docs/dyn/iamcredentials_v1.projects.serviceAccounts.html

<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2 em;
}

.method  {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="iamcredentials_v1.html">IAM Service Account Credentials API</a> . <a href="iamcredentials_v1.projects.html">projects</a> . <a href="iamcredentials_v1.projects.serviceAccounts.html">serviceAccounts</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="#generateAccessToken">generateAccessToken(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">Generates an OAuth 2.0 access token for a service account.</p>
<p class="toc_element">
  <code><a href="#generateIdToken">generateIdToken(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">Generates an OpenID Connect ID token for a service account.</p>
<p class="toc_element">
  <code><a href="#generateIdentityBindingAccessToken">generateIdentityBindingAccessToken(name, body, x__xgafv=None)</a></code></p>
<p class="firstline"></p>
<p class="toc_element">
  <code><a href="#signBlob">signBlob(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">Signs a blob using a service account's system-managed private key.</p>
<p class="toc_element">
  <code><a href="#signJwt">signJwt(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">Signs a JWT using a service account's system-managed private key.</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="generateAccessToken">generateAccessToken(name, body, x__xgafv=None)</code>
  <pre>Generates an OAuth 2.0 access token for a service account.

Args:
  name: string, The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
  body: object, The request body. (required)
    The object takes the form of:

{
    "lifetime": "A String", # The desired lifetime duration of the access token in seconds.
        # Must be set to a value less than or equal to 3600 (1 hour). If a value is
        # not specified, the token's lifetime will be set to a default value of one
        # hour.
    "delegates": [ # The sequence of service accounts in a delegation chain. Each service
        # account must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on its next service account in the chain. The last service account in the
        # chain must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on the service account that is specified in the `name` field of the
        # request.
        # 
        # The delegates must have the following format:
        # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
        # character is required; replacing it with a project ID is invalid.
      "A String",
    ],
    "scope": [ # Code to identify the scopes to be included in the OAuth 2.0 access token.
        # See https://developers.google.com/identity/protocols/googlescopes for more
        # information.
        # At least one value required.
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    {
    "expireTime": "A String", # Token expiration time.
        # The expiration time is always set.
    "accessToken": "A String", # The OAuth 2.0 access token.
  }</pre>
</div>

<div class="method">
    <code class="details" id="generateIdToken">generateIdToken(name, body, x__xgafv=None)</code>
  <pre>Generates an OpenID Connect ID token for a service account.

Args:
  name: string, The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
  body: object, The request body. (required)
    The object takes the form of:

{
    "includeEmail": True or False, # Include the service account email in the token. If set to `true`, the
        # token will contain `email` and `email_verified` claims.
    "audience": "A String", # The audience for the token, such as the API or account that this token
        # grants access to.
    "delegates": [ # The sequence of service accounts in a delegation chain. Each service
        # account must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on its next service account in the chain. The last service account in the
        # chain must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on the service account that is specified in the `name` field of the
        # request.
        # 
        # The delegates must have the following format:
        # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
        # character is required; replacing it with a project ID is invalid.
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    {
    "token": "A String", # The OpenId Connect ID token.
  }</pre>
</div>

<div class="method">
    <code class="details" id="generateIdentityBindingAccessToken">generateIdentityBindingAccessToken(name, body, x__xgafv=None)</code>
  <pre>

Args:
  name: string, The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
  body: object, The request body. (required)
    The object takes the form of:

{
    "scope": [ # Code to identify the scopes to be included in the OAuth 2.0 access token.
        # See https://developers.google.com/identity/protocols/googlescopes for more
        # information.
        # At least one value required.
      "A String",
    ],
    "jwt": "A String", # Required. Input token.
        # Must be in JWT format according to
        # RFC7523 (https://tools.ietf.org/html/rfc7523)
        # and must have 'kid' field in the header.
        # Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
        # Mandatory payload fields (along the lines of RFC 7523, section 3):
        # - iss: issuer of the token. Must provide a discovery document at
        #        $iss/.well-known/openid-configuration . The document needs to be
        #        formatted according to section 4.2 of the OpenID Connect Discovery
        #        1.0 specification.
        # - iat: Issue time in seconds since epoch. Must be in the past.
        # - exp: Expiration time in seconds since epoch. Must be less than 48 hours
        #        after iat. We recommend to create tokens that last shorter than 6
        #        hours to improve security unless business reasons mandate longer
        #        expiration times. Shorter token lifetimes are generally more secure
        #        since tokens that have been exfiltrated by attackers can be used for
        #        a shorter time. you can configure the maximum lifetime of the
        #        incoming token in the configuration of the mapper.
        #        The resulting Google token will expire within an hour or at "exp",
        #        whichever is earlier.
        # - sub: JWT subject, identity asserted in the JWT.
        # - aud: Configured in the mapper policy. By default the service account
        #        email.
        # 
        # Claims from the incoming token can be transferred into the output token
        # accoding to the mapper configuration. The outgoing claim size is limited.
        # Outgoing claims size must be less than 4kB serialized as JSON without
        # whitespace.
        # 
        # Example header:
        # {
        #   "alg": "RS256",
        #   "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
        # }
        # Example payload:
        # {
        #   "iss": "https://accounts.google.com",
        #   "iat": 1517963104,
        #   "exp": 1517966704,
        #   "aud":
        #   "https://iamcredentials.googleapis.com/google.iam.credentials.v1.CloudGaia",
        #   "sub": "113475438248934895348",
        #   "my_claims": {
        #     "additional_claim": "value"
        #   }
        # }
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    {
    "expireTime": "A String", # Token expiration time.
        # The expiration time is always set.
    "accessToken": "A String", # The OAuth 2.0 access token.
  }</pre>
</div>

<div class="method">
    <code class="details" id="signBlob">signBlob(name, body, x__xgafv=None)</code>
  <pre>Signs a blob using a service account's system-managed private key.

Args:
  name: string, The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
  body: object, The request body. (required)
    The object takes the form of:

{
    "payload": "A String", # The bytes to sign.
    "delegates": [ # The sequence of service accounts in a delegation chain. Each service
        # account must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on its next service account in the chain. The last service account in the
        # chain must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on the service account that is specified in the `name` field of the
        # request.
        # 
        # The delegates must have the following format:
        # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
        # character is required; replacing it with a project ID is invalid.
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    {
    "signedBlob": "A String", # The signed blob.
    "keyId": "A String", # The ID of the key used to sign the blob.
  }</pre>
</div>

<div class="method">
    <code class="details" id="signJwt">signJwt(name, body, x__xgafv=None)</code>
  <pre>Signs a JWT using a service account's system-managed private key.

Args:
  name: string, The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
  body: object, The request body. (required)
    The object takes the form of:

{
    "payload": "A String", # The JWT payload to sign: a JSON object that contains a JWT Claims Set.
    "delegates": [ # The sequence of service accounts in a delegation chain. Each service
        # account must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on its next service account in the chain. The last service account in the
        # chain must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on the service account that is specified in the `name` field of the
        # request.
        # 
        # The delegates must have the following format:
        # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
        # character is required; replacing it with a project ID is invalid.
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    {
    "keyId": "A String", # The ID of the key used to sign the JWT.
    "signedJwt": "A String", # The signed JWT.
  }</pre>
</div>

</body></html>