Google Cloud IAM C++ Client  1.32.1
A C++ Client Library for Google Cloud IAM
iam_client.h
1 // Copyright 2021 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 // Generated by the Codegen C++ plugin.
16 // If you make any local changes, they will be lost.
17 // source: google/iam/admin/v1/iam.proto
18 
19 #ifndef GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_IAM_IAM_CLIENT_H
20 #define GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_IAM_IAM_CLIENT_H
21 
22 #include "google/cloud/iam/iam_connection.h"
23 #include "google/cloud/future.h"
24 #include "google/cloud/iam_updater.h"
25 #include "google/cloud/options.h"
26 #include "google/cloud/polling_policy.h"
27 #include "google/cloud/status_or.h"
28 #include "google/cloud/version.h"
29 #include <memory>
30 
31 namespace google {
32 namespace cloud {
33 namespace iam {
34 inline namespace GOOGLE_CLOUD_CPP_GENERATED_NS {
35 
36 /**
37  * Creates and manages Identity and Access Management (IAM) resources.
38  *
39  * You can use this service to work with all of the following resources:
40  *
41  * * **Service accounts**, which identify an application or a virtual machine
42  * (VM) instance rather than a person
43  * * **Service account keys**, which service accounts use to authenticate with
44  * Google APIs
45  * * **IAM policies for service accounts**, which specify the roles that a
46  * member has for the service account
47  * * **IAM custom roles**, which help you limit the number of permissions that
48  * you grant to members
49  *
50  * In addition, you can use this service to complete the following tasks, among
51  * others:
52  *
53  * * Test whether a service account can use specific permissions
54  * * Check which roles you can grant for a specific resource
55  * * Lint, or validate, condition expressions in an IAM policy
56  */
57 class IAMClient {
58  public:
// `explicit` keeps a std::shared_ptr<IAMConnection> from converting to an
// IAMClient implicitly. The connection is passed in as a shared pointer.
59  explicit IAMClient(std::shared_ptr<IAMConnection> connection);
61 
62  //@{
63  // @name Copy and move support
64  IAMClient(IAMClient const&) = default;
65  IAMClient& operator=(IAMClient const&) = default;
66  IAMClient(IAMClient&&) = default;
67  IAMClient& operator=(IAMClient&&) = default;
68  //@}
69 
70  //@{
71  // @name Equality
// Equality is defined by the `connection_` members of the two clients.
friend bool operator==(IAMClient const& a, IAMClient const& b) {
  auto const& lhs = a.connection_;
  auto const& rhs = b.connection_;
  return lhs == rhs;
}
// Defined as the negation of operator==, so the two can never disagree.
friend bool operator!=(IAMClient const& a, IAMClient const& b) {
  bool const equal = (a == b);
  return !equal;
}
78  //@}
79 
80  /**
81  * Lists every [ServiceAccount][google.iam.admin.v1.ServiceAccount] that
82  * belongs to a specific project.
83  *
84  * @param name Required. The resource name of the project associated with the
85  * service accounts, such as `projects/my-project-123`.
86  */
87  StreamRange<google::iam::admin::v1::ServiceAccount> ListServiceAccounts(
88  std::string const& name);
89 
90  /**
91  * Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
92  *
93  * @param name Required. The resource name of the service account in the
94  * following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using
95  * `-` as a wildcard for the `PROJECT_ID` will infer the project from the
96  * account. The `ACCOUNT` value can be the `email` address or the `unique_id`
97  * of the service account.
98  * @return
99  * [google::iam::admin::v1::ServiceAccount](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L461)
100  */
101  StatusOr<google::iam::admin::v1::ServiceAccount> GetServiceAccount(
102  std::string const& name);
103 
104  /**
105  * Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
106  *
107  * @param name Required. The resource name of the project associated with the
108  * service accounts, such as `projects/my-project-123`.
109  * @param account_id Required. The account id that is used to generate the
110  * service account email address and a stable unique id. It is unique within a
111  * project, must be 6-30 characters long, and match the regular expression
112  * `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
113  * @param service_account The
114  * [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to create.
115  * Currently, only the following values are user assignable: `display_name`
116  * and `description`.
117  * @return
118  * [google::iam::admin::v1::ServiceAccount](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L461)
119  */
120  StatusOr<google::iam::admin::v1::ServiceAccount> CreateServiceAccount(
121  std::string const& name, std::string const& account_id,
122  google::iam::admin::v1::ServiceAccount const& service_account);
123 
124  /**
125  * Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
126  *
127  * **Warning:** After you delete a service account, you might not be able to
128  * undelete it. If you know that you need to re-enable the service account in
129  * the future, use
130  * [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount]
131  * instead.
132  *
133  * If you delete a service account, IAM permanently removes the service
134  * account 30 days later. Google Cloud cannot recover the service account
135  * after it is permanently removed, even if you file a support request.
136  *
137  * To help avoid unplanned outages, we recommend that you disable the service
138  * account before you delete it. Use
139  * [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] to
140  * disable the service account, then wait at least 24 hours and watch for
141  * unintended consequences. If there are no unintended consequences, you can
142  * delete the service account.
143  *
144  * @param name Required. The resource name of the service account in the
145  * following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using
146  * `-` as a wildcard for the `PROJECT_ID` will infer the project from the
147  * account. The `ACCOUNT` value can be the `email` address or the `unique_id`
148  * of the service account.
149  */
150  Status DeleteServiceAccount(std::string const& name);
151 
152  /**
153  * Lists every [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] for
154  * a service account.
155  *
156  * @param name Required. The resource name of the service account in the
157  * following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using
158  * `-` as a wildcard for the `PROJECT_ID` will infer the project from the
159  * account. The `ACCOUNT` value can be the `email` address or the `unique_id`
160  * of the service account.
161  * @param key_types Filters the types of keys the user wants to include in
162  * the list response. Duplicate key types are not allowed. If no key type is
163  * provided, all keys are returned.
164  * @return
165  * [google::iam::admin::v1::ListServiceAccountKeysResponse](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L692)
166  */
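// Convenience overload: lists the keys of the service account `name`,
// filtered by `key_types` (all keys when no key type is given). The result is
// a StatusOr, so check it for an error before reading the response.
StatusOr<google::iam::admin::v1::ListServiceAccountKeysResponse>
ListServiceAccountKeys(
    std::string const& name,
    std::vector<
        google::iam::admin::v1::ListServiceAccountKeysRequest::KeyType> const&
        key_types);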
173 
174  /**
175  * Gets a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
176  *
177  * @param name Required. The resource name of the service account key in the
178  * following format:
179  * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
180  * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
181  * the account. The `ACCOUNT` value can be the `email` address or the
182  * `unique_id` of the service account.
183  * @param public_key_type The output format of the public key requested.
184  * X509_PEM is the default output format.
185  * @return
186  * [google::iam::admin::v1::ServiceAccountKey](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L741)
187  */
188  StatusOr<google::iam::admin::v1::ServiceAccountKey> GetServiceAccountKey(
189  std::string const& name,
190  google::iam::admin::v1::ServiceAccountPublicKeyType public_key_type);
191 
192  /**
193  * Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
194  *
195  * @param name Required. The resource name of the service account in the
196  * following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using
197  * `-` as a wildcard for the `PROJECT_ID` will infer the project from the
198  * account. The `ACCOUNT` value can be the `email` address or the `unique_id`
199  * of the service account.
200  * @param private_key_type The output format of the private key. The default
201  * value is `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials
202  * File format.
203  * @param key_algorithm Which type of key and algorithm to use for the key.
204  * The default is currently a 2K RSA key. However, this may change in the
205  * future.
206  * @return
207  * [google::iam::admin::v1::ServiceAccountKey](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L741)
208  */
// Security note: this call asks the service for a private key (see
// `private_key_type` above), so handle the result as a credential: keep it
// out of logs and error messages and store it only where secrets belong.
// The documented default algorithm may change, so pass `key_algorithm`
// explicitly when a particular key type is required.
// NOTE(review): which field of ServiceAccountKey carries the private key is
// not visible in this header; confirm against iam.proto.
209  StatusOr<google::iam::admin::v1::ServiceAccountKey> CreateServiceAccountKey(
210  std::string const& name,
211  google::iam::admin::v1::ServiceAccountPrivateKeyType private_key_type,
212  google::iam::admin::v1::ServiceAccountKeyAlgorithm key_algorithm);
213 
214  /**
215  * Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
216  * Deleting a service account key does not revoke short-lived credentials that
217  * have been issued based on the service account key.
218  *
219  * @param name Required. The resource name of the service account key in the
220  * following format:
221  * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
222  * Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
223  * the account. The `ACCOUNT` value can be the `email` address or the
224  * `unique_id` of the service account.
225  */
// Security note: as documented above, short-lived credentials already issued
// from the key are not revoked by this call, so deleting a key does not by
// itself end access obtained with it. DisableServiceAccount is documented in
// this header as rejecting the account's existing access tokens.
226  Status DeleteServiceAccountKey(std::string const& name);
227 
228  /**
229  * Gets the IAM policy that is attached to a
230  * [ServiceAccount][google.iam.admin.v1.ServiceAccount]. This IAM policy
231  * specifies which members have access to the service account.
232  *
233  * This method does not tell you whether the service account has been granted
234  * any roles on other resources. To check whether a service account has role
235  * grants on a resource, use the `getIamPolicy` method for that resource. For
236  * example, to view the role grants for a project, call the Resource Manager
237  * API's
238  * [`projects.getIamPolicy`](https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy)
239  * method.
240  *
241  * @param resource REQUIRED: The resource for which the policy is being
242  * requested. See the operation documentation for the appropriate value for
243  * this field.
244  * @return
245  * [google::iam::v1::Policy](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/v1/policy.proto#L88)
246  */
247  StatusOr<google::iam::v1::Policy> GetIamPolicy(std::string const& resource);
248 
249  /**
250  * Sets the IAM policy that is attached to a
251  * [ServiceAccount][google.iam.admin.v1.ServiceAccount].
252  *
253  * Use this method to grant or revoke access to the service account. For
254  * example, you could grant a member the ability to impersonate the service
255  * account.
256  *
257  * This method does not enable the service account to access other resources.
258  * To grant roles to a service account on a resource, follow these steps:
259  *
260  * 1. Call the resource's `getIamPolicy` method to get its current IAM policy.
261  * 2. Edit the policy so that it binds the service account to an IAM role for
262  * the resource.
263  * 3. Call the resource's `setIamPolicy` method to update its IAM policy.
264  *
265  * For detailed instructions, see
266  * [Granting roles to a service account for specific
267  * resources](https://cloud.google.com/iam/help/service-accounts/granting-access-to-service-accounts).
268  *
269  * @param resource REQUIRED: The resource for which the policy is being
270  * specified. See the operation documentation for the appropriate value for
271  * this field.
272  * @param policy REQUIRED: The complete policy to be applied to the
273  * `resource`. The size of the policy is limited to a few tens of KB. An
274  * empty policy is a valid policy, but certain Cloud Platform services (such
275  * as Projects) might reject it.
276  * @return
277  * [google::iam::v1::Policy](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/v1/policy.proto#L88)
278  */
// Security note: `policy` is documented as the complete policy for
// `resource`, so anything left out of it is presumably dropped rather than
// merged. Start from the policy returned by GetIamPolicy instead of building
// one from scratch.
// NOTE(review): whether an etag on `policy` is enforced for this overload is
// not stated here; the IamUpdater overload documents the etag behaviour.
279  StatusOr<google::iam::v1::Policy> SetIamPolicy(
280  std::string const& resource, google::iam::v1::Policy const& policy);
281 
282  /**
283  * Updates the IAM policy for @p resource using an optimistic concurrency
284  * control loop.
285  *
286  * The loop fetches the current policy for @p resource, and passes it to @p
287  * updater, which should return the new policy. This new policy should use the
288  * current etag so that the read-modify-write cycle can detect races and rerun
289  * the update when there is a mismatch. If the new policy does not have an
290  * etag, the existing policy will be blindly overwritten. If @p updater does
291  * not yield a policy, the control loop is terminated and kCancelled is
292  * returned.
293  *
294  * @param resource Required. The resource for which the policy is being
295  * specified. See the operation documentation for the appropriate value for
296  * this field.
297  * @param updater Required. Functor to map the current policy to a new one.
298  * @param options Optional. Options to control the loop. Expected options
299  * are:
300  * - `IAMBackoffPolicyOption`
301  * @return google::iam::v1::Policy
302  */
// Security note: the updater should return the policy it was given, modified,
// so that the etag fetched by the loop is kept. A policy returned without an
// etag is written unconditionally (see above), which can silently discard a
// concurrent change such as another caller's revocation.
303  StatusOr<google::iam::v1::Policy> SetIamPolicy(std::string const& resource,
304  IamUpdater const& updater,
305  Options options = {});
306 
307  /**
308  * Tests whether the caller has the specified permissions on a
309  * [ServiceAccount][google.iam.admin.v1.ServiceAccount].
310  *
311  * @param resource REQUIRED: The resource for which the policy detail is
312  * being requested. See the operation documentation for the appropriate value
313  * for this field.
314  * @param permissions The set of permissions to check for the `resource`.
315  * Permissions with wildcards (such as '*' or 'storage.*') are not allowed.
316  * For more information see [IAM
317  * Overview](https://cloud.google.com/iam/docs/overview#permissions).
318  * @return
319  * [google::iam::v1::TestIamPermissionsResponse](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/v1/iam_policy.proto#L141)
320  */
321  StatusOr<google::iam::v1::TestIamPermissionsResponse> TestIamPermissions(
322  std::string const& resource, std::vector<std::string> const& permissions);
323 
324  /**
325  * Lists roles that can be granted on a Google Cloud resource. A role is
326  * grantable if the IAM policy for the resource can contain bindings to the
327  * role.
328  *
329  * @param full_resource_name Required. The full resource name to query from
330  * the list of grantable roles. The name follows the Google Cloud Platform
331  * resource format. For example, a Cloud Platform project with id `my-project`
332  * will be named
333  * `//cloudresourcemanager.googleapis.com/projects/my-project`.
334  */
335  StreamRange<google::iam::admin::v1::Role> QueryGrantableRoles(
336  std::string const& full_resource_name);
337 
338  /**
339  * Lists every [ServiceAccount][google.iam.admin.v1.ServiceAccount] that
340  * belongs to a specific project.
341  *
342  * @param request
343  * [google::iam::admin::v1::ListServiceAccountsRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L544)
344  */
345  StreamRange<google::iam::admin::v1::ServiceAccount> ListServiceAccounts(
346  google::iam::admin::v1::ListServiceAccountsRequest request);
347 
348  /**
349  * Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
350  *
351  * @param request
352  * [google::iam::admin::v1::GetServiceAccountRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L579)
353  * @return
354  * [google::iam::admin::v1::ServiceAccount](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L461)
355  */
356  StatusOr<google::iam::admin::v1::ServiceAccount> GetServiceAccount(
357  google::iam::admin::v1::GetServiceAccountRequest const& request);
358 
359  /**
360  * Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
361  *
362  * @param request
363  * [google::iam::admin::v1::CreateServiceAccountRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L521)
364  * @return
365  * [google::iam::admin::v1::ServiceAccount](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L461)
366  */
367  StatusOr<google::iam::admin::v1::ServiceAccount> CreateServiceAccount(
368  google::iam::admin::v1::CreateServiceAccountRequest const& request);
369 
370  /**
371  * Patches a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
372  *
373  * @param request
374  * [google::iam::admin::v1::PatchServiceAccountRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L616)
375  * @return
376  * [google::iam::admin::v1::ServiceAccount](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L461)
377  */
378  StatusOr<google::iam::admin::v1::ServiceAccount> PatchServiceAccount(
379  google::iam::admin::v1::PatchServiceAccountRequest const& request);
380 
381  /**
382  * Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
383  *
384  * **Warning:** After you delete a service account, you might not be able to
385  * undelete it. If you know that you need to re-enable the service account in
386  * the future, use
387  * [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount]
388  * instead.
389  *
390  * If you delete a service account, IAM permanently removes the service
391  * account 30 days later. Google Cloud cannot recover the service account
392  * after it is permanently removed, even if you file a support request.
393  *
394  * To help avoid unplanned outages, we recommend that you disable the service
395  * account before you delete it. Use
396  * [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] to
397  * disable the service account, then wait at least 24 hours and watch for
398  * unintended consequences. If there are no unintended consequences, you can
399  * delete the service account.
400  *
401  * @param request
402  * [google::iam::admin::v1::DeleteServiceAccountRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L594)
403  */
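// Request-object overload; the outcome is reported through the returned
// Status.
Status DeleteServiceAccount(
    google::iam::admin::v1::DeleteServiceAccountRequest const& request);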
406 
407  /**
408  * Restores a deleted [ServiceAccount][google.iam.admin.v1.ServiceAccount].
409  *
410  * **Important:** It is not always possible to restore a deleted service
411  * account. Use this method only as a last resort.
412  *
413  * After you delete a service account, IAM permanently removes the service
414  * account 30 days later. There is no way to restore a deleted service account
415  * that has been permanently removed.
416  *
417  * @param request
418  * [google::iam::admin::v1::UndeleteServiceAccountRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L623)
419  * @return
420  * [google::iam::admin::v1::UndeleteServiceAccountResponse](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L631)
421  */
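// Request-object overload. The result is a StatusOr, so check it for an
// error before reading the response; restoring is documented above as not
// always possible.
StatusOr<google::iam::admin::v1::UndeleteServiceAccountResponse>
UndeleteServiceAccount(
    google::iam::admin::v1::UndeleteServiceAccountRequest const& request);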
425 
426  /**
427  * Enables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] that was
428  * disabled by
429  * [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount].
430  *
431  * If the service account is already enabled, then this method has no effect.
432  *
433  * If the service account was disabled by other means—for example, if Google
434  * disabled the service account because it was compromised—you cannot use this
435  * method to enable the service account.
436  *
437  * @param request
438  * [google::iam::admin::v1::EnableServiceAccountRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L637)
439  */
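// Request-object overload; the outcome is reported through the returned
// Status.
Status EnableServiceAccount(
    google::iam::admin::v1::EnableServiceAccountRequest const& request);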
442 
443  /**
444  * Disables a [ServiceAccount][google.iam.admin.v1.ServiceAccount]
445  * immediately.
446  *
447  * If an application uses the service account to authenticate, that
448  * application can no longer call Google APIs or access Google Cloud
449  * resources. Existing access tokens for the service account are rejected, and
450  * requests for new access tokens will fail.
451  *
452  * To re-enable the service account, use
453  * [EnableServiceAccount][google.iam.admin.v1.IAM.EnableServiceAccount]. After
454  * you re-enable the service account, its existing access tokens will be
455  * accepted, and you can request new access tokens.
456  *
457  * To help avoid unplanned outages, we recommend that you disable the service
458  * account before you delete it. Use this method to disable the service
459  * account, then wait at least 24 hours and watch for unintended consequences.
460  * If there are no unintended consequences, you can delete the service account
461  * with [DeleteServiceAccount][google.iam.admin.v1.IAM.DeleteServiceAccount].
462  *
463  * @param request
464  * [google::iam::admin::v1::DisableServiceAccountRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L647)
465  */
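// Request-object overload; the outcome is reported through the returned
// Status. Per the description above, a successful call causes the account's
// existing access tokens to be rejected and new token requests to fail.
Status DisableServiceAccount(
    google::iam::admin::v1::DisableServiceAccountRequest const& request);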
468 
469  /**
470  * Lists every [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] for
471  * a service account.
472  *
473  * @param request
474  * [google::iam::admin::v1::ListServiceAccountKeysRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L657)
475  * @return
476  * [google::iam::admin::v1::ListServiceAccountKeysResponse](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L692)
477  */
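// Request-object overload. The result is a StatusOr, so check it for an
// error before reading the response.
StatusOr<google::iam::admin::v1::ListServiceAccountKeysResponse>
ListServiceAccountKeys(
    google::iam::admin::v1::ListServiceAccountKeysRequest const& request);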
481 
482  /**
483  * Gets a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
484  *
485  * @param request
486  * [google::iam::admin::v1::GetServiceAccountKeyRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L698)
487  * @return
488  * [google::iam::admin::v1::ServiceAccountKey](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L741)
489  */
490  StatusOr<google::iam::admin::v1::ServiceAccountKey> GetServiceAccountKey(
491  google::iam::admin::v1::GetServiceAccountKeyRequest const& request);
492 
493  /**
494  * Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
495  *
496  * @param request
497  * [google::iam::admin::v1::CreateServiceAccountKeyRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L791)
498  * @return
499  * [google::iam::admin::v1::ServiceAccountKey](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L741)
500  */
// Security note: key creation produces a private key (the string overload
// documents `private_key_type` as its output format), so handle the returned
// key as a credential: keep it out of logs and error messages and store it
// only where secrets belong.
// NOTE(review): which field of ServiceAccountKey carries the private key is
// not visible in this header; confirm against iam.proto.
501  StatusOr<google::iam::admin::v1::ServiceAccountKey> CreateServiceAccountKey(
502  google::iam::admin::v1::CreateServiceAccountKeyRequest const& request);
503 
504  /**
505  * Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey], using
506  * a public key that you provide.
507  *
508  * @param request
509  * [google::iam::admin::v1::UploadServiceAccountKeyRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L816)
510  * @return
511  * [google::iam::admin::v1::ServiceAccountKey](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L741)
512  */
// NOTE(review): the description says the caller provides a public key;
// presumably the matching private key never leaves the caller. Confirm
// against UploadServiceAccountKeyRequest in iam.proto.
513  StatusOr<google::iam::admin::v1::ServiceAccountKey> UploadServiceAccountKey(
514  google::iam::admin::v1::UploadServiceAccountKeyRequest const& request);
515 
516  /**
517  * Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
518  * Deleting a service account key does not revoke short-lived credentials that
519  * have been issued based on the service account key.
520  *
521  * @param request
522  * [google::iam::admin::v1::DeleteServiceAccountKeyRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L832)
523  */
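// Request-object overload; the outcome is reported through the returned
// Status.
// Security note: as documented above, short-lived credentials already issued
// from the key are not revoked, so deleting a key does not by itself end
// access obtained with it. DisableServiceAccount is documented in this header
// as rejecting the account's existing access tokens.
Status DeleteServiceAccountKey(
    google::iam::admin::v1::DeleteServiceAccountKeyRequest const& request);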
526 
527  /**
528  * Gets the IAM policy that is attached to a
529  * [ServiceAccount][google.iam.admin.v1.ServiceAccount]. This IAM policy
530  * specifies which members have access to the service account.
531  *
532  * This method does not tell you whether the service account has been granted
533  * any roles on other resources. To check whether a service account has role
534  * grants on a resource, use the `getIamPolicy` method for that resource. For
535  * example, to view the role grants for a project, call the Resource Manager
536  * API's
537  * [`projects.getIamPolicy`](https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy)
538  * method.
539  *
540  * @param request
541  * [google::iam::v1::GetIamPolicyRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/v1/iam_policy.proto#L113)
542  * @return
543  * [google::iam::v1::Policy](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/v1/policy.proto#L88)
544  */
545  StatusOr<google::iam::v1::Policy> GetIamPolicy(
546  google::iam::v1::GetIamPolicyRequest const& request);
547 
548  /**
549  * Sets the IAM policy that is attached to a
550  * [ServiceAccount][google.iam.admin.v1.ServiceAccount].
551  *
552  * Use this method to grant or revoke access to the service account. For
553  * example, you could grant a member the ability to impersonate the service
554  * account.
555  *
556  * This method does not enable the service account to access other resources.
557  * To grant roles to a service account on a resource, follow these steps:
558  *
559  * 1. Call the resource's `getIamPolicy` method to get its current IAM policy.
560  * 2. Edit the policy so that it binds the service account to an IAM role for
561  * the resource.
562  * 3. Call the resource's `setIamPolicy` method to update its IAM policy.
563  *
564  * For detailed instructions, see
565  * [Granting roles to a service account for specific
566  * resources](https://cloud.google.com/iam/help/service-accounts/granting-access-to-service-accounts).
567  *
568  * @param request
569  * [google::iam::v1::SetIamPolicyRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/v1/iam_policy.proto#L98)
570  * @return
571  * [google::iam::v1::Policy](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/v1/policy.proto#L88)
572  */
// NOTE(review): no read-modify-write loop is documented for this overload,
// unlike the IamUpdater overload. Callers presumably need to fetch the
// current policy with GetIamPolicy and carry its etag in the request
// themselves so a concurrent change is not overwritten; confirm against
// SetIamPolicyRequest.
573  StatusOr<google::iam::v1::Policy> SetIamPolicy(
574  google::iam::v1::SetIamPolicyRequest const& request);
575 
576  /**
577  * Tests whether the caller has the specified permissions on a
578  * [ServiceAccount][google.iam.admin.v1.ServiceAccount].
579  *
580  * @param request
581  * [google::iam::v1::TestIamPermissionsRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/v1/iam_policy.proto#L126)
582  * @return
583  * [google::iam::v1::TestIamPermissionsResponse](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/v1/iam_policy.proto#L141)
584  */
585  StatusOr<google::iam::v1::TestIamPermissionsResponse> TestIamPermissions(
586  google::iam::v1::TestIamPermissionsRequest const& request);
587 
588  /**
589  * Lists roles that can be granted on a Google Cloud resource. A role is
590  * grantable if the IAM policy for the resource can contain bindings to the
591  * role.
592  *
593  * @param request
594  * [google::iam::admin::v1::QueryGrantableRolesRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1062)
595  */
596  StreamRange<google::iam::admin::v1::Role> QueryGrantableRoles(
597  google::iam::admin::v1::QueryGrantableRolesRequest request);
598 
599  /**
600  * Lists every predefined [Role][google.iam.admin.v1.Role] that IAM supports,
601  * or every custom role that is defined for an organization or project.
602  *
603  * @param request
604  * [google::iam::admin::v1::ListRolesRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1093)
605  */
606  StreamRange<google::iam::admin::v1::Role> ListRoles(
607  google::iam::admin::v1::ListRolesRequest request);
608 
609  /**
610  * Gets the definition of a [Role][google.iam.admin.v1.Role].
611  *
612  * @param request
613  * [google::iam::admin::v1::GetRoleRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1152)
614  * @return
615  * [google::iam::admin::v1::Role](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1004)
616  */
617  StatusOr<google::iam::admin::v1::Role> GetRole(
618  google::iam::admin::v1::GetRoleRequest const& request);
619 
620  /**
621  * Creates a new custom [Role][google.iam.admin.v1.Role].
622  *
623  * @param request
624  * [google::iam::admin::v1::CreateRoleRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1184)
625  * @return
626  * [google::iam::admin::v1::Role](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1004)
627  */
628  StatusOr<google::iam::admin::v1::Role> CreateRole(
629  google::iam::admin::v1::CreateRoleRequest const& request);
630 
631  /**
632  * Updates the definition of a custom [Role][google.iam.admin.v1.Role].
633  *
     * NOTE(review): a change to the permissions of a custom role presumably
     * applies to every existing binding to that role, so review those bindings
     * before widening a role. The request is expected to carry an update mask,
     * and the Role an etag that guards against concurrent edits; confirm both
     * against the proto linked below.
     *
634  * @param request
635  * [google::iam::admin::v1::UpdateRoleRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1219)
636  * @return
637  * [google::iam::admin::v1::Role](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1004)
     * wrapped in a StatusOr; check that it holds a value before assuming the
     * update was applied.
638  */
639  StatusOr<google::iam::admin::v1::Role> UpdateRole(
640  google::iam::admin::v1::UpdateRoleRequest const& request);
641 
642  /**
643  * Deletes a custom [Role][google.iam.admin.v1.Role].
644  *
645  * When you delete a custom role, the following changes occur immediately:
646  *
647  * * You cannot bind a member to the custom role in an IAM
648  * [Policy][google.iam.v1.Policy].
649  * * Existing bindings to the custom role are not changed, but they have no
650  * effect.
651  * * By default, the response from
652  * [ListRoles][google.iam.admin.v1.IAM.ListRoles] does not include the custom
653  * role.
654  *
655  * You have 7 days to undelete the custom role. After 7 days, the following
656  * changes occur:
657  *
658  * * The custom role is permanently deleted and cannot be recovered.
659  * * If an IAM policy contains a binding to the custom role, the binding is
660  * permanently removed.
661  *
     * Because bindings are only removed once the 7 days have passed, they stay
     * in IAM policies during that window. Presumably they take effect again if
     * the role is undeleted, so remove the bindings explicitly when the intent
     * is to revoke access for good (TODO confirm against the IAM documentation).
     *
662  * @param request
663  * [google::iam::admin::v1::DeleteRoleRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1250)
664  * @return
665  * [google::iam::admin::v1::Role](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1004)
     * wrapped in a StatusOr; check that it holds a value before assuming the
     * role was deleted.
666  */
667  StatusOr<google::iam::admin::v1::Role> DeleteRole(
668  google::iam::admin::v1::DeleteRoleRequest const& request);
669 
670  /**
671  * Undeletes a custom [Role][google.iam.admin.v1.Role].
672  *
     * Per the DeleteRole documentation in this file, a custom role can be
     * undeleted for 7 days after it was deleted, and the delete leaves existing
     * bindings to the role in place without effect. Presumably those bindings
     * take effect again once the role is undeleted, so review them before
     * calling this (TODO confirm against the IAM documentation).
     *
673  * @param request
674  * [google::iam::admin::v1::UndeleteRoleRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1278)
675  * @return
676  * [google::iam::admin::v1::Role](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1004)
     * wrapped in a StatusOr; check that it holds a value before assuming the
     * role was restored.
677  */
678  StatusOr<google::iam::admin::v1::Role> UndeleteRole(
679  google::iam::admin::v1::UndeleteRoleRequest const& request);
680 
681  /**
682  * Lists every permission that you can test on a resource. A permission is
683  * testable if you can check whether a member has that permission on the
684  * resource.
685  *
     * NOTE(review): StreamRange is declared outside this listing. Its elements
     * are expected to carry a per-item status, so check each element while
     * iterating rather than treating a partial listing as complete; confirm
     * against the StreamRange header.
     *
686  * @param request
687  * [google::iam::admin::v1::QueryTestablePermissionsRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1361)
688  */
689  StreamRange<google::iam::admin::v1::Permission> QueryTestablePermissions(
690  google::iam::admin::v1::QueryTestablePermissionsRequest request);
691 
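692  /**
693  * Returns a list of services that allow you to opt into audit logs that are
694  * not generated by default.
695  *
696  * To learn more about audit logs, see the [Logging
697  * documentation](https://cloud.google.com/logging/docs/audit).
698  *
699  * @param request
700  * [google::iam::admin::v1::QueryAuditableServicesRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1391)
701  * @return
702  * [google::iam::admin::v1::QueryAuditableServicesResponse](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1402)
     * wrapped in a StatusOr; check that it holds a value before reading the
     * list of services.
703  */
704  StatusOr<google::iam::admin::v1::QueryAuditableServicesResponse>
705  QueryAuditableServices(
706  google::iam::admin::v1::QueryAuditableServicesRequest const& request);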
707 
708  /**
709  * Lints, or validates, an IAM policy. Currently checks the
710  * [google.iam.v1.Binding.condition][google.iam.v1.Binding.condition] field,
711  * which contains a condition expression for a role binding.
712  *
713  * Successful calls to this method always return an HTTP `200 OK` status code,
714  * even if the linter detects an issue in the IAM policy.
715  *
     * A returned StatusOr that holds a value therefore does not mean the policy
     * passed the linter. Inspect the lint results in the response (presumably
     * the `lint_results` field; confirm against the proto linked below) before
     * treating the policy as valid, for example in a pre-deployment check.
     *
716  * @param request
717  * [google::iam::admin::v1::LintPolicyRequest](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1415)
718  * @return
719  * [google::iam::admin::v1::LintPolicyResponse](https://github.com/googleapis/googleapis/blob/ed739492993c4a99629b6430affdd6c0fb59d435/google/iam/admin/v1/iam.proto#L1513)
720  */
721  StatusOr<google::iam::admin::v1::LintPolicyResponse> LintPolicy(
722  google::iam::admin::v1::LintPolicyRequest const& request);
723 
724  private:
725  std::shared_ptr<IAMConnection> connection_;  // Shared ownership of the IAMConnection; presumably the RPC methods above delegate to it (their definitions are not in this header).
726 };
727 
728 } // namespace GOOGLE_CLOUD_CPP_GENERATED_NS
729 } // namespace iam
730 } // namespace cloud
731 } // namespace google
732 
733 #endif // GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_IAM_IAM_CLIENT_H