@datafire/google_iam

Client library for Identity and Access Management (IAM) API

Installation and Usage

npm install --save @datafire/google_iam

let google_iam = require('@datafire/google_iam').create({
  access_token: "",
  refresh_token: "",
  client_id: "",
  client_secret: "",
  redirect_uri: ""
});

.then(data => {
  console.log(data);
});

Description

Manages identity and access control for Google Cloud Platform resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls.

Actions

oauthCallback

Exchange the code passed to your redirect URI for an access_token

google_iam.oauthCallback({
  "code": ""
}, context)

Input

• input object
  • code required string

Output

• output object
  • access_token string
  • refresh_token string
  • token_type string
  • scope string
  • expiration string

oauthRefresh

Exchange a refresh_token for an access_token

google_iam.oauthRefresh(null, context)

Input

This action has no parameters

Output

• output object
  • access_token string
  • refresh_token string
  • token_type string
  • scope string
  • expiration string

iam.iamPolicies.lintPolicy

Lints, or validates, an IAM policy. Currently checks the google.iam.v1.Binding.condition field, which contains a condition expression for a role binding. Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy.

google_iam.iam.iamPolicies.lintPolicy({}, context)

Input

• input object
  • body LintPolicyRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output LintPolicyResponse

iam.iamPolicies.queryAuditableServices

Returns a list of services that allow you to opt into audit logs that are not generated by default. To learn more about audit logs, see the Logging documentation.

google_iam.iam.iamPolicies.queryAuditableServices({}, context)

Input

• input object
  • body QueryAuditableServicesRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output QueryAuditableServicesResponse

iam.permissions.queryTestablePermissions

Lists every permission that you can test on a resource. A permission is testable if you can check whether a member has that permission on the resource.

google_iam.iam.permissions.queryTestablePermissions({}, context)

Input

• input object
  • body QueryTestablePermissionsRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output QueryTestablePermissionsResponse

iam.roles.list

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

google_iam.iam.roles.list({}, context)

Input

• input object
  • pageSize integer: Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000.
  • pageToken string: Optional pagination token returned in an earlier ListRolesResponse.
  • parent string: The parent parameter's value depends on the target resource for the request, namely roles, projects, or organizations. Each resource type's parent value format is described below: * roles.list(): An empty string. This method doesn't require a resource; it simply returns all predefined roles in Cloud IAM. Example request URL: https://iam.googleapis.com/v1/roles * projects.roles.list(): projects/{PROJECT_ID}. This method lists all project-level custom roles. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles * organizations.roles.list(): organizations/{ORGANIZATION_ID}. This method lists all organization-level custom roles. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
  • showDeleted boolean: Include Roles that have been deleted.
  • view string (values: BASIC, FULL): Optional view for the returned Role objects. When FULL is specified, the includedPermissions field is returned, which includes a list of all permissions in the role. The default value is BASIC, which does not return the includedPermissions field.
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ListRolesResponse

iam.roles.queryGrantableRoles

Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.

google_iam.iam.roles.queryGrantableRoles({}, context)

Input

• input object
  • body QueryGrantableRolesRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output QueryGrantableRolesResponse

iam.projects.serviceAccounts.keys.delete

Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

google_iam.iam.projects.serviceAccounts.keys.delete({
  "name": ""
}, context)

Input

• input object
  • name required string: Required. The resource name of the service account key in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • etag string: Used to perform a consistent read-modify-write.
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output Empty

iam.roles.get

Gets the definition of a Role.

google_iam.iam.roles.get({
  "name": ""
}, context)

Input

• input object
  • name required string: The name parameter's value depends on the target resource for the request, namely roles, projects, or organizations. Each resource type's name value format is described below: * roles.get(): roles/{ROLE_NAME}. This method returns results from all predefined roles in Cloud IAM. Example request URL: https://iam.googleapis.com/v1/roles/{ROLE_NAME} * projects.roles.get(): projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}. This method returns only custom roles that have been created at the project level. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID} * organizations.roles.get(): organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}. This method returns only custom roles that have been created at the organization level. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID} Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
  • publicKeyType string (values: TYPE_NONE, TYPE_X509_PEM_FILE, TYPE_RAW_PUBLIC_KEY): The output format of the public key requested. X509_PEM is the default output format.
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output Role

iam.projects.serviceAccounts.patch

Patches a ServiceAccount.

google_iam.iam.projects.serviceAccounts.patch({
  "name": ""
}, context)

Input

• input object
  • name required string: The resource name of the service account. Use one of the following formats: * projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS} * projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: * projects/-/serviceAccounts/{EMAIL_ADDRESS} * projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to get the service account projects/-/serviceAccounts/[email protected], which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.
  • updateMask string: A mask describing which fields in the Role have changed.
  • body PatchServiceAccountRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ServiceAccount

iam.projects.serviceAccounts.update

Note: We are in the process of deprecating this method. Use PatchServiceAccount instead. Updates a ServiceAccount. You can update only the display_name and description fields.

google_iam.iam.projects.serviceAccounts.update({
  "name": ""
}, context)

Input

• input object
  • name required string: The resource name of the service account. Use one of the following formats: * projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS} * projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: * projects/-/serviceAccounts/{EMAIL_ADDRESS} * projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to get the service account projects/-/serviceAccounts/[email protected], which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.
  • body ServiceAccount
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ServiceAccount

iam.projects.serviceAccounts.keys.list

Lists every ServiceAccountKey for a service account.

google_iam.iam.projects.serviceAccounts.keys.list({
  "name": ""
}, context)

Input

• input object
  • name required string: Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID, will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • keyTypes array: Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned.
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ListServiceAccountKeysResponse

iam.projects.serviceAccounts.keys.create

Creates a ServiceAccountKey.

google_iam.iam.projects.serviceAccounts.keys.create({
  "name": ""
}, context)

Input

• input object
  • name required string: Required. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • body CreateServiceAccountKeyRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ServiceAccountKey

iam.projects.serviceAccounts.keys.upload

Creates a ServiceAccountKey, using a public key that you provide.

google_iam.iam.projects.serviceAccounts.keys.upload({
  "name": ""
}, context)

Input

• input object
  • name required string: The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • body UploadServiceAccountKeyRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ServiceAccountKey

iam.projects.serviceAccounts.list

Lists every ServiceAccount that belongs to a specific project.

google_iam.iam.projects.serviceAccounts.list({
  "name": ""
}, context)

Input

• input object
  • name required string: Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.
  • pageSize integer: Optional limit on the number of service accounts to include in the response. Further accounts can subsequently be obtained by including the ListServiceAccountsResponse.next_page_token in a subsequent request. The default is 20, and the maximum is 100.
  • pageToken string: Optional pagination token returned in an earlier ListServiceAccountsResponse.next_page_token.
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ListServiceAccountsResponse

iam.projects.serviceAccounts.create

Creates a ServiceAccount.

google_iam.iam.projects.serviceAccounts.create({
  "name": ""
}, context)

Input

• input object
  • name required string: Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.
  • body CreateServiceAccountRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ServiceAccount

iam.projects.serviceAccounts.disable

Disables a ServiceAccount immediately. If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail. To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount.

google_iam.iam.projects.serviceAccounts.disable({
  "name": ""
}, context)

Input

• input object
  • name required string: The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • body DisableServiceAccountRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output Empty

iam.projects.serviceAccounts.enable

Enables a ServiceAccount that was disabled by DisableServiceAccount. If the service account is already enabled, then this method has no effect. If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.

google_iam.iam.projects.serviceAccounts.enable({
  "name": ""
}, context)

Input

• input object
  • name required string: The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • body EnableServiceAccountRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output Empty

iam.projects.serviceAccounts.signBlob

Note: This method is deprecated and will stop working on July 1, 2021. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a blob using the system-managed private key for a ServiceAccount.

google_iam.iam.projects.serviceAccounts.signBlob({
  "name": ""
}, context)

Input

• input object
  • name required string: Required. Deprecated. Migrate to Service Account Credentials API. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • body SignBlobRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output SignBlobResponse

iam.projects.serviceAccounts.signJwt

Note: This method is deprecated and will stop working on July 1, 2021. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.

google_iam.iam.projects.serviceAccounts.signJwt({
  "name": ""
}, context)

Input

• input object
  • name required string: Required. Deprecated. Migrate to Service Account Credentials API. The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the unique_id of the service account.
  • body SignJwtRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output SignJwtResponse

iam.projects.serviceAccounts.undelete

Restores a deleted ServiceAccount. Important: It is not always possible to restore a deleted service account. Use this method only as a last resort. After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.

google_iam.iam.projects.serviceAccounts.undelete({
  "name": ""
}, context)

Input

• input object
  • name required string: The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT_UNIQUE_ID}. Using - as a wildcard for the PROJECT_ID will infer the project from the account.
  • body UndeleteServiceAccountRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output UndeleteServiceAccountResponse

iam.projects.roles.list

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

google_iam.iam.projects.roles.list({
  "parent": ""
}, context)

Input

• input object
  • parent required string: The parent parameter's value depends on the target resource for the request, namely roles, projects, or organizations. Each resource type's parent value format is described below: * roles.list(): An empty string. This method doesn't require a resource; it simply returns all predefined roles in Cloud IAM. Example request URL: https://iam.googleapis.com/v1/roles * projects.roles.list(): projects/{PROJECT_ID}. This method lists all project-level custom roles. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles * organizations.roles.list(): organizations/{ORGANIZATION_ID}. This method lists all organization-level custom roles. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
  • pageSize integer: Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000.
  • pageToken string: Optional pagination token returned in an earlier ListRolesResponse.
  • showDeleted boolean: Include Roles that have been deleted.
  • view string (values: BASIC, FULL): Optional view for the returned Role objects. When FULL is specified, the includedPermissions field is returned, which includes a list of all permissions in the role. The default value is BASIC, which does not return the includedPermissions field.
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output ListRolesResponse

iam.projects.roles.create

Creates a new custom Role.

google_iam.iam.projects.roles.create({
  "parent": ""
}, context)

Input

• input object
  • parent required string: The parent parameter's value depends on the target resource for the request, namely projects or organizations. Each resource type's parent value format is described below: * projects.roles.create(): projects/{PROJECT_ID}. This method creates project-level custom roles. Example request URL: https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles * organizations.roles.create(): organizations/{ORGANIZATION_ID}. This method creates organization-level custom roles. Example request URL: https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID.
  • body CreateRoleRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output Role

iam.projects.serviceAccounts.getIamPolicy

Gets the IAM policy that is attached to a ServiceAccount. This IAM policy specifies which members have access to the service account. This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

google_iam.iam.projects.serviceAccounts.getIamPolicy({
  "resource": ""
}, context)

Input

• input object
  • resource required string: REQUIRED: The resource for which the policy is being requested. See the operation documentation for the appropriate value for this field.
  • options.requestedPolicyVersion integer: Optional. The policy format version to be returned. Valid values are 0, 1, and 3. Requests specifying an invalid value will be rejected. Requests for policies with any conditional bindings must specify version 3. Policies without any conditional bindings may specify any valid value or leave the field unset. To learn which resources support conditions in their IAM policies, see the IAM documentation.
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output Policy

iam.projects.serviceAccounts.setIamPolicy

Sets the IAM policy that is attached to a ServiceAccount. Use this method to grant or revoke access to the service account. For example, you could grant a member the ability to impersonate the service account. This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps: 1. Call the resource's getIamPolicy method to get its current IAM policy. 2. Edit the policy so that it binds the service account to an IAM role for the resource. 3. Call the resource's setIamPolicy method to update its IAM policy. For detailed instructions, see Granting roles to a service account for specific resources.

google_iam.iam.projects.serviceAccounts.setIamPolicy({
  "resource": ""
}, context)

Input

• input object
  • resource required string: REQUIRED: The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field.
  • body SetIamPolicyRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output Policy

iam.projects.serviceAccounts.testIamPermissions

Tests whether the caller has the specified permissions on a ServiceAccount.

google_iam.iam.projects.serviceAccounts.testIamPermissions({
  "resource": ""
}, context)

Input

• input object
  • resource required string: REQUIRED: The resource for which the policy detail is being requested. See the operation documentation for the appropriate value for this field.
  • body TestIamPermissionsRequest
  • $.xgafv string (values: 1, 2): V1 error format.
  • access_token string: OAuth access token.
  • alt string (values: json, media, proto): Data format for response.
  • callback string: JSONP
  • fields string: Selector specifying which fields to include in a partial response.
  • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • oauth_token string: OAuth 2.0 token for the current user.
  • prettyPrint boolean: Returns response with indentations and line breaks.
  • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
  • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

• output TestIamPermissionsResponse

Definitions

AdminAuditData

• AdminAuditData object: Audit log information specific to Cloud IAM admin APIs. This message is serialized as an Any type in the ServiceData message of an AuditLog message.
  • permissionDelta PermissionDelta

AuditConfig

• AuditConfig object: Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: { "audit_configs": [ { "service": "allServices", "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:[email protected]" ] }, { "log_type": "DATA_WRITE" }, { "log_type": "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com", "audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type": "DATA_WRITE", "exempted_members": [ "user:[email protected]" ] } ] } ] } For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts [email protected] from DATA_READ logging, and [email protected] from DATA_WRITE logging.
  • auditLogConfigs array: The configuration for logging of each type of permission.
    • items AuditLogConfig
  • service string: Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.

AuditData

• AuditData object: Audit log information specific to Cloud IAM. This message is serialized as an Any type in the ServiceData message of an AuditLog message.
  • policyDelta PolicyDelta

AuditLogConfig

• AuditLogConfig object: Provides the configuration for logging a type of permissions. Example: { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:[email protected]" ] }, { "log_type": "DATA_WRITE" } ] } This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting [email protected] from DATA_READ logging.
  • exemptedMembers array: Specifies the identities that do not cause logging for this type of permission. Follows the same format of Binding.members.
    • items string
  • logType string (values: LOG_TYPE_UNSPECIFIED, ADMIN_READ, DATA_WRITE, DATA_READ): The log type that this config enables.

AuditableService

• AuditableService object: Contains information about an auditable service.
  • name string: Public name of the service. For example, the service name for Cloud IAM is 'iam.googleapis.com'.

Binding

• Binding object: Associates members with a role.
  • condition Expr
  • members array: Specifies the identities requesting access for a Cloud Platform resource. members can have the following values: * allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. * allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. * user:{emailid}: An email address that represents a specific Google account. For example, [email protected] . * serviceAccount:{emailid}: An email address that represents a service account. For example, [email protected]. * group:{emailid}: An email address that represents a Google group. For example, [email protected]. * deleted:user:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a user that has been recently deleted. For example, [email protected]?uid=123456789012345678901. If the user is recovered, this value reverts to user:{emailid} and the recovered user retains the role in the binding. * deleted:serviceAccount:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, [email protected]?uid=123456789012345678901. If the service account is undeleted, this value reverts to serviceAccount:{emailid} and the undeleted service account retains the role in the binding. * deleted:group:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, [email protected]?uid=123456789012345678901. If the group is recovered, this value reverts to group:{emailid} and the recovered group retains the role in the binding. * domain:{domain}: The G Suite domain (primary) that represents all the users of that domain. For example, google.com or example.com.
    • items string
  • role string: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.

BindingDelta

• BindingDelta object: One delta entry for Binding. Each individual change (only one member in each entry) to a binding will be a separate entry.
  • action string (values: ACTION_UNSPECIFIED, ADD, REMOVE): The action that was performed on a Binding. Required
  • condition Expr
  • member string: A single identity requesting access for a Cloud Platform resource. Follows the same format of Binding.members. Required
  • role string: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner. Required

CreateRoleRequest

• CreateRoleRequest object: The request to create a new role.
  • role Role
  • roleId string: The role ID to use for this role. A role ID may contain alphanumeric characters, underscores (_), and periods (.). It must contain a minimum of 3 characters and a maximum of 64 characters.

CreateServiceAccountKeyRequest

• CreateServiceAccountKeyRequest object: The service account key create request.
  • keyAlgorithm string (values: KEY_ALG_UNSPECIFIED, KEY_ALG_RSA_1024, KEY_ALG_RSA_2048): Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future.
  • privateKeyType string (values: TYPE_UNSPECIFIED, TYPE_PKCS12_FILE, TYPE_GOOGLE_CREDENTIALS_FILE): The output format of the private key. The default value is TYPE_GOOGLE_CREDENTIALS_FILE, which is the Google Credentials File format.

CreateServiceAccountRequest

• CreateServiceAccountRequest object: The service account create request.
  • accountId string: Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression [a-z]([-a-z0-9]*[a-z0-9]) to comply with RFC1035.
  • serviceAccount ServiceAccount

DisableServiceAccountRequest

• DisableServiceAccountRequest object: The service account disable request.

Empty

• Empty object: A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } The JSON representation for Empty is empty JSON object {}.

EnableServiceAccountRequest

• EnableServiceAccountRequest object: The service account enable request.

Expr

• Expr object: Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
  • description string: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
  • expression string: Textual representation of an expression in Common Expression Language syntax.
  • location string: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
  • title string: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

LintPolicyRequest

• LintPolicyRequest object: The request to lint a Cloud IAM policy object.
  • condition Expr
  • fullResourceName string: The full resource name of the policy this lint request is about. The name follows the Google Cloud Platform (GCP) resource format. For example, a GCP project with ID my-project will be named //cloudresourcemanager.googleapis.com/projects/my-project. The resource name is not used to read the policy instance from the Cloud IAM database. The candidate policy for lint has to be provided in the same request object.

LintPolicyResponse

• LintPolicyResponse object: The response of a lint operation. An empty response indicates the operation was able to fully execute and no lint issue was found.
  • lintResults array: List of lint results sorted by severity in descending order.
    • items LintResult

LintResult

• LintResult object: Structured response of a single validation unit.
  • debugMessage string: Human readable debug message associated with the issue.
  • fieldName string: The name of the field for which this lint result is about. For nested messages field_name consists of names of the embedded fields separated by period character. The top-level qualifier is the input object to lint in the request. For example, the field_name value condition.expression identifies a lint result for the expression field of the provided condition.
  • level string (values: LEVEL_UNSPECIFIED, CONDITION): The validation unit level.
  • locationOffset integer: 0-based character position of problematic construct within the object identified by field_name. Currently, this is populated only for condition expression.
  • severity string (values: SEVERITY_UNSPECIFIED, ERROR, WARNING, NOTICE, INFO, DEPRECATED): The validation unit severity.
  • validationUnitName string: The validation unit name, for instance "lintValidationUnits/ConditionComplexityCheck".

ListRolesResponse

• ListRolesResponse object: The response containing the roles defined under a resource.
  • nextPageToken string: To retrieve the next page of results, set ListRolesRequest.page_token to this value.
  • roles array: The Roles defined on this resource.
    • items Role

ListServiceAccountKeysResponse

• ListServiceAccountKeysResponse object: The service account keys list response.
  • keys array: The public keys for the service account.
    • items ServiceAccountKey

ListServiceAccountsResponse

• ListServiceAccountsResponse object: The service account list response.
  • accounts array: The list of matching service accounts.
    • items ServiceAccount
  • nextPageToken string: To retrieve the next page of results, set ListServiceAccountsRequest.page_token to this value.

Operation

• Operation object: This resource represents a long-running operation that is the result of a network API call.
  • done boolean: If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
  • error Status
  • metadata object: Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any.
  • name string: The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the name should be a resource name ending with operations/{unique_id}.
  • response object: The normal response of the operation in case of success. If the original method returns no data on success, such as Delete, the response is google.protobuf.Empty. If the original method is standard Get/Create/Update, the response should be the resource. For other methods, the response should have the type XxxResponse, where Xxx is the original method name. For example, if the original method name is TakeSnapshot(), the inferred response type is TakeSnapshotResponse.

PatchServiceAccountRequest

• PatchServiceAccountRequest object: The request for PatchServiceAccount. You can patch only the display_name and description fields. You must use the update_mask field to specify which of these fields you want to patch. Only the fields specified in the request are guaranteed to be returned in the response. Other fields may be empty in the response.
  • serviceAccount ServiceAccount
  • updateMask string

Permission

• Permission object: A permission which can be included by a role.
  • apiDisabled boolean: The service API associated with the permission is not enabled.
  • customRolesSupportLevel string (values: SUPPORTED, TESTING, NOT_SUPPORTED): The current custom role support level.
  • description string: A brief description of what this Permission is used for. This permission can ONLY be used in predefined roles.
  • name string: The name of this Permission.
  • onlyInPredefinedRoles boolean
  • primaryPermission string: The preferred name for this permission. If present, then this permission is an alias of, and equivalent to, the listed primary_permission.
  • stage string (values: ALPHA, BETA, GA, DEPRECATED): The current launch stage of the permission.
  • title string: The title of this Permission.

PermissionDelta

• PermissionDelta object: A PermissionDelta message to record the added_permissions and removed_permissions inside a role.
  • addedPermissions array: Added permissions.
    • items string
  • removedPermissions array: Removed permissions.
    • items string

Policy

• Policy object: An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation. JSON example: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:[email protected]", "group:[email protected]", "domain:google.com", "serviceAccount:[email protected]" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:[email protected]" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } YAML example: bindings: - members: - user:[email protected] - group:[email protected] - domain:google.com - serviceAccount:[email protected] role: roles/resourcemanager.organizationAdmin - members: - user:[email protected] role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - ve