Google Cloud IAM C++ Client  1.32.1
A C++ Client Library for Google Cloud IAM
google::cloud::iam::v1::IAMClient Class Reference

Creates and manages Identity and Access Management (IAM) resources.

#include <google/cloud/iam/iam_client.h>

Public Member Functions

 IAMClient (std::shared_ptr< IAMConnection > connection)
 
 ~IAMClient ()
 
 IAMClient (IAMClient const &)=default
 
IAMClient & operator= (IAMClient const &)=default

 IAMClient (IAMClient &&)=default

IAMClient & operator= (IAMClient &&)=default
 
StreamRange< google::iam::admin::v1::ServiceAccount > ListServiceAccounts (std::string const &name)
 Lists every [ServiceAccount][google.iam.admin.v1.ServiceAccount] that belongs to a specific project.

StatusOr< google::iam::admin::v1::ServiceAccount > GetServiceAccount (std::string const &name)
 Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

StatusOr< google::iam::admin::v1::ServiceAccount > CreateServiceAccount (std::string const &name, std::string const &account_id, google::iam::admin::v1::ServiceAccount const &service_account)
 Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Status DeleteServiceAccount (std::string const &name)
 Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

StatusOr< google::iam::admin::v1::ListServiceAccountKeysResponse > ListServiceAccountKeys (std::string const &name, std::vector< google::iam::admin::v1::ListServiceAccountKeysRequest::KeyType > const &key_types)
 Lists every [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] for a service account.

StatusOr< google::iam::admin::v1::ServiceAccountKey > GetServiceAccountKey (std::string const &name, google::iam::admin::v1::ServiceAccountPublicKeyType public_key_type)
 Gets a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

StatusOr< google::iam::admin::v1::ServiceAccountKey > CreateServiceAccountKey (std::string const &name, google::iam::admin::v1::ServiceAccountPrivateKeyType private_key_type, google::iam::admin::v1::ServiceAccountKeyAlgorithm key_algorithm)
 Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

Status DeleteServiceAccountKey (std::string const &name)
 Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

StatusOr< google::iam::v1::Policy > GetIamPolicy (std::string const &resource)
 Gets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

StatusOr< google::iam::v1::Policy > SetIamPolicy (std::string const &resource, google::iam::v1::Policy const &policy)
 Sets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

StatusOr< google::iam::v1::Policy > SetIamPolicy (std::string const &resource, IamUpdater const &updater, Options options={})
 Updates the IAM policy for resource using an optimistic concurrency control loop.

StatusOr< google::iam::v1::TestIamPermissionsResponse > TestIamPermissions (std::string const &resource, std::vector< std::string > const &permissions)
 Tests whether the caller has the specified permissions on a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

StreamRange< google::iam::admin::v1::Role > QueryGrantableRoles (std::string const &full_resource_name)
 Lists roles that can be granted on a Google Cloud resource.

StreamRange< google::iam::admin::v1::ServiceAccount > ListServiceAccounts (google::iam::admin::v1::ListServiceAccountsRequest request)
 Lists every [ServiceAccount][google.iam.admin.v1.ServiceAccount] that belongs to a specific project.

StatusOr< google::iam::admin::v1::ServiceAccount > GetServiceAccount (google::iam::admin::v1::GetServiceAccountRequest const &request)
 Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

StatusOr< google::iam::admin::v1::ServiceAccount > CreateServiceAccount (google::iam::admin::v1::CreateServiceAccountRequest const &request)
 Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

StatusOr< google::iam::admin::v1::ServiceAccount > PatchServiceAccount (google::iam::admin::v1::PatchServiceAccountRequest const &request)
 Patches a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Status DeleteServiceAccount (google::iam::admin::v1::DeleteServiceAccountRequest const &request)
 Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

StatusOr< google::iam::admin::v1::UndeleteServiceAccountResponse > UndeleteServiceAccount (google::iam::admin::v1::UndeleteServiceAccountRequest const &request)
 Restores a deleted [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Status EnableServiceAccount (google::iam::admin::v1::EnableServiceAccountRequest const &request)
 Enables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] that was disabled by [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount].

Status DisableServiceAccount (google::iam::admin::v1::DisableServiceAccountRequest const &request)
 Disables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] immediately.

StatusOr< google::iam::admin::v1::ListServiceAccountKeysResponse > ListServiceAccountKeys (google::iam::admin::v1::ListServiceAccountKeysRequest const &request)
 Lists every [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] for a service account.

StatusOr< google::iam::admin::v1::ServiceAccountKey > GetServiceAccountKey (google::iam::admin::v1::GetServiceAccountKeyRequest const &request)
 Gets a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

StatusOr< google::iam::admin::v1::ServiceAccountKey > CreateServiceAccountKey (google::iam::admin::v1::CreateServiceAccountKeyRequest const &request)
 Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

StatusOr< google::iam::admin::v1::ServiceAccountKey > UploadServiceAccountKey (google::iam::admin::v1::UploadServiceAccountKeyRequest const &request)
 Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey], using a public key that you provide.

Status DeleteServiceAccountKey (google::iam::admin::v1::DeleteServiceAccountKeyRequest const &request)
 Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

StatusOr< google::iam::v1::Policy > GetIamPolicy (google::iam::v1::GetIamPolicyRequest const &request)
 Gets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

StatusOr< google::iam::v1::Policy > SetIamPolicy (google::iam::v1::SetIamPolicyRequest const &request)
 Sets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

StatusOr< google::iam::v1::TestIamPermissionsResponse > TestIamPermissions (google::iam::v1::TestIamPermissionsRequest const &request)
 Tests whether the caller has the specified permissions on a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

StreamRange< google::iam::admin::v1::Role > QueryGrantableRoles (google::iam::admin::v1::QueryGrantableRolesRequest request)
 Lists roles that can be granted on a Google Cloud resource.

StreamRange< google::iam::admin::v1::Role > ListRoles (google::iam::admin::v1::ListRolesRequest request)
 Lists every predefined [Role][google.iam.admin.v1.Role] that IAM supports, or every custom role that is defined for an organization or project.

StatusOr< google::iam::admin::v1::Role > GetRole (google::iam::admin::v1::GetRoleRequest const &request)
 Gets the definition of a [Role][google.iam.admin.v1.Role].

StatusOr< google::iam::admin::v1::Role > CreateRole (google::iam::admin::v1::CreateRoleRequest const &request)
 Creates a new custom [Role][google.iam.admin.v1.Role].

StatusOr< google::iam::admin::v1::Role > UpdateRole (google::iam::admin::v1::UpdateRoleRequest const &request)
 Updates the definition of a custom [Role][google.iam.admin.v1.Role].

StatusOr< google::iam::admin::v1::Role > DeleteRole (google::iam::admin::v1::DeleteRoleRequest const &request)
 Deletes a custom [Role][google.iam.admin.v1.Role].

StatusOr< google::iam::admin::v1::Role > UndeleteRole (google::iam::admin::v1::UndeleteRoleRequest const &request)
 Undeletes a custom [Role][google.iam.admin.v1.Role].

StreamRange< google::iam::admin::v1::Permission > QueryTestablePermissions (google::iam::admin::v1::QueryTestablePermissionsRequest request)
 Lists every permission that you can test on a resource.

StatusOr< google::iam::admin::v1::QueryAuditableServicesResponse > QueryAuditableServices (google::iam::admin::v1::QueryAuditableServicesRequest const &request)
 Returns a list of services that allow you to opt into audit logs that are not generated by default.

StatusOr< google::iam::admin::v1::LintPolicyResponse > LintPolicy (google::iam::admin::v1::LintPolicyRequest const &request)
 Lints, or validates, an IAM policy.
 

Friends

bool operator== (IAMClient const &a, IAMClient const &b)
 
bool operator!= (IAMClient const &a, IAMClient const &b)
 

Detailed Description

Creates and manages Identity and Access Management (IAM) resources.

You can use this service to work with all of the following resources:

In addition, you can use this service to complete the following tasks, among others:

Definition at line 57 of file iam_client.h.

Constructor & Destructor Documentation

◆ IAMClient() [1/3]

google::cloud::iam::v1::IAMClient::IAMClient ( std::shared_ptr< IAMConnection > connection )
explicit

Definition at line 30 of file iam_client.cc.

◆ ~IAMClient()

google::cloud::iam::v1::IAMClient::~IAMClient ( )
default

◆ IAMClient() [2/3]

google::cloud::iam::v1::IAMClient::IAMClient ( IAMClient const &  )
default

◆ IAMClient() [3/3]

google::cloud::iam::v1::IAMClient::IAMClient ( IAMClient &&  )
default

Member Function Documentation

◆ CreateRole()

StatusOr< google::iam::admin::v1::Role > google::cloud::iam::v1::IAMClient::CreateRole ( google::iam::admin::v1::CreateRoleRequest const &  request)

Creates a new custom [Role][google.iam.admin.v1.Role].

Parameters
request: google::iam::admin::v1::CreateRoleRequest
Returns
google::iam::admin::v1::Role

Definition at line 261 of file iam_client.cc.

◆ CreateServiceAccount() [1/2]

StatusOr< google::iam::admin::v1::ServiceAccount > google::cloud::iam::v1::IAMClient::CreateServiceAccount ( google::iam::admin::v1::CreateServiceAccountRequest const &  request)

Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Parameters
request: google::iam::admin::v1::CreateServiceAccountRequest
Returns
google::iam::admin::v1::ServiceAccount

Definition at line 170 of file iam_client.cc.

◆ CreateServiceAccount() [2/2]

StatusOr< google::iam::admin::v1::ServiceAccount > google::cloud::iam::v1::IAMClient::CreateServiceAccount ( std::string const &  name,
std::string const &  account_id,
google::iam::admin::v1::ServiceAccount const &  service_account 
)

Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Parameters
name: Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.
account_id: Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression [a-z]([-a-z0-9]*[a-z0-9]) to comply with RFC1035.
service_account: The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to create. Currently, only the following values are user assignable: display_name and description.
Returns
google::iam::admin::v1::ServiceAccount

Definition at line 49 of file iam_client.cc.

◆ CreateServiceAccountKey() [1/2]

StatusOr< google::iam::admin::v1::ServiceAccountKey > google::cloud::iam::v1::IAMClient::CreateServiceAccountKey ( google::iam::admin::v1::CreateServiceAccountKeyRequest const &  request)

Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

Parameters
request: google::iam::admin::v1::CreateServiceAccountKeyRequest
Returns
google::iam::admin::v1::ServiceAccountKey

Definition at line 214 of file iam_client.cc.

◆ CreateServiceAccountKey() [2/2]

StatusOr< google::iam::admin::v1::ServiceAccountKey > google::cloud::iam::v1::IAMClient::CreateServiceAccountKey ( std::string const &  name,
google::iam::admin::v1::ServiceAccountPrivateKeyType  private_key_type,
google::iam::admin::v1::ServiceAccountKeyAlgorithm  key_algorithm 
)

Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

Parameters
name: Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
private_key_type: The output format of the private key. The default value is TYPE_GOOGLE_CREDENTIALS_FILE, which is the Google Credentials File format.
key_algorithm: Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However, this may change in the future.
Returns
google::iam::admin::v1::ServiceAccountKey

Definition at line 88 of file iam_client.cc.

◆ DeleteRole()

StatusOr< google::iam::admin::v1::Role > google::cloud::iam::v1::IAMClient::DeleteRole ( google::iam::admin::v1::DeleteRoleRequest const &  request)

Deletes a custom [Role][google.iam.admin.v1.Role].

When you delete a custom role, the following changes occur immediately:

  • You cannot bind a member to the custom role in an IAM [Policy][google.iam.v1.Policy].
  • Existing bindings to the custom role are not changed, but they have no effect.
  • By default, the response from [ListRoles][google.iam.admin.v1.IAM.ListRoles] does not include the custom role.

You have 7 days to undelete the custom role. After 7 days, the following changes occur:

  • The custom role is permanently deleted and cannot be recovered.
  • If an IAM policy contains a binding to the custom role, the binding is permanently removed.

Parameters
request: google::iam::admin::v1::DeleteRoleRequest
Returns
google::iam::admin::v1::Role

Definition at line 271 of file iam_client.cc.

◆ DeleteServiceAccount() [1/2]

Status google::cloud::iam::v1::IAMClient::DeleteServiceAccount ( google::iam::admin::v1::DeleteServiceAccountRequest const &  request)

Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] instead.

If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

Parameters
request: google::iam::admin::v1::DeleteServiceAccountRequest

Definition at line 180 of file iam_client.cc.

◆ DeleteServiceAccount() [2/2]

Status google::cloud::iam::v1::IAMClient::DeleteServiceAccount ( std::string const &  name)

Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] instead.

If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

Parameters
name: Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Definition at line 59 of file iam_client.cc.

◆ DeleteServiceAccountKey() [1/2]

Status google::cloud::iam::v1::IAMClient::DeleteServiceAccountKey ( google::iam::admin::v1::DeleteServiceAccountKeyRequest const &  request)

Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

Parameters
request: google::iam::admin::v1::DeleteServiceAccountKeyRequest

Definition at line 225 of file iam_client.cc.

◆ DeleteServiceAccountKey() [2/2]

Status google::cloud::iam::v1::IAMClient::DeleteServiceAccountKey ( std::string const &  name)

Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

Parameters
name: Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Definition at line 99 of file iam_client.cc.
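
The account_id rule given for CreateServiceAccount() and the two resource-name formats used by the service account and key methods can be checked before a call is made. The following is an added example, not code from google-cloud-cpp; `ServiceAccountName`, `IsValidAccountId`, `ParseName` and `NameForAccount` are hypothetical helpers, and the sample names are constructed.

```cpp
#include <iostream>
#include <optional>
#include <regex>
#include <string>
#include <vector>

// Added helper type; not part of google-cloud-cpp.
struct ServiceAccountName {
  std::string project;  // "-" asks IAM to infer the project from the account
  std::string account;  // email address or unique_id
  std::string key;      // empty unless the name addresses a key
  bool wildcard_project() const { return project == "-"; }
};

// account_id rule from the CreateServiceAccount parameters: 6-30 characters,
// matching [a-z]([-a-z0-9]*[a-z0-9]) over the whole string.
bool IsValidAccountId(std::string const& id) {
  static std::regex const kPattern("[a-z]([-a-z0-9]*[a-z0-9])");
  return id.size() >= 6 && id.size() <= 30 && std::regex_match(id, kPattern);
}

std::vector<std::string> SplitOnSlash(std::string const& s) {
  std::vector<std::string> parts;
  std::string::size_type start = 0;
  for (;;) {
    auto const pos = s.find('/', start);
    parts.push_back(s.substr(start, pos - start));
    if (pos == std::string::npos) return parts;
    start = pos + 1;
  }
}

// Parses projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} or, with expect_key,
// projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.
// Only the segment structure is checked; the character sets allowed in each
// segment are not stated on the page and are not enforced here.
std::optional<ServiceAccountName> ParseName(std::string const& name,
                                            bool expect_key) {
  auto const parts = SplitOnSlash(name);
  if (parts.size() != (expect_key ? 6u : 4u)) return std::nullopt;
  if (parts[0] != "projects" || parts[2] != "serviceAccounts") {
    return std::nullopt;
  }
  if (expect_key && parts[4] != "keys") return std::nullopt;
  for (auto const& p : parts) {
    if (p.empty()) return std::nullopt;
  }
  return ServiceAccountName{parts[1], parts[3],
                            expect_key ? parts[5] : std::string{}};
}

// Builds a service account name from a caller-supplied account string and
// refuses input that would change which resource the name addresses.
std::optional<std::string> NameForAccount(std::string const& account) {
  std::string const name = "projects/-/serviceAccounts/" + account;
  if (!ParseName(name, /*expect_key=*/false)) return std::nullopt;
  return name;
}

int main() {
  // Constructed sample inputs.
  std::cout << std::boolalpha
            << "build-agent-01 valid id: " << IsValidAccountId("build-agent-01")
            << "\ntrailing-dash- valid id: "
            << IsValidAccountId("trailing-dash-")
            << "\nplain account accepted: "
            << NameForAccount("ci@my-project-123.iam.gserviceaccount.com")
                   .has_value()
            << "\naccount with extra segments accepted: "
            << NameForAccount("ci@example.com/keys/abc123").has_value() << "\n";
}
```

An account string that carries extra path segments would otherwise turn a service account name into a key name, so the segment count is compared against the form the call expects.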

◆ DisableServiceAccount()

Status google::cloud::iam::v1::IAMClient::DisableServiceAccount ( google::iam::admin::v1::DisableServiceAccountRequest const &  request)

Disables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] immediately.

If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail.

To re-enable the service account, use [EnableServiceAccount][google.iam.admin.v1.IAM.EnableServiceAccount]. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with [DeleteServiceAccount][google.iam.admin.v1.IAM.DeleteServiceAccount].

Parameters
request: google::iam::admin::v1::DisableServiceAccountRequest

Definition at line 196 of file iam_client.cc.

◆ EnableServiceAccount()

Status google::cloud::iam::v1::IAMClient::EnableServiceAccount ( google::iam::admin::v1::EnableServiceAccountRequest const &  request)

Enables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] that was disabled by [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount].

If the service account is already enabled, then this method has no effect.

If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.

Parameters
request: google::iam::admin::v1::EnableServiceAccountRequest

Definition at line 191 of file iam_client.cc.

◆ GetIamPolicy() [1/2]

StatusOr< google::iam::v1::Policy > google::cloud::iam::v1::IAMClient::GetIamPolicy ( google::iam::v1::GetIamPolicyRequest const &  request)

Gets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

This IAM policy specifies which members have access to the service account.

This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

Parameters
request: google::iam::v1::GetIamPolicyRequest
Returns
google::iam::v1::Policy

Definition at line 230 of file iam_client.cc.

◆ GetIamPolicy() [2/2]

StatusOr< google::iam::v1::Policy > google::cloud::iam::v1::IAMClient::GetIamPolicy ( std::string const &  resource)

Gets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

This IAM policy specifies which members have access to the service account.

This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

Parameters
resource: REQUIRED: The resource for which the policy is being requested. See the operation documentation for the appropriate value for this field.
Returns
google::iam::v1::Policy

Definition at line 105 of file iam_client.cc.

◆ GetRole()

StatusOr< google::iam::admin::v1::Role > google::cloud::iam::v1::IAMClient::GetRole ( google::iam::admin::v1::GetRoleRequest const &  request)

Gets the definition of a [Role][google.iam.admin.v1.Role].

Parameters
request: google::iam::admin::v1::GetRoleRequest
Returns
google::iam::admin::v1::Role

Definition at line 256 of file iam_client.cc.

◆ GetServiceAccount() [1/2]

StatusOr< google::iam::admin::v1::ServiceAccount > google::cloud::iam::v1::IAMClient::GetServiceAccount ( google::iam::admin::v1::GetServiceAccountRequest const &  request)

Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Parameters
request: google::iam::admin::v1::GetServiceAccountRequest
Returns
google::iam::admin::v1::ServiceAccount

Definition at line 164 of file iam_client.cc.

◆ GetServiceAccount() [2/2]

StatusOr< google::iam::admin::v1::ServiceAccount > google::cloud::iam::v1::IAMClient::GetServiceAccount ( std::string const &  name)

Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Parameters
name: Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
Returns
google::iam::admin::v1::ServiceAccount

Definition at line 41 of file iam_client.cc.

◆ GetServiceAccountKey() [1/2]

StatusOr< google::iam::admin::v1::ServiceAccountKey > google::cloud::iam::v1::IAMClient::GetServiceAccountKey ( google::iam::admin::v1::GetServiceAccountKeyRequest const &  request)

Gets a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

Parameters
request: google::iam::admin::v1::GetServiceAccountKeyRequest
Returns
google::iam::admin::v1::ServiceAccountKey

Definition at line 208 of file iam_client.cc.

◆ GetServiceAccountKey() [2/2]

StatusOr< google::iam::admin::v1::ServiceAccountKey > google::cloud::iam::v1::IAMClient::GetServiceAccountKey ( std::string const &  name,
google::iam::admin::v1::ServiceAccountPublicKeyType  public_key_type 
)

Gets a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

Parameters
name: Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
public_key_type: The output format of the public key requested. X509_PEM is the default output format.
Returns
google::iam::admin::v1::ServiceAccountKey

Definition at line 78 of file iam_client.cc.

◆ LintPolicy()

StatusOr< google::iam::admin::v1::LintPolicyResponse > google::cloud::iam::v1::IAMClient::LintPolicy ( google::iam::admin::v1::LintPolicyRequest const &  request)

Lints, or validates, an IAM policy.

Currently checks the [google.iam.v1.Binding.condition][google.iam.v1.Binding.condition] field, which contains a condition expression for a role binding.

Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy.

Parameters
request: google::iam::admin::v1::LintPolicyRequest
Returns
google::iam::admin::v1::LintPolicyResponse

Definition at line 293 of file iam_client.cc.

◆ ListRoles()

StreamRange< google::iam::admin::v1::Role > google::cloud::iam::v1::IAMClient::ListRoles ( google::iam::admin::v1::ListRolesRequest  request)

Lists every predefined [Role][google.iam.admin.v1.Role] that IAM supports, or every custom role that is defined for an organization or project.

Parameters
request: google::iam::admin::v1::ListRolesRequest

Definition at line 251 of file iam_client.cc.

◆ ListServiceAccountKeys() [1/2]

StatusOr< google::iam::admin::v1::ListServiceAccountKeysResponse > google::cloud::iam::v1::IAMClient::ListServiceAccountKeys ( google::iam::admin::v1::ListServiceAccountKeysRequest const &  request)

Lists every [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] for a service account.

Parameters
request: google::iam::admin::v1::ListServiceAccountKeysRequest
Returns
google::iam::admin::v1::ListServiceAccountKeysResponse

Definition at line 202 of file iam_client.cc.

◆ ListServiceAccountKeys() [2/2]

StatusOr< google::iam::admin::v1::ListServiceAccountKeysResponse > google::cloud::iam::v1::IAMClient::ListServiceAccountKeys ( std::string const &  name,
std::vector< google::iam::admin::v1::ListServiceAccountKeysRequest::KeyType > const &  key_types 
)

Lists every [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] for a service account.

Parameters
name: Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
key_types: Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned.
Returns
google::iam::admin::v1::ListServiceAccountKeysResponse

Definition at line 66 of file iam_client.cc.

◆ ListServiceAccounts() [1/2]

StreamRange< google::iam::admin::v1::ServiceAccount > google::cloud::iam::v1::IAMClient::ListServiceAccounts ( google::iam::admin::v1::ListServiceAccountsRequest  request)

Lists every [ServiceAccount][google.iam.admin.v1.ServiceAccount] that belongs to a specific project.

Parameters
request: google::iam::admin::v1::ListServiceAccountsRequest

Definition at line 159 of file iam_client.cc.

◆ ListServiceAccounts() [2/2]

StreamRange< google::iam::admin::v1::ServiceAccount > google::cloud::iam::v1::IAMClient::ListServiceAccounts ( std::string const &  name)

Lists every [ServiceAccount][google.iam.admin.v1.ServiceAccount] that belongs to a specific project.

Parameters
name: Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.

Definition at line 35 of file iam_client.cc.

◆ operator=() [1/2]

IAMClient& google::cloud::iam::v1::IAMClient::operator= ( IAMClient &&  )
default

◆ operator=() [2/2]

IAMClient& google::cloud::iam::v1::IAMClient::operator= ( IAMClient const &  )
default

◆ PatchServiceAccount()

StatusOr< google::iam::admin::v1::ServiceAccount > google::cloud::iam::v1::IAMClient::PatchServiceAccount ( google::iam::admin::v1::PatchServiceAccountRequest const &  request)

Patches a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Parameters
request: google::iam::admin::v1::PatchServiceAccountRequest
Returns
google::iam::admin::v1::ServiceAccount

Definition at line 175 of file iam_client.cc.

◆ QueryAuditableServices()

StatusOr< google::iam::admin::v1::QueryAuditableServicesResponse > google::cloud::iam::v1::IAMClient::QueryAuditableServices ( google::iam::admin::v1::QueryAuditableServicesRequest const &  request)

Returns a list of services that allow you to opt into audit logs that are not generated by default.

To learn more about audit logs, see the Logging documentation.

Parameters
request: google::iam::admin::v1::QueryAuditableServicesRequest
Returns
google::iam::admin::v1::QueryAuditableServicesResponse

Definition at line 288 of file iam_client.cc.

◆ QueryGrantableRoles() [1/2]

StreamRange< google::iam::admin::v1::Role > google::cloud::iam::v1::IAMClient::QueryGrantableRoles ( google::iam::admin::v1::QueryGrantableRolesRequest  request)

Lists roles that can be granted on a Google Cloud resource.

A role is grantable if the IAM policy for the resource can contain bindings to the role.

Parameters
request: google::iam::admin::v1::QueryGrantableRolesRequest

Definition at line 246 of file iam_client.cc.

◆ QueryGrantableRoles() [2/2]

StreamRange< google::iam::admin::v1::Role > google::cloud::iam::v1::IAMClient::QueryGrantableRoles ( std::string const &  full_resource_name)

Lists roles that can be granted on a Google Cloud resource.

A role is grantable if the IAM policy for the resource can contain bindings to the role.

Parameters
full_resource_name: Required. The full resource name to query from the list of grantable roles. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

Definition at line 151 of file iam_client.cc.

◆ QueryTestablePermissions()

StreamRange< google::iam::admin::v1::Permission > google::cloud::iam::v1::IAMClient::QueryTestablePermissions ( google::iam::admin::v1::QueryTestablePermissionsRequest  request)

Lists every permission that you can test on a resource.

A permission is testable if you can check whether a member has that permission on the resource.

Parameters
request: google::iam::admin::v1::QueryTestablePermissionsRequest

Definition at line 282 of file iam_client.cc.

◆ SetIamPolicy() [1/3]

StatusOr< google::iam::v1::Policy > google::cloud::iam::v1::IAMClient::SetIamPolicy ( google::iam::v1::SetIamPolicyRequest const &  request)

Sets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Use this method to grant or revoke access to the service account. For example, you could grant a member the ability to impersonate the service account.

This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:

  1. Call the resource's getIamPolicy method to get its current IAM policy.
  2. Edit the policy so that it binds the service account to an IAM role for the resource.
  3. Call the resource's setIamPolicy method to update its IAM policy.

For detailed instructions, see Granting roles to a service account for specific resources.

Parameters
request: google::iam::v1::SetIamPolicyRequest
Returns
google::iam::v1::Policy

Definition at line 235 of file iam_client.cc.

◆ SetIamPolicy() [2/3]

StatusOr< google::iam::v1::Policy > google::cloud::iam::v1::IAMClient::SetIamPolicy ( std::string const &  resource,
google::iam::v1::Policy const &  policy 
)

Sets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Use this method to grant or revoke access to the service account. For example, you could grant a member the ability to impersonate the service account.

This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:

  1. Call the resource's getIamPolicy method to get its current IAM policy.
  2. Edit the policy so that it binds the service account to an IAM role for the resource.
  3. Call the resource's setIamPolicy method to update its IAM policy.

For detailed instructions, see Granting roles to a service account for specific resources.

Parameters
  resource  REQUIRED: The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field.
  policy  REQUIRED: The complete policy to be applied to the resource. The size of the policy is limited to a few tens of KB. An empty policy is a valid policy, but certain Cloud Platform services (such as Projects) might reject it.
Returns
google::iam::v1::Policy

Definition at line 112 of file iam_client.cc.

◆ SetIamPolicy() [3/3]

StatusOr< google::iam::v1::Policy > google::cloud::iam::v1::IAMClient::SetIamPolicy ( std::string const &  resource,
IamUpdater const &  updater,
Options  options = {} 
)

Updates the IAM policy for resource using an optimistic concurrency control loop.

The loop fetches the current policy for resource, and passes it to updater, which should return the new policy. This new policy should use the current etag so that the read-modify-write cycle can detect races and rerun the update when there is a mismatch. If the new policy does not have an etag, the existing policy will be blindly overwritten. If updater does not yield a policy, the control loop is terminated and kCancelled is returned.

Parameters
  resource  Required. The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field.
  updater  Required. Functor to map the current policy to a new one.
  options  Optional. Options to control the loop. Expected options are:
Returns
google::iam::v1::Policy

Definition at line 120 of file iam_client.cc.
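
The read-modify-write loop described for SetIamPolicy() [3/3], as an added, self-contained model that is not code from the library. FakeIamService, UpdatePolicy, Race, Outcome, the Policy and Code types and the updater signature are hypothetical stand-ins. It shows why the updater should keep the etag: with the etag cleared, a concurrent writer's change to the policy is silently overwritten.

```cpp
#include <functional>
#include <optional>
#include <set>
#include <string>

// Hypothetical stand-ins for google::iam::v1::Policy and the IAM backend.
struct Policy {
  std::string etag;               // empty etag => unconditional overwrite
  std::set<std::string> members;  // members of a single role binding
};
enum class Code { kOk, kAborted, kCancelled };
using Updater = std::function<std::optional<Policy>(Policy)>;
struct Outcome { Code code; std::set<std::string> members; };

struct FakeIamService {
  int version = 1;
  Policy stored{"v1", {}};
  Code Set(Policy const& p) {  // stale etag rejected; empty etag always wins
    if (!p.etag.empty() && p.etag != stored.etag) return Code::kAborted;
    stored = {"v" + std::to_string(++version), p.members};
    return Code::kOk;
  }
};

// Read-modify-write loop; `rival` simulates a writer between read and write.
Code UpdatePolicy(FakeIamService& svc, Updater const& updater,
                  std::function<void()> const& rival, int max_attempts = 5) {
  for (int i = 0; i < max_attempts; ++i) {
    auto next = updater(svc.stored);
    if (!next) return Code::kCancelled;  // updater yielded no policy
    rival();
    if (svc.Set(*next) == Code::kOk) return Code::kOk;  // else refetch, rerun
  }
  return Code::kAborted;
}

// The updater adds "user:alice"; a rival adds "user:bob" once, mid-update.
Outcome Race(bool keep_etag, bool cancel = false) {
  FakeIamService svc;
  auto rival = [&] {  // writes only while the store is still at version 1
    if (svc.version == 1) svc.Set({svc.stored.etag, {"user:bob"}});
  };
  auto updater = [&](Policy p) -> std::optional<Policy> {
    if (cancel) return std::nullopt;
    p.members.insert("user:alice");
    if (!keep_etag) p.etag.clear();
    return p;
  };
  return {UpdatePolicy(svc, updater, rival), svc.stored.members};
}
```

Race(true) ends with both members because the stale write is rejected and the updater reruns on the fresh policy; Race(false) ends with only "user:alice".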

◆ TestIamPermissions() [1/2]

StatusOr< google::iam::v1::TestIamPermissionsResponse > google::cloud::iam::v1::IAMClient::TestIamPermissions ( google::iam::v1::TestIamPermissionsRequest const &  request)

Tests whether the caller has the specified permissions on a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Parameters
  request  google::iam::v1::TestIamPermissionsRequest
Returns
google::iam::v1::TestIamPermissionsResponse

Definition at line 241 of file iam_client.cc.

◆ TestIamPermissions() [2/2]

StatusOr< google::iam::v1::TestIamPermissionsResponse > google::cloud::iam::v1::IAMClient::TestIamPermissions ( std::string const &  resource,
std::vector< std::string > const &  permissions 
)

Tests whether the caller has the specified permissions on a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Parameters
  resource  REQUIRED: The resource for which the policy detail is being requested. See the operation documentation for the appropriate value for this field.
  permissions  The set of permissions to check for the resource. Permissions with wildcards (such as '*' or 'storage.*') are not allowed. For more information see IAM Overview.
Returns
google::iam::v1::TestIamPermissionsResponse

Definition at line 143 of file iam_client.cc.

◆ UndeleteRole()

StatusOr< google::iam::admin::v1::Role > google::cloud::iam::v1::IAMClient::UndeleteRole ( google::iam::admin::v1::UndeleteRoleRequest const &  request)

Undeletes a custom [Role][google.iam.admin.v1.Role].

Parameters
  request  google::iam::admin::v1::UndeleteRoleRequest
Returns
google::iam::admin::v1::Role

Definition at line 276 of file iam_client.cc.

◆ UndeleteServiceAccount()

StatusOr< google::iam::admin::v1::UndeleteServiceAccountResponse > google::cloud::iam::v1::IAMClient::UndeleteServiceAccount ( google::iam::admin::v1::UndeleteServiceAccountRequest const &  request)

Restores a deleted [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Important: It is not always possible to restore a deleted service account. Use this method only as a last resort.

After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.

Parameters
  request  google::iam::admin::v1::UndeleteServiceAccountRequest
Returns
google::iam::admin::v1::UndeleteServiceAccountResponse

Definition at line 186 of file iam_client.cc.

◆ UpdateRole()

StatusOr< google::iam::admin::v1::Role > google::cloud::iam::v1::IAMClient::UpdateRole ( google::iam::admin::v1::UpdateRoleRequest const &  request)

Updates the definition of a custom [Role][google.iam.admin.v1.Role].

Parameters
  request  google::iam::admin::v1::UpdateRoleRequest
Returns
google::iam::admin::v1::Role

Definition at line 266 of file iam_client.cc.

◆ UploadServiceAccountKey()

StatusOr< google::iam::admin::v1::ServiceAccountKey > google::cloud::iam::v1::IAMClient::UploadServiceAccountKey ( google::iam::admin::v1::UploadServiceAccountKeyRequest const &  request)

Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey], using a public key that you provide.

Parameters
  request  google::iam::admin::v1::UploadServiceAccountKeyRequest
Returns
google::iam::admin::v1::ServiceAccountKey

Definition at line 220 of file iam_client.cc.

Friends And Related Function Documentation

◆ operator!=

bool operator!= ( IAMClient const &  a,
IAMClient const &  b 
)
friend

Definition at line 75 of file iam_client.h.

◆ operator==

bool operator== ( IAMClient const &  a,
IAMClient const &  b 
)
friend

Definition at line 72 of file iam_client.h.