      1 """Generated message classes for iam version v1.
      2 
      3 Manages identity and access control for Google Cloud Platform resources,
      4 including the creation of service accounts, which you can use to authenticate
      5 to Google and make API calls.
      6 """
      7 # NOTE: This file is autogenerated and should not be edited by hand.
      8 
      9 from apitools.base.protorpclite import messages as _messages
     10 from apitools.base.py import encoding
     11 
     12 
# Package label shared by every message class defined in this module.
# NOTE(review): presumably read by the protorpclite machinery to qualify
# message definition names - confirm against apitools before relying on it.
package = 'iam'
     14 
     15 
class AuditConfig(_messages.Message):
  """Turns on "data access" audit logging for a service, minus exemptions.

  Fields:
    exemptedMembers: Identities that are exempted from "data access" audit
      logging for `service`. Uses the same format as Binding.members.
    service: The service for which "data access" audit logging is enabled,
      for example `resourcemanager`, `storage`, `compute`. The special value
      `allServices` covers all services.
  """

  # Review note: identities listed here leave no data-access audit records
  # for `service`, so additions to this list deserve the same review as a
  # change to the bindings themselves.
  exemptedMembers = _messages.StringField(1, repeated=True)
  service = _messages.StringField(2)
     31 
     32 
class Binding(_messages.Message):
  """Grants one `role` to a list of `members`.

  Fields:
    members: The identities requesting access for a Cloud Platform resource.
      Each entry takes one of the following forms:
      * `allUsers`: special identifier for anyone who is on the internet,
        with or without a Google account.
      * `allAuthenticatedUsers`: special identifier for anyone who is
        authenticated with a Google account or a service account.
      * `user:{emailid}`: an email address for a specific Google account,
        for example `alice@gmail.com` or `joe@example.com`.
      * `serviceAccount:{emailid}`: an email address for a service account,
        for example `my-other-app@appspot.gserviceaccount.com`.
      * `group:{emailid}`: an email address for a Google group, for example
        `admins@example.com`.
      * `domain:{domain}`: a Google Apps domain name standing for all the
        users of that domain, for example `google.com` or `example.com`.
    role: Role that is assigned to `members`, for example `roles/viewer`,
      `roles/editor`, or `roles/owner`. Required.
  """

  # Review note: `allUsers` and `allAuthenticatedUsers` are not limited to
  # any one organisation, so a binding containing either exposes `role` to
  # identities the resource owner does not manage. Flag such bindings unless
  # the resource is intentionally public.
  members = _messages.StringField(1, repeated=True)
  # Documented as required, yet declared without required=True, so this
  # class does not itself mark the field as mandatory.
  role = _messages.StringField(2)
     56 
     57 
class CloudAuditOptions(_messages.Message):
  """Option message asking for a Cloud Audit log to be written.

  The message declares no fields.
  """
     60 
     61 
class Condition(_messages.Message):
  """A single condition that has to be met.

  Enums:
    IamValueValuesEnum: Trusted attributes supplied by the IAM system.
    OpValueValuesEnum: An operator to apply the subject with.
    SysValueValuesEnum: Trusted attributes supplied by any service that owns
      resources and uses the IAM system for access control.

  Fields:
    iam: Trusted attributes supplied by the IAM system.
    op: An operator to apply the subject with.
    svc: Trusted attributes discharged by the service.
    sys: Trusted attributes supplied by any service that owns resources and
      uses the IAM system for access control.
    value: DEPRECATED. Use 'values' instead.
    values: The objects of the condition. Mutually exclusive with 'value'.
  """

  class IamValueValuesEnum(_messages.Enum):
    """Trusted attributes supplied by the IAM system.

    Values:
      NO_ATTR: Default non-attribute.
      AUTHORITY: Either principal or (if present) authority
      ATTRIBUTION: selector Always the original principal, but making clear
    """
    # NOTE(review): the AUTHORITY/ATTRIBUTION descriptions above look
    # garbled and cut short by the generator (the stray "selector" probably
    # belongs to AUTHORITY); they are kept as generated.
    NO_ATTR = 0
    AUTHORITY = 1
    ATTRIBUTION = 2

  class OpValueValuesEnum(_messages.Enum):
    """An operator to apply the subject with.

    Values:
      NO_OP: Default no-op.
      EQUALS: DEPRECATED. Use IN instead.
      NOT_EQUALS: DEPRECATED. Use NOT_IN instead.
      IN: Set-inclusion check.
      NOT_IN: Set-exclusion check.
      DISCHARGED: Subject is discharged
    """
    NO_OP = 0
    EQUALS = 1      # deprecated in favour of IN
    NOT_EQUALS = 2  # deprecated in favour of NOT_IN
    IN = 3
    NOT_IN = 4
    DISCHARGED = 5

  class SysValueValuesEnum(_messages.Enum):
    """Trusted attributes supplied by any service that owns resources and
    uses the IAM system for access control.

    Values:
      NO_ATTR: Default non-attribute type
      REGION: Region of the resource
      SERVICE: Service name
      NAME: Resource name
      IP: IP address of the caller
    """
    NO_ATTR = 0
    REGION = 1
    SERVICE = 2
    NAME = 3
    IP = 4

  # At most one of iam / sys / svc names the attribute under test; `op`
  # says how it is compared against `values`.
  # NOTE(review): that reading is inferred from the field docs - confirm.
  iam = _messages.EnumField('IamValueValuesEnum', 1)
  op = _messages.EnumField('OpValueValuesEnum', 2)
  svc = _messages.StringField(3)
  sys = _messages.EnumField('SysValueValuesEnum', 4)
  # `value` and `values` are documented as mutually exclusive, but both are
  # plain optional fields here; nothing in this class rejects a message
  # that sets both.
  value = _messages.StringField(5)
  values = _messages.StringField(6, repeated=True)
    135 
    136 
class CounterOptions(_messages.Message):
  """Options describing a counter update.

  Fields:
    field: The field value to attribute.
    metric: The metric to update.
  """

  # Both entries are free-form strings; this class applies no naming rules.
  field = _messages.StringField(1)
  metric = _messages.StringField(2)
    147 
    148 
class CreateServiceAccountKeyRequest(_messages.Message):
  """Request body for creating a service account key.

  Enums:
    PrivateKeyTypeValueValuesEnum: The output format of the private key.
      `GOOGLE_CREDENTIALS_FILE` is the default output format.

  Fields:
    privateKeyType: The output format of the private key.
      `GOOGLE_CREDENTIALS_FILE` is the default output format.
  """

  class PrivateKeyTypeValueValuesEnum(_messages.Enum):
    """The output format of the private key.

    `GOOGLE_CREDENTIALS_FILE` is the default output format.

    Values:
      TYPE_UNSPECIFIED: Unspecified. Equivalent to
        `TYPE_GOOGLE_CREDENTIALS_FILE`.
      TYPE_PKCS12_FILE: PKCS12 format. The password for the PKCS12 file is
        `notasecret`. For more information, see
        https://tools.ietf.org/html/rfc7292.
      TYPE_GOOGLE_CREDENTIALS_FILE: Google Credentials File format.
    """
    TYPE_UNSPECIFIED = 0
    # Review note: the PKCS12 password is a fixed, published string, so it
    # adds no confidentiality. The returned file has to be protected like a
    # plaintext private key (storage permissions, secret manager, rotation).
    TYPE_PKCS12_FILE = 1
    TYPE_GOOGLE_CREDENTIALS_FILE = 2

  # The docs name the default `GOOGLE_CREDENTIALS_FILE`; the matching enum
  # member carries a TYPE_ prefix.
  privateKeyType = _messages.EnumField('PrivateKeyTypeValueValuesEnum', 1)
    178 
    179 
class CreateServiceAccountRequest(_messages.Message):
  """Request body for creating a service account.

  Fields:
    accountId: Required. The account id used to generate the service account
      email address and a stable unique id. It is unique within a project,
      must be 1-63 characters long, and must match the regular expression
      `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
    serviceAccount: The ServiceAccount resource to create. Currently, only
      the following values are user assignable: `display_name`.
  """

  # The length and pattern rules above are documentation only: the field is
  # a plain StringField without required=True, so callers that build the id
  # from external input should validate it before sending the request.
  accountId = _messages.StringField(1)
  serviceAccount = _messages.MessageField('ServiceAccount', 2)
    194 
    195 
class DataAccessOptions(_messages.Message):
  """Option message asking for a Data Access (Gin) log to be written.

  The message declares no fields.
  """
    198 
    199 
class Empty(_messages.Message):
  """Generic empty message, reusable wherever an API needs no payload.

  Using it avoids defining duplicated empty messages in your APIs. A typical
  use is as the request or the response type of an API method, for instance:

      service Foo {
        rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
      }

  The JSON representation for `Empty` is the empty JSON object `{}`.
  """
    207 
    208 
    209 
class GetPolicyDetailsRequest(_messages.Message):
  """Request for the current policy plus the inherited policies.

  Covers the policy on the named resource and the policies on the inherited
  resources the user has access to.

  Fields:
    fullResourcePath: REQUIRED: The full resource path of the current policy
      being requested, e.g., `//dataflow.googleapis.com/projects/../jobs/..`.
    pageSize: Limit on the number of policies to include in the response.
      Further accounts can subsequently be obtained by including the
      GetPolicyDetailsResponse.next_page_token in a subsequent request. If
      zero, the default page size 20 will be used. Must be given a value in
      range [0, 100], otherwise an invalid argument error will be returned.
    pageToken: Optional pagination token returned in an earlier
      GetPolicyDetailsResponse.next_page_token response.
  """

  # Documented as REQUIRED, but declared without required=True.
  fullResourcePath = _messages.StringField(1)
  # The [0, 100] range is described as a server-side rejection; no range
  # check is declared on the field itself.
  pageSize = _messages.IntegerField(2, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(3)
    229 
    230 
class GetPolicyDetailsResponse(_messages.Message):
  """Response to a `GetPolicyDetailsRequest`.

  Carries the current policy and the policies on the inherited resources the
  user has access to.

  Fields:
    nextPageToken: To retrieve the next page of results, set
      GetPolicyDetailsRequest.page_token to this value. If this value is
      empty, there are no further policies that the user has access to. The
      lifetime is 60 minutes. An "Expired pagination token" error will be
      returned if exceeded.
    policies: The current policy and all the inherited policies the user has
      access to.
  """

  nextPageToken = _messages.StringField(1)
  # Only policies the caller can access are returned, so an absent entry
  # does not prove that no policy exists at that level of the hierarchy.
  policies = _messages.MessageField('PolicyDetail', 2, repeated=True)
    247 
    248 
class IamProjectsServiceAccountsCreateRequest(_messages.Message):
  """Request wrapper for creating a service account under a project.

  Fields:
    createServiceAccountRequest: A CreateServiceAccountRequest resource to be
      passed as the request body.
    name: Required. The resource name of the project associated with the
      service accounts, such as `projects/my-project-123`.
  """

  # Request body; optional as far as this declaration is concerned.
  createServiceAccountRequest = _messages.MessageField('CreateServiceAccountRequest', 1)
  # The only field declared with required=True.
  name = _messages.StringField(2, required=True)
    261 
    262 
class IamProjectsServiceAccountsDeleteRequest(_messages.Message):
  """Request wrapper for deleting a service account.

  Fields:
    name: The resource name of the service account, in the format
      `projects/{project}/serviceAccounts/{account}`. Using `-` as a wildcard
      for the project will infer the project from the account. The `account`
      value can be the `email` address or the `unique_id` of the service
      account.
  """

  # With the `-` wildcard the project is inferred from the account, so the
  # account value alone decides which service account is deleted.
  name = _messages.StringField(1, required=True)
    275 
    276 
class IamProjectsServiceAccountsGetIamPolicyRequest(_messages.Message):
  """Request wrapper for reading the IAM policy of a resource.

  Fields:
    resource: REQUIRED: The resource for which the policy is being requested.
      `resource` is usually specified as a path, such as
      `projects/*project*/zones/*zone*/disks/*disk*`. The format for the path
      specified in this value is resource specific and is specified in the
      `getIamPolicy` documentation.
  """

  # Sole field; declared mandatory via required=True.
  resource = _messages.StringField(1, required=True)
    289 
    290 
class IamProjectsServiceAccountsGetRequest(_messages.Message):
  """Request wrapper for fetching a single service account.

  Fields:
    name: The resource name of the service account, in the format
      `projects/{project}/serviceAccounts/{account}`. Using `-` as a wildcard
      for the project will infer the project from the account. The `account`
      value can be the `email` address or the `unique_id` of the service
      account.
  """

  # Sole field; declared mandatory via required=True.
  name = _messages.StringField(1, required=True)
    303 
    304 
class IamProjectsServiceAccountsKeysCreateRequest(_messages.Message):
  """Request wrapper for creating a key on a service account.

  Fields:
    createServiceAccountKeyRequest: A CreateServiceAccountKeyRequest resource
      to be passed as the request body.
    name: The resource name of the service account, in the format
      `projects/{project}/serviceAccounts/{account}`. Using `-` as a wildcard
      for the project will infer the project from the account. The `account`
      value can be the `email` address or the `unique_id` of the service
      account.
  """

  # Review note: the request body selects a private-key output format, so
  # the response to this call is credential material; keep it out of logs
  # and track each created key so it can be rotated or deleted.
  createServiceAccountKeyRequest = _messages.MessageField('CreateServiceAccountKeyRequest', 1)
  name = _messages.StringField(2, required=True)
    320 
    321 
class IamProjectsServiceAccountsKeysDeleteRequest(_messages.Message):
  """Request wrapper for deleting one service account key.

  Fields:
    name: The resource name of the service account key, in the format
      `projects/{project}/serviceAccounts/{account}/keys/{key}`. Using `-` as
      a wildcard for the project will infer the project from the account. The
      `account` value can be the `email` address or the `unique_id` of the
      service account.
  """

  # Sole field; declared mandatory via required=True.
  name = _messages.StringField(1, required=True)
    334 
    335 
class IamProjectsServiceAccountsKeysGetRequest(_messages.Message):
  """Request wrapper for fetching one service account key.

  Enums:
    PublicKeyTypeValueValuesEnum: The output format of the public key
      requested. X509_PEM is the default output format.

  Fields:
    name: The resource name of the service account key, in the format
      `projects/{project}/serviceAccounts/{account}/keys/{key}`. Using `-` as
      a wildcard for the project will infer the project from the account. The
      `account` value can be the `email` address or the `unique_id` of the
      service account.
    publicKeyType: The output format of the public key requested. X509_PEM is
      the default output format.
  """

  class PublicKeyTypeValueValuesEnum(_messages.Enum):
    """The output format of the public key requested.

    X509_PEM is the default output format.

    Values:
      TYPE_NONE: <no description>
      TYPE_X509_PEM_FILE: <no description>
      TYPE_RAW_PUBLIC_KEY: <no description>
    """
    # NOTE(review): the docs call X509_PEM the default while the zero value
    # is TYPE_NONE; how an unset field is treated is not visible here.
    TYPE_NONE = 0
    TYPE_X509_PEM_FILE = 1
    TYPE_RAW_PUBLIC_KEY = 2

  name = _messages.StringField(1, required=True)
  publicKeyType = _messages.EnumField('PublicKeyTypeValueValuesEnum', 2)
    368 
    369 
class IamProjectsServiceAccountsKeysListRequest(_messages.Message):
  """Request wrapper for listing the keys of a service account.

  Enums:
    KeyTypesValueValuesEnum: Filters the types of keys the user wants to
      include in the list response. Duplicate key types are not allowed. If
      no key type is provided, all keys are returned.

  Fields:
    keyTypes: Filters the types of keys the user wants to include in the list
      response. Duplicate key types are not allowed. If no key type is
      provided, all keys are returned.
    name: The resource name of the service account, in the format
      `projects/{project}/serviceAccounts/{account}`. Using `-` as a wildcard
      for the project will infer the project from the account. The `account`
      value can be the `email` address or the `unique_id` of the service
      account.
  """

  class KeyTypesValueValuesEnum(_messages.Enum):
    """Filters the types of keys the user wants to include in the list
    response.

    Duplicate key types are not allowed. If no key type is provided, all keys
    are returned.

    Values:
      KEY_TYPE_UNSPECIFIED: <no description>
      USER_MANAGED: <no description>
      SYSTEM_MANAGED: <no description>
    """
    KEY_TYPE_UNSPECIFIED = 0
    USER_MANAGED = 1
    SYSTEM_MANAGED = 2

  # Review note: when inventorying exported credentials, filtering on
  # USER_MANAGED narrows the listing to that key type; leaving the filter
  # empty returns all keys.
  keyTypes = _messages.EnumField('KeyTypesValueValuesEnum', 1, repeated=True)
  name = _messages.StringField(2, required=True)
    405 
    406 
class IamProjectsServiceAccountsListRequest(_messages.Message):
  """Request wrapper for listing the service accounts of a project.

  Fields:
    name: Required. The resource name of the project associated with the
      service accounts, such as `projects/my-project-123`.
    pageSize: Optional limit on the number of service accounts to include in
      the response. Further accounts can subsequently be obtained by
      including the ListServiceAccountsResponse.next_page_token in a
      subsequent request.
    pageToken: Optional pagination token returned in an earlier
      ListServiceAccountsResponse.next_page_token.
    removeDeletedServiceAccounts: Do not list service accounts deleted from
      Gaia. Marked upstream as DO NOT INCLUDE IN EXTERNAL DOCUMENTATION.
  """

  name = _messages.StringField(1, required=True)
  pageSize = _messages.IntegerField(2, variant=_messages.Variant.INT32)
  pageToken = _messages.StringField(3)
  # NOTE(review): the generated description carries an internal-only
  # marker, which suggests this flag was not meant to be part of the public
  # surface; avoid building tooling that depends on it.
  removeDeletedServiceAccounts = _messages.BooleanField(4)
    427 
    428 
class IamProjectsServiceAccountsSetIamPolicyRequest(_messages.Message):
  """Request wrapper for setting the IAM policy of a resource.

  Fields:
    resource: REQUIRED: The resource for which the policy is being specified.
      `resource` is usually specified as a path, such as
      `projects/*project*/zones/*zone*/disks/*disk*`. The format for the path
      specified in this value is resource specific and is specified in the
      `setIamPolicy` documentation.
    setIamPolicyRequest: A SetIamPolicyRequest resource to be passed as the
      request body.
  """

  resource = _messages.StringField(1, required=True)
  # Review note: per the `etag` description on Policy, a policy sent
  # without an etag overwrites the existing one blindly; read the current
  # policy first and send its etag back with the modified copy.
  setIamPolicyRequest = _messages.MessageField('SetIamPolicyRequest', 2)
    444 
    445 
class IamProjectsServiceAccountsSignBlobRequest(_messages.Message):
  """Request wrapper for the service account sign-blob method.

  Fields:
    name: The resource name of the service account, in the format
      `projects/{project}/serviceAccounts/{account}`. Using `-` as a wildcard
      for the project will infer the project from the account. The `account`
      value can be the `email` address or the `unique_id` of the service
      account.
    signBlobRequest: A SignBlobRequest resource to be passed as the request
      body.
  """

  # NOTE(review): judging by the method name, the call returns a signature
  # made as the named service account, so permission to invoke it warrants
  # the same scrutiny as access to the account's keys - confirm against the
  # SignBlobRequest definition.
  name = _messages.StringField(1, required=True)
  signBlobRequest = _messages.MessageField('SignBlobRequest', 2)
    461 
    462 
class IamProjectsServiceAccountsSignJwtRequest(_messages.Message):
  """Request wrapper for the service account sign-JWT method.

  Fields:
    name: The resource name of the service account, in the format
      `projects/{project}/serviceAccounts/{account}`. Using `-` as a wildcard
      for the project will infer the project from the account. The `account`
      value can be the `email` address or the `unique_id` of the service
      account.
    signJwtRequest: A SignJwtRequest resource to be passed as the request
      body.
  """

  # NOTE(review): judging by the method name, the call returns a JWT signed
  # as the named service account, so permission to invoke it warrants the
  # same scrutiny as access to the account's keys - confirm against the
  # SignJwtRequest definition.
  name = _messages.StringField(1, required=True)
  signJwtRequest = _messages.MessageField('SignJwtRequest', 2)
    478 
    479 
class IamProjectsServiceAccountsTestIamPermissionsRequest(_messages.Message):
  """Request wrapper for testing IAM permissions on a resource.

  Fields:
    resource: REQUIRED: The resource for which the policy detail is being
      requested. `resource` is usually specified as a path, such as
      `projects/*project*/zones/*zone*/disks/*disk*`. The format for the path
      specified in this value is resource specific and is specified in the
      `testIamPermissions` documentation.
    testIamPermissionsRequest: A TestIamPermissionsRequest resource to be
      passed as the request body.
  """

  # `resource` is the only field declared with required=True.
  resource = _messages.StringField(1, required=True)
  testIamPermissionsRequest = _messages.MessageField('TestIamPermissionsRequest', 2)
    495 
    496 
class ListServiceAccountKeysResponse(_messages.Message):
  """Response to a service account key listing.

  Fields:
    keys: The public keys for the service account.
  """

  # Repeated ServiceAccountKey messages; documented as public keys only.
  keys = _messages.MessageField('ServiceAccountKey', 1, repeated=True)
    505 
    506 
class ListServiceAccountsResponse(_messages.Message):
  """Response to a service account listing.

  Fields:
    accounts: The list of matching service accounts.
    nextPageToken: To retrieve the next page of results, set
      ListServiceAccountsRequest.page_token to this value.
  """

  accounts = _messages.MessageField('ServiceAccount', 1, repeated=True)
  # An inventory built from this response is complete only after following
  # the token on every page that returns one.
  nextPageToken = _messages.StringField(2)
    518 
    519 
class LogConfig(_messages.Message):
  """Specifies what kind of log the caller must write.

  Increment a streamz counter with the specified metric and field names.

  Metric names should start with a '/', generally be lowercase-only, and end
  in "_count". Field names should not contain an initial slash. The actual
  exported metric names will have "/iam/policy" prepended.

  Field names correspond to IAM request parameters and field values are their
  respective values. At present the only supported field names are:
    - "iam_principal", corresponding to IAMContext.principal;
    - "" (empty string), resulting in one aggregated counter with no field.

  Example:
    counter { metric: "/debug_access_count" field: "iam_principal" }
    ==> increment counter /iam/policy/backend_debug_access_count
        {iam_principal=[value of IAMContext.principal]}

  At this time the following are not supported:
    * multiple field names (though this may be supported in the future)
    * decrementing the counter
    * incrementing it by anything other than 1

  Fields:
    cloudAudit: Cloud audit options.
    counter: Counter options.
    dataAccess: Data access options.
  """

  cloudAudit = _messages.MessageField('CloudAuditOptions', 1)
  # Review note: a counter keyed on "iam_principal" exports the caller's
  # identity as a metric label, so the metric inherits the sensitivity of
  # that identity data.
  counter = _messages.MessageField('CounterOptions', 2)
  dataAccess = _messages.MessageField('DataAccessOptions', 3)
    545 
    546 
class Policy(_messages.Message):
  """An Identity and Access Management (IAM) policy.

  It is used to specify access control policies for Cloud Platform resources.

  A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
  `members` to a `role`, where the members can be user accounts, Google
  groups, Google domains, and service accounts. A `role` is a named list of
  permissions defined by IAM.

  **Example**

      {
        "bindings": [
          {
            "role": "roles/owner",
            "members": [
              "user:mike@example.com",
              "group:admins@example.com",
              "domain:google.com",
              "serviceAccount:my-other-app@appspot.gserviceaccount.com"
            ]
          },
          {
            "role": "roles/viewer",
            "members": ["user:sean@example.com"]
          }
        ]
      }

  For a description of IAM and its features, see the [IAM developer's
  guide](https://cloud.google.com/iam).

  Fields:
    auditConfigs: Specifies audit logging configs for "data access". "data
      access": generally refers to data reads/writes and admin reads. "admin
      activity": generally refers to admin writes. Note: `AuditConfig`
      doesn't apply to "admin activity", which always enables audit logging.
    bindings: Associates a list of `members` to a `role`. Multiple `bindings`
      must not be specified for the same `role`. `bindings` with no members
      will result in an error.
    etag: `etag` is used for optimistic concurrency control as a way to help
      prevent simultaneous updates of a policy from overwriting each other.
      It is strongly suggested that systems make use of the `etag` in the
      read-modify-write cycle to perform policy updates in order to avoid
      race conditions: an `etag` is returned in the response to
      `getIamPolicy`, and systems are expected to put that etag in the
      request to `setIamPolicy` to ensure that their change will be applied
      to the same version of the policy. If no `etag` is provided in the call
      to `setIamPolicy`, then the existing policy is overwritten blindly.
    iamOwned: A boolean attribute.
    rules: If more than one rule is specified, the rules are applied in the
      following manner:
      - All matching LOG rules are always applied.
      - If any DENY/DENY_WITH_LOG rule matches, permission is denied. Logging
        will be applied if one or more matching rule requires logging.
      - Otherwise, if any ALLOW/ALLOW_WITH_LOG rule matches, permission is
        granted. Logging will be applied if one or more matching rule
        requires logging.
      - Otherwise, if no rule applies, permission is denied.
    version: Version of the `Policy`. The default version is 0.
  """

  auditConfigs = _messages.MessageField('AuditConfig', 1, repeated=True)
  bindings = _messages.MessageField('Binding', 2, repeated=True)
  # Review note: the field is optional here, and an absent etag makes
  # `setIamPolicy` replace the stored policy unconditionally. Automation
  # that edits policies should always carry the etag it read, otherwise a
  # concurrent change (including a revocation) can be silently undone.
  etag = _messages.BytesField(3)
  iamOwned = _messages.BooleanField(4)
  # Evaluation order per the docs: deny wins over allow, and the absence of
  # any matching rule also denies.
  rules = _messages.MessageField('Rule', 5, repeated=True)
  version = _messages.IntegerField(6, variant=_messages.Variant.INT32)
    596 
    597 
class PolicyDetail(_messages.Message):
  """Pairs a policy with its full resource path.

  Fields:
    fullResourcePath: The full resource path of the policy e.g.,
      `//dataflow.googleapis.com/projects/../jobs/..`. Note that a resource
      and its inherited resource have different `full_resource_path`.
    policy: The policy of a `resource/project/folder`.
  """

  # The path tells which level of the hierarchy `policy` is attached to.
  fullResourcePath = _messages.StringField(1)
  policy = _messages.MessageField('Policy', 2)
    610 
    611 
class QueryGrantableRolesRequest(_messages.Message):
  """Request for the roles that can be granted on a resource.

  Fields:
    fullResourceName: Required. The full resource name to query from the list
      of grantable roles. The name follows the Google Cloud Platform resource
      format. For example, a Cloud Platform project with id `my-project` will
      be named `//cloudresourcemanager.googleapis.com/projects/my-project`.
  """

  # Documented as required, but declared without required=True.
  fullResourceName = _messages.StringField(1)
    623 
    624 
class QueryGrantableRolesResponse(_messages.Message):
  """Response to a grantable role query.

  Fields:
    roles: The list of matching roles.
  """

  # Repeated Role messages, one per matching role.
  roles = _messages.MessageField('Role', 1, repeated=True)
    633 
    634 
class Role(_messages.Message):
  """A role in the Identity and Access Management API.

  Fields:
    apiTokens: A string attribute.
    description: Optional. A human-readable description for the role.
    name: The name of the role. Examples of role names are: `roles/editor`,
      `roles/viewer` and `roles/logging.viewer`.
    title: Optional. A human-readable title for the role. Typically this is
      limited to 100 UTF-8 bytes.
  """

  # NOTE(review): the generated docs give no meaning for `apiTokens`; do
  # not infer one from the name.
  apiTokens = _messages.StringField(1, repeated=True)
  description = _messages.StringField(2)
  name = _messages.StringField(3)
  # The 100-byte limit is described as typical; nothing here enforces it.
  title = _messages.StringField(4)
    651 
    652 
class Rule(_messages.Message):
  """A rule to be applied in a Policy.

  Enums:
    ActionValueValuesEnum: Required

  Fields:
    action: Required
    conditions: Additional restrictions that must be met
    description: Human-readable description of the rule.
    in_: If one or more 'in' clauses are specified, the rule matches if the
      PRINCIPAL/AUTHORITY_SELECTOR is in at least one of these entries.
    logConfig: The config returned to callers of tech.iam.IAM.CheckPolicy for
      any entries that match the LOG action.
    notIn: If one or more 'not_in' clauses are specified, the rule matches if
      the PRINCIPAL/AUTHORITY_SELECTOR is in none of the entries. The format
      for in and not_in entries is the same as for members in a Binding (see
      google/iam/v1/policy.proto).
    permissions: A permission is a string of form '<service>.<resource
      type>.<verb>' (e.g., 'storage.buckets.list'). A value of '*' matches
      all permissions, and a verb part of '*' (e.g., 'storage.buckets.*')
      matches all verbs.
  """

  class ActionValueValuesEnum(_messages.Enum):
    """Required

    Values:
      NO_ACTION: Default no action.
      ALLOW: Matching 'Entries' grant access.
      ALLOW_WITH_LOG: Matching 'Entries' grant access and the caller promises
        to log the request per the returned log_configs.
      DENY: Matching 'Entries' deny access.
      DENY_WITH_LOG: Matching 'Entries' deny access and the caller promises
        to log the request per the returned log_configs.
      LOG: Matching 'Entries' tell IAM.Check callers to generate logs.
    """
    NO_ACTION = 0
    ALLOW = 1
    # For the *_WITH_LOG actions the log is a promise made by the caller,
    # per the descriptions above; the log line is not produced by the rule.
    ALLOW_WITH_LOG = 2
    DENY = 3
    DENY_WITH_LOG = 4
    LOG = 5

  # Documented as required, but declared without required=True.
  action = _messages.EnumField('ActionValueValuesEnum', 1)
  conditions = _messages.MessageField('Condition', 2, repeated=True)
  description = _messages.StringField(3)
  # Trailing underscore because `in` is a Python keyword.
  in_ = _messages.StringField(4, repeated=True)
  logConfig = _messages.MessageField('LogConfig', 5, repeated=True)
  notIn = _messages.StringField(6, repeated=True)
  # Review note: '*' and '<service>.<resource type>.*' widen an ALLOW rule
  # to permissions that may be added later; prefer explicit permission
  # strings and review any wildcard entry.
  permissions = _messages.StringField(7, repeated=True)
    704 
    705 
class ServiceAccount(_messages.Message):
  """A service account in the Identity and Access Management API.  To create a
  service account, specify the `project_id` and the `account_id` for the
  account.  The `account_id` is unique within the project, and is used to
  generate the service account email address and a stable `unique_id`.  All
  other methods can identify the service account using the format
  `projects/{project}/serviceAccounts/{account}`. Using `-` as a wildcard for
  the project will infer the project from the account. The `account` value can
  be the `email` address or the `unique_id` of the service account.

  Review notes: the fields marked @OutputOnly are described as populated by
  the service; this class declares them as ordinary fields and does not
  itself prevent a client from setting them.  `uniqueId` is the field
  documented as "unique and stable", which makes it the natural key when
  correlating audit records for one account.

  Fields:
    description: Optional. A user-specified opaque description of the service
      account.
    displayName: Optional. A user-specified description of the service
      account.  Must be fewer than 100 UTF-8 bytes.
    email: @OutputOnly The email address of the service account.
    etag: Used to perform a consistent read-modify-write.
    name: The resource name of the service account in the following format:
      `projects/{project}/serviceAccounts/{account}`.  Requests using `-` as a
      wildcard for the project will infer the project from the `account` and
      the `account` value can be the `email` address or the `unique_id` of the
      service account.  In responses the resource name will always be in the
      format `projects/{project}/serviceAccounts/{email}`.
    oauth2ClientId: @OutputOnly. The OAuth2 client id for the service account.
      This is used in conjunction with the OAuth2 clientconfig API to make
      three legged OAuth2 (3LO) flows to access the data of Google users.
    projectId: @OutputOnly The id of the project that owns the service
      account.
    uniqueId: @OutputOnly The unique and stable id of the service account.
  """

  description = _messages.StringField(1)
  # The 100-byte limit from the docstring is not checked by this class.
  displayName = _messages.StringField(2)
  email = _messages.StringField(3)
  # Opaque bytes; send back the value obtained from the read so that an
  # update is applied to the version that was actually inspected.
  etag = _messages.BytesField(4)
  name = _messages.StringField(5)
  oauth2ClientId = _messages.StringField(6)
  projectId = _messages.StringField(7)
  uniqueId = _messages.StringField(8)
    745 
    746 
class ServiceAccountKey(_messages.Message):
  """Represents a service account key.  A service account has two sets of key-
  pairs: user-managed, and system-managed.  User-managed key-pairs can be
  created and deleted by users.  Users are responsible for rotating these keys
  periodically to ensure security of their service accounts.  Users retain the
  private key of these key-pairs, and Google retains ONLY the public key.
  System-managed key-pairs are managed automatically by Google, and rotated
  daily without user intervention.  The private key never leaves Google's
  servers to maximize security.  Public keys for all service accounts are also
  published at the OAuth2 Service Account API.

  Handling notes: an instance returned by `CreateServiceAccountKey` carries
  the private key in `privateKeyData`, and per the text above that response
  is the only time it is provided.  Treat such an instance as a secret: do
  not log, print or serialise it wholesale, and store the key material in a
  secret store rather than alongside source or configuration.

  Enums:
    PrivateKeyTypeValueValuesEnum: The output format for the private key. Only
      provided in `CreateServiceAccountKey` responses, not in
      `GetServiceAccountKey` or `ListServiceAccountKey` responses.  Google
      never exposes system-managed private keys, and never retains user-
      managed private keys.

  Fields:
    name: The resource name of the service account key in the following format
      `projects/{project}/serviceAccounts/{account}/keys/{key}`.
    privateKeyData: The private key data. Only provided in
      `CreateServiceAccountKey` responses.
    privateKeyType: The output format for the private key. Only provided in
      `CreateServiceAccountKey` responses, not in `GetServiceAccountKey` or
      `ListServiceAccountKey` responses.  Google never exposes system-managed
      private keys, and never retains user-managed private keys.
    publicKeyData: The public key data. Only provided in
      `GetServiceAccountKey` responses.
    validAfterTime: The key can be used after this timestamp.
    validBeforeTime: The key can be used before this timestamp.
  """

  class PrivateKeyTypeValueValuesEnum(_messages.Enum):
    """The output format for the private key. Only provided in
    `CreateServiceAccountKey` responses, not in `GetServiceAccountKey` or
    `ListServiceAccountKey` responses.  Google never exposes system-managed
    private keys, and never retains user-managed private keys.

    Values:
      TYPE_UNSPECIFIED: Unspecified. Equivalent to
        `TYPE_GOOGLE_CREDENTIALS_FILE`.
      TYPE_PKCS12_FILE: PKCS12 format. The password for the PKCS12 file is
        `notasecret`. For more information, see
        https://tools.ietf.org/html/rfc7292.
      TYPE_GOOGLE_CREDENTIALS_FILE: Google Credentials File format.
    """
    TYPE_UNSPECIFIED = 0
    # The PKCS12 password is a fixed, published string, so the container adds
    # no confidentiality: protect the file exactly like an unencrypted
    # private key (restrictive file permissions, secret storage).
    TYPE_PKCS12_FILE = 1
    TYPE_GOOGLE_CREDENTIALS_FILE = 2

  name = _messages.StringField(1)
  # Secret key material (raw bytes); see the handling notes in the class
  # docstring.
  privateKeyData = _messages.BytesField(2)
  privateKeyType = _messages.EnumField('PrivateKeyTypeValueValuesEnum', 3)
  publicKeyData = _messages.BytesField(4)
  # Validity bounds are carried as strings; the timestamp format is not
  # stated in this file, so parse them before comparing (TODO confirm the
  # format against the API reference).
  validAfterTime = _messages.StringField(5)
  validBeforeTime = _messages.StringField(6)
    804 
    805 
class SetIamPolicyRequest(_messages.Message):
  """Request message for `SetIamPolicy` method.

  Review note: `policy` is the complete policy for the resource, not a
  delta, so anything omitted from it is no longer part of the policy once
  the request is applied.  Build the request from a freshly read policy
  rather than from scratch.

  Fields:
    policy: REQUIRED: The complete policy to be applied to the `resource`. The
      size of the policy is limited to a few 10s of KB. An empty policy is a
      valid policy but certain Cloud Platform services (such as Projects)
      might reject them.
  """

  # 'Policy' is resolved by name; the class is defined elsewhere in this
  # module.  "REQUIRED" is documentation only, the field is not declared
  # with a required flag here.
  policy = _messages.MessageField('Policy', 1)
    817 
    818 
class SignBlobRequest(_messages.Message):
  """The service account sign blob request.

  Review note: the request carries arbitrary bytes and this class places no
  constraint on their content.  The resulting signature is made with the
  service account's key, so permission to call the signing method should be
  granted and audited as carefully as permission to create keys.

  Fields:
    bytesToSign: The bytes to sign.
  """

  bytesToSign = _messages.BytesField(1)
    827 
    828 
class SignBlobResponse(_messages.Message):
  """The service account sign blob response.

  Fields:
    keyId: The id of the key used to sign the blob.
    signature: The signed blob.
  """

  # Record keyId with the signature: a verifier needs it to choose the
  # matching public key.
  keyId = _messages.StringField(1)
  signature = _messages.BytesField(2)
    839 
    840 
class SignJwtRequest(_messages.Message):
  """The service account sign JWT request.

  Review note: `payload` is an unvalidated string here; this class does not
  check that it is well-formed JSON or which claims it contains.  Callers
  should set the claim set deliberately (for example a short expiry and a
  specific audience), since the signed result is usable by whoever holds it.

  Fields:
    payload: The JWT payload to sign, a JSON JWT Claim set.
  """

  payload = _messages.StringField(1)
    849 
    850 
class SignJwtResponse(_messages.Message):
  """The service account sign JWT response.

  Fields:
    keyId: The id of the key used to sign the JWT.
    signedJwt: The signed JWT.
  """

  keyId = _messages.StringField(1)
  # A signed JWT is typically presented as a bearer credential; keep it out
  # of logs and error messages.
  signedJwt = _messages.StringField(2)
    861 
    862 
class StandardQueryParameters(_messages.Message):
  """Query parameters accepted by all methods.

  Review note: `access_token`, `bearer_token`, `oauth_token` and `key` are
  credentials.  As query parameters they become part of the request URL, and
  URLs are commonly recorded in server, proxy and client logs.  Where the
  calling code has the choice, send the token in a request header instead
  and redact these parameters before logging a URL.

  Enums:
    FXgafvValueValuesEnum: V1 error format.
    AltValueValuesEnum: Data format for response.

  Fields:
    f__xgafv: V1 error format.
    access_token: OAuth access token.
    alt: Data format for response.
    bearer_token: OAuth bearer token.
    callback: JSONP
    fields: Selector specifying which fields to include in a partial response.
    key: API key. Your API key identifies your project and provides you with
      API access, quota, and reports. Required unless you provide an OAuth 2.0
      token.
    oauth_token: OAuth 2.0 token for the current user.
    pp: Pretty-print response.
    prettyPrint: Returns response with indentations and line breaks.
    quotaUser: Available to use for quota purposes for server-side
      applications. Can be any arbitrary string assigned to a user, but should
      not exceed 40 characters.
    trace: A tracing token of the form "token:<tokenid>" to include in api
      requests.
    uploadType: Legacy upload protocol for media (e.g. "media", "multipart").
    upload_protocol: Upload protocol for media (e.g. "raw", "multipart").
  """

  class AltValueValuesEnum(_messages.Enum):
    """Data format for response.

    Values:
      json: Responses with Content-Type of application/json
      media: Media download with context-dependent Content-Type
      proto: Responses with Content-Type of application/x-protobuf
    """
    json = 0
    media = 1
    proto = 2

  class FXgafvValueValuesEnum(_messages.Enum):
    """V1 error format.

    Values:
      _1: v1 error format
      _2: v2 error format
    """
    # A Python identifier cannot start with a digit; custom JSON enum
    # mappings at the end of this module translate these names to '1' and
    # '2'.
    _1 = 0
    _2 = 1

  # Serialised as '$.xgafv' through a custom JSON field mapping at the end
  # of this module.
  f__xgafv = _messages.EnumField('FXgafvValueValuesEnum', 1)
  access_token = _messages.StringField(2)  # credential, see class docstring
  alt = _messages.EnumField('AltValueValuesEnum', 3, default=u'json')
  bearer_token = _messages.StringField(4)  # credential, see class docstring
  callback = _messages.StringField(5)
  fields = _messages.StringField(6)
  key = _messages.StringField(7)  # credential, see class docstring
  oauth_token = _messages.StringField(8)  # credential, see class docstring
  pp = _messages.BooleanField(9, default=True)
  prettyPrint = _messages.BooleanField(10, default=True)
  # The 40-character guidance from the docstring is not enforced here.
  quotaUser = _messages.StringField(11)
  trace = _messages.StringField(12)
  uploadType = _messages.StringField(13)
  upload_protocol = _messages.StringField(14)
    928 
    929 
class TestIamPermissionsRequest(_messages.Message):
  """Request message for `TestIamPermissions` method.

  Fields:
    permissions: The set of permissions to check for the `resource`.
      Permissions with wildcards (such as '*' or 'storage.*') are not allowed.
      For more information see IAM Overview.
  """

  # Plain repeated strings: the no-wildcard rule from the docstring is not
  # checked by this class, so a wildcard entry is only rejected wherever the
  # request is validated.
  permissions = _messages.StringField(1, repeated=True)
    940 
    941 
class TestIamPermissionsResponse(_messages.Message):
  """Response message for `TestIamPermissions` method.

  Review note: the result describes what the caller was allowed at the time
  of the check.  It is suited to deciding what to offer in a client; it does
  not replace the authorization check performed on the actual operation.

  Fields:
    permissions: A subset of `TestIamPermissionsRequest.permissions` that the
      caller is allowed.
  """

  permissions = _messages.StringField(1, repeated=True)
    951 
    952 
# Custom JSON name mappings for attributes whose wire names are not valid
# Python identifiers.  Arguments are: the message or enum class, the Python
# name, the JSON name, and the package the mapping is registered under.

# Rule.in_ is serialised as 'in' ('in' is a Python keyword).
encoding.AddCustomJsonFieldMapping(
    Rule, 'in_', 'in',
    package=u'iam')
# StandardQueryParameters.f__xgafv is serialised as '$.xgafv'.
encoding.AddCustomJsonFieldMapping(
    StandardQueryParameters, 'f__xgafv', '$.xgafv',
    package=u'iam')
# The FXgafv enum values _1 and _2 are serialised as '1' and '2'.
encoding.AddCustomJsonEnumMapping(
    StandardQueryParameters.FXgafvValueValuesEnum, '_1', '1',
    package=u'iam')
encoding.AddCustomJsonEnumMapping(
    StandardQueryParameters.FXgafvValueValuesEnum, '_2', '2',
    package=u'iam')
    965