docs: update generated docs (#981)
diff --git a/docs/dyn/iam_v1.projects.serviceAccounts.html b/docs/dyn/iam_v1.projects.serviceAccounts.html
index e63522f..4303596 100644
--- a/docs/dyn/iam_v1.projects.serviceAccounts.html
+++ b/docs/dyn/iam_v1.projects.serviceAccounts.html
@@ -81,25 +81,25 @@
<p class="toc_element">
<code><a href="#create">create(name, body=None, x__xgafv=None)</a></code></p>
-<p class="firstline">Creates a ServiceAccount</p>
+<p class="firstline">Creates a ServiceAccount.</p>
<p class="toc_element">
<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
<p class="firstline">Deletes a ServiceAccount.</p>
<p class="toc_element">
<code><a href="#disable">disable(name, body=None, x__xgafv=None)</a></code></p>
-<p class="firstline">DisableServiceAccount is currently in the alpha launch stage.</p>
+<p class="firstline">Disables a ServiceAccount immediately.</p>
<p class="toc_element">
<code><a href="#enable">enable(name, body=None, x__xgafv=None)</a></code></p>
-<p class="firstline">EnableServiceAccount is currently in the alpha launch stage.</p>
+<p class="firstline">Enables a ServiceAccount that was disabled by</p>
<p class="toc_element">
<code><a href="#get">get(name, x__xgafv=None)</a></code></p>
<p class="firstline">Gets a ServiceAccount.</p>
<p class="toc_element">
<code><a href="#getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</a></code></p>
-<p class="firstline">Returns the Cloud IAM access control policy for a</p>
+<p class="firstline">Gets the IAM policy that is attached to a ServiceAccount. This IAM</p>
<p class="toc_element">
- <code><a href="#list">list(name, pageToken=None, pageSize=None, x__xgafv=None)</a></code></p>
-<p class="firstline">Lists ServiceAccounts for a project.</p>
+ <code><a href="#list">list(name, pageSize=None, pageToken=None, x__xgafv=None)</a></code></p>
+<p class="firstline">Lists every ServiceAccount that belongs to a specific project.</p>
<p class="toc_element">
<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
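Review bot: the first-line summaries for `enable` ("Enables a ServiceAccount that was disabled by") and `getIamPolicy` ("...attached to a ServiceAccount. This IAM") are cut mid-sentence because the generator takes only the first physical line of the upstream docstring; either wrap the leading sentence of those descriptions onto a single line or make the generator take the first sentence, so the table of contents reads completely. Also, `list` now documents `pageSize` before `pageToken`; harmless for keyword callers, but worth confirming the generator's parameter ordering is stable so it does not flip back on the next regeneration.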
@@ -108,27 +108,26 @@
<p class="firstline">Patches a ServiceAccount.</p>
<p class="toc_element">
<code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>
-<p class="firstline">Sets the Cloud IAM access control policy for a</p>
+<p class="firstline">Sets the IAM policy that is attached to a ServiceAccount.</p>
<p class="toc_element">
<code><a href="#signBlob">signBlob(name, body=None, x__xgafv=None)</a></code></p>
-<p class="firstline">**Note**: This method is in the process of being deprecated. Call the</p>
+<p class="firstline">**Note:** This method is deprecated and will stop working on July 1, 2021.</p>
<p class="toc_element">
<code><a href="#signJwt">signJwt(name, body=None, x__xgafv=None)</a></code></p>
-<p class="firstline">**Note**: This method is in the process of being deprecated. Call the</p>
+<p class="firstline">**Note:** This method is deprecated and will stop working on July 1, 2021.</p>
<p class="toc_element">
<code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>
-<p class="firstline">Tests the specified permissions against the IAM access control policy</p>
+<p class="firstline">Tests whether the caller has the specified permissions on a</p>
<p class="toc_element">
<code><a href="#undelete">undelete(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Restores a deleted ServiceAccount.</p>
<p class="toc_element">
<code><a href="#update">update(name, body=None, x__xgafv=None)</a></code></p>
-<p class="firstline">Note: This method is in the process of being deprecated. Use</p>
+<p class="firstline">**Note:** We are in the process of deprecating this method. Use</p>
<h3>Method Details</h3>
<div class="method">
<code class="details" id="create">create(name, body=None, x__xgafv=None)</code>
- <pre>Creates a ServiceAccount
-and returns it.
+ <pre>Creates a ServiceAccount.
Args:
name: string, Required. The resource name of the project associated with the service
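Review bot: the new `signBlob` and `signJwt` summaries state a hard end-of-service date (July 1, 2021) but, like the old "Call the" lines they replace, break off before naming the replacement; since the first line is all the table of contents shows, put the replacement method in that sentence so callers hitting the deprecation know where to migrate. The `update` summary ("We are in the process of deprecating this method. Use") has the same truncation.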
@@ -141,48 +140,54 @@
# email address and a stable unique id. It is unique within a project,
# must be 6-30 characters long, and match the regular expression
# `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
- "serviceAccount": { # A service account in the Identity and Access Management API. # The ServiceAccount resource to
+ "serviceAccount": { # An IAM service account. # The ServiceAccount resource to
# create. Currently, only the following values are user assignable:
# `display_name` and `description`.
- #
- # To create a service account, specify the `project_id` and the `account_id`
- # for the account. The `account_id` is unique within the project, and is used
- # to generate the service account email address and a stable
- # `unique_id`.
- #
- # If the account already exists, the account's resource name is returned
- # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
- # can use the name in other methods to access the account.
- #
- # All other methods can identify the service account using the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
- # the account. The `ACCOUNT` value can be the `email` address or the
- # `unique_id` of the service account.
- "email": "A String", # @OutputOnly The email address of the service account.
- "name": "A String", # The resource name of the service account in the following format:
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
#
- # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
- # project from the `account` and the `ACCOUNT` value can be the `email`
- # address or the `unique_id` of the service account.
+ # A service account is an account for an application or a virtual machine (VM)
+ # instance, not a person. You can use a service account to call Google APIs. To
+ # learn more, read the [overview of service
+ # accounts](https://cloud.google.com/iam/help/service-accounts/overview).
#
- # In responses the resource name will always be in the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
- "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
- # This is used in conjunction with the OAuth2 clientconfig API to make
- # three legged OAuth2 (3LO) flows to access the data of Google users.
- "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
- "description": "A String", # Optional. A user-specified opaque description of the service account.
- # Must be less than or equal to 256 UTF-8 bytes.
- "displayName": "A String", # Optional. A user-specified name for the service account.
- # Must be less than or equal to 100 UTF-8 bytes.
- "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
- # for backwards compatibility.
- "disabled": True or False, # @OutputOnly A bool indicate if the service account is disabled.
- # The field is currently in alpha phase.
- },
+ # When you create a service account, you specify the project ID that owns the
+ # service account, as well as a name that must be unique within the project.
+ # IAM uses these values to create an email address that identifies the service
+ # account.
+ "disabled": True or False, # Output only. Whether the service account is disabled.
+ "uniqueId": "A String", # Output only. The unique, stable numeric ID for the service account.
+ #
+ # Each service account retains its unique ID even if you delete the service
+ # account. For example, if you delete a service account, then create a new
+ # service account with the same name, the new service account has a different
+ # unique ID than the deleted service account.
+ "projectId": "A String", # Output only. The ID of the project that owns the service account.
+ "etag": "A String", # Deprecated. Do not use.
+ "email": "A String", # Output only. The email address of the service account.
+ "name": "A String", # The resource name of the service account.
+ #
+ # Use one of the following formats:
+ #
+ # * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
+ #
+ # As an alternative, you can use the `-` wildcard character instead of the
+ # project ID:
+ #
+ # * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/-/serviceAccounts/{UNIQUE_ID}`
+ #
+ # When possible, avoid using the `-` wildcard character, because it can cause
+ # response messages to contain misleading error codes. For example, if you
+ # try to get the service account
+ # `projects/-/serviceAccounts/fake@example.com`, which does not exist, the
+ # response contains an HTTP `403 Forbidden` error instead of a `404 Not
+ # Found` error.
+ "displayName": "A String", # Optional. A user-specified, human-readable name for the service account. The maximum
+ # length is 100 UTF-8 bytes.
+ "oauth2ClientId": "A String", # Output only. The OAuth 2.0 client ID for the service account.
+ "description": "A String", # Optional. A user-specified, human-readable description of the service account. The
+ # maximum length is 256 UTF-8 bytes.
+ },
}
x__xgafv: string, V1 error format.
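Review bot: the `-` wildcard caveat only calls the `403 Forbidden` response "misleading"; it should say plainly that with `projects/-/serviceAccounts/...` a caller cannot distinguish "no permission" from "does not exist", so any retry or error-classification logic keyed on 403 versus 404 has to use the explicit `projects/{PROJECT_ID}/...` form. Separately, the `oauth2ClientId` description lost the sentence explaining what the client ID is for (the removed "used in conjunction with the OAuth2 clientconfig API to make three legged OAuth2 (3LO) flows"); the one-liner "The OAuth 2.0 client ID for the service account." gives the reader no reason to care about the field.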
@@ -193,52 +198,72 @@
Returns:
An object of the form:
- { # A service account in the Identity and Access Management API.
- #
- # To create a service account, specify the `project_id` and the `account_id`
- # for the account. The `account_id` is unique within the project, and is used
- # to generate the service account email address and a stable
- # `unique_id`.
- #
- # If the account already exists, the account's resource name is returned
- # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
- # can use the name in other methods to access the account.
- #
- # All other methods can identify the service account using the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
- # the account. The `ACCOUNT` value can be the `email` address or the
- # `unique_id` of the service account.
- "email": "A String", # @OutputOnly The email address of the service account.
- "name": "A String", # The resource name of the service account in the following format:
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+ { # An IAM service account.
#
- # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
- # project from the `account` and the `ACCOUNT` value can be the `email`
- # address or the `unique_id` of the service account.
+ # A service account is an account for an application or a virtual machine (VM)
+ # instance, not a person. You can use a service account to call Google APIs. To
+ # learn more, read the [overview of service
+ # accounts](https://cloud.google.com/iam/help/service-accounts/overview).
#
- # In responses the resource name will always be in the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
- "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
- # This is used in conjunction with the OAuth2 clientconfig API to make
- # three legged OAuth2 (3LO) flows to access the data of Google users.
- "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
- "description": "A String", # Optional. A user-specified opaque description of the service account.
- # Must be less than or equal to 256 UTF-8 bytes.
- "displayName": "A String", # Optional. A user-specified name for the service account.
- # Must be less than or equal to 100 UTF-8 bytes.
- "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
- # for backwards compatibility.
- "disabled": True or False, # @OutputOnly A bool indicate if the service account is disabled.
- # The field is currently in alpha phase.
- }</pre>
+ # When you create a service account, you specify the project ID that owns the
+ # service account, as well as a name that must be unique within the project.
+ # IAM uses these values to create an email address that identifies the service
+ # account.
+ "disabled": True or False, # Output only. Whether the service account is disabled.
+ "uniqueId": "A String", # Output only. The unique, stable numeric ID for the service account.
+ #
+ # Each service account retains its unique ID even if you delete the service
+ # account. For example, if you delete a service account, then create a new
+ # service account with the same name, the new service account has a different
+ # unique ID than the deleted service account.
+ "projectId": "A String", # Output only. The ID of the project that owns the service account.
+ "etag": "A String", # Deprecated. Do not use.
+ "email": "A String", # Output only. The email address of the service account.
+ "name": "A String", # The resource name of the service account.
+ #
+ # Use one of the following formats:
+ #
+ # * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
+ #
+ # As an alternative, you can use the `-` wildcard character instead of the
+ # project ID:
+ #
+ # * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/-/serviceAccounts/{UNIQUE_ID}`
+ #
+ # When possible, avoid using the `-` wildcard character, because it can cause
+ # response messages to contain misleading error codes. For example, if you
+ # try to get the service account
+ # `projects/-/serviceAccounts/fake@example.com`, which does not exist, the
+ # response contains an HTTP `403 Forbidden` error instead of a `404 Not
+ # Found` error.
+ "displayName": "A String", # Optional. A user-specified, human-readable name for the service account. The maximum
+ # length is 100 UTF-8 bytes.
+ "oauth2ClientId": "A String", # Output only. The OAuth 2.0 client ID for the service account.
+ "description": "A String", # Optional. A user-specified, human-readable description of the service account. The
+ # maximum length is 256 UTF-8 bytes.
+ }</pre>
</div>
<div class="method">
<code class="details" id="delete">delete(name, x__xgafv=None)</code>
<pre>Deletes a ServiceAccount.
+**Warning:** After you delete a service account, you might not be able to
+undelete it. If you know that you need to re-enable the service account in
+the future, use DisableServiceAccount instead.
+
+If you delete a service account, IAM permanently removes the service
+account 30 days later. Google Cloud cannot recover the service account
+after it is permanently removed, even if you file a support request.
+
+To help avoid unplanned outages, we recommend that you disable the service
+account before you delete it. Use DisableServiceAccount to disable the
+service account, then wait at least 24 hours and watch for unintended
+consequences. If there are no unintended consequences, you can delete the
+service account.
+
Args:
name: string, Required. The resource name of the service account in the following format:
`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
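Review bot: the new `delete` warning ("you might not be able to undelete it", permanent removal after 30 days) is not reflected on `undelete`, whose summary still reads unconditionally "Restores a deleted ServiceAccount."; the same caveat and the 30-day window belong in the `undelete` description so the two methods do not contradict each other. The warning also refers to `DisableServiceAccount` by RPC name while this page exposes it as `disable`; a link to `#disable` would help readers of the generated page.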
@@ -267,24 +292,22 @@
<div class="method">
<code class="details" id="disable">disable(name, body=None, x__xgafv=None)</code>
- <pre>DisableServiceAccount is currently in the alpha launch stage.
+ <pre>Disables a ServiceAccount immediately.
-Disables a ServiceAccount,
-which immediately prevents the service account from authenticating and
-gaining access to APIs.
+If an application uses the service account to authenticate, that
+application can no longer call Google APIs or access Google Cloud
+resources. Existing access tokens for the service account are rejected, and
+requests for new access tokens will fail.
-Disabled service accounts can be safely restored by using
-EnableServiceAccount at any point. Deleted service accounts cannot be
-restored using this method.
+To re-enable the service account, use EnableServiceAccount. After you
+re-enable the service account, its existing access tokens will be accepted,
+and you can request new access tokens.
-Disabling a service account that is bound to VMs, Apps, Functions, or
-other jobs will cause those jobs to lose access to resources if they are
-using the disabled service account.
-
-To improve reliability of your services and avoid unexpected outages, it
-is recommended to first disable a service account rather than delete it.
-After disabling the service account, wait at least 24 hours to verify there
-are no unintended consequences, and then delete the service account.
+To help avoid unplanned outages, we recommend that you disable the service
+account before you delete it. Use this method to disable the service
+account, then wait at least 24 hours and watch for unintended consequences.
+If there are no unintended consequences, you can delete the service account
+with DeleteServiceAccount.
Args:
name: string, The resource name of the service account in the following format:
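Review bot: the rewritten `disable` text drops the concrete warning that VMs, Apps, Functions and other jobs bound to the account lose access (the removed "Disabling a service account that is bound to ..." paragraph); "If an application uses the service account to authenticate" covers it in principle, but the explicit list is what stops an operator disabling an account that a Compute Engine instance or Cloud Function runs as. Keep one concrete sentence. The new statement that "Existing access tokens for the service account are rejected" immediately is the property that matters for incident response and is a welcome addition.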
@@ -320,16 +343,14 @@
<div class="method">
<code class="details" id="enable">enable(name, body=None, x__xgafv=None)</code>
- <pre>EnableServiceAccount is currently in the alpha launch stage.
+ <pre>Enables a ServiceAccount that was disabled by
+DisableServiceAccount.
- Restores a disabled ServiceAccount
- that has been manually disabled by using DisableServiceAccount. Service
- accounts that have been disabled by other means or for other reasons,
- such as abuse, cannot be restored using this method.
+If the service account is already enabled, then this method has no effect.
- EnableServiceAccount will have no effect on a service account that is
- not disabled. Enabling an already enabled service account will have no
- effect.
+If the service account was disabled by other means—for example, if Google
+disabled the service account because it was compromised—you cannot use this
+method to enable the service account.
Args:
name: string, The resource name of the service account in the following format:
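Review bot: the new paragraph says `enable` cannot re-enable an account that Google disabled (for example for compromise), but does not say what the caller sees in that case; since the `disabled` field on the resource is a bare boolean, a caller cannot tell from `get` whether `enable` will succeed. Document the error returned, or how to distinguish an operator-disabled account from one disabled for abuse.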
@@ -381,64 +402,65 @@
Returns:
An object of the form:
- { # A service account in the Identity and Access Management API.
- #
- # To create a service account, specify the `project_id` and the `account_id`
- # for the account. The `account_id` is unique within the project, and is used
- # to generate the service account email address and a stable
- # `unique_id`.
- #
- # If the account already exists, the account's resource name is returned
- # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
- # can use the name in other methods to access the account.
- #
- # All other methods can identify the service account using the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
- # the account. The `ACCOUNT` value can be the `email` address or the
- # `unique_id` of the service account.
- "email": "A String", # @OutputOnly The email address of the service account.
- "name": "A String", # The resource name of the service account in the following format:
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+ { # An IAM service account.
#
- # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
- # project from the `account` and the `ACCOUNT` value can be the `email`
- # address or the `unique_id` of the service account.
+ # A service account is an account for an application or a virtual machine (VM)
+ # instance, not a person. You can use a service account to call Google APIs. To
+ # learn more, read the [overview of service
+ # accounts](https://cloud.google.com/iam/help/service-accounts/overview).
#
- # In responses the resource name will always be in the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
- "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
- # This is used in conjunction with the OAuth2 clientconfig API to make
- # three legged OAuth2 (3LO) flows to access the data of Google users.
- "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
- "description": "A String", # Optional. A user-specified opaque description of the service account.
- # Must be less than or equal to 256 UTF-8 bytes.
- "displayName": "A String", # Optional. A user-specified name for the service account.
- # Must be less than or equal to 100 UTF-8 bytes.
- "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
- # for backwards compatibility.
- "disabled": True or False, # @OutputOnly A bool indicate if the service account is disabled.
- # The field is currently in alpha phase.
- }</pre>
+ # When you create a service account, you specify the project ID that owns the
+ # service account, as well as a name that must be unique within the project.
+ # IAM uses these values to create an email address that identifies the service
+ # account.
+ "disabled": True or False, # Output only. Whether the service account is disabled.
+ "uniqueId": "A String", # Output only. The unique, stable numeric ID for the service account.
+ #
+ # Each service account retains its unique ID even if you delete the service
+ # account. For example, if you delete a service account, then create a new
+ # service account with the same name, the new service account has a different
+ # unique ID than the deleted service account.
+ "projectId": "A String", # Output only. The ID of the project that owns the service account.
+ "etag": "A String", # Deprecated. Do not use.
+ "email": "A String", # Output only. The email address of the service account.
+ "name": "A String", # The resource name of the service account.
+ #
+ # Use one of the following formats:
+ #
+ # * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
+ #
+ # As an alternative, you can use the `-` wildcard character instead of the
+ # project ID:
+ #
+ # * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/-/serviceAccounts/{UNIQUE_ID}`
+ #
+ # When possible, avoid using the `-` wildcard character, because it can cause
+ # response messages to contain misleading error codes. For example, if you
+ # try to get the service account
+ # `projects/-/serviceAccounts/fake@example.com`, which does not exist, the
+ # response contains an HTTP `403 Forbidden` error instead of a `404 Not
+ # Found` error.
+ "displayName": "A String", # Optional. A user-specified, human-readable name for the service account. The maximum
+ # length is 100 UTF-8 bytes.
+ "oauth2ClientId": "A String", # Output only. The OAuth 2.0 client ID for the service account.
+ "description": "A String", # Optional. A user-specified, human-readable description of the service account. The
+ # maximum length is 256 UTF-8 bytes.
+ }</pre>
</div>
<div class="method">
<code class="details" id="getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</code>
- <pre>Returns the Cloud IAM access control policy for a
-ServiceAccount.
+ <pre>Gets the IAM policy that is attached to a ServiceAccount. This IAM
+policy specifies which members have access to the service account.
-Note: Service accounts are both
-[resources and
-identities](/iam/docs/service-accounts#service_account_permissions). This
-method treats the service account as a resource. It returns the Cloud IAM
-policy that reflects what members have access to the service account.
-
-This method does not return what resources the service account has access
-to. To see if a service account has access to a resource, call the
-`getIamPolicy` method on the target resource. For example, to view grants
-for a project, call the
-[projects.getIamPolicy](/resource-manager/reference/rest/v1/projects/getIamPolicy)
+This method does not tell you whether the service account has been granted
+any roles on other resources. To check whether a service account has role
+grants on a resource, use the `getIamPolicy` method for that resource. For
+example, to view the role grants for a project, call the Resource Manager
+API's
+[`projects.getIamPolicy`](https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy)
method.
Args:
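Review bot: the rewritten `getIamPolicy` description removes the explicit statement that service accounts are both resources and identities (the deleted "Note: Service accounts are both [resources and identities]..." sentence); that distinction is exactly what the remaining paragraph relies on ("does not tell you whether the service account has been granted any roles on other resources"), and it is also why a grant on the service account itself is a grant to act as that identity. Keep the sentence, with the link updated to the cloud.google.com URL style used elsewhere in this hunk.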
@@ -452,6 +474,10 @@
Requests for policies with any conditional bindings must specify version 3.
Policies without any conditional bindings may specify any valid value or
leave the field unset.
+
+To learn which resources support conditions in their IAM policies, see the
+[IAM
+documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
@@ -470,10 +496,12 @@
# permissions; each `role` can be an IAM predefined role or a user-created
# custom role.
#
- # Optionally, a `binding` can specify a `condition`, which is a logical
- # expression that allows access to a resource only if the expression evaluates
- # to `true`. A condition can add constraints based on attributes of the
- # request, the resource, or both.
+ # For some types of Google Cloud resources, a `binding` can also specify a
+ # `condition`, which is a logical expression that allows access to a resource
+ # only if the expression evaluates to `true`. A condition can add constraints
+ # based on attributes of the request, the resource, or both. To learn which
+ # resources support conditions in their IAM policies, see the
+ # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
#
# **JSON example:**
#
@@ -490,7 +518,9 @@
# },
# {
# "role": "roles/resourcemanager.organizationViewer",
- # "members": ["user:eve@example.com"],
+ # "members": [
+ # "user:eve@example.com"
+ # ],
# "condition": {
# "title": "expirable access",
# "description": "Does not grant access after Sep 2020",
@@ -535,6 +565,91 @@
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# you to overwrite a version `3` policy with a version `1` policy, and all of
# the conditions in the version `3` policy are lost.
+ "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
+ { # Specifies the audit configuration for a service.
+ # The configuration determines which permission types are logged, and what
+ # identities, if any, are exempted from logging.
+ # An AuditConfig must have one or more AuditLogConfigs.
+ #
+ # If there are AuditConfigs for both `allServices` and a specific service,
+ # the union of the two AuditConfigs is used for that service: the log_types
+ # specified in each AuditConfig are enabled, and the exempted_members in each
+ # AuditLogConfig are exempted.
+ #
+ # Example Policy with multiple AuditConfigs:
+ #
+ # {
+ # "audit_configs": [
+ # {
+ # "service": "allServices",
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE"
+ # },
+ # {
+ # "log_type": "ADMIN_READ"
+ # }
+ # ]
+ # },
+ # {
+ # "service": "sampleservice.googleapis.com",
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ"
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # "exempted_members": [
+ # "user:aliya@example.com"
+ # ]
+ # }
+ # ]
+ # }
+ # ]
+ # }
+ #
+ # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
+ # logging. It also exempts jose@example.com from DATA_READ logging, and
+ # aliya@example.com from DATA_WRITE logging.
+ "auditLogConfigs": [ # The configuration for logging of each type of permission.
+ { # Provides the configuration for logging a type of permissions.
+ # Example:
+ #
+ # {
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE"
+ # }
+ # ]
+ # }
+ #
+ # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
+ # jose@example.com from DATA_READ logging.
+ "logType": "A String", # The log type that this config enables.
+ "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
+ # permission.
+ # Follows the same format of Binding.members.
+ "A String",
+ ],
+ },
+ ],
+ "service": "A String", # Specifies a service that will be enabled for audit logging.
+ # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+ # `allServices` is a special value that covers all services.
+ },
+ ],
"version": 42, # Specifies the format of the policy.
#
# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
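Review bot: the `auditConfigs` block moved up unchanged, but the union rule ("the exempted_members in each AuditLogConfig are exempted") deserves an explicit caution: an exemption under `allServices` removes that identity from `DATA_READ` logs for every service, including ones with their own stricter AuditConfig, so in the worked example the `jose@example.com` exemption applies to `sampleservice.googleapis.com` as well. A sentence stating that exemptions are cumulative rather than overridden by the per-service entry would keep audit blind spots from being introduced by accident.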
@@ -556,139 +671,13 @@
#
# If a policy does not include any conditions, operations on that policy may
# specify any valid version or leave the field unset.
- "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
- { # Specifies the audit configuration for a service.
- # The configuration determines which permission types are logged, and what
- # identities, if any, are exempted from logging.
- # An AuditConfig must have one or more AuditLogConfigs.
- #
- # If there are AuditConfigs for both `allServices` and a specific service,
- # the union of the two AuditConfigs is used for that service: the log_types
- # specified in each AuditConfig are enabled, and the exempted_members in each
- # AuditLogConfig are exempted.
- #
- # Example Policy with multiple AuditConfigs:
- #
- # {
- # "audit_configs": [
- # {
- # "service": "allServices"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # },
- # {
- # "log_type": "ADMIN_READ",
- # }
- # ]
- # },
- # {
- # "service": "sampleservice.googleapis.com"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # },
- # {
- # "log_type": "DATA_WRITE",
- # "exempted_members": [
- # "user:aliya@example.com"
- # ]
- # }
- # ]
- # }
- # ]
- # }
- #
- # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
- # logging. It also exempts jose@example.com from DATA_READ logging, and
- # aliya@example.com from DATA_WRITE logging.
- "service": "A String", # Specifies a service that will be enabled for audit logging.
- # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
- # `allServices` is a special value that covers all services.
- "auditLogConfigs": [ # The configuration for logging of each type of permission.
- { # Provides the configuration for logging a type of permissions.
- # Example:
- #
- # {
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # }
- # ]
- # }
- #
- # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
- # jose@example.com from DATA_READ logging.
- "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
- # permission.
- # Follows the same format of Binding.members.
- "A String",
- ],
- "logType": "A String", # The log type that this config enables.
- },
- ],
- },
- ],
+ #
+ # To learn which resources support conditions in their IAM policies, see the
+ # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
# `condition` that determines how and when the `bindings` are applied. Each
# of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
- "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
- # NOTE: An unsatisfied condition will not allow user access via current
- # binding. Different bindings, including their conditions, are examined
- # independently.
- # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
- # are documented at https://github.com/google/cel-spec.
- #
- # Example (Comparison):
- #
- # title: "Summary size limit"
- # description: "Determines if a summary is less than 100 chars"
- # expression: "document.summary.size() < 100"
- #
- # Example (Equality):
- #
- # title: "Requestor is owner"
- # description: "Determines if requestor is the document owner"
- # expression: "document.owner == request.auth.claims.email"
- #
- # Example (Logic):
- #
- # title: "Public documents"
- # description: "Determine whether the document should be publicly visible"
- # expression: "document.type != 'private' && document.type != 'internal'"
- #
- # Example (Data Manipulation):
- #
- # title: "Notification string"
- # description: "Create a notification string with a timestamp."
- # expression: "'New message received at ' + string(document.create_time)"
- #
- # The exact variables and functions that may be referenced within an expression
- # are determined by the service that evaluates it. See the service
- # documentation for additional information.
- "description": "A String", # Optional. Description of the expression. This is a longer text which
- # describes the expression, e.g. when hovered over it in a UI.
- "expression": "A String", # Textual representation of an expression in Common Expression Language
- # syntax.
- "title": "A String", # Optional. Title for the expression, i.e. a short string describing
- # its purpose. This can be used e.g. in UIs which allow to enter the
- # expression.
- "location": "A String", # Optional. String indicating the location of the expression for error
- # reporting, e.g. a file name and a position in the file.
- },
"members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
#
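Review bot: most of this hunk is field reordering rather than a wording change: the `condition` block removed here (from `"condition": { # Represents a textual expression in the Common Expression Language (CEL)` down to its closing `},`) and the `auditConfigs` block removed above it both reappear later in this diff with the same content, which inflates the diff and hides the actual text edits (the dropped `NOTE: An unsatisfied condition will not allow user access via current binding` and the three added lines linking to the conditions documentation). Suggest having the doc generator emit object fields in a stable, sorted order so that regenerated docs only diff where the upstream descriptions changed.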
@@ -736,24 +725,78 @@
],
"role": "A String", # Role that is assigned to `members`.
# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+ "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
+ #
+ # If the condition evaluates to `true`, then this binding applies to the
+ # current request.
+ #
+ # If the condition evaluates to `false`, then this binding does not apply to
+ # the current request. However, a different role binding might grant the same
+ # role to one or more of the members in this binding.
+ #
+ # To learn which resources support conditions in their IAM policies, see the
+ # [IAM
+ # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
+ # are documented at https://github.com/google/cel-spec.
+ #
+ # Example (Comparison):
+ #
+ # title: "Summary size limit"
+ # description: "Determines if a summary is less than 100 chars"
+ # expression: "document.summary.size() < 100"
+ #
+ # Example (Equality):
+ #
+ # title: "Requestor is owner"
+ # description: "Determines if requestor is the document owner"
+ # expression: "document.owner == request.auth.claims.email"
+ #
+ # Example (Logic):
+ #
+ # title: "Public documents"
+ # description: "Determine whether the document should be publicly visible"
+ # expression: "document.type != 'private' && document.type != 'internal'"
+ #
+ # Example (Data Manipulation):
+ #
+ # title: "Notification string"
+ # description: "Create a notification string with a timestamp."
+ # expression: "'New message received at ' + string(document.create_time)"
+ #
+ # The exact variables and functions that may be referenced within an expression
+ # are determined by the service that evaluates it. See the service
+ # documentation for additional information.
+ "description": "A String", # Optional. Description of the expression. This is a longer text which
+ # describes the expression, e.g. when hovered over it in a UI.
+ "location": "A String", # Optional. String indicating the location of the expression for error
+ # reporting, e.g. a file name and a position in the file.
+ "expression": "A String", # Textual representation of an expression in Common Expression Language
+ # syntax.
+ "title": "A String", # Optional. Title for the expression, i.e. a short string describing
+ # its purpose. This can be used e.g. in UIs which allow to enter the
+ # expression.
+ },
},
],
}</pre>
</div>
<div class="method">
- <code class="details" id="list">list(name, pageToken=None, pageSize=None, x__xgafv=None)</code>
- <pre>Lists ServiceAccounts for a project.
+ <code class="details" id="list">list(name, pageSize=None, pageToken=None, x__xgafv=None)</code>
+ <pre>Lists every ServiceAccount that belongs to a specific project.
Args:
name: string, Required. The resource name of the project associated with the service
accounts, such as `projects/my-project-123`. (required)
- pageToken: string, Optional pagination token returned in an earlier
-ListServiceAccountsResponse.next_page_token.
pageSize: integer, Optional limit on the number of service accounts to include in the
response. Further accounts can subsequently be obtained by including the
ListServiceAccountsResponse.next_page_token
in a subsequent request.
+
+The default is 20, and the maximum is 100.
+ pageToken: string, Optional pagination token returned in an earlier
+ListServiceAccountsResponse.next_page_token.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
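Review bot: the generated `condition` description is spliced mid-sentence. The type summary `Represents a textual expression in the Common Expression Language (CEL)` is interrupted by the field comment `# The condition that is associated with this binding.` and the new evaluation paragraphs, so the reader reaches `# syntax. CEL is a C-like expression language.` with "syntax." dangling after the IAM documentation link. The splice point should be after the first full sentence of the type description (or the field comment should be placed after the whole type description). Separately, the reordered `list` signature (`pageSize` before `pageToken`) and the added `The default is 20, and the maximum is 100.` are consistent between the TOC entry at the top of the page and the method details, so no action there.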
@@ -767,46 +810,52 @@
# ListServiceAccountsRequest.page_token
# to this value.
"accounts": [ # The list of matching service accounts.
- { # A service account in the Identity and Access Management API.
- #
- # To create a service account, specify the `project_id` and the `account_id`
- # for the account. The `account_id` is unique within the project, and is used
- # to generate the service account email address and a stable
- # `unique_id`.
- #
- # If the account already exists, the account's resource name is returned
- # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
- # can use the name in other methods to access the account.
- #
- # All other methods can identify the service account using the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
- # the account. The `ACCOUNT` value can be the `email` address or the
- # `unique_id` of the service account.
- "email": "A String", # @OutputOnly The email address of the service account.
- "name": "A String", # The resource name of the service account in the following format:
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+ { # An IAM service account.
#
- # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
- # project from the `account` and the `ACCOUNT` value can be the `email`
- # address or the `unique_id` of the service account.
+ # A service account is an account for an application or a virtual machine (VM)
+ # instance, not a person. You can use a service account to call Google APIs. To
+ # learn more, read the [overview of service
+ # accounts](https://cloud.google.com/iam/help/service-accounts/overview).
#
- # In responses the resource name will always be in the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
- "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
- # This is used in conjunction with the OAuth2 clientconfig API to make
- # three legged OAuth2 (3LO) flows to access the data of Google users.
- "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
- "description": "A String", # Optional. A user-specified opaque description of the service account.
- # Must be less than or equal to 256 UTF-8 bytes.
- "displayName": "A String", # Optional. A user-specified name for the service account.
- # Must be less than or equal to 100 UTF-8 bytes.
- "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
- # for backwards compatibility.
- "disabled": True or False, # @OutputOnly A bool indicate if the service account is disabled.
- # The field is currently in alpha phase.
- },
+ # When you create a service account, you specify the project ID that owns the
+ # service account, as well as a name that must be unique within the project.
+ # IAM uses these values to create an email address that identifies the service
+ # account.
+ "disabled": True or False, # Output only. Whether the service account is disabled.
+ "uniqueId": "A String", # Output only. The unique, stable numeric ID for the service account.
+ #
+ # Each service account retains its unique ID even if you delete the service
+ # account. For example, if you delete a service account, then create a new
+ # service account with the same name, the new service account has a different
+ # unique ID than the deleted service account.
+ "projectId": "A String", # Output only. The ID of the project that owns the service account.
+ "etag": "A String", # Deprecated. Do not use.
+ "email": "A String", # Output only. The email address of the service account.
+ "name": "A String", # The resource name of the service account.
+ #
+ # Use one of the following formats:
+ #
+ # * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
+ #
+ # As an alternative, you can use the `-` wildcard character instead of the
+ # project ID:
+ #
+ # * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/-/serviceAccounts/{UNIQUE_ID}`
+ #
+ # When possible, avoid using the `-` wildcard character, because it can cause
+ # response messages to contain misleading error codes. For example, if you
+ # try to get the service account
+ # `projects/-/serviceAccounts/fake@example.com`, which does not exist, the
+ # response contains an HTTP `403 Forbidden` error instead of a `404 Not
+ # Found` error.
+ "displayName": "A String", # Optional. A user-specified, human-readable name for the service account. The maximum
+ # length is 100 UTF-8 bytes.
+ "oauth2ClientId": "A String", # Output only. The OAuth 2.0 client ID for the service account.
+ "description": "A String", # Optional. A user-specified, human-readable description of the service account. The
+ # maximum length is 256 UTF-8 bytes.
+ },
],
}</pre>
</div>
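Review bot: the `name` field of the service account in the `list` response lost the one sentence that described response behaviour. The removed `# In responses the resource name will always be in the format` / `# \`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}\`.` is replaced by request-oriented guidance (`Use one of the following formats`, the `-` wildcard alternative and the `403 Forbidden` instead of `404 Not Found` caveat), which does not tell a caller reading a response which of the listed formats to expect back. Suggest keeping a line stating the format used in responses. Minor: the `oauth2ClientId` comment dropped its explanation of what the client ID is used for, leaving only `Output only. The OAuth 2.0 client ID for the service account.`; if that sentence was removed upstream on purpose, fine, otherwise worth restoring.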
@@ -829,68 +878,83 @@
<code class="details" id="patch">patch(name, body=None, x__xgafv=None)</code>
<pre>Patches a ServiceAccount.
-Currently, only the following fields are updatable:
-`display_name` and `description`.
-
-Only fields specified in the request are guaranteed to be returned in
-the response. Other fields in the response may be empty.
-
-Note: The field mask is required.
-
Args:
- name: string, The resource name of the service account in the following format:
-`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+ name: string, The resource name of the service account.
-Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
-project from the `account` and the `ACCOUNT` value can be the `email`
-address or the `unique_id` of the service account.
+Use one of the following formats:
-In responses the resource name will always be in the format
-`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. (required)
+* `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
+* `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
+
+As an alternative, you can use the `-` wildcard character instead of the
+project ID:
+
+* `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
+* `projects/-/serviceAccounts/{UNIQUE_ID}`
+
+When possible, avoid using the `-` wildcard character, because it can cause
+response messages to contain misleading error codes. For example, if you
+try to get the service account
+`projects/-/serviceAccounts/fake@example.com`, which does not exist, the
+response contains an HTTP `403 Forbidden` error instead of a `404 Not
+Found` error. (required)
body: object, The request body.
The object takes the form of:
-{ # The patch service account request.
- "serviceAccount": { # A service account in the Identity and Access Management API.
- #
- # To create a service account, specify the `project_id` and the `account_id`
- # for the account. The `account_id` is unique within the project, and is used
- # to generate the service account email address and a stable
- # `unique_id`.
- #
- # If the account already exists, the account's resource name is returned
- # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
- # can use the name in other methods to access the account.
- #
- # All other methods can identify the service account using the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
- # the account. The `ACCOUNT` value can be the `email` address or the
- # `unique_id` of the service account.
- "email": "A String", # @OutputOnly The email address of the service account.
- "name": "A String", # The resource name of the service account in the following format:
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+{ # The request for
+ # PatchServiceAccount.
+ #
+ # You can patch only the `display_name` and `description` fields. You must use
+ # the `update_mask` field to specify which of these fields you want to patch.
+ #
+ # Only the fields specified in the request are guaranteed to be returned in
+ # the response. Other fields may be empty in the response.
+ "serviceAccount": { # An IAM service account.
#
- # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
- # project from the `account` and the `ACCOUNT` value can be the `email`
- # address or the `unique_id` of the service account.
+ # A service account is an account for an application or a virtual machine (VM)
+ # instance, not a person. You can use a service account to call Google APIs. To
+ # learn more, read the [overview of service
+ # accounts](https://cloud.google.com/iam/help/service-accounts/overview).
#
- # In responses the resource name will always be in the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
- "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
- # This is used in conjunction with the OAuth2 clientconfig API to make
- # three legged OAuth2 (3LO) flows to access the data of Google users.
- "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
- "description": "A String", # Optional. A user-specified opaque description of the service account.
- # Must be less than or equal to 256 UTF-8 bytes.
- "displayName": "A String", # Optional. A user-specified name for the service account.
- # Must be less than or equal to 100 UTF-8 bytes.
- "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
- # for backwards compatibility.
- "disabled": True or False, # @OutputOnly A bool indicate if the service account is disabled.
- # The field is currently in alpha phase.
- },
+ # When you create a service account, you specify the project ID that owns the
+ # service account, as well as a name that must be unique within the project.
+ # IAM uses these values to create an email address that identifies the service
+ # account.
+ "disabled": True or False, # Output only. Whether the service account is disabled.
+ "uniqueId": "A String", # Output only. The unique, stable numeric ID for the service account.
+ #
+ # Each service account retains its unique ID even if you delete the service
+ # account. For example, if you delete a service account, then create a new
+ # service account with the same name, the new service account has a different
+ # unique ID than the deleted service account.
+ "projectId": "A String", # Output only. The ID of the project that owns the service account.
+ "etag": "A String", # Deprecated. Do not use.
+ "email": "A String", # Output only. The email address of the service account.
+ "name": "A String", # The resource name of the service account.
+ #
+ # Use one of the following formats:
+ #
+ # * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
+ #
+ # As an alternative, you can use the `-` wildcard character instead of the
+ # project ID:
+ #
+ # * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/-/serviceAccounts/{UNIQUE_ID}`
+ #
+ # When possible, avoid using the `-` wildcard character, because it can cause
+ # response messages to contain misleading error codes. For example, if you
+ # try to get the service account
+ # `projects/-/serviceAccounts/fake@example.com`, which does not exist, the
+ # response contains an HTTP `403 Forbidden` error instead of a `404 Not
+ # Found` error.
+ "displayName": "A String", # Optional. A user-specified, human-readable name for the service account. The maximum
+ # length is 100 UTF-8 bytes.
+ "oauth2ClientId": "A String", # Output only. The OAuth 2.0 client ID for the service account.
+ "description": "A String", # Optional. A user-specified, human-readable description of the service account. The
+ # maximum length is 256 UTF-8 bytes.
+ },
"updateMask": "A String",
}
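Review bot: `updateMask` is still the only field in the patch request body with no description (`"updateMask": "A String",` carries no comment), even though the new body comment says `You must use the \`update_mask\` field to specify which of these fields you want to patch.` and restricts patching to `display_name` and `description`. The removed method-summary lines (`Note: The field mask is required.`) were the only place that said it is required, so that requirement now lives solely in the object comment above the field. Suggest an inline comment on `updateMask` stating that it is required and naming the two patchable fields, so a reader scanning the field list does not miss it.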
@@ -902,66 +966,73 @@
Returns:
An object of the form:
- { # A service account in the Identity and Access Management API.
- #
- # To create a service account, specify the `project_id` and the `account_id`
- # for the account. The `account_id` is unique within the project, and is used
- # to generate the service account email address and a stable
- # `unique_id`.
- #
- # If the account already exists, the account's resource name is returned
- # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
- # can use the name in other methods to access the account.
- #
- # All other methods can identify the service account using the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
- # the account. The `ACCOUNT` value can be the `email` address or the
- # `unique_id` of the service account.
- "email": "A String", # @OutputOnly The email address of the service account.
- "name": "A String", # The resource name of the service account in the following format:
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+ { # An IAM service account.
#
- # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
- # project from the `account` and the `ACCOUNT` value can be the `email`
- # address or the `unique_id` of the service account.
+ # A service account is an account for an application or a virtual machine (VM)
+ # instance, not a person. You can use a service account to call Google APIs. To
+ # learn more, read the [overview of service
+ # accounts](https://cloud.google.com/iam/help/service-accounts/overview).
#
- # In responses the resource name will always be in the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
- "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
- # This is used in conjunction with the OAuth2 clientconfig API to make
- # three legged OAuth2 (3LO) flows to access the data of Google users.
- "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
- "description": "A String", # Optional. A user-specified opaque description of the service account.
- # Must be less than or equal to 256 UTF-8 bytes.
- "displayName": "A String", # Optional. A user-specified name for the service account.
- # Must be less than or equal to 100 UTF-8 bytes.
- "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
- # for backwards compatibility.
- "disabled": True or False, # @OutputOnly A bool indicate if the service account is disabled.
- # The field is currently in alpha phase.
- }</pre>
+ # When you create a service account, you specify the project ID that owns the
+ # service account, as well as a name that must be unique within the project.
+ # IAM uses these values to create an email address that identifies the service
+ # account.
+ "disabled": True or False, # Output only. Whether the service account is disabled.
+ "uniqueId": "A String", # Output only. The unique, stable numeric ID for the service account.
+ #
+ # Each service account retains its unique ID even if you delete the service
+ # account. For example, if you delete a service account, then create a new
+ # service account with the same name, the new service account has a different
+ # unique ID than the deleted service account.
+ "projectId": "A String", # Output only. The ID of the project that owns the service account.
+ "etag": "A String", # Deprecated. Do not use.
+ "email": "A String", # Output only. The email address of the service account.
+ "name": "A String", # The resource name of the service account.
+ #
+ # Use one of the following formats:
+ #
+ # * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
+ #
+ # As an alternative, you can use the `-` wildcard character instead of the
+ # project ID:
+ #
+ # * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/-/serviceAccounts/{UNIQUE_ID}`
+ #
+ # When possible, avoid using the `-` wildcard character, because it can cause
+ # response messages to contain misleading error codes. For example, if you
+ # try to get the service account
+ # `projects/-/serviceAccounts/fake@example.com`, which does not exist, the
+ # response contains an HTTP `403 Forbidden` error instead of a `404 Not
+ # Found` error.
+ "displayName": "A String", # Optional. A user-specified, human-readable name for the service account. The maximum
+ # length is 100 UTF-8 bytes.
+ "oauth2ClientId": "A String", # Output only. The OAuth 2.0 client ID for the service account.
+ "description": "A String", # Optional. A user-specified, human-readable description of the service account. The
+ # maximum length is 256 UTF-8 bytes.
+ }</pre>
</div>
<div class="method">
<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>
- <pre>Sets the Cloud IAM access control policy for a
-ServiceAccount.
+ <pre>Sets the IAM policy that is attached to a ServiceAccount.
-Note: Service accounts are both
-[resources and
-identities](/iam/docs/service-accounts#service_account_permissions). This
-method treats the service account as a resource. Use it to grant members
-access to the service account, such as when they need to impersonate it.
+Use this method to grant or revoke access to the service account. For
+example, you could grant a member the ability to impersonate the service
+account.
-This method does not grant the service account access to other resources,
-such as projects. To grant a service account access to resources, include
-the service account in the Cloud IAM policy for the desired resource, then
-call the appropriate `setIamPolicy` method on the target resource. For
-example, to grant a service account access to a project, call the
-[projects.setIamPolicy](/resource-manager/reference/rest/v1/projects/setIamPolicy)
-method.
+This method does not enable the service account to access other resources.
+To grant roles to a service account on a resource, follow these steps:
+
+1. Call the resource's `getIamPolicy` method to get its current IAM policy.
+2. Edit the policy so that it binds the service account to an IAM role for
+the resource.
+3. Call the resource's `setIamPolicy` method to update its IAM policy.
+
+For detailed instructions, see
+[Granting roles to a service account for specific
+resources](https://cloud.google.com/iam/help/service-accounts/granting-access-to-service-accounts).
Args:
resource: string, REQUIRED: The resource for which the policy is being specified.
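Review bot: the `setIamPolicy` summary drops the resource-versus-identity framing that explained why this method does not grant the service account access to anything else. The removed lines (`Note: Service accounts are both`, `[resources and identities]`, `This method treats the service account as a resource.`) are the one-sentence mental model; the replacement keeps the consequence (`This method does not enable the service account to access other resources.`) and a three-step read-modify-write procedure but not the reason. Suggest retaining a sentence that this method sets the policy on the service account as a resource, since confusing the two directions is exactly how over-broad grants (for example, giving impersonation rights when project access was intended) happen. Also note the concrete `projects.setIamPolicy` link was replaced with a generic `Granting roles to a service account for specific resources` link; both are fine, but the generic steps no longer name an example target method.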
@@ -983,10 +1054,12 @@
# permissions; each `role` can be an IAM predefined role or a user-created
# custom role.
#
- # Optionally, a `binding` can specify a `condition`, which is a logical
- # expression that allows access to a resource only if the expression evaluates
- # to `true`. A condition can add constraints based on attributes of the
- # request, the resource, or both.
+ # For some types of Google Cloud resources, a `binding` can also specify a
+ # `condition`, which is a logical expression that allows access to a resource
+ # only if the expression evaluates to `true`. A condition can add constraints
+ # based on attributes of the request, the resource, or both. To learn which
+ # resources support conditions in their IAM policies, see the
+ # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
#
# **JSON example:**
#
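Review bot: the new qualifier `For some types of Google Cloud resources, a \`binding\` can also specify a \`condition\`` leaves open whether the resource this `Policy` is attached to (a ServiceAccount, per the enclosing `setIamPolicy` method) is one of those types, and only points at the external IAM documentation. Since this docstring is rendered specifically on the service account page, a one-line statement of whether conditions are honoured here would save readers a lookup; if the generator cannot know, this is an upstream description issue rather than a problem with the regeneration.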
@@ -1003,7 +1076,9 @@
# },
# {
# "role": "roles/resourcemanager.organizationViewer",
- # "members": ["user:eve@example.com"],
+ # "members": [
+ # "user:eve@example.com"
+ # ],
# "condition": {
# "title": "expirable access",
# "description": "Does not grant access after Sep 2020",
@@ -1048,6 +1123,91 @@
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# you to overwrite a version `3` policy with a version `1` policy, and all of
# the conditions in the version `3` policy are lost.
+ "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
+ { # Specifies the audit configuration for a service.
+ # The configuration determines which permission types are logged, and what
+ # identities, if any, are exempted from logging.
+ # An AuditConfig must have one or more AuditLogConfigs.
+ #
+ # If there are AuditConfigs for both `allServices` and a specific service,
+ # the union of the two AuditConfigs is used for that service: the log_types
+ # specified in each AuditConfig are enabled, and the exempted_members in each
+ # AuditLogConfig are exempted.
+ #
+ # Example Policy with multiple AuditConfigs:
+ #
+ # {
+ # "audit_configs": [
+ # {
+ # "service": "allServices",
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE"
+ # },
+ # {
+ # "log_type": "ADMIN_READ"
+ # }
+ # ]
+ # },
+ # {
+ # "service": "sampleservice.googleapis.com",
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ"
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # "exempted_members": [
+ # "user:aliya@example.com"
+ # ]
+ # }
+ # ]
+ # }
+ # ]
+ # }
+ #
+ # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
+ # logging. It also exempts jose@example.com from DATA_READ logging, and
+ # aliya@example.com from DATA_WRITE logging.
+ "auditLogConfigs": [ # The configuration for logging of each type of permission.
+ { # Provides the configuration for logging a type of permissions.
+ # Example:
+ #
+ # {
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE"
+ # }
+ # ]
+ # }
+ #
+ # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
+ # jose@example.com from DATA_READ logging.
+ "logType": "A String", # The log type that this config enables.
+ "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
+ # permission.
+ # Follows the same format of Binding.members.
+ "A String",
+ ],
+ },
+ ],
+ "service": "A String", # Specifies a service that will be enabled for audit logging.
+ # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+ # `allServices` is a special value that covers all services.
+ },
+ ],
"version": 42, # Specifies the format of the policy.
#
# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
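Review bot: the union semantics described at `# If there are AuditConfigs for both \`allServices\` and a specific service,` / `# the union of the two AuditConfigs is used for that service` would benefit from an explicit consequence: a service-specific `AuditConfig` can only add log types and exemptions on top of what `allServices` enables, never narrow them, and an `exempted_members` entry in either config suppresses logging for that member. The worked example (`sampleservice.googleapis.com` ending up with DATA_READ, DATA_WRITE and ADMIN_READ, with jose@example.com and aliya@example.com exempted) shows this, but the prose does not state it, and it matters for anyone relying on audit logs for detection. Minor wording in `exemptedMembers`: `Follows the same format of Binding.members.` should read "the same format as". Positive: this relocated copy of the JSON example is valid JSON (comma after `"service": "allServices",`, no trailing commas after `"log_type": "DATA_WRITE"`), which the copy being removed further down was not.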
@@ -1069,139 +1229,13 @@
#
# If a policy does not include any conditions, operations on that policy may
# specify any valid version or leave the field unset.
- "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
- { # Specifies the audit configuration for a service.
- # The configuration determines which permission types are logged, and what
- # identities, if any, are exempted from logging.
- # An AuditConfig must have one or more AuditLogConfigs.
- #
- # If there are AuditConfigs for both `allServices` and a specific service,
- # the union of the two AuditConfigs is used for that service: the log_types
- # specified in each AuditConfig are enabled, and the exempted_members in each
- # AuditLogConfig are exempted.
- #
- # Example Policy with multiple AuditConfigs:
- #
- # {
- # "audit_configs": [
- # {
- # "service": "allServices"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # },
- # {
- # "log_type": "ADMIN_READ",
- # }
- # ]
- # },
- # {
- # "service": "sampleservice.googleapis.com"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # },
- # {
- # "log_type": "DATA_WRITE",
- # "exempted_members": [
- # "user:aliya@example.com"
- # ]
- # }
- # ]
- # }
- # ]
- # }
- #
- # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
- # logging. It also exempts jose@example.com from DATA_READ logging, and
- # aliya@example.com from DATA_WRITE logging.
- "service": "A String", # Specifies a service that will be enabled for audit logging.
- # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
- # `allServices` is a special value that covers all services.
- "auditLogConfigs": [ # The configuration for logging of each type of permission.
- { # Provides the configuration for logging a type of permissions.
- # Example:
- #
- # {
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # }
- # ]
- # }
- #
- # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
- # jose@example.com from DATA_READ logging.
- "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
- # permission.
- # Follows the same format of Binding.members.
- "A String",
- ],
- "logType": "A String", # The log type that this config enables.
- },
- ],
- },
- ],
+ #
+ # To learn which resources support conditions in their IAM policies, see the
+ # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
# `condition` that determines how and when the `bindings` are applied. Each
# of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
- "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
- # NOTE: An unsatisfied condition will not allow user access via current
- # binding. Different bindings, including their conditions, are examined
- # independently.
- # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
- # are documented at https://github.com/google/cel-spec.
- #
- # Example (Comparison):
- #
- # title: "Summary size limit"
- # description: "Determines if a summary is less than 100 chars"
- # expression: "document.summary.size() < 100"
- #
- # Example (Equality):
- #
- # title: "Requestor is owner"
- # description: "Determines if requestor is the document owner"
- # expression: "document.owner == request.auth.claims.email"
- #
- # Example (Logic):
- #
- # title: "Public documents"
- # description: "Determine whether the document should be publicly visible"
- # expression: "document.type != 'private' && document.type != 'internal'"
- #
- # Example (Data Manipulation):
- #
- # title: "Notification string"
- # description: "Create a notification string with a timestamp."
- # expression: "'New message received at ' + string(document.create_time)"
- #
- # The exact variables and functions that may be referenced within an expression
- # are determined by the service that evaluates it. See the service
- # documentation for additional information.
- "description": "A String", # Optional. Description of the expression. This is a longer text which
- # describes the expression, e.g. when hovered over it in a UI.
- "expression": "A String", # Textual representation of an expression in Common Expression Language
- # syntax.
- "title": "A String", # Optional. Title for the expression, i.e. a short string describing
- # its purpose. This can be used e.g. in UIs which allow to enter the
- # expression.
- "location": "A String", # Optional. String indicating the location of the expression for error
- # reporting, e.g. a file name and a position in the file.
- },
"members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
#
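Review bot: the deleted `condition` comment carried the explicit rule "An unsatisfied condition will not allow user access via current binding. Different bindings, including their conditions, are examined independently." The relocated block that replaces it after `role` (next hunk) rephrases this as the binding "does not apply to the current request" while "a different role binding might grant the same role to one or more of the members", which preserves the independent-evaluation semantics, so the move loses nothing. One thing to confirm: the three added lines "To learn which resources support conditions in their IAM policies ..." are appended to whatever field comment precedes `bindings`, which is not visible in this hunk; the identical later hunk in this file shows them attaching to the `version` description right after "leave the field unset.", so they are not orphaned by the `auditConfigs` removal.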
@@ -1249,14 +1283,66 @@
],
"role": "A String", # Role that is assigned to `members`.
# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+ "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
+ #
+ # If the condition evaluates to `true`, then this binding applies to the
+ # current request.
+ #
+ # If the condition evaluates to `false`, then this binding does not apply to
+ # the current request. However, a different role binding might grant the same
+ # role to one or more of the members in this binding.
+ #
+ # To learn which resources support conditions in their IAM policies, see the
+ # [IAM
+ # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
+ # are documented at https://github.com/google/cel-spec.
+ #
+ # Example (Comparison):
+ #
+ # title: "Summary size limit"
+ # description: "Determines if a summary is less than 100 chars"
+ # expression: "document.summary.size() < 100"
+ #
+ # Example (Equality):
+ #
+ # title: "Requestor is owner"
+ # description: "Determines if requestor is the document owner"
+ # expression: "document.owner == request.auth.claims.email"
+ #
+ # Example (Logic):
+ #
+ # title: "Public documents"
+ # description: "Determine whether the document should be publicly visible"
+ # expression: "document.type != 'private' && document.type != 'internal'"
+ #
+ # Example (Data Manipulation):
+ #
+ # title: "Notification string"
+ # description: "Create a notification string with a timestamp."
+ # expression: "'New message received at ' + string(document.create_time)"
+ #
+ # The exact variables and functions that may be referenced within an expression
+ # are determined by the service that evaluates it. See the service
+ # documentation for additional information.
+ "description": "A String", # Optional. Description of the expression. This is a longer text which
+ # describes the expression, e.g. when hovered over it in a UI.
+ "location": "A String", # Optional. String indicating the location of the expression for error
+ # reporting, e.g. a file name and a position in the file.
+ "expression": "A String", # Textual representation of an expression in Common Expression Language
+ # syntax.
+ "title": "A String", # Optional. Title for the expression, i.e. a short string describing
+ # its purpose. This can be used e.g. in UIs which allow to enter the
+ # expression.
+ },
},
],
},
"updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
# the fields in the mask will be modified. If no mask is provided, the
# following default mask is used:
- # paths: "bindings, etag"
- # This field is only used by Cloud IAM.
+ #
+ # `paths: "bindings, etag"`
}
x__xgafv: string, V1 error format.
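Review bot: the `updateMask` text says that with no mask "the following default mask is used: `paths: "bindings, etag"`", and this policy also carries `auditConfigs` (added later in this file), so a caller that omits the mask will silently leave audit configuration untouched even when the request body contains it; add one sentence stating that `auditConfigs` must be named in the mask to be changed. Separately, the generated `condition` comment splits the type description mid-sentence: "Represents a textual expression in the Common Expression Language (CEL)" is followed by the field comment and the link, and only then by "syntax. CEL is a C-like expression language.", so the rendered text reads as a fragment. That is generator behaviour rather than something this patch introduced, but it is worth filing against the doc generator.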
@@ -1277,10 +1363,12 @@
# permissions; each `role` can be an IAM predefined role or a user-created
# custom role.
#
- # Optionally, a `binding` can specify a `condition`, which is a logical
- # expression that allows access to a resource only if the expression evaluates
- # to `true`. A condition can add constraints based on attributes of the
- # request, the resource, or both.
+ # For some types of Google Cloud resources, a `binding` can also specify a
+ # `condition`, which is a logical expression that allows access to a resource
+ # only if the expression evaluates to `true`. A condition can add constraints
+ # based on attributes of the request, the resource, or both. To learn which
+ # resources support conditions in their IAM policies, see the
+ # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
#
# **JSON example:**
#
@@ -1297,7 +1385,9 @@
# },
# {
# "role": "roles/resourcemanager.organizationViewer",
- # "members": ["user:eve@example.com"],
+ # "members": [
+ # "user:eve@example.com"
+ # ],
# "condition": {
# "title": "expirable access",
# "description": "Does not grant access after Sep 2020",
@@ -1342,6 +1432,91 @@
# whenever you call `setIamPolicy`. If you omit this field, then IAM allows
# you to overwrite a version `3` policy with a version `1` policy, and all of
# the conditions in the version `3` policy are lost.
+ "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
+ { # Specifies the audit configuration for a service.
+ # The configuration determines which permission types are logged, and what
+ # identities, if any, are exempted from logging.
+ # An AuditConfig must have one or more AuditLogConfigs.
+ #
+ # If there are AuditConfigs for both `allServices` and a specific service,
+ # the union of the two AuditConfigs is used for that service: the log_types
+ # specified in each AuditConfig are enabled, and the exempted_members in each
+ # AuditLogConfig are exempted.
+ #
+ # Example Policy with multiple AuditConfigs:
+ #
+ # {
+ # "audit_configs": [
+ # {
+ # "service": "allServices",
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE"
+ # },
+ # {
+ # "log_type": "ADMIN_READ"
+ # }
+ # ]
+ # },
+ # {
+ # "service": "sampleservice.googleapis.com",
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ"
+ # },
+ # {
+ # "log_type": "DATA_WRITE",
+ # "exempted_members": [
+ # "user:aliya@example.com"
+ # ]
+ # }
+ # ]
+ # }
+ # ]
+ # }
+ #
+ # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
+ # logging. It also exempts jose@example.com from DATA_READ logging, and
+ # aliya@example.com from DATA_WRITE logging.
+ "auditLogConfigs": [ # The configuration for logging of each type of permission.
+ { # Provides the configuration for logging a type of permissions.
+ # Example:
+ #
+ # {
+ # "audit_log_configs": [
+ # {
+ # "log_type": "DATA_READ",
+ # "exempted_members": [
+ # "user:jose@example.com"
+ # ]
+ # },
+ # {
+ # "log_type": "DATA_WRITE"
+ # }
+ # ]
+ # }
+ #
+ # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
+ # jose@example.com from DATA_READ logging.
+ "logType": "A String", # The log type that this config enables.
+ "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
+ # permission.
+ # Follows the same format of Binding.members.
+ "A String",
+ ],
+ },
+ ],
+ "service": "A String", # Specifies a service that will be enabled for audit logging.
+ # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+ # `allServices` is a special value that covers all services.
+ },
+ ],
"version": 42, # Specifies the format of the policy.
#
# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
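Review bot: the `exemptedMembers` description ("Specifies the identities that do not cause logging for this type of permission.") and the example that exempts jose@example.com from DATA_READ logging state the mechanism but not its consequence: an exempted principal's reads or writes leave no Data Access audit record for that service, which is a deliberate blind spot and should be reviewed like a permission grant. Suggest one sentence after "Follows the same format of Binding.members." saying that exemptions suppress audit records for those identities. The union rule ("the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted") is worth keeping verbatim, since it means an exemption added under `allServices` also applies to every specifically configured service.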
@@ -1363,139 +1538,13 @@
#
# If a policy does not include any conditions, operations on that policy may
# specify any valid version or leave the field unset.
- "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
- { # Specifies the audit configuration for a service.
- # The configuration determines which permission types are logged, and what
- # identities, if any, are exempted from logging.
- # An AuditConfig must have one or more AuditLogConfigs.
- #
- # If there are AuditConfigs for both `allServices` and a specific service,
- # the union of the two AuditConfigs is used for that service: the log_types
- # specified in each AuditConfig are enabled, and the exempted_members in each
- # AuditLogConfig are exempted.
- #
- # Example Policy with multiple AuditConfigs:
- #
- # {
- # "audit_configs": [
- # {
- # "service": "allServices"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # },
- # {
- # "log_type": "ADMIN_READ",
- # }
- # ]
- # },
- # {
- # "service": "sampleservice.googleapis.com"
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # },
- # {
- # "log_type": "DATA_WRITE",
- # "exempted_members": [
- # "user:aliya@example.com"
- # ]
- # }
- # ]
- # }
- # ]
- # }
- #
- # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
- # logging. It also exempts jose@example.com from DATA_READ logging, and
- # aliya@example.com from DATA_WRITE logging.
- "service": "A String", # Specifies a service that will be enabled for audit logging.
- # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
- # `allServices` is a special value that covers all services.
- "auditLogConfigs": [ # The configuration for logging of each type of permission.
- { # Provides the configuration for logging a type of permissions.
- # Example:
- #
- # {
- # "audit_log_configs": [
- # {
- # "log_type": "DATA_READ",
- # "exempted_members": [
- # "user:jose@example.com"
- # ]
- # },
- # {
- # "log_type": "DATA_WRITE",
- # }
- # ]
- # }
- #
- # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
- # jose@example.com from DATA_READ logging.
- "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
- # permission.
- # Follows the same format of Binding.members.
- "A String",
- ],
- "logType": "A String", # The log type that this config enables.
- },
- ],
- },
- ],
+ #
+ # To learn which resources support conditions in their IAM policies, see the
+ # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
# `condition` that determines how and when the `bindings` are applied. Each
# of the `bindings` must contain at least one member.
{ # Associates `members` with a `role`.
- "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
- # NOTE: An unsatisfied condition will not allow user access via current
- # binding. Different bindings, including their conditions, are examined
- # independently.
- # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
- # are documented at https://github.com/google/cel-spec.
- #
- # Example (Comparison):
- #
- # title: "Summary size limit"
- # description: "Determines if a summary is less than 100 chars"
- # expression: "document.summary.size() < 100"
- #
- # Example (Equality):
- #
- # title: "Requestor is owner"
- # description: "Determines if requestor is the document owner"
- # expression: "document.owner == request.auth.claims.email"
- #
- # Example (Logic):
- #
- # title: "Public documents"
- # description: "Determine whether the document should be publicly visible"
- # expression: "document.type != 'private' && document.type != 'internal'"
- #
- # Example (Data Manipulation):
- #
- # title: "Notification string"
- # description: "Create a notification string with a timestamp."
- # expression: "'New message received at ' + string(document.create_time)"
- #
- # The exact variables and functions that may be referenced within an expression
- # are determined by the service that evaluates it. See the service
- # documentation for additional information.
- "description": "A String", # Optional. Description of the expression. This is a longer text which
- # describes the expression, e.g. when hovered over it in a UI.
- "expression": "A String", # Textual representation of an expression in Common Expression Language
- # syntax.
- "title": "A String", # Optional. Title for the expression, i.e. a short string describing
- # its purpose. This can be used e.g. in UIs which allow to enter the
- # expression.
- "location": "A String", # Optional. String indicating the location of the expression for error
- # reporting, e.g. a file name and a position in the file.
- },
"members": [ # Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
#
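Review bot: the example JSON being removed here was not valid JSON (`"service": "allServices"` and `"service": "sampleservice.googleapis.com"` had no comma before `"audit_log_configs"`, and `"log_type": "DATA_WRITE",` / `"log_type": "ADMIN_READ",` carried trailing commas inside their objects); the copy added earlier in this file has the commas in the right places, so the relocation is a correctness fix and not just field-order churn. The deleted `condition` block here is the same text as the one moved in the first hunk, and the replacement after `role` in the next hunk is identical to the one already reviewed.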
@@ -1543,6 +1592,58 @@
],
"role": "A String", # Role that is assigned to `members`.
# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+ "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
+ #
+ # If the condition evaluates to `true`, then this binding applies to the
+ # current request.
+ #
+ # If the condition evaluates to `false`, then this binding does not apply to
+ # the current request. However, a different role binding might grant the same
+ # role to one or more of the members in this binding.
+ #
+ # To learn which resources support conditions in their IAM policies, see the
+ # [IAM
+ # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
+ # are documented at https://github.com/google/cel-spec.
+ #
+ # Example (Comparison):
+ #
+ # title: "Summary size limit"
+ # description: "Determines if a summary is less than 100 chars"
+ # expression: "document.summary.size() < 100"
+ #
+ # Example (Equality):
+ #
+ # title: "Requestor is owner"
+ # description: "Determines if requestor is the document owner"
+ # expression: "document.owner == request.auth.claims.email"
+ #
+ # Example (Logic):
+ #
+ # title: "Public documents"
+ # description: "Determine whether the document should be publicly visible"
+ # expression: "document.type != 'private' && document.type != 'internal'"
+ #
+ # Example (Data Manipulation):
+ #
+ # title: "Notification string"
+ # description: "Create a notification string with a timestamp."
+ # expression: "'New message received at ' + string(document.create_time)"
+ #
+ # The exact variables and functions that may be referenced within an expression
+ # are determined by the service that evaluates it. See the service
+ # documentation for additional information.
+ "description": "A String", # Optional. Description of the expression. This is a longer text which
+ # describes the expression, e.g. when hovered over it in a UI.
+ "location": "A String", # Optional. String indicating the location of the expression for error
+ # reporting, e.g. a file name and a position in the file.
+ "expression": "A String", # Textual representation of an expression in Common Expression Language
+ # syntax.
+ "title": "A String", # Optional. Title for the expression, i.e. a short string describing
+ # its purpose. This can be used e.g. in UIs which allow to enter the
+ # expression.
+ },
},
],
}</pre>
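Review bot: this `condition` block in the `setIamPolicy` response is a verbatim copy of the one added to the request body earlier in this file, including the same split sentence around "syntax. CEL is a C-like expression language.", so any wording fix to the Expr description has to land in the upstream discovery document rather than in this generated HTML, otherwise the two copies drift on the next regeneration. No semantic change here; the `description`, `location`, `expression` and `title` fields are the same set as before, only reordered.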
@@ -1550,14 +1651,21 @@
<div class="method">
<code class="details" id="signBlob">signBlob(name, body=None, x__xgafv=None)</code>
- <pre>**Note**: This method is in the process of being deprecated. Call the
-[`signBlob()`](/iam/credentials/reference/rest/v1/projects.serviceAccounts/signBlob)
-method of the Cloud IAM Service Account Credentials API instead.
+ <pre>**Note:** This method is deprecated and will stop working on July 1, 2021.
+Use the
+[`signBlob`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signBlob)
+method in the IAM Service Account Credentials API instead. If you currently
+use this method, see the [migration
+guide](https://cloud.google.com/iam/help/credentials/migrate-api) for
+instructions.
-Signs a blob using a service account's system-managed private key.
+Signs a blob using the system-managed private key for a ServiceAccount.
Args:
- name: string, Required. The resource name of the service account in the following format:
+ name: string, Required. Deprecated. [Migrate to Service Account Credentials
+API](https://cloud.google.com/iam/help/credentials/migrate-api).
+
+The resource name of the service account in the following format:
`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
the account. The `ACCOUNT` value can be the `email` address or the
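Review bot: "Required. Deprecated." on the `name` argument reads as contradictory: the parameter is still required, the method is what is deprecated. Suggest keeping "Required." and placing the "[Migrate to Service Account Credentials API]" link after the format description, or phrasing it as "(method deprecated; see ...)". The hard cut-off "will stop working on July 1, 2021" is a useful addition and appears for both `signBlob` and `signJwt`, and the absolute `https://cloud.google.com/iam/help/rest-credentials/...` URLs replace relative `/iam/credentials/reference/...` links that only resolve when the page is served from cloud.google.com.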
@@ -1565,8 +1673,14 @@
body: object, The request body.
The object takes the form of:
-{ # The service account sign blob request.
- "bytesToSign": "A String", # Required. The bytes to sign.
+{ # Deprecated. [Migrate to Service Account Credentials
+ # API](https://cloud.google.com/iam/help/credentials/migrate-api).
+ #
+ # The service account sign blob request.
+ "bytesToSign": "A String", # Required. Deprecated. [Migrate to Service Account Credentials
+ # API](https://cloud.google.com/iam/help/credentials/migrate-api).
+ #
+ # The bytes to sign.
}
x__xgafv: string, V1 error format.
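Review bot: `bytesToSign` is described as "The bytes to sign" but shown as `"A String"` in the request body, and the text never says how raw bytes are to be encoded into that string; a caller that picks the wrong encoding gets a valid-looking signature over different bytes than intended. State the expected encoding next to "The bytes to sign." rather than leaving it implicit, or point to the Credentials API method that documents it.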
@@ -1577,26 +1691,39 @@
Returns:
An object of the form:
- { # The service account sign blob response.
- "signature": "A String", # The signed blob.
- "keyId": "A String", # The id of the key used to sign the blob.
+ { # Deprecated. [Migrate to Service Account Credentials
+ # API](https://cloud.google.com/iam/help/credentials/migrate-api).
+ #
+ # The service account sign blob response.
+ "signature": "A String", # Deprecated. [Migrate to Service Account Credentials
+ # API](https://cloud.google.com/iam/help/credentials/migrate-api).
+ #
+ # The signed blob.
+ "keyId": "A String", # Deprecated. [Migrate to Service Account Credentials
+ # API](https://cloud.google.com/iam/help/credentials/migrate-api).
+ #
+ # The id of the key used to sign the blob.
}</pre>
</div>
<div class="method">
<code class="details" id="signJwt">signJwt(name, body=None, x__xgafv=None)</code>
- <pre>**Note**: This method is in the process of being deprecated. Call the
-[`signJwt()`](/iam/credentials/reference/rest/v1/projects.serviceAccounts/signJwt)
-method of the Cloud IAM Service Account Credentials API instead.
+ <pre>**Note:** This method is deprecated and will stop working on July 1, 2021.
+Use the
+[`signJwt`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signJwt)
+method in the IAM Service Account Credentials API instead. If you currently
+use this method, see the [migration
+guide](https://cloud.google.com/iam/help/credentials/migrate-api) for
+instructions.
-Signs a JWT using a service account's system-managed private key.
-
-If no expiry time (`exp`) is provided in the `SignJwtRequest`, IAM sets an
-an expiry time of one hour by default. If you request an expiry time of
-more than one hour, the request will fail.
+Signs a JSON Web Token (JWT) using the system-managed private key for a
+ServiceAccount.
Args:
- name: string, Required. The resource name of the service account in the following format:
+ name: string, Required. Deprecated. [Migrate to Service Account Credentials
+API](https://cloud.google.com/iam/help/credentials/migrate-api).
+
+The resource name of the service account in the following format:
`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
the account. The `ACCOUNT` value can be the `email` address or the
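Review bot: the method-level paragraph "If no expiry time (`exp`) is provided in the `SignJwtRequest`, IAM sets an expiry time of one hour by default. If you request an expiry time of more than one hour, the request will fail." is deleted here, and the constraint survives only in the `payload` field comment in the next hunk. The summary is what callers read first, and the one-hour cap is what keeps a signed token short-lived, so keep a one-line pointer in the summary (for example "See `payload` for expiry rules.") so the limit is not missed. The response-side "Deprecated. [Migrate ...]" prefix on `signature` and `keyId` is harmless but repetitive; once on the response object would be enough.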
@@ -1604,8 +1731,23 @@
body: object, The request body.
The object takes the form of:
-{ # The service account sign JWT request.
- "payload": "A String", # Required. The JWT payload to sign, a JSON JWT Claim set.
+{ # Deprecated. [Migrate to Service Account Credentials
+ # API](https://cloud.google.com/iam/help/credentials/migrate-api).
+ #
+ # The service account sign JWT request.
+ "payload": "A String", # Required. Deprecated. [Migrate to Service Account Credentials
+ # API](https://cloud.google.com/iam/help/credentials/migrate-api).
+ #
+ # The JWT payload to sign. Must be a serialized JSON object that contains a
+ # JWT Claims Set. For example: `{"sub": "user@example.com", "iat": 313435}`
+ #
+ # If the JWT Claims Set contains an expiration time (`exp`) claim, it must be
+ # an integer timestamp that is not in the past and no more than 1 hour in the
+ # future.
+ #
+ # If the JWT Claims Set does not contain an expiration time (`exp`) claim,
+ # this claim is added automatically, with a timestamp that is 1 hour in the
+ # future.
}
x__xgafv: string, V1 error format.
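Review bot: the sample claims set `{"sub": "user@example.com", "iat": 313435}` uses an `iat` of 313435 seconds, which is early January 1970, while the same comment requires an `exp` that is "not in the past and no more than 1 hour in the future"; a reader who copies the example produces a token whose issued-at is decades before its expiry. Use a plausible current epoch value for `iat` or drop the claim from the example. The new text that `exp` "is added automatically, with a timestamp that is 1 hour in the future" when absent, and that a supplied `exp` "must be an integer timestamp", is a correct and more precise replacement for the old method-level note.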
@@ -1616,16 +1758,25 @@
Returns:
An object of the form:
- { # The service account sign JWT response.
- "keyId": "A String", # The id of the key used to sign the JWT.
- "signedJwt": "A String", # The signed JWT.
+ { # Deprecated. [Migrate to Service Account Credentials
+ # API](https://cloud.google.com/iam/help/credentials/migrate-api).
+ #
+ # The service account sign JWT response.
+ "signedJwt": "A String", # Deprecated. [Migrate to Service Account Credentials
+ # API](https://cloud.google.com/iam/help/credentials/migrate-api).
+ #
+ # The signed JWT.
+ "keyId": "A String", # Deprecated. [Migrate to Service Account Credentials
+ # API](https://cloud.google.com/iam/help/credentials/migrate-api).
+ #
+ # The id of the key used to sign the JWT.
}</pre>
</div>
<div class="method">
<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>
- <pre>Tests the specified permissions against the IAM access control policy
-for a ServiceAccount.
+ <pre>Tests whether the caller has the specified permissions on a
+ServiceAccount.
Args:
resource: string, REQUIRED: The resource for which the policy detail is being requested.
@@ -1661,8 +1812,13 @@
<div class="method">
<code class="details" id="undelete">undelete(name, body=None, x__xgafv=None)</code>
<pre>Restores a deleted ServiceAccount.
-This is to be used as an action of last resort. A service account may
-not always be restorable.
+
+**Important:** It is not always possible to restore a deleted service
+account. Use this method only as a last resort.
+
+After you delete a service account, IAM permanently removes the service
+account 30 days later. There is no way to restore a deleted service account
+that has been permanently removed.
Args:
name: string, The resource name of the service account in the following format:
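Review bot: the new sentence "After you delete a service account, IAM permanently removes the service account 30 days later" gives the restore window but the docstring still does not say which identifier reliably addresses a deleted account. The ServiceAccount type in the next hunk states that "Each service account retains its unique ID even if you delete the service account" and that a new account created "with the same name" gets a different unique ID, so the email can be taken by a replacement while the unique ID stays unambiguous; the `name` argument here should say so explicitly rather than just "in the following format:".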
@@ -1684,112 +1840,133 @@
An object of the form:
{
- "restoredAccount": { # A service account in the Identity and Access Management API. # Metadata for the restored service account.
- #
- # To create a service account, specify the `project_id` and the `account_id`
- # for the account. The `account_id` is unique within the project, and is used
- # to generate the service account email address and a stable
- # `unique_id`.
- #
- # If the account already exists, the account's resource name is returned
- # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
- # can use the name in other methods to access the account.
- #
- # All other methods can identify the service account using the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
- # the account. The `ACCOUNT` value can be the `email` address or the
- # `unique_id` of the service account.
- "email": "A String", # @OutputOnly The email address of the service account.
- "name": "A String", # The resource name of the service account in the following format:
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+ "restoredAccount": { # An IAM service account. # Metadata for the restored service account.
#
- # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
- # project from the `account` and the `ACCOUNT` value can be the `email`
- # address or the `unique_id` of the service account.
+ # A service account is an account for an application or a virtual machine (VM)
+ # instance, not a person. You can use a service account to call Google APIs. To
+ # learn more, read the [overview of service
+ # accounts](https://cloud.google.com/iam/help/service-accounts/overview).
#
- # In responses the resource name will always be in the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
- "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
- # This is used in conjunction with the OAuth2 clientconfig API to make
- # three legged OAuth2 (3LO) flows to access the data of Google users.
- "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
- "description": "A String", # Optional. A user-specified opaque description of the service account.
- # Must be less than or equal to 256 UTF-8 bytes.
- "displayName": "A String", # Optional. A user-specified name for the service account.
- # Must be less than or equal to 100 UTF-8 bytes.
- "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
- # for backwards compatibility.
- "disabled": True or False, # @OutputOnly A bool indicate if the service account is disabled.
- # The field is currently in alpha phase.
- },
+ # When you create a service account, you specify the project ID that owns the
+ # service account, as well as a name that must be unique within the project.
+ # IAM uses these values to create an email address that identifies the service
+ # account.
+ "disabled": True or False, # Output only. Whether the service account is disabled.
+ "uniqueId": "A String", # Output only. The unique, stable numeric ID for the service account.
+ #
+ # Each service account retains its unique ID even if you delete the service
+ # account. For example, if you delete a service account, then create a new
+ # service account with the same name, the new service account has a different
+ # unique ID than the deleted service account.
+ "projectId": "A String", # Output only. The ID of the project that owns the service account.
+ "etag": "A String", # Deprecated. Do not use.
+ "email": "A String", # Output only. The email address of the service account.
+ "name": "A String", # The resource name of the service account.
+ #
+ # Use one of the following formats:
+ #
+ # * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
+ #
+ # As an alternative, you can use the `-` wildcard character instead of the
+ # project ID:
+ #
+ # * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/-/serviceAccounts/{UNIQUE_ID}`
+ #
+ # When possible, avoid using the `-` wildcard character, because it can cause
+ # response messages to contain misleading error codes. For example, if you
+ # try to get the service account
+ # `projects/-/serviceAccounts/fake@example.com`, which does not exist, the
+ # response contains an HTTP `403 Forbidden` error instead of a `404 Not
+ # Found` error.
+ "displayName": "A String", # Optional. A user-specified, human-readable name for the service account. The maximum
+ # length is 100 UTF-8 bytes.
+ "oauth2ClientId": "A String", # Output only. The OAuth 2.0 client ID for the service account.
+ "description": "A String", # Optional. A user-specified, human-readable description of the service account. The
+ # maximum length is 256 UTF-8 bytes.
+ },
}</pre>
</div>
<div class="method">
<code class="details" id="update">update(name, body=None, x__xgafv=None)</code>
- <pre>Note: This method is in the process of being deprecated. Use
+ <pre>**Note:** We are in the process of deprecating this method. Use
PatchServiceAccount instead.
Updates a ServiceAccount.
-Currently, only the following fields are updatable:
-`display_name` and `description`.
+You can update only the `display_name` and `description` fields.
Args:
- name: string, The resource name of the service account in the following format:
-`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+ name: string, The resource name of the service account.
-Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
-project from the `account` and the `ACCOUNT` value can be the `email`
-address or the `unique_id` of the service account.
+Use one of the following formats:
-In responses the resource name will always be in the format
-`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. (required)
+* `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
+* `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
+
+As an alternative, you can use the `-` wildcard character instead of the
+project ID:
+
+* `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
+* `projects/-/serviceAccounts/{UNIQUE_ID}`
+
+When possible, avoid using the `-` wildcard character, because it can cause
+response messages to contain misleading error codes. For example, if you
+try to get the service account
+`projects/-/serviceAccounts/fake@example.com`, which does not exist, the
+response contains an HTTP `403 Forbidden` error instead of a `404 Not
+Found` error. (required)
body: object, The request body.
The object takes the form of:
-{ # A service account in the Identity and Access Management API.
- #
- # To create a service account, specify the `project_id` and the `account_id`
- # for the account. The `account_id` is unique within the project, and is used
- # to generate the service account email address and a stable
- # `unique_id`.
- #
- # If the account already exists, the account's resource name is returned
- # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
- # can use the name in other methods to access the account.
- #
- # All other methods can identify the service account using the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
- # the account. The `ACCOUNT` value can be the `email` address or the
- # `unique_id` of the service account.
- "email": "A String", # @OutputOnly The email address of the service account.
- "name": "A String", # The resource name of the service account in the following format:
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+{ # An IAM service account.
#
- # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
- # project from the `account` and the `ACCOUNT` value can be the `email`
- # address or the `unique_id` of the service account.
+ # A service account is an account for an application or a virtual machine (VM)
+ # instance, not a person. You can use a service account to call Google APIs. To
+ # learn more, read the [overview of service
+ # accounts](https://cloud.google.com/iam/help/service-accounts/overview).
#
- # In responses the resource name will always be in the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
- "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
- # This is used in conjunction with the OAuth2 clientconfig API to make
- # three legged OAuth2 (3LO) flows to access the data of Google users.
- "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
- "description": "A String", # Optional. A user-specified opaque description of the service account.
- # Must be less than or equal to 256 UTF-8 bytes.
- "displayName": "A String", # Optional. A user-specified name for the service account.
- # Must be less than or equal to 100 UTF-8 bytes.
- "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
- # for backwards compatibility.
- "disabled": True or False, # @OutputOnly A bool indicate if the service account is disabled.
- # The field is currently in alpha phase.
-}
+ # When you create a service account, you specify the project ID that owns the
+ # service account, as well as a name that must be unique within the project.
+ # IAM uses these values to create an email address that identifies the service
+ # account.
+ "disabled": True or False, # Output only. Whether the service account is disabled.
+ "uniqueId": "A String", # Output only. The unique, stable numeric ID for the service account.
+ #
+ # Each service account retains its unique ID even if you delete the service
+ # account. For example, if you delete a service account, then create a new
+ # service account with the same name, the new service account has a different
+ # unique ID than the deleted service account.
+ "projectId": "A String", # Output only. The ID of the project that owns the service account.
+ "etag": "A String", # Deprecated. Do not use.
+ "email": "A String", # Output only. The email address of the service account.
+ "name": "A String", # The resource name of the service account.
+ #
+ # Use one of the following formats:
+ #
+ # * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
+ #
+ # As an alternative, you can use the `-` wildcard character instead of the
+ # project ID:
+ #
+ # * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/-/serviceAccounts/{UNIQUE_ID}`
+ #
+ # When possible, avoid using the `-` wildcard character, because it can cause
+ # response messages to contain misleading error codes. For example, if you
+ # try to get the service account
+ # `projects/-/serviceAccounts/fake@example.com`, which does not exist, the
+ # response contains an HTTP `403 Forbidden` error instead of a `404 Not
+ # Found` error.
+ "displayName": "A String", # Optional. A user-specified, human-readable name for the service account. The maximum
+ # length is 100 UTF-8 bytes.
+ "oauth2ClientId": "A String", # Output only. The OAuth 2.0 client ID for the service account.
+ "description": "A String", # Optional. A user-specified, human-readable description of the service account. The
+ # maximum length is 256 UTF-8 bytes.
+ }
x__xgafv: string, V1 error format.
Allowed values
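Review bot: The new `name` comment (the `403 Forbidden` instead of `404 Not Found` paragraph) explains why the `-` wildcard is misleading but does not tell callers what to do with the result, which matters because a caller that branches on 403 will misclassify a simple typo in the account address as a permission problem. Suggest adding one sentence along the lines of "Treat a `403` returned for a `projects/-/serviceAccounts/...` name as 'not found or not permitted'; when the project ID is known, use the `projects/{PROJECT_ID}/...` form so that a missing account yields `404`." Also, the `oauth2ClientId` line drops the old explanation that the ID is used in three-legged OAuth2 (3LO) flows; if that is still accurate, keeping it gives readers the one hint they need about what the value is for.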
@@ -1799,46 +1976,52 @@
Returns:
An object of the form:
- { # A service account in the Identity and Access Management API.
- #
- # To create a service account, specify the `project_id` and the `account_id`
- # for the account. The `account_id` is unique within the project, and is used
- # to generate the service account email address and a stable
- # `unique_id`.
- #
- # If the account already exists, the account's resource name is returned
- # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
- # can use the name in other methods to access the account.
- #
- # All other methods can identify the service account using the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
- # the account. The `ACCOUNT` value can be the `email` address or the
- # `unique_id` of the service account.
- "email": "A String", # @OutputOnly The email address of the service account.
- "name": "A String", # The resource name of the service account in the following format:
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+ { # An IAM service account.
#
- # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
- # project from the `account` and the `ACCOUNT` value can be the `email`
- # address or the `unique_id` of the service account.
+ # A service account is an account for an application or a virtual machine (VM)
+ # instance, not a person. You can use a service account to call Google APIs. To
+ # learn more, read the [overview of service
+ # accounts](https://cloud.google.com/iam/help/service-accounts/overview).
#
- # In responses the resource name will always be in the format
- # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
- "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
- "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
- # This is used in conjunction with the OAuth2 clientconfig API to make
- # three legged OAuth2 (3LO) flows to access the data of Google users.
- "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
- "description": "A String", # Optional. A user-specified opaque description of the service account.
- # Must be less than or equal to 256 UTF-8 bytes.
- "displayName": "A String", # Optional. A user-specified name for the service account.
- # Must be less than or equal to 100 UTF-8 bytes.
- "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
- # for backwards compatibility.
- "disabled": True or False, # @OutputOnly A bool indicate if the service account is disabled.
- # The field is currently in alpha phase.
- }</pre>
+ # When you create a service account, you specify the project ID that owns the
+ # service account, as well as a name that must be unique within the project.
+ # IAM uses these values to create an email address that identifies the service
+ # account.
+ "disabled": True or False, # Output only. Whether the service account is disabled.
+ "uniqueId": "A String", # Output only. The unique, stable numeric ID for the service account.
+ #
+ # Each service account retains its unique ID even if you delete the service
+ # account. For example, if you delete a service account, then create a new
+ # service account with the same name, the new service account has a different
+ # unique ID than the deleted service account.
+ "projectId": "A String", # Output only. The ID of the project that owns the service account.
+ "etag": "A String", # Deprecated. Do not use.
+ "email": "A String", # Output only. The email address of the service account.
+ "name": "A String", # The resource name of the service account.
+ #
+ # Use one of the following formats:
+ #
+ # * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
+ #
+ # As an alternative, you can use the `-` wildcard character instead of the
+ # project ID:
+ #
+ # * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
+ # * `projects/-/serviceAccounts/{UNIQUE_ID}`
+ #
+ # When possible, avoid using the `-` wildcard character, because it can cause
+ # response messages to contain misleading error codes. For example, if you
+ # try to get the service account
+ # `projects/-/serviceAccounts/fake@example.com`, which does not exist, the
+ # response contains an HTTP `403 Forbidden` error instead of a `404 Not
+ # Found` error.
+ "displayName": "A String", # Optional. A user-specified, human-readable name for the service account. The maximum
+ # length is 100 UTF-8 bytes.
+ "oauth2ClientId": "A String", # Output only. The OAuth 2.0 client ID for the service account.
+ "description": "A String", # Optional. A user-specified, human-readable description of the service account. The
+ # maximum length is 256 UTF-8 bytes.
+ }</pre>
</div>
</body></html>
\ No newline at end of file
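Review bot: The `displayName` and `description` comment lines ("Optional. A user-specified, human-readable name for the service account. The maximum" and its `description` counterpart) run well past the wrap width that every other comment in this block keeps, so the generator appears to wrap the first line of a multi-sentence field description differently from the rest; rewrapping them to match the neighbouring `uniqueId` and `name` comments would keep the block readable in the rendered `<pre>`. Separately, changing `etag` from "an inoperable legacy field that is only returned for backwards compatibility" to just "Deprecated. Do not use." loses the fact that the field is still present in responses; keeping the "still returned for backwards compatibility" wording avoids readers treating its presence as a schema mismatch.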