"""Generated message classes for iamcredentials version v1.

Creates short-lived credentials for impersonating IAM service accounts. To
enable this API, you must enable the IAM API (iam.googleapis.com).

The classes below are declarative request/response schemas: each attribute is
a protorpclite field whose first positional argument is the field number.
"""
# NOTE: This file is autogenerated and should not be edited by hand.

from __future__ import absolute_import

from apitools.base.protorpclite import messages as _messages
from apitools.base.py import encoding


package = 'iamcredentials'


class GenerateAccessTokenRequest(_messages.Message):
  r"""A GenerateAccessTokenRequest object.

  Fields:
    delegates: The sequence of service accounts in a delegation chain. Each
      service account must be granted the
      `roles/iam.serviceAccountTokenCreator` role on its next service account
      in the chain. The last service account in the chain must be granted the
      `roles/iam.serviceAccountTokenCreator` role on the service account that
      is specified in the `name` field of the request. The delegates must have
      the following format:
      `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-`
      wildcard character is required; replacing it with a project ID is
      invalid.
    lifetime: The desired lifetime duration of the access token in seconds. By
      default, the maximum allowed value is 1 hour. To set a lifetime of up to
      12 hours, you can add the service account as an allowed value in an
      Organization Policy that enforces the
      `constraints/iam.allowServiceAccountCredentialLifetimeExtension`
      constraint. See detailed instructions at
      https://cloud.google.com/iam/help/credentials/lifetime
      If a value is not specified, the token's lifetime will be set to a
      default value of 1 hour.
    scope: Required. Code to identify the scopes to be included in the OAuth
      2.0 access token. See
      https://developers.google.com/identity/protocols/googlescopes for more
      information. At least one value required.
  """

  # One entry per hop of the delegation chain described in the docstring.
  # Every hop depends on a `roles/iam.serviceAccountTokenCreator` grant, so
  # those grants are what to audit when reviewing who can mint tokens.
  delegates = _messages.StringField(1, repeated=True)
  # Declared as a string although the docstring describes seconds.
  # NOTE(review): presumably a duration string such as "3600s" -- confirm
  # against the API reference. The documented 1-hour default and 12-hour
  # extended ceiling bound how long an issued token stays usable.
  lifetime = _messages.StringField(2)
  # Repeated: one scope string per element. The docstring says at least one
  # value is required; this definition does not mark the field required.
  scope = _messages.StringField(3, repeated=True)


class GenerateAccessTokenResponse(_messages.Message):
  r"""A GenerateAccessTokenResponse object.

  Fields:
    accessToken: The OAuth 2.0 access token.
    expireTime: Token expiration time. The expiration time is always set.
  """

  # The issued token itself: handle it as a secret and keep it out of logs
  # and error messages.
  accessToken = _messages.StringField(1)
  # Declared as a string. NOTE(review): presumably an RFC 3339 timestamp --
  # confirm before parsing.
  expireTime = _messages.StringField(2)


class GenerateIdTokenRequest(_messages.Message):
  r"""A GenerateIdTokenRequest object.

  Fields:
    audience: Required. The audience for the token, such as the API or account
      that this token grants access to.
    delegates: The sequence of service accounts in a delegation chain. Each
      service account must be granted the
      `roles/iam.serviceAccountTokenCreator` role on its next service account
      in the chain. The last service account in the chain must be granted the
      `roles/iam.serviceAccountTokenCreator` role on the service account that
      is specified in the `name` field of the request. The delegates must have
      the following format:
      `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-`
      wildcard character is required; replacing it with a project ID is
      invalid.
    includeEmail: Include the service account email in the token. If set to
      `true`, the token will contain `email` and `email_verified` claims.
  """

  # Documented as Required, but this definition does not set required=True,
  # so a missing audience is not rejected by this message class.
  audience = _messages.StringField(1)
  # Same delegation-chain semantics as on the other request bodies in this
  # file (see the docstring).
  delegates = _messages.StringField(2, repeated=True)
  # When true, the service account's email is disclosed to whoever receives
  # the token, via the `email` / `email_verified` claims named above.
  includeEmail = _messages.BooleanField(3)


class GenerateIdTokenResponse(_messages.Message):
  r"""A GenerateIdTokenResponse object.

  Fields:
    token: The OpenId Connect ID token.
  """

  # The issued ID token: handle it as a secret for the requested audience.
  token = _messages.StringField(1)


class IamcredentialsProjectsServiceAccountsGenerateAccessTokenRequest(_messages.Message):
  r"""An IamcredentialsProjectsServiceAccountsGenerateAccessTokenRequest
  object.

  Fields:
    generateAccessTokenRequest: A GenerateAccessTokenRequest resource to be
      passed as the request body.
    name: Required. The resource name of the service account for which the
      credentials are requested, in the following format:
      `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-`
      wildcard character is required; replacing it with a project ID is
      invalid.
  """

  # Request body; refers to the GenerateAccessTokenRequest class by name.
  generateAccessTokenRequest = _messages.MessageField('GenerateAccessTokenRequest', 1)
  # The service account to impersonate. Marked required=True in this
  # definition, unlike the "Required" fields of the body messages.
  name = _messages.StringField(2, required=True)


class IamcredentialsProjectsServiceAccountsGenerateIdTokenRequest(_messages.Message):
  r"""An IamcredentialsProjectsServiceAccountsGenerateIdTokenRequest object.

  Fields:
    generateIdTokenRequest: A GenerateIdTokenRequest resource to be passed as
      the request body.
    name: Required. The resource name of the service account for which the
      credentials are requested, in the following format:
      `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-`
      wildcard character is required; replacing it with a project ID is
      invalid.
  """

  # Request body; refers to the GenerateIdTokenRequest class by name.
  generateIdTokenRequest = _messages.MessageField('GenerateIdTokenRequest', 1)
  # The service account to impersonate; marked required=True.
  name = _messages.StringField(2, required=True)


class IamcredentialsProjectsServiceAccountsSignBlobRequest(_messages.Message):
  r"""An IamcredentialsProjectsServiceAccountsSignBlobRequest object.

  Fields:
    name: Required. The resource name of the service account for which the
      credentials are requested, in the following format:
      `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-`
      wildcard character is required; replacing it with a project ID is
      invalid.
    signBlobRequest: A SignBlobRequest resource to be passed as the request
      body.
  """

  # The service account whose key signs the blob; marked required=True.
  name = _messages.StringField(1, required=True)
  # Request body; refers to the SignBlobRequest class by name.
  signBlobRequest = _messages.MessageField('SignBlobRequest', 2)


class IamcredentialsProjectsServiceAccountsSignJwtRequest(_messages.Message):
  r"""An IamcredentialsProjectsServiceAccountsSignJwtRequest object.

  Fields:
    name: Required. The resource name of the service account for which the
      credentials are requested, in the following format:
      `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-`
      wildcard character is required; replacing it with a project ID is
      invalid.
    signJwtRequest: A SignJwtRequest resource to be passed as the request
      body.
  """

  # The service account whose key signs the JWT; marked required=True.
  name = _messages.StringField(1, required=True)
  # Request body; refers to the SignJwtRequest class by name.
  signJwtRequest = _messages.MessageField('SignJwtRequest', 2)


class SignBlobRequest(_messages.Message):
  r"""A SignBlobRequest object.

  Fields:
    delegates: The sequence of service accounts in a delegation chain. Each
      service account must be granted the
      `roles/iam.serviceAccountTokenCreator` role on its next service account
      in the chain. The last service account in the chain must be granted the
      `roles/iam.serviceAccountTokenCreator` role on the service account that
      is specified in the `name` field of the request. The delegates must have
      the following format:
      `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-`
      wildcard character is required; replacing it with a project ID is
      invalid.
    payload: Required. The bytes to sign.
  """

  # Same delegation-chain semantics as on the token request bodies.
  delegates = _messages.StringField(1, repeated=True)
  # Raw bytes to be signed. Documented as Required, but this definition does
  # not set required=True.
  payload = _messages.BytesField(2)


class SignBlobResponse(_messages.Message):
  r"""A SignBlobResponse object.

  Fields:
    keyId: The ID of the key used to sign the blob. The key used for signing
      will remain valid for at least 12 hours after the blob is signed. To
      verify the signature, you can retrieve the public key in several formats
      from the following endpoints:
      - RSA public key wrapped in an X.509 v3 certificate:
        `https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}`
      - Raw key in JSON format:
        `https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}`
      - JSON Web Key (JWK):
        `https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}`
    signedBlob: The signature for the blob. Does not include the original
      blob. After the key pair referenced by the `key_id` response field
      expires, Google no longer exposes the public key that can be used to
      verify the blob. As a result, the receiver can no longer verify the
      signature.
  """

  # Identifies which public key verifies the signature. The `key_id`
  # mentioned in the signedBlob docstring appears to be this field.
  keyId = _messages.StringField(1)
  # Signature only; per the docstring it stops being verifiable once the
  # signing key pair expires, so verification has a limited window.
  signedBlob = _messages.BytesField(2)


class SignJwtRequest(_messages.Message):
  r"""A SignJwtRequest object.

  Fields:
    delegates: The sequence of service accounts in a delegation chain. Each
      service account must be granted the
      `roles/iam.serviceAccountTokenCreator` role on its next service account
      in the chain. The last service account in the chain must be granted the
      `roles/iam.serviceAccountTokenCreator` role on the service account that
      is specified in the `name` field of the request. The delegates must have
      the following format:
      `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-`
      wildcard character is required; replacing it with a project ID is
      invalid.
    payload: Required. The JWT payload to sign. Must be a serialized JSON
      object that contains a JWT Claims Set. For example:
      `{"sub": "user@example.com", "iat": 313435}`
      If the JWT Claims Set contains an expiration time (`exp`) claim, it must
      be an integer timestamp that is not in the past and no more than 12
      hours in the future.
  """

  # Same delegation-chain semantics as on the token request bodies.
  delegates = _messages.StringField(1, repeated=True)
  # Caller-supplied claims set, passed as a serialized JSON string. The
  # docstring documents a constraint on `exp` only, so consumers of the
  # signed JWT should validate every claim they rely on themselves.
  payload = _messages.StringField(2)


class SignJwtResponse(_messages.Message):
  r"""A SignJwtResponse object.

  Fields:
    keyId: The ID of the key used to sign the JWT. The key used for signing
      will remain valid for at least 12 hours after the JWT is signed. To
      verify the signature, you can retrieve the public key in several formats
      from the following endpoints:
      - RSA public key wrapped in an X.509 v3 certificate:
        `https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}`
      - Raw key in JSON format:
        `https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}`
      - JSON Web Key (JWK):
        `https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}`
    signedJwt: The signed JWT. Contains the automatically generated header;
      the client-supplied payload; and the signature, which is generated using
      the key referenced by the `kid` field in the header. After the key pair
      referenced by the `key_id` response field expires, Google no longer
      exposes the public key that can be used to verify the JWT. As a result,
      the receiver can no longer verify the signature.
  """

  # Identifies which public key verifies the JWT. The `key_id` mentioned in
  # the signedJwt docstring appears to be this field.
  keyId = _messages.StringField(1)
  # Header, client-supplied payload and signature, per the docstring. Handle
  # it as a credential if the payload makes it one for some audience.
  signedJwt = _messages.StringField(2)


class StandardQueryParameters(_messages.Message):
  r"""Query parameters accepted by all methods.

  Enums:
    FXgafvValueValuesEnum: V1 error format.
    AltValueValuesEnum: Data format for response.

  Fields:
    f__xgafv: V1 error format.
    access_token: OAuth access token.
    alt: Data format for response.
    callback: JSONP
    fields: Selector specifying which fields to include in a partial response.
    key: API key. Your API key identifies your project and provides you with
      API access, quota, and reports. Required unless you provide an OAuth 2.0
      token.
    oauth_token: OAuth 2.0 token for the current user.
    prettyPrint: Returns response with indentations and line breaks.
    quotaUser: Available to use for quota purposes for server-side
      applications. Can be any arbitrary string assigned to a user, but should
      not exceed 40 characters.
    trace: A tracing token of the form "token:<tokenid>" to include in api
      requests.
    uploadType: Legacy upload protocol for media (e.g. "media", "multipart").
    upload_protocol: Upload protocol for media (e.g. "raw", "multipart").
  """

  class AltValueValuesEnum(_messages.Enum):
    r"""Data format for response.

    Values:
      json: Responses with Content-Type of application/json
      media: Media download with context-dependent Content-Type
      proto: Responses with Content-Type of application/x-protobuf
    """
    json = 0
    media = 1
    proto = 2

  class FXgafvValueValuesEnum(_messages.Enum):
    r"""V1 error format.

    Values:
      _1: v1 error format
      _2: v2 error format
    """
    # The leading underscore keeps these valid Python identifiers; the
    # module-level AddCustomJsonEnumMapping calls map them to '1' and '2'.
    _1 = 0
    _2 = 1

  # Mapped to the JSON name '$.xgafv' by AddCustomJsonFieldMapping below.
  f__xgafv = _messages.EnumField('FXgafvValueValuesEnum', 1)
  # access_token, key and oauth_token are credentials declared here as query
  # parameters. NOTE(review): URLs are commonly recorded by logs and
  # intermediaries; prefer header-based authentication where the client
  # allows it, and redact these parameters wherever request URLs are stored.
  access_token = _messages.StringField(2)
  # Defaults to the `json` response format.
  alt = _messages.EnumField('AltValueValuesEnum', 3, default='json')
  # JSONP callback name (documented only as "JSONP").
  callback = _messages.StringField(4)
  fields = _messages.StringField(5)
  key = _messages.StringField(6)
  oauth_token = _messages.StringField(7)
  # Pretty-printing is on unless explicitly disabled.
  prettyPrint = _messages.BooleanField(8, default=True)
  quotaUser = _messages.StringField(9)
  trace = _messages.StringField(10)
  uploadType = _messages.StringField(11)
  upload_protocol = _messages.StringField(12)


# Register the JSON names that differ from the Python identifiers above:
# the field f__xgafv is serialized as '$.xgafv', and the enum members
# _1 / _2 are serialized as '1' / '2'.
encoding.AddCustomJsonFieldMapping(
    StandardQueryParameters, 'f__xgafv', '$.xgafv')
encoding.AddCustomJsonEnumMapping(
    StandardQueryParameters.FXgafvValueValuesEnum, '_1', '1')
encoding.AddCustomJsonEnumMapping(
    StandardQueryParameters.FXgafvValueValuesEnum, '_2', '2')