated=True)
class ListWorkforcePoolProviderScimTenantsResponse(_messages.Message):
  r"""Response message for ListWorkforcePoolProviderScimTenants.

  Fields:
    nextPageToken: Optional. A token which can be sent as `page_token` to
      retrieve the next page. If this field is omitted, there are no
      subsequent pages.
    workforcePoolProviderScimTenants: Output only. A list of SCIM tenants.
  """
  nextPageToken = _messages.StringField(1)  # absent on the last page
  workforcePoolProviderScimTenants = _messages.MessageField('WorkforcePoolProviderScimTenant', 2, repeated=True)
class ListWorkforcePoolProviderScimTokensResponse(_messages.Message):
  r"""Response message for ListWorkforcePoolProviderScimTokens.

  Fields:
    nextPageToken: Optional. A token which can be sent as `page_token` to
      retrieve the next page. If this field is omitted, there are no
      subsequent pages.
    workforcePoolProviderScimTokens: Output only. A list of SCIM tokens.
  """
  nextPageToken = _messages.StringField(1)  # absent on the last page
  workforcePoolProviderScimTokens = _messages.MessageField('WorkforcePoolProviderScimToken', 2, repeated=True)
class ListWorkforcePoolProvidersResponse(_messages.Message):
  r"""Response message for ListWorkforcePoolProviders.

  Fields:
    nextPageToken: A token which can be sent as `page_token` to retrieve
      the next page. If this field is omitted, there are no subsequent
      pages.
    workforcePoolProviders: A list of providers.
  """
  nextPageToken = _messages.StringField(1)  # absent on the last page
  workforcePoolProviders = _messages.MessageField('WorkforcePoolProvider', 2, repeated=True)
class ListWorkforcePoolsResponse(_messages.Message):
  r"""Response message for ListWorkforcePools.

  Fields:
    nextPageToken: A token which can be sent as `page_token` to retrieve
      the next page. If this field is omitted, there are no subsequent
      pages.
    workforcePools: A list of pools.
  """
  nextPageToken = _messages.StringField(1)  # absent on the last page
  workforcePools = _messages.MessageField('WorkforcePool', 2, repeated=True)
class ListWorkloadIdentityPoolManagedIdentitiesResponse(_messages.Message):
  r"""Response message for ListWorkloadIdentityPoolManagedIdentities.

  Fields:
    nextPageToken: A token which can be sent as `page_token` to retrieve
      the next page. If this field is omitted, there are no subsequent
      pages.
    workloadIdentityPoolManagedIdentities: A list of managed identities.
  """
  nextPageToken = _messages.StringField(1)  # absent on the last page
  workloadIdentityPoolManagedIdentities = _messages.MessageField('WorkloadIdentityPoolManagedIdentity', 2, repeated=True)
class ListWorkloadIdentityPoolNamespacesResponse(_messages.Message):
  r"""Response message for ListWorkloadIdentityPoolNamespaces.

  Fields:
    nextPageToken: A token which can be sent as `page_token` to retrieve
      the next page. If this field is omitted, there are no subsequent
      pages.
    workloadIdentityPoolNamespaces: A list of namespaces.
  """
  nextPageToken = _messages.StringField(1)  # absent on the last page
  workloadIdentityPoolNamespaces = _messages.MessageField('WorkloadIdentityPoolNamespace', 2, repeated=True)
class ListWorkloadIdentityPoolProviderKeysResponse(_messages.Message):
  r"""Response message for ListWorkloadIdentityPoolProviderKeys.

  Fields:
    nextPageToken: A token which can be sent as `page_token` to retrieve
      the next page. If this field is omitted, there are no subsequent
      pages.
    workloadIdentityPoolProviderKeys: A list of
      WorkloadIdentityPoolProviderKey.
  """
  nextPageToken = _messages.StringField(1)  # absent on the last page
  workloadIdentityPoolProviderKeys = _messages.MessageField('WorkloadIdentityPoolProviderKey', 2, repeated=True)
class ListWorkloadIdentityPoolProvidersResponse(_messages.Message):
  r"""Response message for ListWorkloadIdentityPoolProviders.

  Fields:
    nextPageToken: A token which can be sent as `page_token` to retrieve
      the next page. If this field is omitted, there are no subsequent
      pages.
    workloadIdentityPoolProviders: A list of providers.
  """
  nextPageToken = _messages.StringField(1)  # absent on the last page
  workloadIdentityPoolProviders = _messages.MessageField('WorkloadIdentityPoolProvider', 2, repeated=True)
class ListWorkloadIdentityPoolsResponse(_messages.Message):
  r"""Response message for ListWorkloadIdentityPools.

  Fields:
    nextPageToken: A token which can be sent as `page_token` to retrieve
      the next page. If this field is omitted, there are no subsequent
      pages.
    workloadIdentityPools: A list of pools.
  """
  nextPageToken = _messages.StringField(1)  # absent on the last page
  workloadIdentityPools = _messages.MessageField('WorkloadIdentityPool', 2, repeated=True)
class ListWorkloadSourcesResponse(_messages.Message):
  r"""Response message for ListWorkloadSources.

  Fields:
    nextPageToken: A token which can be sent as `page_token` to retrieve
      the next page. If this field is omitted, there are no subsequent
      pages.
    workloadSources: A list of workload sources.
  """
  nextPageToken = _messages.StringField(1)  # absent on the last page
  workloadSources = _messages.MessageField('WorkloadSource', 2, repeated=True)
class OauthClient(_messages.Message):
  r"""An OauthClient.

  Used to access Google Cloud resources on behalf of a Workforce Identity
  Federation user by using the OAuth 2.0 protocol to obtain an access token
  from Google Cloud.

  Enums:
    AllowedGrantTypesValueListEntryValuesEnum: Values of the
      `allowedGrantTypes` list entries.
    ClientTypeValueValuesEnum: Immutable. The type of OauthClient. Either
      public or private. For private clients, the client secret can be
      managed using the dedicated OauthClientCredential resource.
    StateValueValuesEnum: Output only. The state of the OauthClient.

  Fields:
    allowedGrantTypes: Required. The list of OAuth grant types allowed for
      the OauthClient.
    allowedRedirectUris: Required. The list of redirect URIs that the
      authorization flow is allowed to redirect back to when it completes.
    allowedScopes: Required. The list of scopes that the OauthClient is
      allowed to request during OAuth flows. The following scopes are
      supported:
      * `https://www.googleapis.com/auth/cloud-platform`: See, edit,
        configure, and delete your Google Cloud data and see the email
        address for your Google Account.
      * `openid`: The OAuth client can associate you with your personal
        information on Google Cloud.
      * `email`: The OAuth client can read a federated identity's email
        address.
      * `groups`: The OAuth client can read a federated identity's groups.
    clientId: Output only. The system-generated OauthClient id.
    clientType: Immutable. The type of OauthClient. Either public or
      private. For private clients, the client secret can be managed using
      the dedicated OauthClientCredential resource.
    description: Optional. A user-specified description of the
      OauthClient. Cannot exceed 256 characters.
    disabled: Optional. Whether the OauthClient is disabled. You cannot use
      a disabled OAuth client.
    displayName: Optional. A user-specified display name of the
      OauthClient. Cannot exceed 32 characters.
    expireTime: Output only. Time after which the OauthClient will be
      permanently purged and cannot be recovered.
    name: Immutable. Identifier. The resource name of the OauthClient.
      Format:
      `projects/{project}/locations/{location}/oauthClients/{oauth_client}`.
    state: Output only. The state of the OauthClient.
  """

  class AllowedGrantTypesValueListEntryValuesEnum(_messages.Enum):
    r"""Values of the `allowedGrantTypes` list entries.

    Values:
      GRANT_TYPE_UNSPECIFIED: Should not be used.
      AUTHORIZATION_CODE_GRANT: Authorization code grant.
      REFRESH_TOKEN_GRANT: Refresh token grant.
    """
    GRANT_TYPE_UNSPECIFIED = 0
    AUTHORIZATION_CODE_GRANT = 1
    REFRESH_TOKEN_GRANT = 2

  class ClientTypeValueValuesEnum(_messages.Enum):
    r"""The type of OauthClient (immutable).

    Either public or private. For private clients, the client secret can
    be managed using the dedicated OauthClientCredential resource.

    Values:
      CLIENT_TYPE_UNSPECIFIED: Should not be used.
      PUBLIC_CLIENT: Public client; has no secret.
      CONFIDENTIAL_CLIENT: Private client; authenticates with a secret
        managed via OauthClientCredential.
    """
    CLIENT_TYPE_UNSPECIFIED = 0
    PUBLIC_CLIENT = 1
    CONFIDENTIAL_CLIENT = 2

  class StateValueValuesEnum(_messages.Enum):
    r"""The state of the OauthClient (output only).

    Values:
      STATE_UNSPECIFIED: Default value. This value is unused.
      ACTIVE: The OauthClient is active.
      DELETED: The OauthClient is soft-deleted. A soft-deleted OauthClient
        is permanently deleted after approximately 30 days unless restored
        via `UndeleteOauthClient`.
    """
    STATE_UNSPECIFIED = 0
    ACTIVE = 1
    DELETED = 2

  allowedGrantTypes = _messages.EnumField('AllowedGrantTypesValueListEntryValuesEnum', 1, repeated=True)
  # Allow-list of redirect targets for the authorization flow (required).
  allowedRedirectUris = _messages.StringField(2, repeated=True)
  # Allow-list of requestable scopes; the supported values are listed in
  # the class docstring.
  allowedScopes = _messages.StringField(3, repeated=True)
  clientId = _messages.StringField(4)
  clientType = _messages.EnumField('ClientTypeValueValuesEnum', 5)
  description = _messages.StringField(6)  # <= 256 characters
  disabled = _messages.BooleanField(7)
  displayName = _messages.StringField(8)  # <= 32 characters
  expireTime = _messages.StringField(9)
  name = _messages.StringField(10)
  state = _messages.EnumField('StateValueValuesEnum', 11)
class OauthClientCredential(_messages.Message):
  r"""An OauthClientCredential.

  Used to authenticate an OauthClient while accessing Google Cloud
  resources on behalf of a user by using the OAuth 2.0 protocol.

  Fields:
    clientSecret: Output only. The system-generated OAuth client secret.
      The client secret must be stored securely. If the client secret is
      leaked, you must delete and re-create the client credential. To
      learn more, see [OAuth client and credential security risks and
      mitigations](https://cloud.google.com/iam/docs/workforce-oauth-
      app#security).
    createTime: Output only. The timestamp when the OauthClientCredential
      was created.
    disabled: Optional. Whether the OauthClientCredential is disabled. You
      cannot use a disabled OauthClientCredential.
    displayName: Optional. A user-specified display name of the
      OauthClientCredential. Cannot exceed 32 characters.
    name: Immutable. Identifier. The resource name of the
      OauthClientCredential. Format:
      `projects/{project}/locations/{location}/oauthClients/{oauth_client}/credentials/{credential}`.
    updateTime: Output only. The timestamp of the last update of the
      OauthClientCredential. If no updates have been made, the creation
      time serves as the value.
  """
  # Secret material: do not log or persist in clear text. Per the docstring
  # there is no in-place rotation; a leaked secret means delete and
  # re-create the credential.
  clientSecret = _messages.StringField(1)
  createTime = _messages.StringField(2)
  disabled = _messages.BooleanField(3)
  displayName = _messages.StringField(4)  # <= 32 characters
  name = _messages.StringField(5)
  updateTime = _messages.StringField(6)
class Oidc(_messages.Message):
  r"""An OpenID Connect 1.0 identity provider.

  Fields:
    allowedAudiences: Optional. Acceptable values for the `aud` field
      (audience) in the OIDC token. Token exchange requests are rejected
      if the token audience does not match one of the configured values.
      Each audience may be at most 256 characters. A maximum of 10
      audiences may be configured. If this list is empty, the OIDC token
      audience must be equal to the full canonical resource name of the
      WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For
      example:
      ```
      //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/
      https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/
      ```
    issuerUri: Required. The OIDC issuer URL. Must be an HTTPS endpoint.
      Per the OpenID Connect Discovery 1.0 spec, the OIDC issuer URL is
      used to locate the provider's public keys (via `jwks_uri`) for
      verifying tokens like the OIDC ID token. These public key types must
      be 'EC' or 'RSA'.
    jwksJson: Optional. OIDC JWKs in JSON string format. For details on
      the definition of a JWK, see https://tools.ietf.org/html/rfc7517. If
      not set, the `jwks_uri` from the discovery document (fetched from
      the .well-known path of the `issuer_uri`) is used. Currently, RSA
      and EC asymmetric keys are supported. The JWK must use the following
      format and include only the following fields:
      { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "",
      "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
  """
  # Empty list => the token's `aud` must equal the provider's canonical
  # resource name (see the docstring); otherwise it must match one entry.
  allowedAudiences = _messages.StringField(1, repeated=True)
  # Must be HTTPS; unless jwksJson is set, the verification keys are
  # fetched from this issuer's discovery document.
  issuerUri = _messages.StringField(2)
  # Pinned verification keys; when set, the issuer's `jwks_uri` is not used.
  jwksJson = _messages.StringField(3)
class Operation(_messages.Message):
r"""This resource represents a long-running operation that is the result of
a network API call.
Messages:
MetadataValue: Service-specific metadata associated with the operation. It
typically contains progress information and common metadata such as
create time. Some services might not provide such metadata. Any method
that returns a long-running operation should document the metadata type,
if any.
ResponseValue: The normal, successful response of the operation. If the
original method returns no data on success, such as `Delete`, the
response is `google.protobuf.Empty`. If the original method is standard
`Get`/`Create`/`Update`, the response should be the resource. For other
methods, the response should have the type `XxxResponse`, where `Xxx` is
the original method name. For example, if the original method name is
`TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`.
Fields:
done: If the value is `false`, it means the operation is still in
progress. If `true`, the operation is completed, and either `error` or
`response` is available.
error: The error result of the operation in case of failure or
cancellation.
metadata: Service-specific metadata associated with the operation. It
typically contains progress information and common metadata such as
create time. Some services might not provide such metadata. Any method
that returns a long-running operation should document the metadata type,
if any.
name: The server-assigned name, which is only unique within the same
service that originally returns it. If you use the default HTTP mapping,
the `name` should be a resource name ending with
`operations/{unique_id}`.
response: The normal, successful response of the operation. If the
original method returns no data on success, such as `Delete`, the
response is `google.protobuf.Empty`. If the original method is standard
`Get`/`Create`/`Update`, the response should be the resource. For other
methods, the response should have the type `XxxResponse`, where `Xxx` is
the original method name. For example, if the original method name is
`TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`.
"""
@encoding.MapUnrecognizedFields('additionalProperties')
class MetadataValue(_messages.Message):
  r"""Service-specific metadata associated with the operation. It typically
  contains progress information and common metadata such as create time.
  Some services might not provide such metadata. Any method that returns a
  long-running operation should document the metadata type, if any.

  Messages:
    AdditionalProperty: An additional property for a MetadataValue object.

  Fields:
    additionalProperties: Properties of the object. Contains field @type
      with type URL.
  """

  class AdditionalProperty(_messages.Message):
    r"""An additional property for a MetadataValue object.

    Fields:
      key: Name of the additional property.
      value: A extra_types.JsonValue attribute.
    """

    # Free-form key/value pair; `value` is an arbitrary JSON value, so callers
    # should treat its shape as untyped until they have checked the `@type`
    # entry the docstring mentions.
    key = _messages.StringField(1)
    value = _messages.MessageField('extra_types.JsonValue', 2)

  # NOTE(review): the MapUnrecognizedFields decorator above presumably routes
  # JSON members that match no declared field into this list (per its name;
  # confirm against apitools). Nothing here constrains which keys may appear.
  additionalProperties = _messages.MessageField('AdditionalProperty', 1, repeated=True)
@encoding.MapUnrecognizedFields('additionalProperties')
class ResponseValue(_messages.Message):
  r"""The normal, successful response of the operation. If the original
  method returns no data on success, such as `Delete`, the response is
  `google.protobuf.Empty`. If the original method is standard
  `Get`/`Create`/`Update`, the response should be the resource. For other
  methods, the response should have the type `XxxResponse`, where `Xxx` is
  the original method name. For example, if the original method name is
  `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`.

  Messages:
    AdditionalProperty: An additional property for a ResponseValue object.

  Fields:
    additionalProperties: Properties of the object. Contains field @type
      with type URL.
  """

  class AdditionalProperty(_messages.Message):
    r"""An additional property for a ResponseValue object.

    Fields:
      key: Name of the additional property.
      value: A extra_types.JsonValue attribute.
    """

    # Free-form key/value pair; `value` is an arbitrary JSON value whose
    # structure depends on the `@type` URL carried alongside it.
    key = _messages.StringField(1)
    value = _messages.MessageField('AdditionalProperty', 1) if False else _messages.MessageField('extra_types.JsonValue', 2)

  additionalProperties = _messages.MessageField('AdditionalProperty', 1, repeated=True)
done = _messages.BooleanField(1)
error = _messages.MessageField('Status', 2)
metadata = _messages.MessageField('MetadataValue', 3)
name = _messages.StringField(4)
response = _messages.MessageField('ResponseValue', 5)
class OperationMetadata(_messages.Message):
  r"""Represents the metadata of the long-running operation.

  Fields:
    apiVersion: Output only. API version used to start the operation.
    cancelRequested: Output only. Identifies whether the user has requested
      cancellation of the operation. Operations that have been cancelled
      successfully have google.longrunning.Operation.error value with a
      google.rpc.Status.code of `1`, corresponding to `Code.CANCELLED`.
    createTime: Output only. The time the operation was created.
    endTime: Output only. The time the operation finished running.
    statusDetail: Output only. Human-readable status of the operation, if any.
    target: Output only. Server-defined resource path for the target of the
      operation.
    verb: Output only. Name of the verb executed by the operation.
  """

  # Every field is documented as output only: values come from the server and
  # setting them on a request has no documented effect.
  apiVersion = _messages.StringField(1)
  # A requested cancellation is distinct from a completed one; per the
  # docstring, a successfully cancelled operation shows up as an `error` with
  # Status.code 1 (CANCELLED) on the Operation itself.
  cancelRequested = _messages.BooleanField(2)
  # Timestamps are carried as strings here, not as parsed datetime values.
  createTime = _messages.StringField(3)
  endTime = _messages.StringField(4)
  statusDetail = _messages.StringField(5)
  target = _messages.StringField(6)
  verb = _messages.StringField(7)
class OwnerService(_messages.Message):
  r"""The Google Cloud service that owns this namespace.

  Fields:
    principalSubject: Required. The service agent principal subject, e.g.
      "serviceAccount:service-1234@gcp-sa-gkehub.iam.gserviceaccount.com".
  """

  # Principal identifier string in the "serviceAccount:<email>" form shown in
  # the docstring; no format validation happens at this layer.
  principalSubject = _messages.StringField(1)
class PatchServiceAccountRequest(_messages.Message):
  r"""The service account patch request. You can patch only the `display_name`
  and `description` fields. You must use the `update_mask` field to specify
  which of these fields you want to patch. Only the fields specified in the
  request are guaranteed to be returned in the response. Other fields may be
  empty in the response.

  Fields:
    serviceAccount: A ServiceAccount attribute.
    updateMask: A string attribute.
  """

  # Only `display_name` and `description` are patchable per the docstring;
  # other ServiceAccount fields carried here are not applied.
  serviceAccount = _messages.MessageField('ServiceAccount', 1)
  # Required field-mask string naming which of the patchable fields to update.
  updateMask = _messages.StringField(2)
class Permission(_messages.Message):
  r"""A permission which can be included by a role.

  Enums:
    CustomRolesSupportLevelValueValuesEnum: The current custom role support
      level.
    StageValueValuesEnum: The current launch stage of the permission.

  Fields:
    apiDisabled: The service API associated with the permission is not
      enabled.
    customRolesSupportLevel: The current custom role support level.
    description: A brief description of what this Permission is used for.
    name: The name of this Permission.
    onlyInPredefinedRoles: A boolean attribute.
    primaryPermission: The preferred name for this permission. If present,
      then this permission is an alias of, and equivalent to, the listed
      primary_permission.
    stage: The current launch stage of the permission.
    title: The title of this Permission.
  """

  class CustomRolesSupportLevelValueValuesEnum(_messages.Enum):
    r"""The current custom role support level.

    Values:
      SUPPORTED: Default state. Permission is fully supported for custom role
        use.
      TESTING: Permission is being tested to check custom role compatibility.
      NOT_SUPPORTED: Permission is not supported for custom role use.
    """
    SUPPORTED = 0
    TESTING = 1
    NOT_SUPPORTED = 2

  class StageValueValuesEnum(_messages.Enum):
    r"""The current launch stage of the permission.

    Values:
      ALPHA: The permission is currently in an alpha phase.
      BETA: The permission is currently in a beta phase.
      GA: The permission is generally available.
      DEPRECATED: The permission is being deprecated.
    """
    ALPHA = 0
    BETA = 1
    GA = 2
    DEPRECATED = 3

  apiDisabled = _messages.BooleanField(1)
  customRolesSupportLevel = _messages.EnumField('CustomRolesSupportLevelValueValuesEnum', 2)
  description = _messages.StringField(3)
  name = _messages.StringField(4)
  # Undocumented beyond its type; presumably true when the permission cannot
  # be placed in a custom role at all -- confirm against the API reference.
  onlyInPredefinedRoles = _messages.BooleanField(5)
  # When set, this permission is an alias: tooling that diffs or audits role
  # contents should normalise to `primaryPermission` before comparing.
  primaryPermission = _messages.StringField(6)
  stage = _messages.EnumField('StageValueValuesEnum', 7)
  title = _messages.StringField(8)
class PermissionDelta(_messages.Message):
  r"""A PermissionDelta message to record the added_permissions and
  removed_permissions inside a role.

  Fields:
    addedPermissions: Added permissions.
    removedPermissions: Removed permissions.
  """

  # Per AdminAuditData's docstring this delta is what lands in the audit log
  # for role create/update, so it is the record to alert on for privilege
  # expansion of a custom role.
  addedPermissions = _messages.StringField(1, repeated=True)
  removedPermissions = _messages.StringField(2, repeated=True)
class Policy(_messages.Message):
  r"""An Identity and Access Management (IAM) policy, which specifies access
  controls for Google Cloud resources. A `Policy` is a collection of
  `bindings`. A `binding` binds one or more `members`, or principals, to a
  single `role`. Principals can be user accounts, service accounts, Google
  groups, and domains (such as G Suite). A `role` is a named list of
  permissions; each `role` can be an IAM predefined role or a user-created
  custom role. For some types of Google Cloud resources, a `binding` can also
  specify a `condition`, which is a logical expression that allows access to a
  resource only if the expression evaluates to `true`. A condition can add
  constraints based on attributes of the request, the resource, or both. To
  learn which resources support conditions in their IAM policies, see the [IAM
  documentation](https://cloud.google.com/iam/help/conditions/resource-
  policies). **JSON example:** ``` { "bindings": [ { "role":
  "roles/resourcemanager.organizationAdmin", "members": [
  "user:mike@example.com", "group:admins@example.com", "domain:google.com",
  "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role":
  "roles/resourcemanager.organizationViewer", "members": [
  "user:eve@example.com" ], "condition": { "title": "expirable access",
  "description": "Does not grant access after Sep 2020", "expression":
  "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag":
  "BwWWja0YfJA=", "version": 3 } ``` **YAML example:** ``` bindings: -
  members: - user:mike@example.com - group:admins@example.com -
  domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com
  role: roles/resourcemanager.organizationAdmin - members: -
  user:eve@example.com role: roles/resourcemanager.organizationViewer
  condition: title: expirable access description: Does not grant access after
  Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
  etag: BwWWja0YfJA= version: 3 ``` For a description of IAM and its features,
  see the [IAM documentation](https://cloud.google.com/iam/docs/).

  Fields:
    auditConfigs: Specifies cloud audit logging configuration for this policy.
    bindings: Associates a list of `members`, or principals, with a `role`.
      Optionally, may specify a `condition` that determines how and when the
      `bindings` are applied. Each of the `bindings` must contain at least one
      principal. The `bindings` in a `Policy` can refer to up to 1,500
      principals; up to 250 of these principals can be Google groups. Each
      occurrence of a principal counts towards these limits. For example, if
      the `bindings` grant 50 different roles to `user:alice@example.com`, and
      not to any other principal, then you can add another 1,450 principals to
      the `bindings` in the `Policy`.
    etag: `etag` is used for optimistic concurrency control as a way to help
      prevent simultaneous updates of a policy from overwriting each other. It
      is strongly suggested that systems make use of the `etag` in the read-
      modify-write cycle to perform policy updates in order to avoid race
      conditions: An `etag` is returned in the response to `getIamPolicy`, and
      systems are expected to put that etag in the request to `setIamPolicy`
      to ensure that their change will be applied to the same version of the
      policy. **Important:** If you use IAM Conditions, you must include the
      `etag` field whenever you call `setIamPolicy`. If you omit this field,
      then IAM allows you to overwrite a version `3` policy with a version `1`
      policy, and all of the conditions in the version `3` policy are lost.
    version: Specifies the format of the policy. Valid values are `0`, `1`,
      and `3`. Requests that specify an invalid value are rejected. Any
      operation that affects conditional role bindings must specify version
      `3`. This requirement applies to the following operations: * Getting a
      policy that includes a conditional role binding * Adding a conditional
      role binding to a policy * Changing a conditional role binding in a
      policy * Removing any role binding, with or without a condition, from a
      policy that includes conditions **Important:** If you use IAM
      Conditions, you must include the `etag` field whenever you call
      `setIamPolicy`. If you omit this field, then IAM allows you to overwrite
      a version `3` policy with a version `1` policy, and all of the
      conditions in the version `3` policy are lost. If a policy does not
      include any conditions, operations on that policy may specify any valid
      version or leave the field unset. To learn which resources support
      conditions in their IAM policies, see the [IAM
      documentation](https://cloud.google.com/iam/help/conditions/resource-
      policies).
  """

  # Audit-logging configuration travels with the policy; a setIamPolicy that
  # omits it (or masks it out) can silently change what gets logged.
  auditConfigs = _messages.MessageField('AuditConfig', 1, repeated=True)
  bindings = _messages.MessageField('Binding', 2, repeated=True)
  # Optimistic-concurrency token, carried as raw bytes. Always round-trip the
  # etag from getIamPolicy into setIamPolicy: per the docstring, omitting it
  # lets a version-1 write overwrite a version-3 policy and drop every
  # condition, i.e. a lost-update that widens access.
  etag = _messages.BytesField(3)
  # Only 0, 1 and 3 are accepted; 3 is mandatory whenever conditional bindings
  # are read or written, otherwise conditions are not returned/applied.
  version = _messages.IntegerField(4, variant=_messages.Variant.INT32)
class PolicyDelta(_messages.Message):
  r"""The difference delta between two policies.

  Fields:
    bindingDeltas: The delta for Bindings between two policies.
  """

  # One entry per binding that changed between the two policies being compared.
  bindingDeltas = _messages.MessageField('BindingDelta', 1, repeated=True)
class QueryAuditableServicesRequest(_messages.Message):
  r"""A request to get the list of auditable services for a resource.

  Fields:
    fullResourceName: Required. The full resource name to query from the list
      of auditable services. The name follows the Google Cloud Platform
      resource format. For example, a Cloud Platform project with id `my-
      project` will be named
      `//cloudresourcemanager.googleapis.com/projects/my-project`.
  """

  # Full resource name in the `//<service>/<path>` form shown in the docstring,
  # not a short project id.
  fullResourceName = _messages.StringField(1)
class QueryAuditableServicesResponse(_messages.Message):
  r"""A response containing a list of auditable services for a resource.

  Fields:
    services: The auditable services for a resource.
  """

  # Services for which audit logging can be configured on the queried resource.
  services = _messages.MessageField('AuditableService', 1, repeated=True)
class QueryGrantableRolesRequest(_messages.Message):
  r"""The grantable role query request.

  Enums:
    ViewValueValuesEnum: Controls whether `included_permissions` is returned.

  Fields:
    fullResourceName: Required. The full resource name to query from
      the list of grantable roles. The name follows the Google Cloud Platform
      resource format. For example, a Cloud Platform project with id `my-
      project` will be named
      `//cloudresourcemanager.googleapis.com/projects/my-project`.
    pageSize: Optional limit on the number of roles to include in the
      response. The default is 300, and the maximum is 2,000.
    pageToken: Optional pagination token returned in an earlier
      QueryGrantableRolesResponse.
    view: A ViewValueValuesEnum attribute.
  """

  class ViewValueValuesEnum(_messages.Enum):
    r"""ViewValueValuesEnum enum type.

    Values:
      BASIC: Omits the `included_permissions` field. This is the default
        value.
      FULL: Returns all fields.
    """
    BASIC = 0
    FULL = 1

  fullResourceName = _messages.StringField(1)
  # Server clamps at 2,000 and defaults to 300 when unset (per docstring).
  pageSize = _messages.IntegerField(2, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(3)
  # BASIC (the default) strips `included_permissions`; use FULL when the
  # caller needs to inspect what each role actually grants.
  view = _messages.EnumField('ViewValueValuesEnum', 4)
class QueryGrantableRolesResponse(_messages.Message):
  r"""The grantable role query response.

  Fields:
    nextPageToken: To retrieve the next page of results, set
      `QueryGrantableRolesRequest.page_token` to this value.
    roles: The list of matching roles.
  """

  # Empty/unset once the last page has been returned.
  nextPageToken = _messages.StringField(1)
  roles = _messages.MessageField('Role', 2, repeated=True)
class QueryTestablePermissionsRequest(_messages.Message):
  r"""A request to get permissions which can be tested on a resource.

  Fields:
    fullResourceName: Required. The full resource name to query from the list
      of testable permissions. The name follows the Google Cloud Platform
      resource format. For example, a Cloud Platform project with id `my-
      project` will be named
      `//cloudresourcemanager.googleapis.com/projects/my-project`.
    pageSize: Optional limit on the number of permissions to include in the
      response. The default is 100, and the maximum is 1,000.
    pageToken: Optional pagination token returned in an earlier
      QueryTestablePermissionsRequest.
  """

  fullResourceName = _messages.StringField(1)
  # Defaults to 100, capped at 1,000 (per docstring); smaller than the
  # grantable-roles query's limits.
  pageSize = _messages.IntegerField(2, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(3)
class QueryTestablePermissionsResponse(_messages.Message):
  r"""The response containing permissions which can be tested on a resource.

  Fields:
    nextPageToken: To retrieve the next page of results, set
      `QueryTestableRolesRequest.page_token` to this value.
    permissions: The Permissions testable on the requested resource.
  """

  # NOTE(review): the docstring names `QueryTestableRolesRequest`, which does
  # not appear in this file; the paired request type here is
  # QueryTestablePermissionsRequest -- confirm against the API reference.
  nextPageToken = _messages.StringField(1)
  permissions = _messages.MessageField('Permission', 2, repeated=True)
class ReconciliationOperationMetadata(_messages.Message):
  r"""Operation metadata returned by the CLH during resource state
  reconciliation.

  Enums:
    ExclusiveActionValueValuesEnum: Exclusive action returned by the CLH.

  Fields:
    deleteResource: DEPRECATED. Use exclusive_action instead.
    exclusiveAction: Exclusive action returned by the CLH.
  """

  class ExclusiveActionValueValuesEnum(_messages.Enum):
    r"""Exclusive action returned by the CLH.

    Values:
      UNKNOWN_REPAIR_ACTION: Unknown repair action.
      DELETE: The resource has to be deleted. When using this bit, the CLH
        should fail the operation. DEPRECATED. Instead use DELETE_RESOURCE
        OperationSignal in SideChannel.
      RETRY: This resource could not be repaired but the repair should be
        tried again at a later time. This can happen if there is a dependency
        that needs to be resolved first- e.g. if a parent resource must be
        repaired before a child resource.
    """
    UNKNOWN_REPAIR_ACTION = 0
    # Deprecated per the docstring; the replacement is a side-channel signal.
    DELETE = 1
    RETRY = 2

  # Deprecated boolean form of the same decision; prefer `exclusiveAction`.
  deleteResource = _messages.BooleanField(1)
  exclusiveAction = _messages.EnumField('ExclusiveActionValueValuesEnum', 2)
class RemoveAttestationRuleRequest(_messages.Message):
  r"""Request message for RemoveAttestationRule.

  Fields:
    attestationRule: Required. The attestation rule to be removed.
  """

  # Mirrors AddAttestationRuleRequest: the rule to drop is identified by value,
  # not by a separate rule id.
  attestationRule = _messages.MessageField('AttestationRule', 1)
class Role(_messages.Message):
  r"""A role in the Identity and Access Management API.

  Enums:
    StageValueValuesEnum: The current launch stage of the role. If the `ALPHA`
      launch stage has been selected for a role, the `stage` field will not be
      included in the returned definition for the role.

  Fields:
    deleted: The current deleted state of the role. This field is read only.
      It will be ignored in calls to CreateRole and UpdateRole.
    description: Optional. A human-readable description for the role.
    etag: Used to perform a consistent read-modify-write.
    includedPermissions: The names of the permissions this role grants when
      bound in an IAM policy.
    name: The name of the role. When `Role` is used in `CreateRole`, the role
      name must not be set. When `Role` is used in output and other input such
      as `UpdateRole`, the role name is the complete path. For example,
      `roles/logging.viewer` for predefined roles,
      `organizations/{ORGANIZATION_ID}/roles/myRole` for organization-level
      custom roles, and `projects/{PROJECT_ID}/roles/myRole` for project-level
      custom roles.
    stage: The current launch stage of the role. If the `ALPHA` launch stage
      has been selected for a role, the `stage` field will not be included in
      the returned definition for the role.
    title: Optional. A human-readable title for the role. Typically this is
      limited to 100 UTF-8 bytes.
  """

  class StageValueValuesEnum(_messages.Enum):
    r"""The current launch stage of the role. If the `ALPHA` launch stage has
    been selected for a role, the `stage` field will not be included in the
    returned definition for the role.

    Values:
      ALPHA: The user has indicated this role is currently in an Alpha phase.
        If this launch stage is selected, the `stage` field will not be
        included when requesting the definition for a given role.
      BETA: The user has indicated this role is currently in a Beta phase.
      GA: The user has indicated this role is generally available.
      DEPRECATED: The user has indicated this role is being deprecated.
      DISABLED: This role is disabled and will not contribute permissions to
        any principals it is granted to in policies.
      EAP: The user has indicated this role is currently in an EAP phase.
    """
    ALPHA = 0
    BETA = 1
    GA = 2
    DEPRECATED = 3
    # A DISABLED role grants nothing even while bindings to it still exist, so
    # a policy review must read the role's stage, not just the binding list.
    DISABLED = 4
    EAP = 5

  # Read-only; ignored on CreateRole/UpdateRole (per docstring).
  deleted = _messages.BooleanField(1)
  description = _messages.StringField(2)
  # Concurrency token for read-modify-write on the role definition; pass the
  # value from the preceding read back on update to avoid clobbering a
  # concurrent permission change.
  etag = _messages.BytesField(3)
  # The effective grant set of a custom role; compare against
  # PermissionDelta in audit logs when tracking privilege changes.
  includedPermissions = _messages.StringField(4, repeated=True)
  name = _messages.StringField(5)
  stage = _messages.EnumField('StageValueValuesEnum', 6)
  title = _messages.StringField(7)
class Saml(_messages.Message):
  r"""Represents an SAML 2.0 identity provider.

  Fields:
    idpMetadataXml: Required. SAML identity provider (IdP) configuration
      metadata XML doc. The XML document must comply with the [SAML 2.0
      specification](https://docs.oasis-open.org/security/saml/v2.0/saml-
      metadata-2.0-os.pdf). The maximum size of an acceptable XML document is
      128K characters. The SAML metadata XML document must satisfy the
      following constraints: * Must contain an IdP Entity ID. * Must contain
      at least one non-expired signing certificate. * For each signing
      certificate, the expiration must be: * From no more than 7 days in the
      future. * To no more than 25 years in the future. * Up to three IdP
      signing keys are allowed. When updating the provider's metadata XML, at
      least one non-expired signing key must overlap with the existing
      metadata. This requirement is skipped if there are no non-expired
      signing keys present in the existing metadata.
  """

  # Trust anchor for the federation: the signing certificates inside this
  # document are what assertions from the IdP will be verified against. The
  # documented overlap rule on update (at least one non-expired key shared
  # with the existing metadata) is what makes key rotation safe against an
  # accidental or hostile wholesale swap of the IdP's keys.
  idpMetadataXml = _messages.StringField(1)
class ServiceAccount(_messages.Message):
  r"""An IAM service account. A service account is an account for an
  application or a virtual machine (VM) instance, not a person. You can use a
  service account to call Google APIs. To learn more, read the [overview of
  service accounts](https://cloud.google.com/iam/help/service-
  accounts/overview). When you create a service account, you specify the
  project ID that owns the service account, as well as a name that must be
  unique within the project. IAM uses these values to create an email address
  that identifies the service account. //

  Fields:
    description: Optional. A user-specified, human-readable description of the
      service account. The maximum length is 256 UTF-8 bytes.
    disabled: Output only. Whether the service account is disabled.
    displayName: Optional. A user-specified, human-readable name for the
      service account. The maximum length is 100 UTF-8 bytes.
    email: Output only. The email address of the service account.
    etag: Deprecated. Do not use.
    name: The resource name of the service account. Use one of the following
      formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` *
      `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative,
      you can use the `-` wildcard character instead of the project ID: *
      `projects/-/serviceAccounts/{EMAIL_ADDRESS}` *
      `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the
      `-` wildcard character, because it can cause response messages to
      contain misleading error codes. For example, if you try to access the
      service account `projects/-/serviceAccounts/fake@example.com`, which
      does not exist, the response contains an HTTP `403 Forbidden` error
      instead of a `404 Not Found` error.
    oauth2ClientId: Output only. The OAuth 2.0 client ID for the service
      account.
    projectId: Output only. The ID of the project that owns the service
      account.
    uniqueId: Output only. The unique, stable numeric ID for the service
      account. Each service account retains its unique ID even if you delete
      the service account. For example, if you delete a service account, then
      create a new service account with the same name, the new service account
      has a different unique ID than the deleted service account.
  """

  description = _messages.StringField(1)
  # Output only: disabling is done through a separate call, not by setting
  # this on an update.
  disabled = _messages.BooleanField(2)
  displayName = _messages.StringField(3)
  email = _messages.StringField(4)
  # Deprecated per docstring; unlike Policy.etag it provides no concurrency
  # guarantee and should not be relied on.
  etag = _messages.BytesField(5)
  # Resource name; the `-` project wildcard form turns "not found" into
  # 403 Forbidden (see docstring), which can confuse existence checks and
  # error-based alerting.
  name = _messages.StringField(6)
  oauth2ClientId = _messages.StringField(7)
  projectId = _messages.StringField(8)
  # Stable identifier that survives delete/recreate of the same email, so it
  # is the safer key for audit correlation than `email`.
  uniqueId = _messages.StringField(9)
class ServiceAccountIdentityBinding(_messages.Message):
  r"""Represents a service account identity provider reference. A service
  account has at most one identity binding for the EAP. This is an alternative
  to service account keys and enables the service account to be configured to
  trust an external IDP through the provided identity binding.

  Fields:
    acceptanceFilter: A CEL expression that is evaluated to determine whether
      a credential should be accepted. To accept any credential, specify
      "true". See: https://github.com/google/cel-spec . This field supports a
      subset of the CEL functionality to select fields and evaluate boolean
      expressions based on the input (no functions or arithmetics). The values
      for input claims are available using `inclaim.attribute_name` or
      `inclaim[\"attribute_name\"]`. The values for output attributes
      calculated by the translator are available using
      `outclaim.attribute_name` or `outclaim[\"attribute_name\"]`.
    cel: A set of output attributes and corresponding input attribute
      expressions.
    name: The resource name of the service account identity binding in the
      following format `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/identi
      tyBindings/{BINDING}`.
    oidc: OIDC with discovery.
  """

  # Authorization gate for the federation. The literal "true" accepts every
  # credential the referenced IdP issues, so the expression over inclaim/
  # outclaim attributes is the only thing narrowing which external identities
  # may act as this service account; review it like an IAM binding.
  acceptanceFilter = _messages.StringField(1)
  # Claim-translation rules; the outputs they compute are what
  # `acceptanceFilter` sees as `outclaim.*`.
  cel = _messages.MessageField('AttributeTranslatorCEL', 2)
  name = _messages.StringField(3)
  # Issuer reference resolved via OIDC discovery (per docstring).
  oidc = _messages.MessageField('IDPReferenceOIDC', 4)
class ServiceAccountKey(_messages.Message):
  r"""Represents a service account key. A service account has two sets of key-
  pairs: user-managed, and system-managed. User-managed key-pairs can be
  created and deleted by users. Users are responsible for rotating these keys
  periodically to ensure security of their service accounts. Users retain the
  private key of these key-pairs, and Google retains ONLY the public key.
  System-managed keys are automatically rotated by Google, and are used for
  signing for a maximum of two weeks. The rotation process is probabilistic,
  and usage of the new key will gradually ramp up and down over the key's
  lifetime. If you cache the public key set for a service account, we
  recommend that you update the cache every 15 minutes. User-managed keys can
  be added and removed at any time, so it is important to update the cache
  frequently. For Google-managed keys, Google will publish a key at least 6
  hours before it is first used for signing and will keep publishing it for at
  least 6 hours after it was last used for signing. Public keys for all
  service accounts are also published at the OAuth2 Service Account API.

  Enums:
    DisableReasonValueValuesEnum: Output only. optional. If the key is
      disabled, it may have a DisableReason describing why it was disabled.
    KeyAlgorithmValueValuesEnum: Specifies the algorithm (and possibly key
      size) for the key.
    KeyOriginValueValuesEnum: The key origin.
    KeyTypeValueValuesEnum: The key type.
    PrivateKeyTypeValueValuesEnum: The output format for the private key. Only
      provided in `CreateServiceAccountKey` responses, not in
      `GetServiceAccountKey` or `ListServiceAccountKey` responses. Google
      never exposes system-managed private keys, and never retains user-
      managed private keys.

  Fields:
    disableReason: Output only. optional. If the key is disabled, it may have
      a DisableReason describing why it was disabled.
    disabled: The key status.
    extendedStatus: Output only. Extended Status provides permanent
      information about a service account key. For example, if this key was
      detected as exposed or compromised, that information will remain for the
      lifetime of the key in the extended_status.
    keyAlgorithm: Specifies the algorithm (and possibly key size) for the key.
    keyOrigin: The key origin.
    keyType: The key type.
    name: The resource name of the service account key in the following format
      `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
    privateKeyData: The private key data. Only provided in
      `CreateServiceAccountKey` responses. Make sure to keep the private key
      data secure because it allows for the assertion of the service account
      identity. When base64 decoded, the private key data can be used to
      authenticate with Google API client libraries and with gcloud auth
      activate-service-account.
    privateKeyType: The output format for the private key. Only provided in
      `CreateServiceAccountKey` responses, not in `GetServiceAccountKey` or
      `ListServiceAccountKey` responses. Google never exposes system-managed
      private keys, and never retains user-managed private keys.
    publicKeyData: The public key data. Only provided in
      `GetServiceAccountKey` responses.
    validAfterTime: The key can be used after this timestamp.
    validBeforeTime: The key can be used before this timestamp. For system-
      managed key pairs, this timestamp is the end time for the private key
      signing operation. The public key could still be used for verification
      for a few hours after this time.
  """

  class DisableReasonValueValuesEnum(_messages.Enum):
    r"""Output only. optional. If the key is disabled, it may have a
    DisableReason describing why it was disabled.

    Values:
      SERVICE_ACCOUNT_KEY_DISABLE_REASON_UNSPECIFIED: Unspecified disable
        reason
      SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED: Disabled by the user
      SERVICE_ACCOUNT_KEY_DISABLE_REASON_EXPOSED: Google detected this Service
        Account external key's private key data as exposed, typically in a
        public repository on GitHub or similar.
      SERVICE_ACCOUNT_KEY_DISABLE_REASON_COMPROMISE_DETECTED: This service
        account external key was detected as compromised and used by an
        attacker.
    """
    SERVICE_ACCOUNT_KEY_DISABLE_REASON_UNSPECIFIED = 0
    SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED = 1
    # The two values below record that Google, not the owner, disabled the
    # key because it was leaked or actively misused. Key-inventory and
    # incident tooling should treat either as a signal to revoke (not merely
    # keep disabled) and to review what the account could reach.
    SERVICE_ACCOUNT_KEY_DISABLE_REASON_EXPOSED = 2
    SERVICE_ACCOUNT_KEY_DISABLE_REASON_COMPROMISE_DETECTED = 3

  class KeyAlgorithmValueValuesEnum(_messages.Enum):
    r"""Specifies the algorithm (and possibly key size) for the key.

    Values:
      KEY_ALG_UNSPECIFIED: An unspecified key algorithm.
      KEY_ALG_RSA_1024: 1k RSA Key.
      KEY_ALG_RSA_2048: 2k RSA Key.
    """
    KEY_ALG_UNSPECIFIED = 0
    # 1024-bit RSA is retained in the enum for existing keys; prefer
    # KEY_ALG_RSA_2048 for anything new.
    KEY_ALG_RSA_1024 = 1
    KEY_ALG_RSA_2048 = 2

  class KeyOriginValueValuesEnum(_messages.Enum):
    r"""The key origin.

    Values:
      ORIGIN_UNSPECIFIED: Unspecified key origin.
      USER_PROVIDED: Key is provided by user.
      GOOGLE_PROVIDED: Key is provided by Google.
    """
    ORIGIN_UNSPECIFIED = 0
    # Key material was generated outside Google (uploaded public key); Google
    # never held the private half.
    USER_PROVIDED = 1
    GOOGLE_PROVIDED = 2

  class KeyTypeValueValuesEnum(_messages.Enum):
    r"""The key type.

    Values:
      KEY_TYPE_UNSPECIFIED: Unspecified key type. The presence of this in the
        message will immediately result in an error.
      USER_MANAGED: User-managed keys (managed and rotated by the user).
      SYSTEM_MANAGED: System-managed keys (managed and rotated by Google).
    """
    # Per docstring, sending this value is an error rather than a default.
    KEY_TYPE_UNSPECIFIED = 0
    # Rotation and lifecycle are the owner's responsibility (see class doc).
    USER_MANAGED = 1
    SYSTEM_MANAGED = 2

  class PrivateKeyTypeValueValuesEnum(_messages.Enum):
    r"""The output format for the private key. Only provided in
    `CreateServiceAccountKey` responses, not in `GetServiceAccountKey` or
    `ListServiceAccountKey` responses. Google never exposes system-managed
    private keys, and never retains user-managed private keys.

    Values:
      TYPE_UNSPECIFIED: Unspecified. Equivalent to
        `TYPE_GOOGLE_CREDENTIALS_FILE`.
      TYPE_PKCS12_FILE: PKCS12 format. The password for the PKCS12 file is
        `notasecret`. For more information, see
        https://tools.ietf.org/html/rfc7292.
      TYPE_GOOGLE_CREDENTIALS_FILE: Google Credentials File format.
    """
    TYPE_UNSPECIFIED = 0
    # The PKCS12 password is the fixed, documented value `notasecret`, so the
    # container adds no confidentiality of its own; protect the file as a
    # plaintext private key.
    TYPE_PKCS12_FILE = 1
    TYPE_GOOGLE_CREDENTIALS_FILE = 2

  disableReason = _messages.EnumField('DisableReasonValueValuesEnum', 1)
  disabled = _messages.BooleanField(2)
  # Permanent record (per docstring) -- an exposed/compromised flag here does
  # not clear when the key is re-enabled.
  extendedStatus = _messages.MessageField('ExtendedStatus', 3, repeated=True)
  keyAlgorithm = _messages.EnumField('KeyAlgorithmValueValuesEnum', 4)
  keyOrigin = _messages.EnumField('KeyOriginValueValuesEnum', 5)
  keyType = _messages.EnumField('KeyTypeValueValuesEnum', 6)
  name = _messages.StringField(7)
  # SECRET. Present only in the CreateServiceAccountKey response and, per the
  # docstring, sufficient on its own to authenticate as the service account.
  # Never log, echo in diagnostics, or persist this field unprotected; Google
  # does not retain it, so there is no server-side copy to fall back on.
  privateKeyData = _messages.BytesField(8)
  privateKeyType = _messages.EnumField('PrivateKeyTypeValueValuesEnum', 9)
  # Public half only; safe to cache, but refresh roughly every 15 minutes as
  # the class docstring recommends, since user-managed keys change at will.
  publicKeyData = _messages.BytesField(10)
  validAfterTime = _messages.StringField(11)
  # For system-managed keys this bounds signing, not verification: the public
  # key may still validate signatures for a few hours afterwards (docstring).
  validBeforeTime = _messages.StringField(12)
class ServiceConfig(_messages.Message):
  r"""Configuration for a service.

  Fields:
    domain: Optional. Domain name of the service. Example:
      console.cloud.google
  """

  # Referenced by AccessRestrictions.allowedServices; a bare domain name with
  # no scheme or path.
  domain = _messages.StringField(1)
class SetAttestationRulesRequest(_messages.Message):
  r"""Request message for SetAttestationRules.

  Fields:
    attestationRules: Required. The attestation rules to be set. At most 50
      attestation rules can be set.
  """

  # Replaces the full rule set (contrast with Add/RemoveAttestationRuleRequest,
  # which touch one rule); an empty list presumably clears every rule --
  # confirm against the API reference before using it that way.
  attestationRules = _messages.MessageField('AttestationRule', 1, repeated=True)
class SetIamPolicyRequest(_messages.Message):
  r"""Request message for `SetIamPolicy` method.

  Fields:
    policy: REQUIRED: The complete policy to be applied to the `resource`. The
      size of the policy is limited to a few 10s of KB. An empty policy is a
      valid policy but certain Google Cloud services (such as Projects) might
      reject them.
    updateMask: OPTIONAL: A FieldMask specifying which fields of the policy to
      modify. Only the fields in the mask will be modified. If no mask is
      provided, the following default mask is used: `paths: "bindings, etag"`
  """

  # Whole-policy replacement, not a merge: bindings absent from this message
  # are removed. Carry the etag from getIamPolicy to avoid a lost update.
  policy = _messages.MessageField('Policy', 1)
  # Defaults to "bindings, etag" (docstring), so fields outside that mask --
  # e.g. auditConfigs -- are presumably left untouched unless named here;
  # confirm against the API reference.
  updateMask = _messages.StringField(2)
class SignBlobRequest(_messages.Message):
  r"""Deprecated. [Migrate to Service Account Credentials
  API](https://cloud.google.com/iam/help/credentials/migrate-api). The service
  account sign blob request.

  Fields:
    bytesToSign: Required. Deprecated. [Migrate to Service Account Credentials
      API](https://cloud.google.com/iam/help/credentials/migrate-api). The
      bytes to sign.
  """

  # Deprecated surface kept for compatibility; new code should use the
  # Service Account Credentials API linked in the docstring.
  bytesToSign = _messages.BytesField(1)
class SignBlobResponse(_messages.Message):
  r"""Deprecated service-account sign-blob response.

  Migrate to the Service Account Credentials API
  (https://cloud.google.com/iam/help/credentials/migrate-api).

  Fields:
    keyId: Deprecated. Identifier of the key that produced the signature;
      verifiers need it to pick the matching public key.
    signature: Deprecated. The signature over the submitted bytes.
  """

  keyId = _messages.StringField(number=1)
  signature = _messages.BytesField(number=2)
class SignJwtRequest(_messages.Message):
  r"""Deprecated service-account sign-JWT request.

  Migrate to the Service Account Credentials API
  (https://cloud.google.com/iam/help/credentials/migrate-api). The only
  claim the contract below constrains is `exp`; the caller is responsible
  for the remaining claims it places in the payload.

  Fields:
    payload: Required. Deprecated. The JWT Claims Set to sign, as a
      serialized JSON object, e.g. `{"sub": "user@example.com", "iat":
      313435}`. If an `exp` claim is present it must be an integer timestamp
      that is not in the past and at most 12 hours in the future; if absent,
      an `exp` one hour in the future is added automatically.
  """

  payload = _messages.StringField(number=1)
class SignJwtResponse(_messages.Message):
  r"""Deprecated service-account sign-JWT response.

  Migrate to the Service Account Credentials API
  (https://cloud.google.com/iam/help/credentials/migrate-api).

  Fields:
    keyId: Deprecated. Identifier of the key used to sign the JWT.
    signedJwt: Deprecated. The signed JWT (compact serialization).
  """

  keyId = _messages.StringField(number=1)
  signedJwt = _messages.StringField(number=2)
class SingleAttributeSelector(_messages.Message):
  r"""Selects workloads whose single named attribute exactly equals a value.

  Security note: service account email addresses can be reused after the
  account is deleted, so a selector keyed on the email would also match a
  later, unrelated account created with the same name. Reference the
  account by its unique numeric ID when that must not happen.

  Fields:
    attribute: Required. The attribute key to match. Supported keys:
      - `attached_service_account`: matches workloads that have the
        referenced Google Cloud service account attached. Reference the
        account either by email address (e.g.
        `service-account-id@project-id.iam.gserviceaccount.com`) or by
        unique ID (e.g. `123456789012345678901`); see the note above on
        why the unique ID is the safer choice.
    value: Required. The value the workload's attribute must equal exactly.
  """

  attribute = _messages.StringField(number=1)
  value = _messages.StringField(number=2)
class StandardQueryParameters(_messages.Message):
  r"""Query parameters accepted by every method of the API.

  NOTE(review): `access_token`, `oauth_token` and `key` are credentials
  modelled here as query parameters. Query strings are routinely captured in
  URL logs and by proxies; prefer header-based authentication where the
  client supports it — confirm how this generated client actually transmits
  them before relying on either assumption.

  Enums:
    FXgafvValueValuesEnum: V1 error format.
    AltValueValuesEnum: Data format for response.

  Fields:
    f__xgafv: V1 error format.
    access_token: OAuth access token.
    alt: Data format for the response; defaults to `json`.
    callback: JSONP callback.
    fields: Selector of the fields to include in a partial response.
    key: API key. Identifies the project and provides API access, quota and
      reports. Required unless an OAuth 2.0 token is supplied.
    oauth_token: OAuth 2.0 token for the current user.
    prettyPrint: Return the response with indentation and line breaks;
      defaults to True.
    quotaUser: Arbitrary per-user string for server-side quota accounting;
      should not exceed 40 characters.
    trace: Tracing token of the form "token:<tokenid>" to include in API
      requests.
    uploadType: Legacy media upload protocol (e.g. "media", "multipart").
    upload_protocol: Media upload protocol (e.g. "raw", "multipart").
  """

  class AltValueValuesEnum(_messages.Enum):
    r"""Data format for the response.

    Values:
      json: Responses with Content-Type of application/json
      media: Media download with context-dependent Content-Type
      proto: Responses with Content-Type of application/x-protobuf
    """
    json = 0
    media = 1
    proto = 2

  class FXgafvValueValuesEnum(_messages.Enum):
    r"""V1 error format.

    Values:
      _1: v1 error format
      _2: v2 error format
    """
    _1 = 0
    _2 = 1

  f__xgafv = _messages.EnumField('FXgafvValueValuesEnum', number=1)
  access_token = _messages.StringField(number=2)
  alt = _messages.EnumField('AltValueValuesEnum', number=3, default='json')
  callback = _messages.StringField(number=4)
  fields = _messages.StringField(number=5)
  key = _messages.StringField(number=6)
  oauth_token = _messages.StringField(number=7)
  prettyPrint = _messages.BooleanField(number=8, default=True)
  quotaUser = _messages.StringField(number=9)
  trace = _messages.StringField(number=10)
  uploadType = _messages.StringField(number=11)
  upload_protocol = _messages.StringField(number=12)
class Status(_messages.Message):
  r"""Logical error model shared by REST and RPC APIs, as used by gRPC.

  A `Status` carries three things: an error code, a developer-facing message
  and a list of detail messages. See the API Design Guide
  (https://cloud.google.com/apis/design/errors) for how to work with it.

  Messages:
    DetailsValueListEntry: One entry of `details`, an open JSON object.

  Fields:
    code: Status code; should be a `google.rpc.Code` enum value.
    details: Error detail messages. A common set of message types is
      available for APIs to use.
    message: Developer-facing error message, which should be in English.
      Anything user-facing should be localized and carried in `details`, or
      localized by the client.
  """

  @encoding.MapUnrecognizedFields('additionalProperties')
  class DetailsValueListEntry(_messages.Message):
    r"""One error-detail object; unrecognized keys are kept as properties.

    Messages:
      AdditionalProperty: A single key/value of the detail object.

    Fields:
      additionalProperties: Properties of the object. Includes the `@type`
        field holding the type URL.
    """

    class AdditionalProperty(_messages.Message):
      r"""A single property of a DetailsValueListEntry.

      Fields:
        key: Property name.
        value: Property value, as an `extra_types.JsonValue`.
      """

      key = _messages.StringField(number=1)
      value = _messages.MessageField('extra_types.JsonValue', number=2)

    additionalProperties = _messages.MessageField(
        'AdditionalProperty', number=1, repeated=True)

  code = _messages.IntegerField(number=1, variant=_messages.Variant.INT32)
  details = _messages.MessageField(
      'DetailsValueListEntry', number=2, repeated=True)
  message = _messages.StringField(number=3)
class TestIamPermissionsRequest(_messages.Message):
  r"""Request body for the `TestIamPermissions` method.

  Fields:
    permissions: The permissions to check on the `resource`. Wildcards
      (such as `*` or `storage.*`) are not allowed. See the IAM overview
      (https://cloud.google.com/iam/docs/overview#permissions).
  """

  permissions = _messages.StringField(number=1, repeated=True)
class TestIamPermissionsResponse(_messages.Message):
  r"""Response body for the `TestIamPermissions` method.

  Fields:
    permissions: The subset of `TestIamPermissionsRequest.permissions` that
      the caller holds. Permissions absent from this list were not granted;
      callers should treat absence as denial rather than as an error.
  """

  permissions = _messages.StringField(number=1, repeated=True)
class TrustAnchor(_messages.Message):
  r"""A root of trust for certificate validation.

  Fields:
    pemCertificate: PEM-encoded certificate of the PKI used for validation.
      Must contain exactly one CA certificate (a root or an intermediate).
      Note that an intermediate placed here is trusted directly as an
      anchor, i.e. without being chained to its own issuer.
  """

  pemCertificate = _messages.StringField(number=1)
class TrustStore(_messages.Message):
  r"""Trust anchors plus optional intermediate CAs used to build a chain and
  verify a client's identity.

  A presented end-entity certificate is accepted only if it chains to one of
  `trustAnchors`. Every anchor and every intermediate added here widens the
  set of issuers whose certificates are accepted, so keep the list minimal.

  Fields:
    intermediateCas: Optional. Intermediate CA certificates used when
      building the chain up to a trust anchor. Important: intermediates are
      only supported for X.509 federation.
    trustAnchors: Required. The trust anchors validated against. The
      incoming end-entity certificate must chain to one of them.
    trustDefaultSharedCa: Optional. If true, the trust bundle also includes
      the regional root public certificates of the private CA managed
      identity. Important: only supported for managed identity trust domain
      resources.
  """

  intermediateCas = _messages.MessageField(
      'IntermediateCA', number=1, repeated=True)
  trustAnchors = _messages.MessageField(
      'TrustAnchor', number=2, repeated=True)
  trustDefaultSharedCa = _messages.BooleanField(number=3)
class UndeleteOauthClientRequest(_messages.Message):
  r"""Request body for UndeleteOauthClient.

  Fields:
    validateOnly: Optional. If true, validate the request and preview the
      response without performing the undelete.
  """

  validateOnly = _messages.BooleanField(number=1)
class UndeleteRoleRequest(_messages.Message):
  r"""Request body for undeleting an existing role.

  Fields:
    etag: Etag from the previously read role, used so that the
      read-modify-write is rejected if the role changed in between.
  """

  etag = _messages.BytesField(number=1)
class UndeleteServiceAccountRequest(_messages.Message):
  r"""Request body for undeleting a service account; carries no fields."""
class UndeleteServiceAccountResponse(_messages.Message):
  r"""Response body for undeleting a service account.

  Fields:
    restoredAccount: Metadata of the service account that was restored.
  """

  restoredAccount = _messages.MessageField('ServiceAccount', number=1)
class UndeleteWorkforcePoolInstalledAppRequest(_messages.Message):
  r"""Request body for UndeleteWorkforcePoolInstalledApp.

  Fields:
    validateOnly: Optional. If true, validate the request and preview the
      response without performing the undelete.
  """

  validateOnly = _messages.BooleanField(number=1)
class UndeleteWorkforcePoolProviderKeyRequest(_messages.Message):
  r"""Request body for UndeleteWorkforcePoolProviderKey; carries no fields."""
class UndeleteWorkforcePoolProviderRequest(_messages.Message):
  r"""Request body for UndeleteWorkforcePoolProvider; carries no fields."""
class UndeleteWorkforcePoolProviderScimTenantRequest(_messages.Message):
  r"""Request body for UndeleteWorkforcePoolProviderScimTenant; no fields."""
class UndeleteWorkforcePoolProviderScimTokenRequest(_messages.Message):
  r"""Request body for UndeleteWorkforcePoolProviderScimToken; no fields."""
class UndeleteWorkforcePoolRequest(_messages.Message):
  r"""Request body for UndeleteWorkforcePool; carries no fields."""
class UndeleteWorkforcePoolSubjectRequest(_messages.Message):
  r"""Request body for UndeleteWorkforcePoolSubject; carries no fields."""
class UndeleteWorkloadIdentityPoolManagedIdentityRequest(_messages.Message):
  r"""Request body for UndeleteWorkloadIdentityPoolManagedIdentity; no fields."""
class UndeleteWorkloadIdentityPoolNamespaceRequest(_messages.Message):
  r"""Request body for UndeleteWorkloadIdentityPoolNamespace; no fields."""
class UndeleteWorkloadIdentityPoolProviderKeyRequest(_messages.Message):
  r"""Request body for UndeleteWorkloadIdentityPoolProviderKey; no fields."""
class UndeleteWorkloadIdentityPoolProviderRequest(_messages.Message):
  r"""Request body for UndeleteWorkloadIdentityPoolProvider; no fields."""
class UndeleteWorkloadIdentityPoolRequest(_messages.Message):
  r"""Request body for UndeleteWorkloadIdentityPool; carries no fields."""
class UploadServiceAccountKeyRequest(_messages.Message):
  r"""Request body for uploading a user-managed service account key.

  Only the public half is sent; the private key stays with the caller, who
  is then responsible for its protection and rotation, since Google never
  holds it.

  Fields:
    publicKeyData: The public key to associate with the service account.
      Must be an RSA public key wrapped in an X.509 v3 certificate, including
      the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`
      lines.
  """

  publicKeyData = _messages.BytesField(number=1)
class WorkforcePool(_messages.Message):
  r"""A collection of external workforces: a namespace for federated users
  that IAM policies can reference.

  Revocation note: disabling the pool, or its soft-deleted state, stops
  token exchange AND blocks access with tokens that were already issued;
  re-enabling or undeleting the pool makes those tokens valid again. This
  is the pool-level lever for cutting off existing sessions.

  Enums:
    StateValueValuesEnum: Output only. The state of the pool.

  Fields:
    accessRestrictions: Optional. Restrictions on pool users: web sign-in
      may be limited to a set of services, or programmatic sign-in may be
      disabled.
    description: Optional. User-specified description, at most 256
      characters.
    disabled: Optional. Disables the pool. A disabled pool cannot exchange
      tokens and its existing tokens cannot access resources; re-enabling
      restores access for existing tokens.
    displayName: Optional. User-specified display name shown in the Google
      Cloud Console, at most 32 characters.
    expireTime: Output only. Time after which the pool is permanently purged
      and cannot be recovered.
    name: Identifier. Resource name, format
      `locations/{location}/workforcePools/{workforce_pool_id}`.
    parent: Immutable. Parent resource name, format `organizations/{org-id}`.
    sessionDuration: Optional. Lifetime of Google Cloud access tokens,
      console sign-in sessions and `gcloud` sign-in sessions minted from
      this pool. Must be greater than 15 minutes (900s) and less than 12
      hours (43200s); default one hour (3600s). For SAML providers the
      effective lifetime is the minimum of this value and the assertion's
      `SessionNotOnOrAfter`.
    state: Output only. The state of the pool.
  """

  class StateValueValuesEnum(_messages.Enum):
    r"""Output only. The state of the pool.

    Values:
      STATE_UNSPECIFIED: State unspecified.
      ACTIVE: The pool is active and may be used in Google Cloud policies.
      DELETED: The pool is soft-deleted and will be permanently deleted
        after approximately 30 days unless restored with
        UndeleteWorkforcePool. Its ID cannot be reused until permanent
        deletion. While deleted, the pool cannot exchange tokens and its
        existing tokens cannot access resources; undeleting restores access
        for existing tokens.
    """
    STATE_UNSPECIFIED = 0
    ACTIVE = 1
    DELETED = 2

  accessRestrictions = _messages.MessageField('AccessRestrictions', number=1)
  description = _messages.StringField(number=2)
  disabled = _messages.BooleanField(number=3)
  displayName = _messages.StringField(number=4)
  expireTime = _messages.StringField(number=5)
  name = _messages.StringField(number=6)
  parent = _messages.StringField(number=7)
  sessionDuration = _messages.StringField(number=8)
  state = _messages.EnumField('StateValueValuesEnum', number=9)
class WorkforcePoolInstalledApp(_messages.Message):
  r"""An app (OAuth client) installed into a workforce pool.

  Its existence records that a pool administrator completed the install
  flow and thereby consented to the app accessing pool users' information
  and resources. Reviewing the installed apps of a pool is therefore a
  review of which third-party clients hold that consent.

  Enums:
    StateValueValuesEnum: Output only. State of the installed app.

  Fields:
    appMetadata: Immutable. Metadata describing the app.
    createTime: Output only. When the installed app was created.
    deleteTime: Output only. When the installed app was soft-deleted.
    description: Optional. User-specified description, at most 256
      characters.
    displayName: Optional. User-specified display name, at most 32
      characters.
    expireTime: Output only. Time after which the installed app is
      permanently purged and cannot be recovered.
    name: Identifier. Resource name, format
      `locations/{location}/workforcePools/{workforce_pool}/installedApps/{installed_app}`.
    state: Output only. State of the installed app.
    updateTime: Output only. When the installed app was last updated.
  """

  class StateValueValuesEnum(_messages.Enum):
    r"""Output only. State of the installed app.

    Values:
      STATE_UNSPECIFIED: Default value; unused.
      ACTIVE: The installed app is active.
      DELETED: The installed app is soft-deleted and is permanently deleted
        after approximately 30 days unless restored with
        UndeleteWorkforcePoolInstalledApp.
    """
    STATE_UNSPECIFIED = 0
    ACTIVE = 1
    DELETED = 2

  appMetadata = _messages.MessageField('AppMetadata', number=1)
  createTime = _messages.StringField(number=2)
  deleteTime = _messages.StringField(number=3)
  description = _messages.StringField(number=4)
  displayName = _messages.StringField(number=5)
  expireTime = _messages.StringField(number=6)
  name = _messages.StringField(number=7)
  state = _messages.EnumField('StateValueValuesEnum', number=8)
  updateTime = _messages.StringField(number=9)
class WorkforcePoolProvider(_messages.Message):
  r"""Configuration of an external identity provider for a workforce pool.

  Points a reviewer should check, all taken from the field contracts below:

  * `attributeCondition` is the only gate on which otherwise-valid IdP
    credentials are accepted; when unset, every valid credential the
    provider issues is accepted.
  * `disabled` stops token exchange but does NOT revoke tokens already
    issued; cutting off existing sessions requires disabling the pool.
  * `detailedAuditLogging` records mapped attribute values in
    `sts.googleapis.com` data access logs, so those logs then contain
    whatever identity data the mapping produces.
  * `scimUsage` and `extendedAttributesOauth2Client` are mutually
    exclusive; enabling both is an error.

  Enums:
    ScimUsageValueValuesEnum: Optional. Whether SCIM-managed groups replace
      the `google.groups` attribute mapping for authorization checks.
    StateValueValuesEnum: Output only. The state of the provider.

  Messages:
    AttributeMappingValue: Required. Map from Google Cloud attribute name to
      a CEL expression over the IdP credential; see that class for the full
      contract.

  Fields:
    attributeCondition: Optional. A Common Expression Language
      (https://opensource.google/projects/cel) expression, in plain text and
      at most 4096 characters, that must yield a boolean; `false` rejects an
      otherwise valid credential. It may reference `assertion` (the IdP
      credential as JSON), `google` (the mapped Google attributes, except
      `google.profile_photo`, `google.display_name` and
      `google.posix_username`) and `attribute` (the mapped custom
      attributes). Unset means every valid credential is accepted. Example
      restricting sign-in to one group: `"'admins' in google.groups"`.
    attributeMapping: Required. See `AttributeMappingValue`.
    attributeSyncInterval: Optional. How often user attributes are re-synced
      from the IdP; between 30 minutes (1800s) and 12 hours (43200s). Only
      used when a Google Cloud session length policy is configured, in
      which case the default is 12 hours (43200s).
    description: Optional. User-specified description, at most 256
      characters.
    detailedAuditLogging: Optional. If true, attribute mappings and their
      evaluated values are written to `sts.googleapis.com` data access logs
      as debug information. Defaults to false.
    disabled: Optional. Disables the provider for token exchange. Existing
      tokens still grant access.
    displayName: Optional. User-specified display name, at most 32
      characters.
    expireTime: Output only. Time after which the provider is permanently
      purged and cannot be recovered.
    extendedAttributesOauth2Client: Optional. OAuth 2.0 client used to fetch
      extended group memberships (only the `AZURE_AD_GROUPS_ID` attribute
      type is supported). For the subset of Google Cloud services that
      support extended groups, these memberships override the mapped
      `google.groups`; they cannot be referenced from attribute mapping or
      condition expressions. Memberships are fetched at sign-in and at
      regular intervals during the session. Each pool identity must map to
      a unique Microsoft Entra ID user.
    extraAttributesOauth2Client: Optional. OAuth 2.0 client used to fetch
      additional user attributes when the credential itself lacks the
      desired claims. Currently supported only with the OIDC protocol.
    name: Identifier. Resource name, format
      `locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}`.
    oidc: An OpenID Connect 1.0 identity provider configuration.
    saml: A SAML identity provider configuration.
    scimUsage: Optional. Whether SCIM-managed groups replace the
      `google.groups` mapping for authorization checks. Mutually exclusive
      with `extendedAttributesOauth2Client`.
    state: Output only. The state of the provider.
  """

  class ScimUsageValueValuesEnum(_messages.Enum):
    r"""Optional. Whether SCIM-managed groups replace the `google.groups`
    attribute mapping for authorization checks. Mutually exclusive with
    `extended_attributes_oauth2_client`; a request enabling both on the
    same provider produces an error.

    Values:
      SCIM_USAGE_UNSPECIFIED: Do not use SCIM data.
      ENABLED_FOR_GROUPS: SCIM sync is enabled and SCIM-managed groups are
        used for authorization checks.
    """
    SCIM_USAGE_UNSPECIFIED = 0
    ENABLED_FOR_GROUPS = 1

  class StateValueValuesEnum(_messages.Enum):
    r"""Output only. The state of the provider.

    Values:
      STATE_UNSPECIFIED: State unspecified.
      ACTIVE: The provider is active and may validate authentication
        credentials.
      DELETED: The provider is soft-deleted and is permanently deleted after
        approximately 30 days unless restored with
        UndeleteWorkforcePoolProvider.
    """
    STATE_UNSPECIFIED = 0
    ACTIVE = 1
    DELETED = 2

  @encoding.MapUnrecognizedFields('additionalProperties')
  class AttributeMappingValue(_messages.Message):
    r"""Required. Maps attributes of the IdP-issued credential to Google
    Cloud attributes.

    Each key names the Google Cloud IAM attribute to populate:

    * `google.subject` (required): the principal IAM authenticates. Usable
      in IAM bindings and shown as the subject in Cloud Logging. The mapped
      value is at most 127 bytes.
    * `google.groups`: groups the user belongs to. Grantable through an IAM
      `principalSet` binding, which then applies to every member.
    * `google.display_name` (optional): at most 100 bytes; `google.subject`
      is displayed when unset. Not usable in IAM bindings.
    * `google.profile_photo` (optional): URL of the user's thumbnail photo,
      shown as the profile picture (generic icon when unset). Not usable in
      IAM bindings.
    * `google.posix_username` (optional): Linux username for OS Login, at
      most 32 characters. The generated docstring gives the key regex as
      "^a-zA-Z0-9._{0,31}$"; the character-class brackets look lost in
      generation — presumably `^[a-zA-Z0-9._]{0,31}$`, verify against the
      API reference. Not usable in IAM bindings.
    * `attribute.{custom_attribute}`: a custom attribute. At most 50 custom
      attributes; a key is at most 100 characters from `[a-z0-9_]`.

    The mapped attributes are referenced in IAM policies as
    `principal://iam.googleapis.com/locations/global/workforcePools/{pool}/subject/{value}`,
    `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/group/{value}`
    and
    `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/attribute.{custom_attribute}/{value}`.

    Each value is a Common Expression Language
    (https://opensource.google/projects/cel) expression of at most 2048
    characters; `assertion` gives access to the IdP credential as JSON. The
    evaluated attributes must total no more than 4KB. OIDC providers must
    supply a mapping that includes `google.subject`, for example
    `{"google.subject": "assertion.sub"}`.

    Messages:
      AdditionalProperty: One key/value pair of the mapping.

    Fields:
      additionalProperties: The mapping entries.
    """

    class AdditionalProperty(_messages.Message):
      r"""One entry of an AttributeMappingValue.

      Fields:
        key: Google Cloud attribute name (the map key).
        value: CEL expression producing that attribute (the map value).
      """

      key = _messages.StringField(number=1)
      value = _messages.StringField(number=2)

    additionalProperties = _messages.MessageField(
        'AdditionalProperty', number=1, repeated=True)

  attributeCondition = _messages.StringField(number=1)
  attributeMapping = _messages.MessageField('AttributeMappingValue', number=2)
  attributeSyncInterval = _messages.StringField(number=3)
  description = _messages.StringField(number=4)
  detailedAuditLogging = _messages.BooleanField(number=5)
  disabled = _messages.BooleanField(number=6)
  displayName = _messages.StringField(number=7)
  expireTime = _messages.StringField(number=8)
  extendedAttributesOauth2Client = _messages.MessageField(
      'GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2Client',
      number=9)
  extraAttributesOauth2Client = _messages.MessageField(
      'GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2Client',
      number=10)
  name = _messages.StringField(number=11)
  oidc = _messages.MessageField(
      'GoogleIamAdminV1WorkforcePoolProviderOidc', number=12)
  saml = _messages.MessageField(
      'GoogleIamAdminV1WorkforcePoolProviderSaml', number=13)
  scimUsage = _messages.EnumField('ScimUsageValueValuesEnum', number=14)
  state = _messages.EnumField('StateValueValuesEnum', number=15)
class WorkforcePoolProviderKey(_messages.Message):
  r"""Represents a public key configuration for a Workforce Pool Provider. The
  key can be configured in your identity provider to encrypt SAML assertions.
  Google holds the corresponding private key, which it uses to decrypt
  encrypted tokens.

  Only the public half of the key pair is carried in this message (`keyData`);
  the private half is never exposed through the API.

  Enums:
    StateValueValuesEnum: Output only. The state of the key.
    UseValueValuesEnum: Required. The purpose of the key.

  Fields:
    expireTime: Output only. The time after which the key will be permanently
      deleted and cannot be recovered. Note that the key may get purged before
      this time if the total limit of keys per provider is exceeded.
    keyData: Immutable. Public half of the asymmetric key.
    name: Identifier. The resource name of the key. Format: `locations/{locati
      on}/workforcePools/{workforce_pool_id}/providers/{provider_id}/keys/{key
      _id}`
    state: Output only. The state of the key.
    use: Required. The purpose of the key.
  """

  class StateValueValuesEnum(_messages.Enum):
    r"""Output only. The state of the key.

    Values:
      STATE_UNSPECIFIED: State unspecified.
      ACTIVE: The key is active.
      DELETED: The key is soft-deleted. Soft-deleted keys are permanently
        deleted after approximately 30 days. You can restore a soft-deleted
        key using UndeleteWorkforcePoolProviderKey.
    """
    STATE_UNSPECIFIED = 0
    ACTIVE = 1
    DELETED = 2

  class UseValueValuesEnum(_messages.Enum):
    r"""Required. The purpose of the key.

    Values:
      KEY_USE_UNSPECIFIED: KeyUse unspecified.
      ENCRYPTION: The key is used for encryption.
    """
    KEY_USE_UNSPECIFIED = 0
    ENCRYPTION = 1

  expireTime = _messages.StringField(1)
  # Immutable per the field doc: the public key material on an existing key
  # resource cannot be changed in place.
  keyData = _messages.MessageField('KeyData', 2)
  name = _messages.StringField(3)
  state = _messages.EnumField('StateValueValuesEnum', 4)
  use = _messages.EnumField('UseValueValuesEnum', 5)
class WorkforcePoolProviderScimTenant(_messages.Message):
  r"""Represents a SCIM tenant. Used for provisioning and managing identity
  data (such as Users and Groups) in cross-domain environments.

  Enums:
    StateValueValuesEnum: Output only. The state of the tenant.

  Messages:
    ClaimMappingValue: Optional. Maps BYOID claims to SCIM claims.

  Fields:
    baseUri: Output only. Represents the base URI as defined in [RFC 7644,
      Section 1.3](https://datatracker.ietf.org/doc/html/rfc7644#section-1.3).
      Clients must use this as the root address for managing resources under
      the tenant. Format:
      https://iamscim.googleapis.com/{version}/{tenant_id}/
    claimMapping: Optional. Maps BYOID claims to SCIM claims.
    description: Optional. The user-specified description of the SCIM tenant.
      Cannot exceed 256 characters.
    displayName: Optional. The user-specified display name of the SCIM tenant.
      Cannot exceed 32 characters.
    name: Identifier. The resource name of the SCIM Tenant. Format:
      `locations/{location}/workforcePools/{workforce_pool}/providers/
      {workforce_pool_provider}/scimTenants/{scim_tenant}`
    purgeTime: Output only. The timestamp when the SCIM tenant is going to be
      purged.
    serviceAgent: Output only. Service Agent created by SCIM Tenant API. SCIM
      tokens created under this tenant will be attached to this service agent.
    state: Output only. The state of the tenant.
  """

  class StateValueValuesEnum(_messages.Enum):
    r"""Output only. The state of the tenant.

    Values:
      STATE_UNSPECIFIED: State unspecified.
      ACTIVE: The tenant is active and may be used to provision users and
        groups.
      DELETED: The tenant is soft-deleted. Soft-deleted tenants are
        permanently deleted after approximately 30 days.
    """
    STATE_UNSPECIFIED = 0
    ACTIVE = 1
    DELETED = 2

  # Free-form string map: apitools models it as a list of key/value
  # AdditionalProperty entries and routes unrecognized JSON keys into
  # additionalProperties via the decorator.
  @encoding.MapUnrecognizedFields('additionalProperties')
  class ClaimMappingValue(_messages.Message):
    r"""Optional. Maps BYOID claims to SCIM claims.

    Messages:
      AdditionalProperty: An additional property for a ClaimMappingValue
        object.

    Fields:
      additionalProperties: Additional properties of type ClaimMappingValue
    """

    class AdditionalProperty(_messages.Message):
      r"""An additional property for a ClaimMappingValue object.

      Fields:
        key: Name of the additional property.
        value: A string attribute.
      """
      key = _messages.StringField(1)
      value = _messages.StringField(2)

    additionalProperties = _messages.MessageField('AdditionalProperty', 1, repeated=True)

  baseUri = _messages.StringField(1)
  claimMapping = _messages.MessageField('ClaimMappingValue', 2)
  description = _messages.StringField(3)
  displayName = _messages.StringField(4)
  name = _messages.StringField(5)
  purgeTime = _messages.StringField(6)
  # Per the field doc, every SCIM token minted under this tenant is attached
  # to this service agent; it is the principal that SCIM requests act as.
  serviceAgent = _messages.StringField(7)
  state = _messages.EnumField('StateValueValuesEnum', 8)
class WorkforcePoolProviderScimToken(_messages.Message):
  r"""Represents a token for the WorkforcePoolProviderScimTenant. Used for
  authenticating SCIM Provisioning requests.

  Enums:
    StateValueValuesEnum: Output only. The state of the token.

  Fields:
    displayName: Optional. The user-specified display name of the SCIM token.
      Cannot exceed 32 characters.
    name: Identifier. The resource name of the SCIM Token. Format:
      `locations/{location}/workforcePools/{workforce_pool}/providers/
      {workforce_pool_provider}/scimTenants/{scim_tenant}/tokens/{token}`
    securityToken: Output only. The token string. Provide this to the IdP for
      authentication. Will be set only during creation.
    state: Output only. The state of the token.
  """

  class StateValueValuesEnum(_messages.Enum):
    r"""Output only. The state of the token.

    Values:
      STATE_UNSPECIFIED: State unspecified.
      ACTIVE: The token is active and may be used to authenticate SCIM
        provisioning requests.
      DELETED: The token is soft-deleted. Soft-deleted tokens are
        permanently deleted after approximately 30 days.
    """
    STATE_UNSPECIFIED = 0
    ACTIVE = 1
    DELETED = 2

  displayName = _messages.StringField(1)
  name = _messages.StringField(2)
  # This is the credential the IdP presents on SCIM requests. Per the field
  # doc it is populated only in the create response, so callers must capture
  # it at creation time and treat it as a secret (do not log it).
  securityToken = _messages.StringField(3)
  state = _messages.EnumField('StateValueValuesEnum', 4)
class WorkloadIdentityPool(_messages.Message):
  r"""Represents a collection of workload identities. You can define IAM
  policies to grant these identities access to Google Cloud resources.

  Enums:
    ModeValueValuesEnum: Immutable. The mode the pool is operating in.
    StateValueValuesEnum: Output only. The state of the pool.

  Fields:
    description: Optional. A description of the pool. Cannot exceed 256
      characters.
    disabled: Optional. Whether the pool is disabled. You cannot use a
      disabled pool to exchange tokens, or use existing tokens to access
      resources. If the pool is re-enabled, existing tokens grant access
      again.
    displayName: Optional. A display name for the pool. Cannot exceed 32
      characters.
    enableMeshCaCompatibility: Optional. If set to true, - the generated trust
      bundle for the workloads in this trust domain will include the Cloud
      Service Mesh certificate authority's root CA certificates. - the
      certificate chain for the workload in this trust domain will be signed
      by the Cloud Service Mesh certificate authority root CA.
    expireTime: Output only. Time after which the workload identity pool will
      be permanently purged and cannot be recovered.
    inlineCertificateIssuanceConfig: Optional. Defines the Certificate
      Authority (CA) pool resources and configurations required for issuance
      and rotation of mTLS workload certificates.
    inlineTrustConfig: Optional. Represents config to add additional trusted
      trust domains.
    mode: Immutable. The mode the pool is operating in.
    name: Output only. The resource name of the pool.
    sessionDuration: Overrides the lifespan of access tokens issued when
      federating using this pool. If not set, the lifespan of issued access
      tokens is computed based on the type of identity provider: - For AWS
      providers, the default access token lifespan is equal to 15 minutes. -
      For OIDC providers, the default access token lifespan is equal to the
      remaining lifespan of the exchanged OIDC ID token, with a maximum limit
      of 1 hour. If set, session duration must be between 2 minutes and 12
      hours. Organization administrators can further restrict the maximum
      allowed session_duration value using the iam-
      workloadIdentitySessionDuration Resource Setting.
    state: Output only. The state of the pool.
  """

  class ModeValueValuesEnum(_messages.Enum):
    r"""Immutable. The mode the pool is operating in.

    Values:
      MODE_UNSPECIFIED: State unspecified. New pools should not use this mode.
        Pools with an unspecified mode will operate as if they are in
        federation-only mode.
      FEDERATION_ONLY: Federation-only mode. Federation-only pools can only be
        used for federating external workload identities into Google Cloud.
        Unless otherwise noted, no structure or format constraints are applied
        to workload identities in a federation-only pool, and you cannot
        create any resources within the pool besides providers.
      TRUST_DOMAIN: Trust-domain mode. Trust-domain pools can be used to
        assign identities to Google Cloud workloads. All identities within a
        trust-domain pool must consist of a single namespace and individual
        workload identifier. The subject identifier for all identities must
        conform to the following format: `ns//sa/`
        WorkloadIdentityPoolProviders cannot be created within trust-domain
        pools.
    """
    MODE_UNSPECIFIED = 0
    FEDERATION_ONLY = 1
    TRUST_DOMAIN = 2

  class StateValueValuesEnum(_messages.Enum):
    r"""Output only. The state of the pool.

    Values:
      STATE_UNSPECIFIED: State unspecified.
      ACTIVE: The pool is active, and may be used in Google Cloud policies.
      DELETED: The pool is soft-deleted. Soft-deleted pools are permanently
        deleted after approximately 30 days. You can restore a soft-deleted
        pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a
        soft-deleted pool until it is permanently deleted. While a pool is
        deleted, you cannot use it to exchange tokens, or use existing tokens
        to access resources. If the pool is undeleted, existing tokens grant
        access again.
    """
    STATE_UNSPECIFIED = 0
    ACTIVE = 1
    DELETED = 2

  description = _messages.StringField(1)
  # Per the field doc, disabling a pool blocks both new token exchanges and
  # the use of already-issued tokens; re-enabling restores them. This is the
  # pool-level kill switch (contrast the provider-level `disabled`, which
  # leaves existing tokens valid).
  disabled = _messages.BooleanField(2)
  displayName = _messages.StringField(3)
  enableMeshCaCompatibility = _messages.BooleanField(4)
  expireTime = _messages.StringField(5)
  inlineCertificateIssuanceConfig = _messages.MessageField('InlineCertificateIssuanceConfig', 6)
  inlineTrustConfig = _messages.MessageField('InlineTrustConfig', 7)
  # Immutable: the mode is fixed at creation (see ModeValueValuesEnum).
  mode = _messages.EnumField('ModeValueValuesEnum', 8)
  name = _messages.StringField(9)
  # Duration string; when set it must fall between 2 minutes and 12 hours,
  # and an org-level Resource Setting may cap it further (field doc).
  sessionDuration = _messages.StringField(10)
  state = _messages.EnumField('StateValueValuesEnum', 11)
class WorkloadIdentityPoolManagedIdentity(_messages.Message):
  r"""Represents a managed identity for a workload identity pool namespace.

  Enums:
    StateValueValuesEnum: Output only. The state of the managed identity.

  Fields:
    description: Optional. A description of the managed identity. Cannot
      exceed 256 characters.
    disabled: Optional. Whether the managed identity is disabled. If disabled,
      credentials may no longer be issued for the identity, however existing
      credentials will still be accepted until they expire.
    expireTime: Output only. Time after which the managed identity will be
      permanently purged and cannot be recovered.
    name: Identifier. The resource name of the managed identity.
    state: Output only. The state of the managed identity.
  """

  class StateValueValuesEnum(_messages.Enum):
    r"""Output only. The state of the managed identity.

    Values:
      STATE_UNSPECIFIED: State unspecified.
      ACTIVE: The managed identity is active.
      DELETED: The managed identity is soft-deleted. Soft-deleted managed
        identities are permanently deleted after approximately 30 days. You
        can restore a soft-deleted managed identity using
        UndeleteWorkloadIdentityPoolManagedIdentity. You cannot reuse the ID
        of a soft-deleted managed identity until it is permanently deleted.
    """
    STATE_UNSPECIFIED = 0
    ACTIVE = 1
    DELETED = 2

  description = _messages.StringField(1)
  # Disabling only stops new credential issuance; per the field doc,
  # credentials already issued stay valid until they expire, so this is not
  # an immediate revocation.
  disabled = _messages.BooleanField(2)
  expireTime = _messages.StringField(3)
  name = _messages.StringField(4)
  state = _messages.EnumField('StateValueValuesEnum', 5)
class WorkloadIdentityPoolNamespace(_messages.Message):
  r"""Represents a namespace for a workload identity pool. Namespaces are used
  to segment identities within the pool.

  Enums:
    StateValueValuesEnum: Output only. The state of the namespace.

  Fields:
    description: Optional. A description of the namespace. Cannot exceed 256
      characters.
    disabled: Optional. Whether the namespace is disabled. If disabled,
      credentials may no longer be issued for identities within this
      namespace, however existing credentials will still be accepted until
      they expire.
    expireTime: Output only. Time after which the namespace will be
      permanently purged and cannot be recovered.
    name: Output only. The resource name of the namespace.
    ownerService: Output only. The Google Cloud service that owns this
      namespace.
    state: Output only. The state of the namespace.
  """

  class StateValueValuesEnum(_messages.Enum):
    r"""Output only. The state of the namespace.

    Values:
      STATE_UNSPECIFIED: State unspecified.
      ACTIVE: The namespace is active.
      DELETED: The namespace is soft-deleted. Soft-deleted namespaces are
        permanently deleted after approximately 30 days. You can restore a
        soft-deleted namespace using UndeleteWorkloadIdentityPoolNamespace.
        You cannot reuse the ID of a soft-deleted namespace until it is
        permanently deleted.
    """
    STATE_UNSPECIFIED = 0
    ACTIVE = 1
    DELETED = 2

  description = _messages.StringField(1)
  # Same semantics as the managed-identity flag: stops issuance for every
  # identity in the namespace, but already-issued credentials remain valid
  # until expiry (field doc).
  disabled = _messages.BooleanField(2)
  expireTime = _messages.StringField(3)
  name = _messages.StringField(4)
  ownerService = _messages.MessageField('OwnerService', 5)
  state = _messages.EnumField('StateValueValuesEnum', 6)
class WorkloadIdentityPoolOperationMetadata(_messages.Message):
  r"""Metadata for long-running WorkloadIdentityPool operations.

  This message currently declares no fields.
  """
class WorkloadIdentityPoolProvider(_messages.Message):
  r"""A configuration for an external identity provider.

  Enums:
    StateValueValuesEnum: Output only. The state of the provider.

  Messages:
    AttributeMappingValue: Optional. Maps attributes from authentication
      credentials issued by an external identity provider to Google Cloud
      attributes, such as `subject` and `segment`. Each key must be a string
      specifying the Google Cloud IAM attribute to map to. The following keys
      are supported: * `google.subject`: The principal IAM is authenticating.
      You can reference this value in IAM bindings. This is also the subject
      that appears in Cloud Logging logs. Cannot exceed 127 bytes. *
      `google.groups`: Groups the external identity belongs to. You can grant
      groups access to resources using an IAM `principalSet` binding; access
      applies to all members of the group. You can also provide custom
      attributes by specifying `attribute.{custom_attribute}`, where
      `{custom_attribute}` is the name of the custom attribute to be mapped.
      You can define a maximum of 50 custom attributes. The maximum length of
      a mapped attribute key is 100 characters, and the key may only contain
      the characters [a-z0-9_]. You can reference these attributes in IAM
      policies to define fine-grained access for a workload to Google Cloud
      resources. For example: * `google.subject`: `principal://iam.googleapis.
      com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}
      /subject/{value}` * `google.groups`: `principalSet://iam.googleapis.com/
      projects/{project}/locations/{location}/workloadIdentityPools/{pool}/gro
      up/{value}` * `attribute.{custom_attribute}`: `principalSet://iam.google
      apis.com/projects/{project}/locations/{location}/workloadIdentityPools/{
      pool}/attribute.{custom_attribute}/{value}` Each value must be a [Common
      Expression Language] (https://opensource.google/projects/cel) function
      that maps an identity provider credential to the normalized attribute
      specified by the corresponding map key. You can use the `assertion`
      keyword in the expression to access a JSON representation of the
      authentication credential issued by the provider. The maximum length of
      an attribute mapping expression is 2048 characters. When evaluated, the
      total size of all mapped attributes must not exceed 8KB. For AWS
      providers, if no attribute mapping is defined, the following default
      mapping applies: ``` { "google.subject":"assertion.arn",
      "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ?
      assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-
      role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " :
      assertion.arn", } ``` If any custom attribute mappings are defined, they
      must include a mapping to the `google.subject` attribute. For OIDC
      providers, you must supply a custom mapping, which must include the
      `google.subject` attribute. For example, the following maps the `sub`
      claim of the incoming credential to the `subject` attribute on a Google
      token: ``` {"google.subject": "assertion.sub"} ```

  Fields:
    attributeCondition: Optional. [A Common Expression
      Language](https://opensource.google/projects/cel) expression, in plain
      text, to restrict what otherwise valid authentication credentials issued
      by the provider should not be accepted. The expression must output a
      boolean representing whether to allow the federation. The following
      keywords may be referenced in the expressions: * `assertion`: JSON
      representing the authentication credential issued by the provider. *
      `google`: The Google attributes mapped from the assertion in the
      `attribute_mappings`. * `attribute`: The custom attributes mapped from
      the assertion in the `attribute_mappings`. The maximum length of the
      attribute condition expression is 4096 characters. If unspecified, all
      valid authentication credentials are accepted. The following example
      shows how to only allow credentials with a mapped `google.groups` value
      of `admins`: ``` "'admins' in google.groups" ```
    attributeMapping: Optional. Maps attributes from authentication
      credentials issued by an external identity provider to Google Cloud
      attributes, such as `subject` and `segment`. Each key must be a string
      specifying the Google Cloud IAM attribute to map to. The following keys
      are supported: * `google.subject`: The principal IAM is authenticating.
      You can reference this value in IAM bindings. This is also the subject
      that appears in Cloud Logging logs. Cannot exceed 127 bytes. *
      `google.groups`: Groups the external identity belongs to. You can grant
      groups access to resources using an IAM `principalSet` binding; access
      applies to all members of the group. You can also provide custom
      attributes by specifying `attribute.{custom_attribute}`, where
      `{custom_attribute}` is the name of the custom attribute to be mapped.
      You can define a maximum of 50 custom attributes. The maximum length of
      a mapped attribute key is 100 characters, and the key may only contain
      the characters [a-z0-9_]. You can reference these attributes in IAM
      policies to define fine-grained access for a workload to Google Cloud
      resources. For example: * `google.subject`: `principal://iam.googleapis.
      com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}
      /subject/{value}` * `google.groups`: `principalSet://iam.googleapis.com/
      projects/{project}/locations/{location}/workloadIdentityPools/{pool}/gro
      up/{value}` * `attribute.{custom_attribute}`: `principalSet://iam.google
      apis.com/projects/{project}/locations/{location}/workloadIdentityPools/{
      pool}/attribute.{custom_attribute}/{value}` Each value must be a [Common
      Expression Language] (https://opensource.google/projects/cel) function
      that maps an identity provider credential to the normalized attribute
      specified by the corresponding map key. You can use the `assertion`
      keyword in the expression to access a JSON representation of the
      authentication credential issued by the provider. The maximum length of
      an attribute mapping expression is 2048 characters. When evaluated, the
      total size of all mapped attributes must not exceed 8KB. For AWS
      providers, if no attribute mapping is defined, the following default
      mapping applies: ``` { "google.subject":"assertion.arn",
      "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ?
      assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-
      role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " :
      assertion.arn", } ``` If any custom attribute mappings are defined, they
      must include a mapping to the `google.subject` attribute. For OIDC
      providers, you must supply a custom mapping, which must include the
      `google.subject` attribute. For example, the following maps the `sub`
      claim of the incoming credential to the `subject` attribute on a Google
      token: ``` {"google.subject": "assertion.sub"} ```
    aws: An Amazon Web Services identity provider.
    description: Optional. A description for the provider. Cannot exceed 256
      characters.
    disabled: Optional. Whether the provider is disabled. You cannot use a
      disabled provider to exchange tokens. However, existing tokens still
      grant access.
    displayName: Optional. A display name for the provider. Cannot exceed 32
      characters.
    expireTime: Output only. Time after which the workload identity pool
      provider will be permanently purged and cannot be recovered.
    name: Identifier. The resource name of the provider.
    oidc: An OpenId Connect 1.0 identity provider.
    saml: A SAML 2.0 identity provider.
    state: Output only. The state of the provider.
    x509: An X.509-type identity provider.
  """

  class StateValueValuesEnum(_messages.Enum):
    r"""Output only. The state of the provider.

    Values:
      STATE_UNSPECIFIED: State unspecified.
      ACTIVE: The provider is active, and may be used to validate
        authentication credentials.
      DELETED: The provider is soft-deleted. Soft-deleted providers are
        permanently deleted after approximately 30 days. You can restore a
        soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You
        cannot reuse the ID of a soft-deleted provider until it is permanently
        deleted.
    """
    STATE_UNSPECIFIED = 0
    ACTIVE = 1
    DELETED = 2

  # Free-form string map (attribute key -> CEL expression): apitools models it
  # as a list of key/value AdditionalProperty entries and routes unrecognized
  # JSON keys into additionalProperties via the decorator.
  @encoding.MapUnrecognizedFields('additionalProperties')
  class AttributeMappingValue(_messages.Message):
    r"""Optional. Maps attributes from authentication credentials issued by an
    external identity provider to Google Cloud attributes, such as `subject`
    and `segment`. Each key must be a string specifying the Google Cloud IAM
    attribute to map to. The following keys are supported: * `google.subject`:
    The principal IAM is authenticating. You can reference this value in IAM
    bindings. This is also the subject that appears in Cloud Logging logs.
    Cannot exceed 127 bytes. * `google.groups`: Groups the external identity
    belongs to. You can grant groups access to resources using an IAM
    `principalSet` binding; access applies to all members of the group. You
    can also provide custom attributes by specifying
    `attribute.{custom_attribute}`, where `{custom_attribute}` is the name of
    the custom attribute to be mapped. You can define a maximum of 50 custom
    attributes. The maximum length of a mapped attribute key is 100
    characters, and the key may only contain the characters [a-z0-9_]. You can
    reference these attributes in IAM policies to define fine-grained access
    for a workload to Google Cloud resources. For example: * `google.subject`:
    `principal://iam.googleapis.com/projects/{project}/locations/{location}/wo
    rkloadIdentityPools/{pool}/subject/{value}` * `google.groups`: `principalS
    et://iam.googleapis.com/projects/{project}/locations/{location}/workloadId
    entityPools/{pool}/group/{value}` * `attribute.{custom_attribute}`: `princ
    ipalSet://iam.googleapis.com/projects/{project}/locations/{location}/workl
    oadIdentityPools/{pool}/attribute.{custom_attribute}/{value}` Each value
    must be a [Common Expression Language]
    (https://opensource.google/projects/cel) function that maps an identity
    provider credential to the normalized attribute specified by the
    corresponding map key. You can use the `assertion` keyword in the
    expression to access a JSON representation of the authentication
    credential issued by the provider. The maximum length of an attribute
    mapping expression is 2048 characters. When evaluated, the total size of
    all mapped attributes must not exceed 8KB. For AWS providers, if no
    attribute mapping is defined, the following default mapping applies: ``` {
    "google.subject":"assertion.arn", "attribute.aws_role":
    "assertion.arn.contains('assumed-role')" " ?
    assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'"
    " + assertion.arn.extract('assumed-role/{role_name}/')" " :
    assertion.arn", } ``` If any custom attribute mappings are defined, they
    must include a mapping to the `google.subject` attribute. For OIDC
    providers, you must supply a custom mapping, which must include the
    `google.subject` attribute. For example, the following maps the `sub`
    claim of the incoming credential to the `subject` attribute on a Google
    token: ``` {"google.subject": "assertion.sub"} ```

    Messages:
      AdditionalProperty: An additional property for a AttributeMappingValue
        object.

    Fields:
      additionalProperties: Additional properties of type
        AttributeMappingValue
    """

    class AdditionalProperty(_messages.Message):
      r"""An additional property for a AttributeMappingValue object.

      Fields:
        key: Name of the additional property.
        value: A string attribute.
      """
      key = _messages.StringField(1)
      value = _messages.StringField(2)

    additionalProperties = _messages.MessageField('AdditionalProperty', 1, repeated=True)

  # Per the field doc, when this is unset every credential the provider
  # validates is accepted; the condition is the only place to narrow which
  # external identities may federate through this provider.
  attributeCondition = _messages.StringField(1)
  attributeMapping = _messages.MessageField('AttributeMappingValue', 2)
  aws = _messages.MessageField('Aws', 3)
  description = _messages.StringField(4)
  # Note the asymmetry with WorkloadIdentityPool.disabled: disabling a
  # provider only blocks new exchanges, and existing tokens still grant access
  # (field doc). Disable the pool to cut off already-issued tokens.
  disabled = _messages.BooleanField(5)
  displayName = _messages.StringField(6)
  expireTime = _messages.StringField(7)
  name = _messages.StringField(8)
  oidc = _messages.MessageField('Oidc', 9)
  saml = _messages.MessageField('Saml', 10)
  state = _messages.EnumField('StateValueValuesEnum', 11)
  x509 = _messages.MessageField('X509', 12)
class WorkloadIdentityPoolProviderKey(_messages.Message):
  r"""Represents a public key configuration for your workload identity pool
  provider. The key can be configured in your identity provider to encrypt the
  SAML assertions. Google holds the corresponding private key which it uses to
  decrypt encrypted tokens.

  Only the public half of the key pair is carried in this message (`keyData`);
  the private half is never exposed through the API.

  Enums:
    StateValueValuesEnum: Output only. The state of the key.
    UseValueValuesEnum: Required. The purpose of the key.

  Fields:
    expireTime: Output only. Time after which the key will be permanently
      purged and cannot be recovered. Note that the key may get purged before
      this timestamp if the total limit of keys per provider is crossed.
    keyData: Immutable. Public half of the asymmetric key.
    name: Output only. The resource name of the key.
    state: Output only. The state of the key.
    use: Required. The purpose of the key.
  """

  class StateValueValuesEnum(_messages.Enum):
    r"""Output only. The state of the key.

    Values:
      STATE_UNSPECIFIED: State unspecified.
      ACTIVE: The key is active.
      DELETED: The key is soft-deleted. Soft-deleted keys are permanently
        deleted after approximately 30 days. You can restore a soft-deleted
        key using UndeleteWorkloadIdentityPoolProviderKey. While a key is
        deleted, you cannot use it during the federation.
    """
    STATE_UNSPECIFIED = 0
    ACTIVE = 1
    DELETED = 2

  class UseValueValuesEnum(_messages.Enum):
    r"""Required. The purpose of the key.

    Values:
      KEY_USE_UNSPECIFIED: The key use is not known.
      ENCRYPTION: The public key is used for encryption purposes.
    """
    KEY_USE_UNSPECIFIED = 0
    ENCRYPTION = 1

  expireTime = _messages.StringField(1)
  # Immutable per the field doc: the public key material on an existing key
  # resource cannot be changed in place.
  keyData = _messages.MessageField('KeyData', 2)
  name = _messages.StringField(3)
  state = _messages.EnumField('StateValueValuesEnum', 4)
  use = _messages.EnumField('UseValueValuesEnum', 5)
class WorkloadSource(_messages.Message):
  r"""Defines which workloads can attest an identity within a pool. When a
  WorkloadSource is defined under a namespace, matching workloads may receive
  any identity within that namespace. When a WorkloadSource is defined under a
  managed identity, matching workloads may receive that specific identity.
  Each WorkloadSource may set at most 50 workload selectors.

  Fields:
    etag: Optional. The etag for this resource. If this is provided on update,
      it must match the server's etag.
    identityAssignments: Optional. Defines how a matched workload has its
      identity assigned. This option may only be set when the Workload Source
      is defined on a Namespace.
    name: Output only. The resource name of the workload source. The ID of the
      WorkloadSource resource determines which workloads may be matched. The
      following formats are supported: - `project-{project_number}` matches
      workloads within the referenced Google Cloud project.
    singleAttributeSelectors: Optional. Defines the set of attributes that a
      workload must attest in order to be matched by the policy.
  """

  # Optimistic-concurrency guard: per the field doc, an etag supplied on
  # update must match the server's current etag.
  etag = _messages.StringField(1)
  identityAssignments = _messages.MessageField('IdentityAssignment', 2, repeated=True)
  # The resource ID itself is the match scope (e.g. `project-{project_number}`
  # per the field doc), not a separate field.
  name = _messages.StringField(3)
  # At most 50 selectors per WorkloadSource (class doc).
  singleAttributeSelectors = _messages.MessageField('SingleAttributeSelector', 4, repeated=True)
class X509(_messages.Message):
  r"""An X.509-type identity provider represents a CA. It is trusted to assert
  a client identity if the client has a certificate that chains up to this CA.

  Fields:
    trustStore: Required. A TrustStore. Use this trust store as a wrapper to
      configure the trust anchor and optional intermediate CAs to help build
      the trust chain for the incoming end entity certificate. Follow the
      X.509 guidelines to define those PEM encoded certs. Only one trust
      store is currently supported.
  """

  # Required: the trust store holds the trust anchor (and optional
  # intermediates) that an incoming end-entity certificate must chain to.
  # Per the field doc only a single trust store is supported.
  trustStore = _messages.MessageField('TrustStore', 1)
# Module-level registrations run at import time. They map Python attribute
# names that are not valid JSON member names onto the wire names the API
# expects: the `$.xgafv` query parameter (whose enum values `1`/`2` cannot be
# Python identifiers) and the dotted `options.requestedPolicyVersion` parameter
# of the GetIamPolicy request. StandardQueryParameters and
# IamProjectsServiceAccountsGetIamPolicyRequest are defined earlier in this
# file.
encoding.AddCustomJsonFieldMapping(
    StandardQueryParameters, 'f__xgafv', '$.xgafv')
encoding.AddCustomJsonEnumMapping(
    StandardQueryParameters.FXgafvValueValuesEnum, '_1', '1')
encoding.AddCustomJsonEnumMapping(
    StandardQueryParameters.FXgafvValueValuesEnum, '_2', '2')
encoding.AddCustomJsonFieldMapping(
    IamProjectsServiceAccountsGetIamPolicyRequest, 'options_requestedPolicyVersion', 'options.requestedPolicyVersion')