<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2em;
}

.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="iam_v1.html">Google Identity and Access Management (IAM) API</a> . <a href="iam_v1.projects.html">projects</a> .
<a href="iam_v1.projects.serviceAccounts.html">serviceAccounts</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="iam_v1.projects.serviceAccounts.keys.html">keys()</a></code>
</p>
<p class="firstline">Returns the keys Resource.</p>

<p class="toc_element">
  <code><a href="#create">create(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">Creates a ServiceAccount</p>
<p class="toc_element">
  <code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
<p class="firstline">Deletes a ServiceAccount.</p>
<p class="toc_element">
  <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
<p class="firstline">Gets a ServiceAccount.</p>
<p class="toc_element">
  <code><a href="#getIamPolicy">getIamPolicy(resource, x__xgafv=None)</a></code></p>
<p class="firstline">Returns the IAM access control policy for a</p>
<p class="toc_element">
  <code><a href="#list">list(name, pageToken=None, x__xgafv=None, pageSize=None)</a></code></p>
<p class="firstline">Lists ServiceAccounts for a project.</p>
<p class="toc_element">
  <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Sets the IAM access control policy for a</p>
<p class="toc_element">
  <code><a href="#signBlob">signBlob(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">Signs a blob using a service account's system-managed private key.</p>
<p class="toc_element">
  <code><a href="#signJwt">signJwt(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">Signs a JWT using a service account's system-managed private key.</p>
<p class="toc_element">
  <code><a href="#testIamPermissions">testIamPermissions(resource, body,
x__xgafv=None)</a></code></p>
<p class="firstline">Tests the specified permissions against the IAM access control policy</p>
<p class="toc_element">
  <code><a href="#update">update(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">Updates a ServiceAccount.</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="create">create(name, body, x__xgafv=None)</code>
  <pre>Creates a ServiceAccount
and returns it.

Args:
  name: string, Required. The resource name of the project associated with the service
    accounts, such as `projects/my-project-123`. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The service account create request.
    "serviceAccount": { # The ServiceAccount resource to create.
        # Currently, only the following values are user assignable:
        # `display_name`.
        #
        # A service account in the Identity and Access Management API.
        #
        # To create a service account, specify the `project_id` and the `account_id`
        # for the account. The `account_id` is unique within the project, and is used
        # to generate the service account email address and a stable
        # `unique_id`.
        #
        # If the account already exists, the account's resource name is returned
        # in util::Status's ResourceInfo.resource_name in the format of
        # projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}. The caller can
        # use the name in other methods to access the account.
        #
        # All other methods can identify the service account using the format
        # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
        # Using `-` as a wildcard for the project will infer the project from
        # the account. The `account` value can be the `email` address or the
        # `unique_id` of the service account.
      "oauth2ClientId": "A String", # @OutputOnly. The OAuth2 client id for the service account.
          # This is used in conjunction with the OAuth2 clientconfig API to make
          # three legged OAuth2 (3LO) flows to access the data of Google users.
      "displayName": "A String", # Optional. A user-specified description of the service account. Must be
          # fewer than 100 UTF-8 bytes.
      "name": "A String", # The resource name of the service account in the following format:
          # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
          #
          # Requests using `-` as a wildcard for the project will infer the project
          # from the `account` and the `account` value can be the `email` address or
          # the `unique_id` of the service account.
          #
          # In responses the resource name will always be in the format
          # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
      "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
      "etag": "A String", # Used to perform a consistent read-modify-write.
      "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
      "email": "A String", # @OutputOnly The email address of the service account.
    },
    "accountId": "A String", # Required. The account id that is used to generate the service account
        # email address and a stable unique id. It is unique within a project,
        # must be 6-30 characters long, and match the regular expression
        # `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A service account in the Identity and Access Management API.
        #
        # To create a service account, specify the `project_id` and the `account_id`
        # for the account. The `account_id` is unique within the project, and is used
        # to generate the service account email address and a stable
        # `unique_id`.
        #
        # If the account already exists, the account's resource name is returned
        # in util::Status's ResourceInfo.resource_name in the format of
        # projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}. The caller can
        # use the name in other methods to access the account.
        #
        # All other methods can identify the service account using the format
        # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
        # Using `-` as a wildcard for the project will infer the project from
        # the account. The `account` value can be the `email` address or the
        # `unique_id` of the service account.
      "oauth2ClientId": "A String", # @OutputOnly. The OAuth2 client id for the service account.
          # This is used in conjunction with the OAuth2 clientconfig API to make
          # three legged OAuth2 (3LO) flows to access the data of Google users.
      "displayName": "A String", # Optional. A user-specified description of the service account. Must be
          # fewer than 100 UTF-8 bytes.
      "name": "A String", # The resource name of the service account in the following format:
          # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
          #
          # Requests using `-` as a wildcard for the project will infer the project
          # from the `account` and the `account` value can be the `email` address or
          # the `unique_id` of the service account.
          #
          # In responses the resource name will always be in the format
          # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
      "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
      "etag": "A String", # Used to perform a consistent read-modify-write.
      "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
      "email": "A String", # @OutputOnly The email address of the service account.
    }</pre>
</div>

<div class="method">
    <code class="details" id="delete">delete(name, x__xgafv=None)</code>
  <pre>Deletes a ServiceAccount.

Args:
  name: string, The resource name of the service account in the following format:
    `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
    Using `-` as a wildcard for the project will infer the project from
    the account. The `account` value can be the `email` address or the
    `unique_id` of the service account. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A generic empty message that you can re-use to avoid defining duplicated
        # empty messages in your APIs. A typical example is to use it as the request
        # or the response type of an API method. For instance:
        #
        #     service Foo {
        #       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
        #     }
        #
        # The JSON representation for `Empty` is empty JSON object `{}`.
    }</pre>
</div>

<div class="method">
    <code class="details" id="get">get(name, x__xgafv=None)</code>
  <pre>Gets a ServiceAccount.

Args:
  name: string, The resource name of the service account in the following format:
    `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
    Using `-` as a wildcard for the project will infer the project from
    the account. The `account` value can be the `email` address or the
    `unique_id` of the service account. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A service account in the Identity and Access Management API.
        #
        # To create a service account, specify the `project_id` and the `account_id`
        # for the account. The `account_id` is unique within the project, and is used
        # to generate the service account email address and a stable
        # `unique_id`.
        #
        # If the account already exists, the account's resource name is returned
        # in util::Status's ResourceInfo.resource_name in the format of
        # projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}. The caller can
        # use the name in other methods to access the account.
        #
        # All other methods can identify the service account using the format
        # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
        # Using `-` as a wildcard for the project will infer the project from
        # the account. The `account` value can be the `email` address or the
        # `unique_id` of the service account.
      "oauth2ClientId": "A String", # @OutputOnly. The OAuth2 client id for the service account.
          # This is used in conjunction with the OAuth2 clientconfig API to make
          # three legged OAuth2 (3LO) flows to access the data of Google users.
      "displayName": "A String", # Optional. A user-specified description of the service account. Must be
          # fewer than 100 UTF-8 bytes.
      "name": "A String", # The resource name of the service account in the following format:
          # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
          #
          # Requests using `-` as a wildcard for the project will infer the project
          # from the `account` and the `account` value can be the `email` address or
          # the `unique_id` of the service account.
          #
          # In responses the resource name will always be in the format
          # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
      "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
      "etag": "A String", # Used to perform a consistent read-modify-write.
      "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
      "email": "A String", # @OutputOnly The email address of the service account.
    }</pre>
</div>

<div class="method">
    <code class="details" id="getIamPolicy">getIamPolicy(resource, x__xgafv=None)</code>
  <pre>Returns the IAM access control policy for a
ServiceAccount.

Args:
  resource: string, REQUIRED: The resource for which the policy is being requested.
    See the operation documentation for the appropriate value for this field. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam).
      "bindings": [ # Associates a list of `members` to a `role`.
          # Multiple `bindings` must not be specified for the same `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
              # Required
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com` or `joe@example.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: A Google Apps domain name that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "version": 42, # Version of the `Policy`. The default version is 0.
    }</pre>
</div>

<div class="method">
    <code class="details" id="list">list(name, pageToken=None, x__xgafv=None, pageSize=None)</code>
  <pre>Lists ServiceAccounts for a project.

Args:
  name: string, Required. The resource name of the project associated with the service
    accounts, such as `projects/my-project-123`. (required)
  pageToken: string, Optional pagination token returned in an earlier
    ListServiceAccountsResponse.next_page_token.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format
  pageSize: integer, Optional limit on the number of service accounts to include in the
    response. Further accounts can subsequently be obtained by including the
    ListServiceAccountsResponse.next_page_token
    in a subsequent request.

Returns:
  An object of the form:

    { # The service account list response.
      "nextPageToken": "A String", # To retrieve the next page of results, set
          # ListServiceAccountsRequest.page_token
          # to this value.
      "accounts": [ # The list of matching service accounts.
        { # A service account in the Identity and Access Management API.
            #
            # To create a service account, specify the `project_id` and the `account_id`
            # for the account. The `account_id` is unique within the project, and is used
            # to generate the service account email address and a stable
            # `unique_id`.
            #
            # If the account already exists, the account's resource name is returned
            # in util::Status's ResourceInfo.resource_name in the format of
            # projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}. The caller can
            # use the name in other methods to access the account.
            #
            # All other methods can identify the service account using the format
            # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
            # Using `-` as a wildcard for the project will infer the project from
            # the account. The `account` value can be the `email` address or the
            # `unique_id` of the service account.
          "oauth2ClientId": "A String", # @OutputOnly. The OAuth2 client id for the service account.
              # This is used in conjunction with the OAuth2 clientconfig API to make
              # three legged OAuth2 (3LO) flows to access the data of Google users.
          "displayName": "A String", # Optional. A user-specified description of the service account. Must be
              # fewer than 100 UTF-8 bytes.
          "name": "A String", # The resource name of the service account in the following format:
              # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
              #
              # Requests using `-` as a wildcard for the project will infer the project
              # from the `account` and the `account` value can be the `email` address or
              # the `unique_id` of the service account.
              #
              # In responses the resource name will always be in the format
              # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
          "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
          "etag": "A String", # Used to perform a consistent read-modify-write.
          "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
          "email": "A String", # @OutputOnly The email address of the service account.
        },
      ],
    }</pre>
</div>

<div class="method">
    <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
  <pre>Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page. Returns None if there are no more items in the collection.
    </pre>
</div>

<div class="method">
    <code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code>
  <pre>Sets the IAM access control policy for a
ServiceAccount.

Args:
  resource: string, REQUIRED: The resource for which the policy is being specified.
    See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `SetIamPolicy` method.
    "policy": { # REQUIRED: The complete policy to be applied to the `resource`. The size of
        # the policy is limited to a few 10s of KB. An empty policy is a
        # valid policy but certain Cloud Platform services (such as Projects)
        # might reject them.
        #
        # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam).
      "bindings": [ # Associates a list of `members` to a `role`.
          # Multiple `bindings` must not be specified for the same `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
              # Required
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com` or `joe@example.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: A Google Apps domain name that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "version": 42, # Version of the `Policy`. The default version is 0.
    },
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam).
      "bindings": [ # Associates a list of `members` to a `role`.
          # Multiple `bindings` must not be specified for the same `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
              # Required
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com` or `joe@example.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: A Google Apps domain name that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "version": 42, # Version of the `Policy`. The default version is 0.
    }</pre>
</div>

<div class="method">
    <code class="details" id="signBlob">signBlob(name, body, x__xgafv=None)</code>
  <pre>Signs a blob using a service account's system-managed private key.

Args:
  name: string, The resource name of the service account in the following format:
    `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
    Using `-` as a wildcard for the project will infer the project from
    the account. The `account` value can be the `email` address or the
    `unique_id` of the service account. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The service account sign blob request.
    "bytesToSign": "A String", # The bytes to sign.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The service account sign blob response.
      "keyId": "A String", # The id of the key used to sign the blob.
      "signature": "A String", # The signed blob.
    }</pre>
</div>

<div class="method">
    <code class="details" id="signJwt">signJwt(name, body, x__xgafv=None)</code>
  <pre>Signs a JWT using a service account's system-managed private key.

If no expiry time (`exp`) is provided in the `SignJwtRequest`, IAM sets
an expiry time of one hour by default. If you request an expiry time of
more than one hour, the request will fail.

Args:
  name: string, The resource name of the service account in the following format:
    `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
    Using `-` as a wildcard for the project will infer the project from
    the account. The `account` value can be the `email` address or the
    `unique_id` of the service account. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The service account sign JWT request.
    "payload": "A String", # The JWT payload to sign, a JSON JWT Claim set.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The service account sign JWT response.
      "keyId": "A String", # The id of the key used to sign the JWT.
      "signedJwt": "A String", # The signed JWT.
    }</pre>
</div>

<div class="method">
    <code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code>
  <pre>Tests the specified permissions against the IAM access control policy
for a ServiceAccount.

Args:
  resource: string, REQUIRED: The resource for which the policy detail is being requested.
    See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `TestIamPermissions` method.
    "permissions": [ # The set of permissions to check for the `resource`. Permissions with
        # wildcards (such as '*' or 'storage.*') are not allowed. For more
        # information see
        # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for `TestIamPermissions` method.
      "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
          # allowed.
        "A String",
      ],
    }</pre>
</div>

<div class="method">
    <code class="details" id="update">update(name, body, x__xgafv=None)</code>
  <pre>Updates a ServiceAccount.

Currently, only the following fields are updatable:
`display_name`.
The `etag` is mandatory.

Args:
  name: string, The resource name of the service account in the following format:
    `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.

    Requests using `-` as a wildcard for the project will infer the project
    from the `account` and the `account` value can be the `email` address or
    the `unique_id` of the service account.

    In responses the resource name will always be in the format
    `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`. (required)
  body: object, The request body. (required)
    The object takes the form of:

    { # A service account in the Identity and Access Management API.
        #
        # To create a service account, specify the `project_id` and the `account_id`
        # for the account. The `account_id` is unique within the project, and is used
        # to generate the service account email address and a stable
        # `unique_id`.
        #
        # If the account already exists, the account's resource name is returned
        # in util::Status's ResourceInfo.resource_name in the format of
        # projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}. The caller can
        # use the name in other methods to access the account.
        #
        # All other methods can identify the service account using the format
        # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
        # Using `-` as a wildcard for the project will infer the project from
        # the account. The `account` value can be the `email` address or the
        # `unique_id` of the service account.
      "oauth2ClientId": "A String", # @OutputOnly. The OAuth2 client id for the service account.
          # This is used in conjunction with the OAuth2 clientconfig API to make
          # three legged OAuth2 (3LO) flows to access the data of Google users.
      "displayName": "A String", # Optional. A user-specified description of the service account. Must be
          # fewer than 100 UTF-8 bytes.
      "name": "A String", # The resource name of the service account in the following format:
          # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
          #
          # Requests using `-` as a wildcard for the project will infer the project
          # from the `account` and the `account` value can be the `email` address or
          # the `unique_id` of the service account.
          #
          # In responses the resource name will always be in the format
          # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
      "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
      "etag": "A String", # Used to perform a consistent read-modify-write.
      "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
      "email": "A String", # @OutputOnly The email address of the service account.
    }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A service account in the Identity and Access Management API.
        #
        # To create a service account, specify the `project_id` and the `account_id`
        # for the account. The `account_id` is unique within the project, and is used
        # to generate the service account email address and a stable
        # `unique_id`.
        #
        # If the account already exists, the account's resource name is returned
        # in util::Status's ResourceInfo.resource_name in the format of
        # projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}. The caller can
        # use the name in other methods to access the account.
        #
        # All other methods can identify the service account using the format
        # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
        # Using `-` as a wildcard for the project will infer the project from
        # the account. The `account` value can be the `email` address or the
        # `unique_id` of the service account.
      "oauth2ClientId": "A String", # @OutputOnly. The OAuth2 client id for the service account.
          # This is used in conjunction with the OAuth2 clientconfig API to make
          # three legged OAuth2 (3LO) flows to access the data of Google users.
      "displayName": "A String", # Optional. A user-specified description of the service account. Must be
          # fewer than 100 UTF-8 bytes.
      "name": "A String", # The resource name of the service account in the following format:
          # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
          #
          # Requests using `-` as a wildcard for the project will infer the project
          # from the `account` and the `account` value can be the `email` address or
          # the `unique_id` of the service account.
          #
          # In responses the resource name will always be in the format
          # `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
      "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
      "etag": "A String", # Used to perform a consistent read-modify-write.
      "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
      "email": "A String", # @OutputOnly The email address of the service account.
    }</pre>
</div>

</body></html>
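The one-hour `exp` limit documented for `signJwt` above can be enforced before the request is sent, so an over-long token lifetime fails locally and every signed JWT carries an explicit expiry. This is an added example, not part of the generated reference: the helper names and `MAX_LIFETIME_S` are hypothetical, the `service` object is assumed to come from `googleapiclient.discovery.build("iam", "v1")`, and measuring `exp` against the local clock is an assumption.

```python
import json
import time

MAX_LIFETIME_S = 3600  # signJwt fails if the requested expiry is more than one hour away


def sa_resource_name(account, project="-"):
    """Build projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}.

    `account` is the email or unique_id; project "-" lets IAM infer the project.
    """
    if not account or "/" in account or "/" in project:
        raise ValueError("account and project must be single path segments")
    return f"projects/{project}/serviceAccounts/{account}"


def build_sign_jwt_body(claims, now=None, lifetime_s=MAX_LIFETIME_S):
    """Return a signJwt request body whose claim set has an explicit, bounded exp."""
    now = int(time.time()) if now is None else int(now)
    if not 0 < lifetime_s <= MAX_LIFETIME_S:
        raise ValueError("lifetime_s must be between 1 and 3600 seconds")
    payload = dict(claims)
    payload.setdefault("iat", now)
    payload.setdefault("exp", now + lifetime_s)
    # Client-side pre-check (assumption: measured against the local clock).
    if not now < payload["exp"] <= now + MAX_LIFETIME_S:
        raise ValueError("exp must be in the future and at most one hour away")
    # "payload" is a string field: the serialized JSON claim set.
    return {"payload": json.dumps(payload, sort_keys=True, separators=(",", ":"))}


def sign_jwt(service, account, claims, now=None):
    """Call signJwt and return (keyId, signedJwt).

    Assumption: `service` was built with googleapiclient.discovery.build("iam", "v1").
    """
    request = service.projects().serviceAccounts().signJwt(
        name=sa_resource_name(account),
        body=build_sign_jwt_body(claims, now=now),
    )
    response = request.execute()
    return response["keyId"], response["signedJwt"]
```

Logging the returned `keyId` next to the claims that were signed makes it possible to tie a token back to the system-managed key that produced it.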