google::cloud::iam_credentials_v1::IAMCredentialsClient Class Reference

A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. More...

#include <google/cloud/iam/credentials/v1/iam_credentials_client.h>

Public Member Functions
	IAMCredentialsClient (std::shared_ptr< IAMCredentialsConnection > connection, Options opts={})
	~IAMCredentialsClient ()
StatusOr< google::iam::credentials::v1::GenerateAccessTokenResponse >	GenerateAccessToken (std::string const &name, std::vector< std::string > const &delegates, std::vector< std::string > const &scope, google::protobuf::Duration const &lifetime, Options opts={})
	Generates an OAuth 2.0 access token for a service account. More...
StatusOr< google::iam::credentials::v1::GenerateAccessTokenResponse >	GenerateAccessToken (google::iam::credentials::v1::GenerateAccessTokenRequest const &request, Options opts={})
	Generates an OAuth 2.0 access token for a service account. More...
StatusOr< google::iam::credentials::v1::GenerateIdTokenResponse >	GenerateIdToken (std::string const &name, std::vector< std::string > const &delegates, std::string const &audience, bool include_email, Options opts={})
	Generates an OpenID Connect ID token for a service account. More...
StatusOr< google::iam::credentials::v1::GenerateIdTokenResponse >	GenerateIdToken (google::iam::credentials::v1::GenerateIdTokenRequest const &request, Options opts={})
	Generates an OpenID Connect ID token for a service account. More...
StatusOr< google::iam::credentials::v1::SignBlobResponse >	SignBlob (std::string const &name, std::vector< std::string > const &delegates, std::string const &payload, Options opts={})
	Signs a blob using a service account's system-managed private key. More...
StatusOr< google::iam::credentials::v1::SignBlobResponse >	SignBlob (google::iam::credentials::v1::SignBlobRequest const &request, Options opts={})
	Signs a blob using a service account's system-managed private key. More...
StatusOr< google::iam::credentials::v1::SignJwtResponse >	SignJwt (std::string const &name, std::vector< std::string > const &delegates, std::string const &payload, Options opts={})
	Signs a JWT using a service account's system-managed private key. More...
StatusOr< google::iam::credentials::v1::SignJwtResponse >	SignJwt (google::iam::credentials::v1::SignJwtRequest const &request, Options opts={})
	Signs a JWT using a service account's system-managed private key. More...
Copy and move support
	IAMCredentialsClient (IAMCredentialsClient const &)=default
IAMCredentialsClient &	operator= (IAMCredentialsClient const &)=default
	IAMCredentialsClient (IAMCredentialsClient &&)=default
IAMCredentialsClient &	operator= (IAMCredentialsClient &&)=default

Friends
Equality
bool	operator== (IAMCredentialsClient const &a, IAMCredentialsClient const &b)
bool	operator!= (IAMCredentialsClient const &a, IAMCredentialsClient const &b)

Detailed Description

A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user.

Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved.

Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.

Equality

Instances of this class created via copy-construction or copy-assignment always compare equal. Instances created with equal std::shared_ptr<*Connection> objects compare equal. Objects that compare equal share the same underlying resources.

Performance

Creating a new instance of this class is a relatively expensive operation, new objects establish new connections to the service. In contrast, copy-construction, move-construction, and the corresponding assignment operations are relatively efficient as the copies share all underlying resources.

Thread Safety

Concurrent access to different instances of this class, even if they compare equal, is guaranteed to work. Two or more threads operating on the same instance of this class is not guaranteed to work. Since copy-construction and move-construction is a relatively efficient operation, consider using such a copy when using this class from multiple threads.

Constructor & Destructor Documentation

IAMCredentialsClient() [1/3]

google::cloud::iam_credentials_v1::IAMCredentialsClient::IAMCredentialsClient ( std::shared_ptr< IAMCredentialsConnection >  connection, Options  opts = {}  )

explicit

~IAMCredentialsClient()

google::cloud::iam_credentials_v1::IAMCredentialsClient::~IAMCredentialsClient

(

)

IAMCredentialsClient() [2/3]

google::cloud::iam_credentials_v1::IAMCredentialsClient::IAMCredentialsClient ( IAMCredentialsClient const &  )

default

IAMCredentialsClient() [3/3]

google::cloud::iam_credentials_v1::IAMCredentialsClient::IAMCredentialsClient ( IAMCredentialsClient &&  )

default

Member Function Documentation

GenerateAccessToken() [1/2]

StatusOr< google::iam::credentials::v1::GenerateAccessTokenResponse > google::cloud::iam_credentials_v1::IAMCredentialsClient::GenerateAccessToken	(	google::iam::credentials::v1::GenerateAccessTokenRequest const &	request,
		Options	opts = {}
	)

Generates an OAuth 2.0 access token for a service account.

Parameters

request	Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.iam.credentials.v1.GenerateAccessTokenRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts	Optional. Override the class-level options, such as retry and backoff policies.

Returns

the result of the RPC. The response message type (google.iam.credentials.v1.GenerateAccessTokenResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the `StatusOr` contains the error details.

GenerateAccessToken() [2/2]

StatusOr< google::iam::credentials::v1::GenerateAccessTokenResponse > google::cloud::iam_credentials_v1::IAMCredentialsClient::GenerateAccessToken	(	std::string const &	name,
		std::vector< std::string > const &	delegates,
		std::vector< std::string > const &	scope,
		google::protobuf::Duration const &	lifetime,
		Options	opts = {}
	)

Generates an OAuth 2.0 access token for a service account.

Parameters

name	Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
delegates	The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
scope	Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required.
lifetime	The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.
opts	Optional. Override the class-level options, such as retry and backoff policies.

Returns

the result of the RPC. The response message type (google.iam.credentials.v1.GenerateAccessTokenResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the `StatusOr` contains the error details.

GenerateIdToken() [1/2]

StatusOr< google::iam::credentials::v1::GenerateIdTokenResponse > google::cloud::iam_credentials_v1::IAMCredentialsClient::GenerateIdToken	(	google::iam::credentials::v1::GenerateIdTokenRequest const &	request,
		Options	opts = {}
	)

Generates an OpenID Connect ID token for a service account.

Parameters

request	Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.iam.credentials.v1.GenerateIdTokenRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts	Optional. Override the class-level options, such as retry and backoff policies.

Returns

the result of the RPC. The response message type (google.iam.credentials.v1.GenerateIdTokenResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the `StatusOr` contains the error details.

GenerateIdToken() [2/2]

StatusOr< google::iam::credentials::v1::GenerateIdTokenResponse > google::cloud::iam_credentials_v1::IAMCredentialsClient::GenerateIdToken	(	std::string const &	name,
		std::vector< std::string > const &	delegates,
		std::string const &	audience,
		bool	include_email,
		Options	opts = {}
	)

Generates an OpenID Connect ID token for a service account.

Parameters

name	Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
delegates	The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
audience	Required. The audience for the token, such as the API or account that this token grants access to.
include_email	Include the service account email in the token. If set to true, the token will contain email and email_verified claims.
opts	Optional. Override the class-level options, such as retry and backoff policies.

Returns

the result of the RPC. The response message type (google.iam.credentials.v1.GenerateIdTokenResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the `StatusOr` contains the error details.

operator=() [1/2]

IAMCredentialsClient & google::cloud::iam_credentials_v1::IAMCredentialsClient::operator= ( IAMCredentialsClient &&  )

default

operator=() [2/2]

IAMCredentialsClient & google::cloud::iam_credentials_v1::IAMCredentialsClient::operator= ( IAMCredentialsClient const &  )

default

SignBlob() [1/2]

StatusOr< google::iam::credentials::v1::SignBlobResponse > google::cloud::iam_credentials_v1::IAMCredentialsClient::SignBlob	(	google::iam::credentials::v1::SignBlobRequest const &	request,
		Options	opts = {}
	)

Signs a blob using a service account's system-managed private key.

Parameters

request	Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.iam.credentials.v1.SignBlobRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts	Optional. Override the class-level options, such as retry and backoff policies.

Returns

the result of the RPC. The response message type (google.iam.credentials.v1.SignBlobResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the `StatusOr` contains the error details.

SignBlob() [2/2]

StatusOr< google::iam::credentials::v1::SignBlobResponse > google::cloud::iam_credentials_v1::IAMCredentialsClient::SignBlob	(	std::string const &	name,
		std::vector< std::string > const &	delegates,
		std::string const &	payload,
		Options	opts = {}
	)

Signs a blob using a service account's system-managed private key.

Parameters

name	Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
delegates	The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
payload	Required. The bytes to sign.
opts	Optional. Override the class-level options, such as retry and backoff policies.

Returns

the result of the RPC. The response message type (google.iam.credentials.v1.SignBlobResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the `StatusOr` contains the error details.

SignJwt() [1/2]

StatusOr< google::iam::credentials::v1::SignJwtResponse > google::cloud::iam_credentials_v1::IAMCredentialsClient::SignJwt	(	google::iam::credentials::v1::SignJwtRequest const &	request,
		Options	opts = {}
	)

Signs a JWT using a service account's system-managed private key.

Parameters

request	Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.iam.credentials.v1.SignJwtRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts	Optional. Override the class-level options, such as retry and backoff policies.

Returns

the result of the RPC. The response message type (google.iam.credentials.v1.SignJwtResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the `StatusOr` contains the error details.

SignJwt() [2/2]

StatusOr< google::iam::credentials::v1::SignJwtResponse > google::cloud::iam_credentials_v1::IAMCredentialsClient::SignJwt	(	std::string const &	name,
		std::vector< std::string > const &	delegates,
		std::string const &	payload,
		Options	opts = {}
	)

Signs a JWT using a service account's system-managed private key.

Parameters

name	Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
delegates	The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
payload	Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.
opts	Optional. Override the class-level options, such as retry and backoff policies.

Returns

the result of the RPC. The response message type (google.iam.credentials.v1.SignJwtResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the `StatusOr` contains the error details.

Friends And Related Function Documentation

operator!=

bool operator!= ( IAMCredentialsClient const &  a, IAMCredentialsClient const &  b  )

friend

operator==

bool operator== ( IAMCredentialsClient const &  a, IAMCredentialsClient const &  b  )

friend