Namespace Google.Apis.Iam.v1

Classes

IamBaseServiceRequest<TResponse>

A base abstract class for Iam requests.

IamPoliciesResource

The "iamPolicies" collection of methods.

IamPoliciesResource.LintPolicyRequest

Lints a Cloud IAM policy object or its sub fields. Currently supports google.iam.v1.Policy, google.iam.v1.Binding and google.iam.v1.Binding.condition.

Each lint operation consists of multiple lint validation units. Validation units have the following properties:

Each unit inspects the input object in regard to a particular linting aspect and issues a google.iam.admin.v1.LintResult disclosing the result. - Domain of discourse of each unit can be either google.iam.v1.Policy, google.iam.v1.Binding, or google.iam.v1.Binding.condition depending on the purpose of the validation. - A unit may require additional data (like the list of all possible enumerable values of a particular attribute used in the policy instance) which shall be provided by the caller. Refer to the comments of google.iam.admin.v1.LintPolicyRequest.context for more details.

The set of applicable validation units is determined by the Cloud IAM server and is not configurable.

Regardless of any lint issues or their severities, successful calls to lintPolicy return an HTTP 200 OK status code.

IamPoliciesResource.QueryAuditableServicesRequest

Returns a list of services that support service level audit logging configuration for the given resource.

IamService.Scope

Available OAuth 2.0 scopes for use with the Identity and Access Management (IAM) API.

IamService.ScopeConstants

Available OAuth 2.0 scope constants for use with the Identity and Access Management (IAM) API.

OrganizationsResource

The "organizations" collection of methods.

OrganizationsResource.RolesResource

The "roles" collection of methods.

OrganizationsResource.RolesResource.CreateRequest

Creates a new Role.

OrganizationsResource.RolesResource.DeleteRequest

Soft deletes a role. The role is suspended and cannot be used to create new IAM Policy Bindings. The Role will not be included in ListRoles() unless show_deleted is set in the ListRolesRequest. The Role contains the deleted boolean set. Existing Bindings remains, but are inactive. The Role can be undeleted within 7 days. After 7 days the Role is deleted and all Bindings associated with the role are removed.

OrganizationsResource.RolesResource.GetRequest

Gets a Role definition.

OrganizationsResource.RolesResource.ListRequest

Lists the Roles defined on a resource.

OrganizationsResource.RolesResource.PatchRequest

Updates a Role definition.

OrganizationsResource.RolesResource.UndeleteRequest

Undelete a Role, bringing it back in its previous state.

PermissionsResource

The "permissions" collection of methods.

PermissionsResource.QueryTestablePermissionsRequest

Lists the permissions testable on a resource. A permission is testable if it can be tested for an identity on a resource.

ProjectsResource

The "projects" collection of methods.

ProjectsResource.RolesResource

The "roles" collection of methods.

ProjectsResource.RolesResource.CreateRequest

Creates a new Role.

ProjectsResource.RolesResource.DeleteRequest

ProjectsResource.RolesResource.GetRequest

Gets a Role definition.

ProjectsResource.RolesResource.ListRequest

Lists the Roles defined on a resource.

ProjectsResource.RolesResource.PatchRequest

Updates a Role definition.

ProjectsResource.RolesResource.UndeleteRequest

Undelete a Role, bringing it back in its previous state.

ProjectsResource.ServiceAccountsResource

The "serviceAccounts" collection of methods.

ProjectsResource.ServiceAccountsResource.CreateRequest

Creates a ServiceAccount and returns it.

ProjectsResource.ServiceAccountsResource.DeleteRequest

Deletes a ServiceAccount.

ProjectsResource.ServiceAccountsResource.DisableRequest

DisableServiceAccount is currently in the alpha launch stage.

Disables a ServiceAccount, which immediately prevents the service account from authenticating and gaining access to APIs.

Disabled service accounts can be safely restored by using EnableServiceAccount at any point. Deleted service accounts cannot be restored using this method.

Disabling a service account that is bound to VMs, Apps, Functions, or other jobs will cause those jobs to lose access to resources if they are using the disabled service account.

To improve reliability of your services and avoid unexpected outages, it is recommended to first disable a service account rather than delete it. After disabling the service account, wait at least 24 hours to verify there are no unintended consequences, and then delete the service account.

ProjectsResource.ServiceAccountsResource.EnableRequest

EnableServiceAccount is currently in the alpha launch stage.

Restores a disabled ServiceAccount that has been manually disabled by using DisableServiceAccount. Service accounts that have been disabled by other means or for other reasons, such as abuse, cannot be restored using this method.

EnableServiceAccount will have no effect on a service account that is not disabled. Enabling an already enabled service account will have no effect.

ProjectsResource.ServiceAccountsResource.GetIamPolicyRequest

Returns the Cloud IAM access control policy for a ServiceAccount.

Note: Service accounts are both [resources and identities](/iam/docs/service- accounts#service_account_permissions). This method treats the service account as a resource. It returns the Cloud IAM policy that reflects what members have access to the service account.

This method does not return what resources the service account has access to. To see if a service account has access to a resource, call the getIamPolicy method on the target resource. For example, to view grants for a project, call the [projects.getIamPolicy](/resource- manager/reference/rest/v1/projects/getIamPolicy) method.

ProjectsResource.ServiceAccountsResource.GetRequest

Gets a ServiceAccount.

ProjectsResource.ServiceAccountsResource.KeysResource

The "keys" collection of methods.

ProjectsResource.ServiceAccountsResource.KeysResource.CreateRequest

Creates a ServiceAccountKey and returns it.

ProjectsResource.ServiceAccountsResource.KeysResource.DeleteRequest

Deletes a ServiceAccountKey.

ProjectsResource.ServiceAccountsResource.KeysResource.GetRequest

Gets the ServiceAccountKey by key id.

ProjectsResource.ServiceAccountsResource.KeysResource.ListRequest

Lists ServiceAccountKeys.

ProjectsResource.ServiceAccountsResource.KeysResource.UploadRequest

Upload public key for a given service account. This rpc will create a ServiceAccountKey that has the provided public key and returns it.

ProjectsResource.ServiceAccountsResource.ListRequest

Lists ServiceAccounts for a project.

ProjectsResource.ServiceAccountsResource.PatchRequest

Patches a ServiceAccount.

Currently, only the following fields are updatable: display_name and description.

Only fields specified in the request are guaranteed to be returned in the response. Other fields in the response may be empty.

Note: The field mask is required.

ProjectsResource.ServiceAccountsResource.SetIamPolicyRequest

Sets the Cloud IAM access control policy for a ServiceAccount.

Note: Service accounts are both [resources and identities](/iam/docs/service- accounts#service_account_permissions). This method treats the service account as a resource. Use it to grant members access to the service account, such as when they need to impersonate it.

This method does not grant the service account access to other resources, such as projects. To grant a service account access to resources, include the service account in the Cloud IAM policy for the desired resource, then call the appropriate setIamPolicy method on the target resource. For example, to grant a service account access to a project, call the [projects.setIamPolicy](/resource- manager/reference/rest/v1/projects/setIamPolicy) method.

ProjectsResource.ServiceAccountsResource.SignBlobRequest

Note: This method is in the process of being deprecated. Call the signBlob() method of the Cloud IAM Service Account Credentials API instead.

Signs a blob using a service account's system-managed private key.

ProjectsResource.ServiceAccountsResource.SignJwtRequest

Note: This method is in the process of being deprecated. Call the signJwt() method of the Cloud IAM Service Account Credentials API instead.

Signs a JWT using a service account's system-managed private key.

If no expiry time (exp) is provided in the SignJwtRequest, IAM sets an an expiry time of one hour by default. If you request an expiry time of more than one hour, the request will fail.

ProjectsResource.ServiceAccountsResource.TestIamPermissionsRequest

Tests the specified permissions against the IAM access control policy for a ServiceAccount.

ProjectsResource.ServiceAccountsResource.UndeleteRequest

Restores a deleted ServiceAccount. This is to be used as an action of last resort. A service account may not always be restorable.

ProjectsResource.ServiceAccountsResource.UpdateRequest

Note: This method is in the process of being deprecated. Use PatchServiceAccount instead.

Updates a ServiceAccount.

Currently, only the following fields are updatable: display_name and description.

RolesResource

The "roles" collection of methods.

RolesResource.GetRequest

Gets a Role definition.

RolesResource.ListRequest

Lists the Roles defined on a resource.

RolesResource.QueryGrantableRolesRequest

Queries roles that can be granted on a particular resource. A role is grantable if it can be used as the role in a binding for a policy for that resource.

Enums

IamBaseServiceRequest<TResponse>.AltEnum

Data format for response.

IamBaseServiceRequest<TResponse>.XgafvEnum

V1 error format.

OrganizationsResource.RolesResource.ListRequest.ViewEnum

Optional view for the returned Role objects. When FULL is specified, the includedPermissions field is returned, which includes a list of all permissions in the role. The default value is BASIC, which does not return the includedPermissions field.