1 // Copyright 2017 Google Inc.
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
7 // http://www.apache.org/licenses/LICENSE-2.0
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
17 package google.iam.admin.v1;
19 import "google/api/annotations.proto";
20 import "google/iam/v1/iam_policy.proto";
21 import "google/iam/v1/policy.proto";
22 import "google/protobuf/empty.proto";
23 import "google/protobuf/field_mask.proto";
24 import "google/protobuf/timestamp.proto";
26 option cc_enable_arenas = true;
27 option go_package = "google.golang.org/genproto/googleapis/iam/admin/v1;admin";
28 option java_multiple_files = true;
29 option java_outer_classname = "IamProto";
30 option java_package = "com.google.iam.admin.v1";
32 // Creates and manages service account objects.
34 // A service account is an account that belongs to your project instead
35 // of to an individual end user. It is used to authenticate calls
38 // To create a service account, specify the `project_id` and `account_id`
39 // for the account. The `account_id` is unique within the project, and used
40 // to generate the service account email address and a stable
43 // All other methods can identify accounts using the format
44 // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
45 // Using `-` as a wildcard for the project will infer the project from
46 // the account. The `account` value can be the `email` address or the
47 // `unique_id` of the service account.
49 // Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project.
50 rpc ListServiceAccounts(ListServiceAccountsRequest)
51 returns (ListServiceAccountsResponse) {
52 option (google.api.http) = {
53 get: "/v1/{name=projects/*}/serviceAccounts"
57 // Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
58 rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount) {
59 option (google.api.http) = {
60 get: "/v1/{name=projects/*/serviceAccounts/*}"
64 // Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]
66 rpc CreateServiceAccount(CreateServiceAccountRequest)
67 returns (ServiceAccount) {
68 option (google.api.http) = {
69 post: "/v1/{name=projects/*}/serviceAccounts"
74 // Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
76 // Currently, only the following fields are updatable:
78 // The `etag` is mandatory.
79 rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) {
80 option (google.api.http) = {
81 put: "/v1/{name=projects/*/serviceAccounts/*}"
86 // Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
87 rpc DeleteServiceAccount(DeleteServiceAccountRequest)
88 returns (google.protobuf.Empty) {
89 option (google.api.http) = {
90 delete: "/v1/{name=projects/*/serviceAccounts/*}"
94 // Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey].
95 rpc ListServiceAccountKeys(ListServiceAccountKeysRequest)
96 returns (ListServiceAccountKeysResponse) {
97 option (google.api.http) = {
98 get: "/v1/{name=projects/*/serviceAccounts/*}/keys"
102 // Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
104 rpc GetServiceAccountKey(GetServiceAccountKeyRequest)
105 returns (ServiceAccountKey) {
106 option (google.api.http) = {
107 get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
111 // Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
113 rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest)
114 returns (ServiceAccountKey) {
115 option (google.api.http) = {
116 post: "/v1/{name=projects/*/serviceAccounts/*}/keys"
121 // Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
122 rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest)
123 returns (google.protobuf.Empty) {
124 option (google.api.http) = {
125 delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}"
129 // Signs a blob using a service account's system-managed private key.
130 rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) {
131 option (google.api.http) = {
132 post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob"
137 // Signs a JWT using a service account's system-managed private key.
139 // If no expiry time (`exp`) is provided in the `SignJwtRequest`, IAM sets an
140 // expiry time of one hour by default. If you request an expiry time of
141 // more than one hour, the request will fail.
142 rpc SignJwt(SignJwtRequest) returns (SignJwtResponse) {
143 option (google.api.http) = {
144 post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt"
149 // Returns the IAM access control policy for a
150 // [ServiceAccount][google.iam.admin.v1.ServiceAccount].
151 rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest)
152 returns (google.iam.v1.Policy) {
153 option (google.api.http) = {
154 post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy"
159 // Sets the IAM access control policy for a
160 // [ServiceAccount][google.iam.admin.v1.ServiceAccount].
161 rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest)
162 returns (google.iam.v1.Policy) {
163 option (google.api.http) = {
164 post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy"
169 // Tests the specified permissions against the IAM access control policy
170 // for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
171 rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest)
172 returns (google.iam.v1.TestIamPermissionsResponse) {
173 option (google.api.http) = {
174 post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions"
179 // Queries roles that can be granted on a particular resource.
180 // A role is grantable if it can be used as the role in a binding for a policy
181 // for that resource.
182 rpc QueryGrantableRoles(QueryGrantableRolesRequest)
183 returns (QueryGrantableRolesResponse) {
184 option (google.api.http) = {
185 post: "/v1/roles:queryGrantableRoles"
190 // Lists the Roles defined on a resource.
191 rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) {
192 option (google.api.http) = {
197 // Gets a Role definition.
198 rpc GetRole(GetRoleRequest) returns (Role) {
199 option (google.api.http) = {
200 get: "/v1/{name=roles/*}"
204 // Creates a new Role.
205 rpc CreateRole(CreateRoleRequest) returns (Role) {
206 option (google.api.http) = {
207 post: "/v1/{parent=organizations/*}/roles"
212 // Updates a Role definition.
213 rpc UpdateRole(UpdateRoleRequest) returns (Role) {
214 option (google.api.http) = {
215 patch: "/v1/{name=organizations/*/roles/*}"
220 // Soft deletes a role. The role is suspended and cannot be used to create new
221 // IAM Policy Bindings.
222 // The Role will not be included in `ListRoles()` unless `show_deleted` is set
223 // in the `ListRolesRequest`. The Role contains the deleted boolean set.
224 // Existing Bindings remain, but are inactive. The Role can be undeleted
225 // within 7 days. After 7 days the Role is deleted and all Bindings associated
226 // with the role are removed.
227 rpc DeleteRole(DeleteRoleRequest) returns (Role) {
228 option (google.api.http) = {
229 delete: "/v1/{name=organizations/*/roles/*}"
233 // Undeletes a Role, restoring it to its previous state.
234 rpc UndeleteRole(UndeleteRoleRequest) returns (Role) {
235 option (google.api.http) = {
236 post: "/v1/{name=organizations/*/roles/*}:undelete"
241 // Lists the permissions testable on a resource.
242 // A permission is testable if it can be tested for an identity on a resource.
243 rpc QueryTestablePermissions(QueryTestablePermissionsRequest)
244 returns (QueryTestablePermissionsResponse) {
245 option (google.api.http) = {
246 post: "/v1/permissions:queryTestablePermissions"
252 // A service account in the Identity and Access Management API.
254 // To create a service account, specify the `project_id` and the `account_id`
255 // for the account. The `account_id` is unique within the project, and is used
256 // to generate the service account email address and a stable
259 // If the account already exists, the account's resource name is returned
260 // in util::Status's ResourceInfo.resource_name in the format of
261 // projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}. The caller can
262 // use the name in other methods to access the account.
264 // All other methods can identify the service account using the format
265 // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
266 // Using `-` as a wildcard for the project will infer the project from
267 // the account. The `account` value can be the `email` address or the
268 // `unique_id` of the service account.
269 message ServiceAccount {
270 // The resource name of the service account in the following format:
271 // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
273 // Requests using `-` as a wildcard for the project will infer the project
274 // from the `account` and the `account` value can be the `email` address or
275 // the `unique_id` of the service account.
277 // In responses the resource name will always be in the format
278 // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
281 // @OutputOnly The id of the project that owns the service account.
282 string project_id = 2;
284 // @OutputOnly The unique and stable id of the service account.
285 string unique_id = 4;
287 // @OutputOnly The email address of the service account.
290 // Optional. A user-specified description of the service account. Must be
291 // fewer than 100 UTF-8 bytes.
292 string display_name = 6;
294 // Used to perform a consistent read-modify-write.
297 // @OutputOnly The OAuth2 client id for the service account.
298 // This is used in conjunction with the OAuth2 clientconfig API to make
299 // three legged OAuth2 (3LO) flows to access the data of Google users.
300 string oauth2_client_id = 9;
303 // The service account create request.
304 message CreateServiceAccountRequest {
305 // Required. The resource name of the project associated with the service
306 // accounts, such as `projects/my-project-123`.
309 // Required. The account id that is used to generate the service account
310 // email address and a stable unique id. It is unique within a project,
311 // must be 6-30 characters long, and match the regular expression
312 // `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
313 string account_id = 2;
315 // The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to
316 // create. Currently, only the following values are user assignable:
318 ServiceAccount service_account = 3;
321 // The service account list request.
322 message ListServiceAccountsRequest {
323 // Required. The resource name of the project associated with the service
324 // accounts, such as `projects/my-project-123`.
327 // Optional limit on the number of service accounts to include in the
328 // response. Further accounts can subsequently be obtained by including the
329 // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token]
330 // in a subsequent request.
333 // Optional pagination token returned in an earlier
334 // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token].
335 string page_token = 3;
338 // The service account list response.
339 message ListServiceAccountsResponse {
340 // The list of matching service accounts.
341 repeated ServiceAccount accounts = 1;
343 // To retrieve the next page of results, set
344 // [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token]
346 string next_page_token = 2;
349 // The service account get request.
350 message GetServiceAccountRequest {
351 // The resource name of the service account in the following format:
352 // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
353 // Using `-` as a wildcard for the project will infer the project from
354 // the account. The `account` value can be the `email` address or the
355 // `unique_id` of the service account.
359 // The service account delete request.
360 message DeleteServiceAccountRequest {
361 // The resource name of the service account in the following format:
362 // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
363 // Using `-` as a wildcard for the project will infer the project from
364 // the account. The `account` value can be the `email` address or the
365 // `unique_id` of the service account.
369 // The service account keys list request.
370 message ListServiceAccountKeysRequest {
371 // `KeyType` filters to selectively retrieve certain varieties
374 // Unspecified key type. The presence of this in the
375 // message will immediately result in an error.
376 KEY_TYPE_UNSPECIFIED = 0;
378 // User-managed keys (managed and rotated by the user).
381 // System-managed keys (managed and rotated by Google).
385 // The resource name of the service account in the following format:
386 // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
388 // Using `-` as a wildcard for the project will infer the project from
389 // the account. The `account` value can be the `email` address or the
390 // `unique_id` of the service account.
393 // Filters the types of keys the user wants to include in the list
394 // response. Duplicate key types are not allowed. If no key type
395 // is provided, all keys are returned.
396 repeated KeyType key_types = 2;
399 // The service account keys list response.
400 message ListServiceAccountKeysResponse {
401 // The public keys for the service account.
402 repeated ServiceAccountKey keys = 1;
405 // The service account key get by id request.
406 message GetServiceAccountKeyRequest {
407 // The resource name of the service account key in the following format:
408 // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`.
410 // Using `-` as a wildcard for the project will infer the project from
411 // the account. The `account` value can be the `email` address or the
412 // `unique_id` of the service account.
415 // The output format of the public key requested.
416 // X509_PEM is the default output format.
417 ServiceAccountPublicKeyType public_key_type = 2;
420 // Represents a service account key.
422 // A service account has two sets of key-pairs: user-managed, and
425 // User-managed key-pairs can be created and deleted by users. Users are
426 // responsible for rotating these keys periodically to ensure security of
427 // their service accounts. Users retain the private key of these key-pairs,
428 // and Google retains ONLY the public key.
430 // System-managed key-pairs are managed automatically by Google, and rotated
431 // daily without user intervention. The private key never leaves Google's
432 // servers to maximize security.
434 // Public keys for all service accounts are also published at the OAuth2
435 // Service Account API.
436 message ServiceAccountKey {
437 // The resource name of the service account key in the following format
438 // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`.
441 // The output format for the private key.
442 // Only provided in `CreateServiceAccountKey` responses, not
443 // in `GetServiceAccountKey` or `ListServiceAccountKeys` responses.
445 // Google never exposes system-managed private keys, and never retains
446 // user-managed private keys.
447 ServiceAccountPrivateKeyType private_key_type = 2;
449 // Specifies the algorithm (and possibly key size) for the key.
450 ServiceAccountKeyAlgorithm key_algorithm = 8;
452 // The private key data. Only provided in `CreateServiceAccountKey`
453 // responses. Make sure to keep the private key data secure because it
454 // allows for the assertion of the service account identity.
455 // When decoded, the private key data can be used to authenticate with
456 // Google API client libraries and with
457 // <a href="/sdk/gcloud/reference/auth/activate-service-account">gcloud
458 // auth activate-service-account</a>.
459 bytes private_key_data = 3;
461 // The public key data. Only provided in `GetServiceAccountKey` responses.
462 bytes public_key_data = 7;
464 // The key can be used after this timestamp.
465 google.protobuf.Timestamp valid_after_time = 4;
467 // The key can be used before this timestamp.
468 google.protobuf.Timestamp valid_before_time = 5;
471 // The service account key create request.
472 message CreateServiceAccountKeyRequest {
473 // The resource name of the service account in the following format:
474 // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
475 // Using `-` as a wildcard for the project will infer the project from
476 // the account. The `account` value can be the `email` address or the
477 // `unique_id` of the service account.
480 // The output format of the private key. `GOOGLE_CREDENTIALS_FILE` is the
481 // default output format.
482 ServiceAccountPrivateKeyType private_key_type = 2;
484 // Which type of key and algorithm to use for the key.
485 // The default is currently a 2K RSA key. However this may change in the
487 ServiceAccountKeyAlgorithm key_algorithm = 3;
490 // The service account key delete request.
491 message DeleteServiceAccountKeyRequest {
492 // The resource name of the service account key in the following format:
493 // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}/keys/{key}`.
494 // Using `-` as a wildcard for the project will infer the project from
495 // the account. The `account` value can be the `email` address or the
496 // `unique_id` of the service account.
500 // The service account sign blob request.
501 message SignBlobRequest {
502 // The resource name of the service account in the following format:
503 // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
504 // Using `-` as a wildcard for the project will infer the project from
505 // the account. The `account` value can be the `email` address or the
506 // `unique_id` of the service account.
509 // The bytes to sign.
510 bytes bytes_to_sign = 2;
513 // The service account sign blob response.
514 message SignBlobResponse {
515 // The id of the key used to sign the blob.
522 // The service account sign JWT request.
523 message SignJwtRequest {
524 // The resource name of the service account in the following format:
525 // `projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}`.
526 // Using `-` as a wildcard for the project will infer the project from
527 // the account. The `account` value can be the `email` address or the
528 // `unique_id` of the service account.
531 // The JWT payload to sign, a JSON JWT Claim set.
535 // The service account sign JWT response.
536 message SignJwtResponse {
537 // The id of the key used to sign the JWT.
541 string signed_jwt = 2;
544 // A role in the Identity and Access Management API.
546 // A stage representing a role's lifecycle phase.
547 enum RoleLaunchStage {
548 // The user has indicated this role is currently in an alpha phase.
551 // The user has indicated this role is currently in a beta phase.
554 // The user has indicated this role is generally available.
557 // The user has indicated this role is being deprecated.
560 // This role is disabled and will not contribute permissions to any members
561 // it is granted to in policies.
564 // The user has indicated this role is currently in an eap phase.
568 // The name of the role.
570 // When Role is used in CreateRole, the role name must not be set.
572 // When Role is used in output and other input such as UpdateRole, the role
573 // name is the complete path, e.g., roles/logging.viewer for curated roles
574 // and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles.
577 // Optional. A human-readable title for the role. Typically this
578 // is limited to 100 UTF-8 bytes.
581 // Optional. A human-readable description for the role.
582 string description = 3;
584 // The names of the permissions this role grants when bound in an IAM policy.
585 repeated string included_permissions = 7;
587 // The current launch stage of the role.
588 RoleLaunchStage stage = 8;
590 // Used to perform a consistent read-modify-write.
593 // The current deleted state of the role. This field is read only.
594 // It will be ignored in calls to CreateRole and UpdateRole.
598 // The grantable role query request.
599 message QueryGrantableRolesRequest {
600 // Required. The full resource name to query from the list of grantable roles.
602 // The name follows the Google Cloud Platform resource format.
603 // For example, a Cloud Platform project with id `my-project` will be named
604 // `//cloudresourcemanager.googleapis.com/projects/my-project`.
605 string full_resource_name = 1;
609 // Optional limit on the number of roles to include in the response.
612 // Optional pagination token returned in an earlier
613 // QueryGrantableRolesResponse.
614 string page_token = 4;
617 // The grantable role query response.
618 message QueryGrantableRolesResponse {
619 // The list of matching roles.
620 repeated Role roles = 1;
622 // To retrieve the next page of results, set
623 // `QueryGrantableRolesRequest.page_token` to this value.
624 string next_page_token = 2;
627 // The request to get all roles defined under a resource.
628 message ListRolesRequest {
629 // The resource name of the parent resource in one of the following formats:
630 // `` (empty string) -- this refers to curated roles.
631 // `organizations/{ORGANIZATION_ID}`
632 // `projects/{PROJECT_ID}`
635 // Optional limit on the number of roles to include in the response.
638 // Optional pagination token returned in an earlier ListRolesResponse.
639 string page_token = 3;
641 // Optional view for the returned Role objects.
644 // Include Roles that have been deleted.
645 bool show_deleted = 6;
648 // The response containing the roles defined under a resource.
649 message ListRolesResponse {
650 // The Roles defined on this resource.
651 repeated Role roles = 1;
653 // To retrieve the next page of results, set
654 // `ListRolesRequest.page_token` to this value.
655 string next_page_token = 2;
658 // The request to get the definition of an existing role.
659 message GetRoleRequest {
660 // The resource name of the role in one of the following formats:
661 // `roles/{ROLE_NAME}`
662 // `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}`
663 // `projects/{PROJECT_ID}/roles/{ROLE_NAME}`
667 // The request to create a new role.
668 message CreateRoleRequest {
669 // The resource name of the parent resource in one of the following formats:
670 // `organizations/{ORGANIZATION_ID}`
671 // `projects/{PROJECT_ID}`
674 // The role id to use for this role.
677 // The Role resource to create.
681 // The request to update a role.
682 message UpdateRoleRequest {
683 // The resource name of the role in one of the following formats:
684 // `roles/{ROLE_NAME}`
685 // `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}`
686 // `projects/{PROJECT_ID}/roles/{ROLE_NAME}`
692 // A mask describing which fields in the Role have changed.
693 google.protobuf.FieldMask update_mask = 3;
696 // The request to delete an existing role.
697 message DeleteRoleRequest {
698 // The resource name of the role in one of the following formats:
699 // `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}`
700 // `projects/{PROJECT_ID}/roles/{ROLE_NAME}`
703 // Used to perform a consistent read-modify-write.
707 // The request to undelete an existing role.
708 message UndeleteRoleRequest {
709 // The resource name of the role in one of the following formats:
710 // `organizations/{ORGANIZATION_ID}/roles/{ROLE_NAME}`
711 // `projects/{PROJECT_ID}/roles/{ROLE_NAME}`
714 // Used to perform a consistent read-modify-write.
718 // A permission which can be included by a role.
720 // A stage representing a permission's lifecycle phase.
721 enum PermissionLaunchStage {
722 // The permission is currently in an alpha phase.
725 // The permission is currently in a beta phase.
728 // The permission is generally available.
731 // The permission is being deprecated.
735 // The state of the permission with regards to custom roles.
736 enum CustomRolesSupportLevel {
737 // Permission is fully supported for custom role use.
740 // Permission is being tested to check custom role compatibility.
743 // Permission is not supported for custom role use.
747 // The name of this Permission.
750 // The title of this Permission.
753 // A brief description of what this Permission is used for.
754 string description = 3;
756 // This permission can ONLY be used in predefined roles.
757 bool only_in_predefined_roles = 4;
759 // The current launch stage of the permission.
760 PermissionLaunchStage stage = 5;
762 // The current custom role support level.
763 CustomRolesSupportLevel custom_roles_support_level = 6;
766 // A request to get permissions which can be tested on a resource.
767 message QueryTestablePermissionsRequest {
768 // Required. The full resource name to query from the list of testable
771 // The name follows the Google Cloud Platform resource format.
772 // For example, a Cloud Platform project with id `my-project` will be named
773 // `//cloudresourcemanager.googleapis.com/projects/my-project`.
774 string full_resource_name = 1;
776 // Optional limit on the number of permissions to include in the response.
779 // Optional pagination token returned in an earlier
780 // QueryTestablePermissionsResponse.
781 string page_token = 3;
784 // The response containing permissions which can be tested on a resource.
785 message QueryTestablePermissionsResponse {
786 // The Permissions testable on the requested resource.
787 repeated Permission permissions = 1;
789 // To retrieve the next page of results, set
790 // `QueryTestablePermissionsRequest.page_token` to this value.
791 string next_page_token = 2;
794 // Supported key algorithms.
795 enum ServiceAccountKeyAlgorithm {
796 // An unspecified key algorithm.
797 KEY_ALG_UNSPECIFIED = 0;
800 KEY_ALG_RSA_1024 = 1;
803 KEY_ALG_RSA_2048 = 2;
806 // Supported private key output formats.
807 enum ServiceAccountPrivateKeyType {
808 // Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`.
809 TYPE_UNSPECIFIED = 0;
812 // The password for the PKCS12 file is `notasecret` (a fixed, public value, so it provides no confidentiality; protect the file itself).
813 // For more information, see https://tools.ietf.org/html/rfc7292.
814 TYPE_PKCS12_FILE = 1;
816 // Google Credentials File format.
817 TYPE_GOOGLE_CREDENTIALS_FILE = 2;
820 // Supported public key output formats.
821 enum ServiceAccountPublicKeyType {
822 // Unspecified. Returns nothing here.
826 TYPE_X509_PEM_FILE = 1;
829 TYPE_RAW_PUBLIC_KEY = 2;
832 // A view for Role objects.
834 // Omits the `included_permissions` field.
835 // This is the default value.
838 // Returns all fields.