As of January 1, 2020 this library no longer supports Python 2 on the latest released version. Library versions released prior to that date will continue to be available. For more information please visit Python 2 support on Google Cloud.

Types for Google Cloud Iam Admin v1 API

class google.cloud.iam_admin_v1.types.AuditData(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

Audit log information specific to Cloud IAM admin APIs. This message is serialized as an Any type in the ServiceData message of an AuditLog message.

permission_delta

The permission_delta recorded when creating or updating a Role.

Type

google.cloud.iam_admin_v1.types.AuditData.PermissionDelta

class PermissionDelta(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

A PermissionDelta message to record the added_permissions and removed_permissions inside a role.

added_permissions

Added permissions.

Type

MutableSequence[str]

removed_permissions

Removed permissions.

Type

MutableSequence[str]

class google.cloud.iam_admin_v1.types.CreateRoleRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The request to create a new role.

parent

The parent parameter’s value depends on the target resource for the request, namely projects (https://cloud.google.com/iam/reference/rest/v1/projects.roles) or organizations (https://cloud.google.com/iam/reference/rest/v1/organizations.roles). Each resource type’s parent value format is described below:

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Type

str

role_id

The role ID to use for this role.

A role ID may contain alphanumeric characters, underscores (_), and periods (.). It must contain a minimum of 3 characters and a maximum of 64 characters.

Type

str

role

The Role resource to create.

Type

google.cloud.iam_admin_v1.types.Role

class google.cloud.iam_admin_v1.types.CreateServiceAccountKeyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account key create request.

name

Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Type

str

private_key_type

The output format of the private key. The default value is TYPE_GOOGLE_CREDENTIALS_FILE, which is the Google Credentials File format.

Type

google.cloud.iam_admin_v1.types.ServiceAccountPrivateKeyType

key_algorithm

Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However, this may change in the future.

Type

google.cloud.iam_admin_v1.types.ServiceAccountKeyAlgorithm

class google.cloud.iam_admin_v1.types.CreateServiceAccountRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account create request.

name

Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.

Type

str

account_id

Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression [a-z]([-a-z0-9]*[a-z0-9]) to comply with RFC1035.

Type

str

service_account

The ServiceAccount resource to create. Currently, only the following values are user assignable: display_name and description.

Type

google.cloud.iam_admin_v1.types.ServiceAccount
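An added example, not code from the library or this page: it checks the role_id rules from CreateRoleRequest and the account_id rules from CreateServiceAccountRequest (plus the display_name and description byte limits stated for ServiceAccount and Role) before a request body is built. The helper names and the plain-dict request shape are assumptions.

```python
from __future__ import annotations

import re

# role_id: alphanumeric characters, underscores and periods, 3..64 characters.
ROLE_ID_CHAR_RE = re.compile(r"[A-Za-z0-9_.]")
# account_id: 6..30 characters matching [a-z]([-a-z0-9]*[a-z0-9]) (RFC 1035 style).
ACCOUNT_ID_RE = re.compile(r"[a-z]([-a-z0-9]*[a-z0-9])")


def validate_role_id(role_id: str) -> list[str]:
    """Return the rule violations for a CreateRoleRequest.role_id (empty list = ok)."""
    problems: list[str] = []
    if not 3 <= len(role_id) <= 64:
        problems.append(f"length {len(role_id)} is outside 3..64")
    disallowed = sorted({c for c in role_id if not ROLE_ID_CHAR_RE.fullmatch(c)})
    if disallowed:
        problems.append("disallowed characters: " + repr("".join(disallowed)))
    return problems


def validate_account_id(account_id: str) -> list[str]:
    """Return the rule violations for a CreateServiceAccountRequest.account_id."""
    problems: list[str] = []
    if not 6 <= len(account_id) <= 30:
        problems.append(f"length {len(account_id)} is outside 6..30")
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        problems.append("does not match [a-z]([-a-z0-9]*[a-z0-9])")
    return problems


def _utf8_len(text: str) -> int:
    # The page states the limits in UTF-8 bytes, not characters.
    return len(text.encode("utf-8"))


def build_create_service_account_request(
    project_id: str, account_id: str, display_name: str = "", description: str = ""
) -> dict:
    """Assemble a CreateServiceAccountRequest-shaped dict, rejecting bad input first."""
    problems = [f"account_id: {p}" for p in validate_account_id(account_id)]
    if _utf8_len(display_name) > 100:
        problems.append("display_name exceeds 100 UTF-8 bytes")
    if _utf8_len(description) > 256:
        problems.append("description exceeds 256 UTF-8 bytes")
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "name": f"projects/{project_id}",
        "account_id": account_id,
        # Only display_name and description are user-assignable on create.
        "service_account": {"display_name": display_name, "description": description},
    }


def build_create_role_request(
    parent: str, role_id: str, title: str, included_permissions: list[str]
) -> dict:
    """Assemble a CreateRoleRequest-shaped dict; the Role name must be left unset."""
    problems = [f"role_id: {p}" for p in validate_role_id(role_id)]
    if _utf8_len(title) > 100:
        problems.append("title exceeds 100 UTF-8 bytes")
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "parent": parent,
        "role_id": role_id,
        "role": {"title": title, "included_permissions": list(included_permissions)},
    }


if __name__ == "__main__":
    print(build_create_service_account_request("my-project-123", "ci-deployer", "CI deployer"))
    print(build_create_role_request("projects/my-project-123", "custom.viewer_v2",
                                    "Custom viewer", ["iam.roles.get"]))
```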

class google.cloud.iam_admin_v1.types.DeleteRoleRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The request to delete an existing role.

name

The name parameter’s value depends on the target resource for the request, namely projects (https://cloud.google.com/iam/reference/rest/v1/projects.roles) or organizations (https://cloud.google.com/iam/reference/rest/v1/organizations.roles). Each resource type’s name value format is described below:

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Type

str

etag

Used to perform a consistent read-modify-write.

Type

bytes

class google.cloud.iam_admin_v1.types.DeleteServiceAccountKeyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account key delete request.

name

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Type

str

class google.cloud.iam_admin_v1.types.DeleteServiceAccountRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account delete request.

name

Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Type

str

class google.cloud.iam_admin_v1.types.DisableServiceAccountKeyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account key disable request.

name

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Type

str

class google.cloud.iam_admin_v1.types.DisableServiceAccountRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account disable request.

name

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Type

str

class google.cloud.iam_admin_v1.types.EnableServiceAccountKeyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account key enable request.

name

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Type

str

class google.cloud.iam_admin_v1.types.EnableServiceAccountRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account enable request.

name

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Type

str

class google.cloud.iam_admin_v1.types.GetRoleRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The request to get the definition of an existing role.

name

The name parameter’s value depends on the target resource for the request, namely roles (https://cloud.google.com/iam/reference/rest/v1/roles), projects (https://cloud.google.com/iam/reference/rest/v1/projects.roles), or organizations (https://cloud.google.com/iam/reference/rest/v1/organizations.roles). Each resource type’s name value format is described below:

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Type

str

class google.cloud.iam_admin_v1.types.GetServiceAccountKeyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account key get by id request.

name

Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Type

str

public_key_type

Optional. The output format of the public key. The default is TYPE_NONE, which means that the public key is not returned.

Type

google.cloud.iam_admin_v1.types.ServiceAccountPublicKeyType

class google.cloud.iam_admin_v1.types.GetServiceAccountRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account get request.

name

Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Type

str

class google.cloud.iam_admin_v1.types.LintPolicyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The request to lint a Cloud IAM policy object.

full_resource_name

The full resource name of the policy this lint request is about.

The name follows the Google Cloud Platform (GCP) resource format. For example, a GCP project with ID my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

The resource name is not used to read the policy instance from the Cloud IAM database. The candidate policy for lint has to be provided in the same request object.

Type

str

condition

google.iam.v1.Binding.condition object to be linted.

This field is a member of oneof lint_object.

Type

google.type.expr_pb2.Expr

class google.cloud.iam_admin_v1.types.LintPolicyResponse(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The response of a lint operation. An empty response indicates the operation was able to fully execute and no lint issue was found.

lint_results

List of lint results sorted by severity in descending order.

Type

MutableSequence[google.cloud.iam_admin_v1.types.LintResult]

class google.cloud.iam_admin_v1.types.LintResult(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

Structured response of a single validation unit.

level

The validation unit level.

Type

google.cloud.iam_admin_v1.types.LintResult.Level

validation_unit_name

The validation unit name, for instance “lintValidationUnits/ConditionComplexityCheck”.

Type

str

severity

The validation unit severity.

Type

google.cloud.iam_admin_v1.types.LintResult.Severity

field_name

The name of the field for which this lint result is about.

For nested messages field_name consists of names of the embedded fields separated by period character. The top-level qualifier is the input object to lint in the request. For example, the field_name value condition.expression identifies a lint result for the expression field of the provided condition.

Type

str

location_offset

0-based character position of problematic construct within the object identified by field_name. Currently, this is populated only for condition expression.

Type

int

debug_message

Human readable debug message associated with the issue.

Type

str

class Level(value)[source]

Bases: proto.enums.Enum

Possible Level values of a validation unit corresponding to its domain of discourse.

Values:
LEVEL_UNSPECIFIED (0):

Level is unspecified.

CONDITION (3):

A validation unit which operates on an individual condition within a binding.

class Severity(value)[source]

Bases: proto.enums.Enum

Possible Severity values of an issued result.

Values:
SEVERITY_UNSPECIFIED (0):

Severity is unspecified.

ERROR (1):

A validation unit returns an error only for critical issues. If an attempt is made to set the problematic policy without rectifying the critical issue, it causes the setPolicy operation to fail.

WARNING (2):

Any issue which is severe enough but does not cause an error. For example, suspicious constructs in the input object will not necessarily fail setPolicy, but there is a high likelihood that they won’t behave as expected during policy evaluation in checkPolicy. This includes the following common scenarios:

  • Unsatisfiable condition: Expired timestamp in date/time condition.

  • Ineffective condition: Condition on a <principal, role> pair which is granted unconditionally in another binding of the same policy.

NOTICE (3):

Reserved for the issues that are not severe as ERROR/WARNING, but need special handling. For instance, messages about skipped validation units are issued as NOTICE.

INFO (4):

Any informative statement which is not severe enough to raise ERROR/WARNING/NOTICE, like auto-correction recommendations on the input content. Note that current version of the linter does not utilize INFO.

DEPRECATED (5):

Deprecated severity level.

class google.cloud.iam_admin_v1.types.ListRolesRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The request to get all roles defined under a resource.

parent

The parent parameter’s value depends on the target resource for the request, namely roles (https://cloud.google.com/iam/reference/rest/v1/roles), projects (https://cloud.google.com/iam/reference/rest/v1/projects.roles), or organizations (https://cloud.google.com/iam/reference/rest/v1/organizations.roles). Each resource type’s parent value format is described below:

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Type

str

page_size

Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000.

Type

int

page_token

Optional pagination token returned in an earlier ListRolesResponse.

Type

str

view

Optional view for the returned Role objects. When FULL is specified, the includedPermissions field is returned, which includes a list of all permissions in the role. The default value is BASIC, which does not return the includedPermissions field.

Type

google.cloud.iam_admin_v1.types.RoleView

show_deleted

Include Roles that have been deleted.

Type

bool

class google.cloud.iam_admin_v1.types.ListRolesResponse(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The response containing the roles defined under a resource.

roles

The Roles defined on this resource.

Type

MutableSequence[google.cloud.iam_admin_v1.types.Role]

next_page_token

To retrieve the next page of results, set ListRolesRequest.page_token to this value.

Type

str

class google.cloud.iam_admin_v1.types.ListServiceAccountKeysRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account keys list request.

name

Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}.

Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Type

str

key_types

Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned.

Type

MutableSequence[google.cloud.iam_admin_v1.types.ListServiceAccountKeysRequest.KeyType]

class KeyType(value)[source]

Bases: proto.enums.Enum

KeyType filters to selectively retrieve certain varieties of keys.

Values:
KEY_TYPE_UNSPECIFIED (0):

Unspecified key type. The presence of this in the message will immediately result in an error.

USER_MANAGED (1):

User-managed keys (managed and rotated by the user).

SYSTEM_MANAGED (2):

System-managed keys (managed and rotated by Google).

class google.cloud.iam_admin_v1.types.ListServiceAccountKeysResponse(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account keys list response.

keys

The public keys for the service account.

Type

MutableSequence[google.cloud.iam_admin_v1.types.ServiceAccountKey]

class google.cloud.iam_admin_v1.types.ListServiceAccountsRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account list request.

name

Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.

Type

str

page_size

Optional limit on the number of service accounts to include in the response. Further accounts can be obtained by including the ListServiceAccountsResponse.next_page_token in a subsequent request.

The default is 20, and the maximum is 100.

Type

int

page_token

Optional pagination token returned in an earlier ListServiceAccountsResponse.next_page_token.

Type

str

class google.cloud.iam_admin_v1.types.ListServiceAccountsResponse(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account list response.

accounts

The list of matching service accounts.

Type

MutableSequence[google.cloud.iam_admin_v1.types.ServiceAccount]

next_page_token

To retrieve the next page of results, set ListServiceAccountsRequest.page_token to this value.

Type

str

class google.cloud.iam_admin_v1.types.PatchServiceAccountRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account patch request.

You can patch only the display_name and description fields. You must use the update_mask field to specify which of these fields you want to patch.

Only the fields specified in the request are guaranteed to be returned in the response. Other fields may be empty in the response.

service_account
Type

google.cloud.iam_admin_v1.types.ServiceAccount

update_mask
Type

google.protobuf.field_mask_pb2.FieldMask

class google.cloud.iam_admin_v1.types.Permission(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

A permission which can be included by a role.

name

The name of this Permission.

Type

str

title

The title of this Permission.

Type

str

description

A brief description of what this Permission is used for.

Type

str

only_in_predefined_roles

This permission can ONLY be used in predefined roles.

Type

bool

stage

The current launch stage of the permission.

Type

google.cloud.iam_admin_v1.types.Permission.PermissionLaunchStage

custom_roles_support_level

The current custom role support level.

Type

google.cloud.iam_admin_v1.types.Permission.CustomRolesSupportLevel

api_disabled

The service API associated with the permission is not enabled.

Type

bool

primary_permission

The preferred name for this permission. If present, then this permission is an alias of, and equivalent to, the listed primary_permission.

Type

str

class CustomRolesSupportLevel(value)[source]

Bases: proto.enums.Enum

The state of the permission with regards to custom roles.

Values:
SUPPORTED (0):

Default state. Permission is fully supported for custom role use.

TESTING (1):

Permission is being tested to check custom role compatibility.

NOT_SUPPORTED (2):

Permission is not supported for custom role use.

class PermissionLaunchStage(value)[source]

Bases: proto.enums.Enum

A stage representing a permission’s lifecycle phase.

Values:
ALPHA (0):

The permission is currently in an alpha phase.

BETA (1):

The permission is currently in a beta phase.

GA (2):

The permission is generally available.

DEPRECATED (3):

The permission is being deprecated.

class google.cloud.iam_admin_v1.types.QueryAuditableServicesRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

A request to get the list of auditable services for a resource.

full_resource_name

Required. The full resource name to query from the list of auditable services.

The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

Type

str

class google.cloud.iam_admin_v1.types.QueryAuditableServicesResponse(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

A response containing a list of auditable services for a resource.

services

The auditable services for a resource.

Type

MutableSequence[google.cloud.iam_admin_v1.types.QueryAuditableServicesResponse.AuditableService]

class AuditableService(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

Contains information about an auditable service.

name

Public name of the service. For example, the service name for Cloud IAM is ‘iam.googleapis.com’.

Type

str

class google.cloud.iam_admin_v1.types.QueryGrantableRolesRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The grantable role query request.

full_resource_name

Required. The full resource name to query from the list of grantable roles.

The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

Type

str

view
Type

google.cloud.iam_admin_v1.types.RoleView

page_size

Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000.

Type

int

page_token

Optional pagination token returned in an earlier QueryGrantableRolesResponse.

Type

str

class google.cloud.iam_admin_v1.types.QueryGrantableRolesResponse(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The grantable role query response.

roles

The list of matching roles.

Type

MutableSequence[google.cloud.iam_admin_v1.types.Role]

next_page_token

To retrieve the next page of results, set QueryGrantableRolesRequest.page_token to this value.

Type

str

class google.cloud.iam_admin_v1.types.QueryTestablePermissionsRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

A request to get permissions which can be tested on a resource.

full_resource_name

Required. The full resource name to query from the list of testable permissions.

The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project.

Type

str

page_size

Optional limit on the number of permissions to include in the response. The default is 100, and the maximum is 1,000.

Type

int

page_token

Optional pagination token returned in an earlier QueryTestablePermissionsResponse.

Type

str

class google.cloud.iam_admin_v1.types.QueryTestablePermissionsResponse(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The response containing permissions which can be tested on a resource.

permissions

The Permissions testable on the requested resource.

Type

MutableSequence[google.cloud.iam_admin_v1.types.Permission]

next_page_token

To retrieve the next page of results, set QueryTestablePermissionsRequest.page_token to this value.

Type

str

class google.cloud.iam_admin_v1.types.Role(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

A role in the Identity and Access Management API.

name

The name of the role.

When Role is used in CreateRole, the role name must not be set.

When Role is used in output and other input such as UpdateRole, the role name is the complete path, e.g., roles/logging.viewer for predefined roles and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles.

Type

str

title

Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.

Type

str

description

Optional. A human-readable description for the role.

Type

str

included_permissions

The names of the permissions this role grants when bound in an IAM policy.

Type

MutableSequence[str]

stage

The current launch stage of the role. If the ALPHA launch stage has been selected for a role, the stage field will not be included in the returned definition for the role.

Type

google.cloud.iam_admin_v1.types.Role.RoleLaunchStage

etag

Used to perform a consistent read-modify-write.

Type

bytes

deleted

The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.

Type

bool

class RoleLaunchStage(value)[source]

Bases: proto.enums.Enum

A stage representing a role’s lifecycle phase.

Values:
ALPHA (0):

The user has indicated this role is currently in an Alpha phase. If this launch stage is selected, the stage field will not be included when requesting the definition for a given role.

BETA (1):

The user has indicated this role is currently in a Beta phase.

GA (2):

The user has indicated this role is generally available.

DEPRECATED (4):

The user has indicated this role is being deprecated.

DISABLED (5):

This role is disabled and will not contribute permissions to any principals it is granted to in policies.

EAP (6):

The user has indicated this role is currently in an EAP phase.

class google.cloud.iam_admin_v1.types.RoleView(value)[source]

Bases: proto.enums.Enum

A view for Role objects.

Values:
BASIC (0):

Omits the included_permissions field. This is the default value.

FULL (1):

Returns all fields.

class google.cloud.iam_admin_v1.types.ServiceAccount(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

An IAM service account.

A service account is an account for an application or a virtual machine (VM) instance, not a person. You can use a service account to call Google APIs. To learn more, read the overview of service accounts.

When you create a service account, you specify the project ID that owns the service account, as well as a name that must be unique within the project. IAM uses these values to create an email address that identifies the service account.

name

The resource name of the service account.

Use one of the following formats:

  • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}

  • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

  • projects/-/serviceAccounts/{EMAIL_ADDRESS}

  • projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to get the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Type

str
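An added example, not code from the library or this page: a parser for the two name formats above (and the .../keys/{key} form used by the key requests) that records whether the - wildcard was used, plus a helper that substitutes the explicit project ID where it can be derived offline, so a missing account yields a 404 rather than the misleading 403 described above. The ".iam.gserviceaccount.com" email domain for user-created service accounts is an assumption taken from general IAM documentation, not from this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} with an optional /keys/{key} tail.
RESOURCE_NAME_RE = re.compile(
    r"projects/(?P<project>[^/]+)/serviceAccounts/(?P<account>[^/]+)"
    r"(?:/keys/(?P<key>[^/]+))?"
)

# Assumption (not stated on this page): user-created service account emails
# take the form {account_id}@{project_id}.iam.gserviceaccount.com.
IAM_SA_DOMAIN_SUFFIX = ".iam.gserviceaccount.com"


@dataclass(frozen=True)
class ServiceAccountRef:
    project_id: str          # "-" when the wildcard form was used
    account: str             # email address or numeric unique_id
    account_kind: str        # "email" or "unique_id"
    key_id: Optional[str]    # only for .../keys/{key} names
    uses_wildcard: bool


def parse_resource_name(name: str) -> ServiceAccountRef:
    """Split a service account or service account key resource name."""
    match = RESOURCE_NAME_RE.fullmatch(name)
    if match is None:
        raise ValueError(f"not a service account resource name: {name!r}")
    project, account, key = match.group("project", "account", "key")
    if "@" in account:
        kind = "email"
    elif account.isdigit():
        kind = "unique_id"
    else:
        raise ValueError(f"ACCOUNT must be an email address or unique_id: {account!r}")
    return ServiceAccountRef(project, account, kind, key, project == "-")


def canonicalize(name: str) -> str:
    """Replace the - wildcard with the explicit project ID when the email
    domain reveals it; unique_id names are returned unchanged because the
    project cannot be inferred without calling the API."""
    ref = parse_resource_name(name)
    if not ref.uses_wildcard:
        return name
    if ref.account_kind == "email" and ref.account.endswith(IAM_SA_DOMAIN_SUFFIX):
        domain = ref.account.split("@", 1)[1]
        project = domain[: -len(IAM_SA_DOMAIN_SUFFIX)]
        tail = f"/keys/{ref.key_id}" if ref.key_id else ""
        return f"projects/{project}/serviceAccounts/{ref.account}{tail}"
    return name


if __name__ == "__main__":
    # Constructed sample names; the project and account are placeholders.
    for sample in (
        "projects/my-project-123/serviceAccounts/ci-deployer@my-project-123.iam.gserviceaccount.com",
        "projects/-/serviceAccounts/ci-deployer@my-project-123.iam.gserviceaccount.com/keys/key-placeholder",
        "projects/-/serviceAccounts/123456789012345678901",
    ):
        print(parse_resource_name(sample), "->", canonicalize(sample))
```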

project_id

Output only. The ID of the project that owns the service account.

Type

str

unique_id

Output only. The unique, stable numeric ID for the service account. Each service account retains its unique ID even if you delete the service account. For example, if you delete a service account, then create a new service account with the same name, the new service account has a different unique ID than the deleted service account.

Type

str

email

Output only. The email address of the service account.

Type

str

display_name

Optional. A user-specified, human-readable name for the service account. The maximum length is 100 UTF-8 bytes.

Type

str

etag

Deprecated. Do not use.

Type

bytes

description

Optional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes.

Type

str

oauth2_client_id

Output only. The OAuth 2.0 client ID for the service account.

Type

str

disabled

Output only. Whether the service account is disabled.

Type

bool

class google.cloud.iam_admin_v1.types.ServiceAccountKey(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

Represents a service account key.

A service account has two sets of key-pairs: user-managed, and system-managed.

User-managed key-pairs can be created and deleted by users. Users are responsible for rotating these keys periodically to ensure security of their service accounts. Users retain the private key of these key-pairs, and Google retains ONLY the public key.

System-managed keys are automatically rotated by Google, and are used for signing for a maximum of two weeks. The rotation process is probabilistic, and usage of the new key will gradually ramp up and down over the key’s lifetime.

If you cache the public key set for a service account, we recommend that you update the cache every 15 minutes. User-managed keys can be added and removed at any time, so it is important to update the cache frequently. For Google-managed keys, Google will publish a key at least 6 hours before it is first used for signing and will keep publishing it for at least 6 hours after it was last used for signing.

Public keys for all service accounts are also published at the OAuth2 Service Account API.
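An added example, not code from the library or this page: a key-hygiene check that applies the user-managed versus system-managed distinction above to records shaped like ServiceAccountKey (key_type, key_origin, valid_after_time, valid_before_time, disabled). The input records, the key ids and the 90-day rotation limit are constructed assumptions; the check itself is the kind of review a defender runs over a ListServiceAccountKeysResponse.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class KeyRecord:
    """Subset of ServiceAccountKey used by the check. key_type and key_origin hold
    the enum names from this page (ListServiceAccountKeysRequest.KeyType and
    ServiceAccountKeyOrigin)."""
    name: str                 # projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}
    key_type: str             # "USER_MANAGED" or "SYSTEM_MANAGED"
    key_origin: str           # "USER_PROVIDED" or "GOOGLE_PROVIDED"
    valid_after_time: datetime
    valid_before_time: datetime
    disabled: bool = False


@dataclass(frozen=True)
class Finding:
    key_name: str
    reason: str


def audit_keys(keys: list[KeyRecord], now: datetime, max_age_days: int = 90) -> list[Finding]:
    """Flag user-managed keys that need attention. max_age_days is an assumed
    organisational rotation limit, not a value defined by the API."""
    findings: list[Finding] = []
    for key in keys:
        # Google rotates system-managed keys itself (signing for at most two weeks).
        if key.key_type == "SYSTEM_MANAGED":
            continue
        if key.disabled:
            findings.append(Finding(key.name, "disabled user-managed key still present; delete it once rotation is confirmed"))
            continue
        if key.valid_before_time <= now:
            findings.append(Finding(key.name, "expired user-managed key still present; delete it"))
            continue
        age = now - key.valid_after_time
        if age > timedelta(days=max_age_days):
            findings.append(Finding(key.name, f"user-managed key is {age.days} days old (limit {max_age_days}); rotate it"))
        if key.key_origin == "USER_PROVIDED":
            # Google holds only the public key; the private half was generated elsewhere.
            findings.append(Finding(key.name, "private key was generated outside Google (USER_PROVIDED); confirm where it is stored"))
    return findings


# Constructed sample data: a fixed "now", a placeholder account and placeholder key ids.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FAR_FUTURE = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
SA = "projects/my-project-123/serviceAccounts/ci-deployer@my-project-123.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    KeyRecord(f"{SA}/keys/key-old", "USER_MANAGED", "GOOGLE_PROVIDED",
              datetime(2024, 1, 1, tzinfo=timezone.utc), FAR_FUTURE),
    KeyRecord(f"{SA}/keys/key-uploaded", "USER_MANAGED", "USER_PROVIDED",
              datetime(2024, 5, 15, tzinfo=timezone.utc), FAR_FUTURE),
    KeyRecord(f"{SA}/keys/key-google", "SYSTEM_MANAGED", "GOOGLE_PROVIDED",
              datetime(2024, 5, 28, tzinfo=timezone.utc),
              datetime(2024, 6, 10, tzinfo=timezone.utc)),
    KeyRecord(f"{SA}/keys/key-expired", "USER_MANAGED", "GOOGLE_PROVIDED",
              datetime(2023, 1, 1, tzinfo=timezone.utc),
              datetime(2024, 1, 1, tzinfo=timezone.utc)),
    KeyRecord(f"{SA}/keys/key-disabled", "USER_MANAGED", "GOOGLE_PROVIDED",
              datetime(2024, 5, 1, tzinfo=timezone.utc), FAR_FUTURE, disabled=True),
]

if __name__ == "__main__":
    for finding in audit_keys(SAMPLE_KEYS, NOW):
        print(f"{finding.key_name}: {finding.reason}")
```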

name

The resource name of the service account key in the following format projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Type

str

private_key_type

The output format for the private key. Only provided in CreateServiceAccountKey responses, not in GetServiceAccountKey or ListServiceAccountKey responses.

Google never exposes system-managed private keys, and never retains user-managed private keys.

Type

google.cloud.iam_admin_v1.types.ServiceAccountPrivateKeyType

key_algorithm

Specifies the algorithm (and possibly key size) for the key.

Type

google.cloud.iam_admin_v1.types.ServiceAccountKeyAlgorithm

private_key_data

The private key data. Only provided in CreateServiceAccountKey responses. Make sure to keep the private key data secure because it allows for the assertion of the service account identity. When base64 decoded, the private key data can be used to authenticate with Google API client libraries and with gcloud auth activate-service-account.

Type

bytes

public_key_data

The public key data. Only provided in GetServiceAccountKey responses.

Type

bytes

valid_after_time

The key can be used after this timestamp.

Type

google.protobuf.timestamp_pb2.Timestamp

valid_before_time

The key can be used before this timestamp. For system-managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time.

Type

google.protobuf.timestamp_pb2.Timestamp

key_origin

The key origin.

Type

google.cloud.iam_admin_v1.types.ServiceAccountKeyOrigin

key_type

The key type.

Type

google.cloud.iam_admin_v1.types.ListServiceAccountKeysRequest.KeyType

disabled

The key status.

Type

bool

class google.cloud.iam_admin_v1.types.ServiceAccountKeyAlgorithm(value)[source]

Bases: proto.enums.Enum

Supported key algorithms.

Values:
KEY_ALG_UNSPECIFIED (0):

An unspecified key algorithm.

KEY_ALG_RSA_1024 (1):

1k RSA Key.

KEY_ALG_RSA_2048 (2):

2k RSA Key.

class google.cloud.iam_admin_v1.types.ServiceAccountKeyOrigin(value)[source]

Bases: proto.enums.Enum

Service Account Key Origin.

Values:
ORIGIN_UNSPECIFIED (0):

Unspecified key origin.

USER_PROVIDED (1):

Key is provided by the user.

GOOGLE_PROVIDED (2):

Key is provided by Google.

class google.cloud.iam_admin_v1.types.ServiceAccountPrivateKeyType(value)[source]

Bases: proto.enums.Enum

Supported private key output formats.

Values:
TYPE_UNSPECIFIED (0):

Unspecified. Equivalent to TYPE_GOOGLE_CREDENTIALS_FILE.

TYPE_PKCS12_FILE (1):

PKCS12 format. The password for the PKCS12 file is notasecret. For more information, see https://tools.ietf.org/html/rfc7292.

TYPE_GOOGLE_CREDENTIALS_FILE (2):

Google Credentials File format.

class google.cloud.iam_admin_v1.types.ServiceAccountPublicKeyType(value)[source]

Bases: proto.enums.Enum

Supported public key output formats.

Values:
TYPE_NONE (0):

Do not return the public key.

TYPE_X509_PEM_FILE (1):

X509 PEM format.

TYPE_RAW_PUBLIC_KEY (2):

Raw public key.

class google.cloud.iam_admin_v1.types.SignBlobRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

Deprecated. Migrate to Service Account Credentials API.

The service account sign blob request.

name

Required. Deprecated. Migrate to Service Account Credentials API.

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Type

str

bytes_to_sign

Required. Deprecated. Migrate to Service Account Credentials API.

The bytes to sign.

Type

bytes

class google.cloud.iam_admin_v1.types.SignBlobResponse(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

Deprecated. Migrate to Service Account Credentials API.

The service account sign blob response.

key_id

Deprecated. Migrate to Service Account Credentials API.

The id of the key used to sign the blob.

Type

str

signature

Deprecated. Migrate to Service Account Credentials API.

The signed blob.

Type

bytes

class google.cloud.iam_admin_v1.types.SignJwtRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

Deprecated. Migrate to Service Account Credentials API.

The service account sign JWT request.

name

Required. Deprecated. Migrate to Service Account Credentials API.

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Type

str

payload

Required. Deprecated. Migrate to Service Account Credentials API.

The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. For example: {"sub": "user@example.com", "iat": 313435}

If the JWT Claims Set contains an expiration time (exp) claim, it must be an integer timestamp that is not in the past and no more than 12 hours in the future.

If the JWT Claims Set does not contain an expiration time (exp) claim, this claim is added automatically, with a timestamp that is 1 hour in the future.

Type

str

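Added example (not library code): a client-side pre-check of the payload field against the exp rules stated above, so a malformed or over-long claims set is rejected before the request is sent. It mirrors the documented behaviour of adding exp = now + 1 hour when the claim is absent; the function names and the acceptance wrapper are this example's own.

```python
import json
import time
from typing import Optional

MAX_EXP_AHEAD = 12 * 3600      # exp may be at most 12 hours in the future
DEFAULT_EXP_AHEAD = 3600       # the service adds exp = now + 1 hour when absent

def prepare_jwt_payload(payload: str, now: Optional[int] = None) -> str:
    """Validate a serialized JWT Claims Set per the documented exp rules and
    return the string to place in SignJwtRequest.payload.

    Raises ValueError when the payload is not a JSON object or when exp is
    present but not an integer, already in the past, or more than 12 hours
    ahead. When exp is absent it is added as now + 1 hour, which is what the
    service would do anyway; adding it locally keeps the claim explicit.
    """
    if now is None:
        now = int(time.time())
    try:
        claims = json.loads(payload)
    except json.JSONDecodeError as err:
        raise ValueError(f"payload is not valid JSON: {err}") from None
    if not isinstance(claims, dict):
        raise ValueError("payload must be a JSON object (a JWT Claims Set)")
    if "exp" in claims:
        exp = claims["exp"]
        # bool is a subclass of int in Python; reject it explicitly.
        if isinstance(exp, bool) or not isinstance(exp, int):
            raise ValueError("exp must be an integer timestamp")
        if exp < now:
            raise ValueError("exp is in the past")
        if exp > now + MAX_EXP_AHEAD:
            raise ValueError("exp is more than 12 hours in the future")
    else:
        claims["exp"] = now + DEFAULT_EXP_AHEAD
    return json.dumps(claims, separators=(",", ":"))

def payload_is_acceptable(payload: str, now: int) -> bool:
    """True when prepare_jwt_payload accepts the payload at time `now`."""
    try:
        prepare_jwt_payload(payload, now)
    except ValueError:
        return False
    return True

# The page's own example claims set, used here as sample input.
EXAMPLE_PAYLOAD = '{"sub": "user@example.com", "iat": 313435}'
```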
class google.cloud.iam_admin_v1.types.SignJwtResponse(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

Deprecated. Migrate to Service Account Credentials API.

The service account sign JWT response.

key_id

Deprecated. Migrate to Service Account Credentials API.

The id of the key used to sign the JWT.

Type

str

signed_jwt

Deprecated. Migrate to Service Account Credentials API.

The signed JWT.

Type

str

class google.cloud.iam_admin_v1.types.UndeleteRoleRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The request to undelete an existing role.

name

The name parameter’s value depends on the target resource for the request, namely `projects <https://cloud.google.com/iam/reference/rest/v1/projects.roles>`__ or `organizations <https://cloud.google.com/iam/reference/rest/v1/organizations.roles>`__. Each resource type’s name value format is described below:

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Type

str

etag

Used to perform a consistent read-modify-write.

Type

bytes

class google.cloud.iam_admin_v1.types.UndeleteServiceAccountRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account undelete request.

name

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT_UNIQUE_ID}. Using - as a wildcard for the PROJECT_ID will infer the project from the account.

Type

str

class google.cloud.iam_admin_v1.types.UndeleteServiceAccountResponse(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

restored_account

Metadata for the restored service account.

Type

google.cloud.iam_admin_v1.types.ServiceAccount

class google.cloud.iam_admin_v1.types.UpdateRoleRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The request to update a role.

name

The name parameter’s value depends on the target resource for the request, namely `projects <https://cloud.google.com/iam/reference/rest/v1/projects.roles>`__ or `organizations <https://cloud.google.com/iam/reference/rest/v1/organizations.roles>`__. Each resource type’s name value format is described below:

Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.

Type

str

role

The updated role.

Type

google.cloud.iam_admin_v1.types.Role

update_mask

A mask describing which fields in the Role have changed.

Type

google.protobuf.field_mask_pb2.FieldMask

class google.cloud.iam_admin_v1.types.UploadServiceAccountKeyRequest(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]

Bases: proto.message.Message

The service account key upload request.

name

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.

Type

str

public_key_data

The public key to associate with the service account. Must be an RSA public key that is wrapped in an X.509 v3 certificate. Include the first line, -----BEGIN CERTIFICATE-----, and the last line, -----END CERTIFICATE-----.

Type

bytes