<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2em;
}

.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="iam_v1.html">Identity and Access Management (IAM) API</a> . <a href="iam_v1.projects.html">projects</a> .
<a href="iam_v1.projects.serviceAccounts.html">serviceAccounts</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="iam_v1.projects.serviceAccounts.keys.html">keys()</a></code>
</p>
<p class="firstline">Returns the keys Resource.</p>

<p class="toc_element">
  <code><a href="#create">create(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">Creates a ServiceAccount</p>
<p class="toc_element">
  <code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
<p class="firstline">Deletes a ServiceAccount.</p>
<p class="toc_element">
  <code><a href="#disable">disable(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">DisableServiceAccount is currently in the alpha launch stage.</p>
<p class="toc_element">
  <code><a href="#enable">enable(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">EnableServiceAccount is currently in the alpha launch stage.</p>
<p class="toc_element">
  <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
<p class="firstline">Gets a ServiceAccount.</p>
<p class="toc_element">
  <code><a href="#getIamPolicy">getIamPolicy(resource, x__xgafv=None)</a></code></p>
<p class="firstline">Returns the Cloud IAM access control policy for a</p>
<p class="toc_element">
  <code><a href="#list">list(name, pageToken=None, x__xgafv=None, pageSize=None)</a></code></p>
<p class="firstline">Lists ServiceAccounts for a project.</p>
<p class="toc_element">
  <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#patch">patch(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">Patches a ServiceAccount.</p>
<p class="toc_element">
  <code><a href="#setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Sets the Cloud IAM access
control policy for a</p>
<p class="toc_element">
  <code><a href="#signBlob">signBlob(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">**Note**: This method is in the process of being deprecated. Call the</p>
<p class="toc_element">
  <code><a href="#signJwt">signJwt(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">**Note**: This method is in the process of being deprecated. Call the</p>
<p class="toc_element">
  <code><a href="#testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Tests the specified permissions against the IAM access control policy</p>
<p class="toc_element">
  <code><a href="#undelete">undelete(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Restores a deleted ServiceAccount.</p>
<p class="toc_element">
  <code><a href="#update">update(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">Note: This method is in the process of being deprecated. Use</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="create">create(name, body, x__xgafv=None)</code>
  <pre>Creates a ServiceAccount
and returns it.

Args:
  name: string, Required. The resource name of the project associated with the service
accounts, such as `projects/my-project-123`. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The service account create request.
    "serviceAccount": { # A service account in the Identity and Access Management API. # The ServiceAccount resource to
        # create. Currently, only the following values are user assignable:
        # `display_name`.
        #
        # To create a service account, specify the `project_id` and the `account_id`
        # for the account. The `account_id` is unique within the project, and is used
        # to generate the service account email address and a stable
        # `unique_id`.
        #
        # If the account already exists, the account's resource name is returned
        # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
        # can use the name in other methods to access the account.
        #
        # All other methods can identify the service account using the format
        # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
        # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
        # the account. The `ACCOUNT` value can be the `email` address or the
        # `unique_id` of the service account.
      "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
          # This is used in conjunction with the OAuth2 clientconfig API to make
          # three legged OAuth2 (3LO) flows to access the data of Google users.
      "displayName": "A String", # Optional. A user-specified name for the service account.
          # Must be less than or equal to 100 UTF-8 bytes.
      "description": "A String", # Optional. A user-specified opaque description of the service account.
          # Must be less than or equal to 256 UTF-8 bytes.
      "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
      "disabled": True or False, # @OutputOnly A bool indicating whether the service account is disabled.
          # The field is currently in alpha phase.
      "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
          # for backwards compatibility.
      "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
      "email": "A String", # @OutputOnly The email address of the service account.
      "name": "A String", # The resource name of the service account in the following format:
          # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
          #
          # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
          # project from the `account` and the `ACCOUNT` value can be the `email`
          # address or the `unique_id` of the service account.
          #
          # In responses the resource name will always be in the format
          # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
    },
    "accountId": "A String", # Required. The account id that is used to generate the service account
        # email address and a stable unique id. It is unique within a project,
        # must be 6-30 characters long, and match the regular expression
        # `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A service account in the Identity and Access Management API.
        #
        # To create a service account, specify the `project_id` and the `account_id`
        # for the account. The `account_id` is unique within the project, and is used
        # to generate the service account email address and a stable
        # `unique_id`.
        #
        # If the account already exists, the account's resource name is returned
        # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
        # can use the name in other methods to access the account.
        #
        # All other methods can identify the service account using the format
        # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
        # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
        # the account. The `ACCOUNT` value can be the `email` address or the
        # `unique_id` of the service account.
      "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
          # This is used in conjunction with the OAuth2 clientconfig API to make
          # three legged OAuth2 (3LO) flows to access the data of Google users.
      "displayName": "A String", # Optional.
          # A user-specified name for the service account.
          # Must be less than or equal to 100 UTF-8 bytes.
      "description": "A String", # Optional. A user-specified opaque description of the service account.
          # Must be less than or equal to 256 UTF-8 bytes.
      "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
      "disabled": True or False, # @OutputOnly A bool indicating whether the service account is disabled.
          # The field is currently in alpha phase.
      "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
          # for backwards compatibility.
      "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
      "email": "A String", # @OutputOnly The email address of the service account.
      "name": "A String", # The resource name of the service account in the following format:
          # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
          #
          # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
          # project from the `account` and the `ACCOUNT` value can be the `email`
          # address or the `unique_id` of the service account.
          #
          # In responses the resource name will always be in the format
          # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
    }</pre>
</div>

<div class="method">
    <code class="details" id="delete">delete(name, x__xgafv=None)</code>
  <pre>Deletes a ServiceAccount.

Args:
  name: string, The resource name of the service account in the following format:
`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
the account. The `ACCOUNT` value can be the `email` address or the
`unique_id` of the service account. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A generic empty message that you can re-use to avoid defining duplicated
      # empty messages in your APIs. A typical example is to use it as the request
      # or the response type of an API method. For instance:
      #
      #     service Foo {
      #       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
      #     }
      #
      # The JSON representation for `Empty` is empty JSON object `{}`.
  }</pre>
</div>

<div class="method">
    <code class="details" id="disable">disable(name, body=None, x__xgafv=None)</code>
  <pre>DisableServiceAccount is currently in the alpha launch stage.

Disables a ServiceAccount,
which immediately prevents the service account from authenticating and
gaining access to APIs.

Disabled service accounts can be safely restored by using
EnableServiceAccount at any point. Deleted service accounts cannot be
restored using this method.

Disabling a service account that is bound to VMs, Apps, Functions, or
other jobs will cause those jobs to lose access to resources if they are
using the disabled service account.

To improve reliability of your services and avoid unexpected outages, it
is recommended to first disable a service account rather than delete it.
After disabling the service account, wait at least 24 hours to verify there
are no unintended consequences, and then delete the service account.

Args:
  name: string, The resource name of the service account in the following format:
`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
the account. The `ACCOUNT` value can be the `email` address or the
`unique_id` of the service account. (required)
  body: object, The request body.
    The object takes the form of:

{ # The service account disable request.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A generic empty message that you can re-use to avoid defining duplicated
      # empty messages in your APIs. A typical example is to use it as the request
      # or the response type of an API method. For instance:
      #
      #     service Foo {
      #       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
      #     }
      #
      # The JSON representation for `Empty` is empty JSON object `{}`.
  }</pre>
</div>

<div class="method">
    <code class="details" id="enable">enable(name, body=None, x__xgafv=None)</code>
  <pre>EnableServiceAccount is currently in the alpha launch stage.

Restores a disabled ServiceAccount
that has been manually disabled by using DisableServiceAccount. Service
accounts that have been disabled by other means or for other reasons,
such as abuse, cannot be restored using this method.

EnableServiceAccount will have no effect on a service account that is
not disabled. Enabling an already enabled service account will have no
effect.

Args:
  name: string, The resource name of the service account in the following format:
`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT_UNIQUE_ID}`.
Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
the account. (required)
  body: object, The request body.
    The object takes the form of:

{ # The service account enable request.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A generic empty message that you can re-use to avoid defining duplicated
      # empty messages in your APIs. A typical example is to use it as the request
      # or the response type of an API method.
      # For instance:
      #
      #     service Foo {
      #       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
      #     }
      #
      # The JSON representation for `Empty` is empty JSON object `{}`.
  }</pre>
</div>

<div class="method">
    <code class="details" id="get">get(name, x__xgafv=None)</code>
  <pre>Gets a ServiceAccount.

Args:
  name: string, The resource name of the service account in the following format:
`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
the account. The `ACCOUNT` value can be the `email` address or the
`unique_id` of the service account. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A service account in the Identity and Access Management API.
        #
        # To create a service account, specify the `project_id` and the `account_id`
        # for the account. The `account_id` is unique within the project, and is used
        # to generate the service account email address and a stable
        # `unique_id`.
        #
        # If the account already exists, the account's resource name is returned
        # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
        # can use the name in other methods to access the account.
        #
        # All other methods can identify the service account using the format
        # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
        # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
        # the account. The `ACCOUNT` value can be the `email` address or the
        # `unique_id` of the service account.
      "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
          # This is used in conjunction with the OAuth2 clientconfig API to make
          # three legged OAuth2 (3LO) flows to access the data of Google users.
      "displayName": "A String", # Optional. A user-specified name for the service account.
          # Must be less than or equal to 100 UTF-8 bytes.
      "description": "A String", # Optional. A user-specified opaque description of the service account.
          # Must be less than or equal to 256 UTF-8 bytes.
      "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
      "disabled": True or False, # @OutputOnly A bool indicating whether the service account is disabled.
          # The field is currently in alpha phase.
      "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
          # for backwards compatibility.
      "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
      "email": "A String", # @OutputOnly The email address of the service account.
      "name": "A String", # The resource name of the service account in the following format:
          # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
          #
          # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
          # project from the `account` and the `ACCOUNT` value can be the `email`
          # address or the `unique_id` of the service account.
          #
          # In responses the resource name will always be in the format
          # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
    }</pre>
</div>

<div class="method">
    <code class="details" id="getIamPolicy">getIamPolicy(resource, x__xgafv=None)</code>
  <pre>Returns the Cloud IAM access control policy for a
ServiceAccount.

Note: Service accounts are both
[resources and
identities](/iam/docs/service-accounts#service_account_permissions). This
method treats the service account as a resource. It returns the Cloud IAM
policy that reflects what members have access to the service account.

This method does not return what resources the service account has access
to.
To see if a service account has access to a resource, call the
`getIamPolicy` method on the target resource. For example, to view grants
for a project, call the
[projects.getIamPolicy](/resource-manager/reference/rest/v1/projects/getIamPolicy)
method.

Args:
  resource: string, REQUIRED: The resource for which the policy is being requested.
See the operation documentation for the appropriate value for this field. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **JSON Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # **YAML Example**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-other-app@appspot.gserviceaccount.com
        #       role: roles/owner
        #     - members:
        #       - user:sean@example.com
        #       role: roles/viewer
        #
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam/docs).
      "bindings": [ # Associates a list of `members` to a `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
          "condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
              # NOTE: An unsatisfied condition will not allow user access via current
              # binding. Different bindings, including their conditions, are examined
              # independently.
              #
              #     title: "User account presence"
              #     description: "Determines whether the request has a user account"
              #     expression: "size(request.user) > 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # Common Expression Language syntax.
                #
                # The application context of the containing message determines which
                # well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which
                # describes the expression, e.g. when hovered over it in a UI.
            "title": "A String", # An optional title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs that allow entering the
                # expression.
          },
        },
      ],
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditLogConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       "audit_configs": [
            #         {
            #           "service": "allServices",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #               "exempted_members": [
            #                 "user:foo@gmail.com"
            #               ]
            #             },
            #             {
            #               "log_type": "DATA_WRITE"
            #             },
            #             {
            #               "log_type": "ADMIN_READ"
            #             }
            #           ]
            #         },
            #         {
            #           "service": "fooservice.googleapis.com",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ"
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #               "exempted_members": [
            #                 "user:bar@gmail.com"
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
            # bar@gmail.com from DATA_WRITE logging.
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       "audit_log_configs": [
                #         {
                #           "log_type": "DATA_READ",
                #           "exempted_members": [
                #             "user:foo@gmail.com"
                #           ]
                #         },
                #         {
                #           "log_type": "DATA_WRITE"
                #         }
                #       ]
                #     }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format of Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "version": 42, # Deprecated.
    }</pre>
</div>

<div class="method">
    <code class="details" id="list">list(name, pageToken=None, x__xgafv=None, pageSize=None)</code>
  <pre>Lists ServiceAccounts for a project.

Args:
  name: string, Required.
The resource name of the project associated with the service
accounts, such as `projects/my-project-123`. (required)
  pageToken: string, Optional pagination token returned in an earlier
ListServiceAccountsResponse.next_page_token.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format
  pageSize: integer, Optional limit on the number of service accounts to include in the
response. Further accounts can subsequently be obtained by including the
ListServiceAccountsResponse.next_page_token
in a subsequent request.

Returns:
  An object of the form:

    { # The service account list response.
    "nextPageToken": "A String", # To retrieve the next page of results, set
        # ListServiceAccountsRequest.page_token
        # to this value.
    "accounts": [ # The list of matching service accounts.
      { # A service account in the Identity and Access Management API.
          #
          # To create a service account, specify the `project_id` and the `account_id`
          # for the account. The `account_id` is unique within the project, and is used
          # to generate the service account email address and a stable
          # `unique_id`.
          #
          # If the account already exists, the account's resource name is returned
          # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
          # can use the name in other methods to access the account.
          #
          # All other methods can identify the service account using the format
          # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
          # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
          # the account. The `ACCOUNT` value can be the `email` address or the
          # `unique_id` of the service account.
        "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
            # This is used in conjunction with the OAuth2 clientconfig API to make
            # three legged OAuth2 (3LO) flows to access the data of Google users.
        "displayName": "A String", # Optional. A user-specified name for the service account.
            # Must be less than or equal to 100 UTF-8 bytes.
        "description": "A String", # Optional. A user-specified opaque description of the service account.
            # Must be less than or equal to 256 UTF-8 bytes.
        "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
        "disabled": True or False, # @OutputOnly A bool indicating whether the service account is disabled.
            # The field is currently in alpha phase.
        "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
            # for backwards compatibility.
        "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
        "email": "A String", # @OutputOnly The email address of the service account.
        "name": "A String", # The resource name of the service account in the following format:
            # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
            #
            # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
            # project from the `account` and the `ACCOUNT` value can be the `email`
            # address or the `unique_id` of the service account.
            #
            # In responses the resource name will always be in the format
            # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
      },
    ],
  }</pre>
</div>

<div class="method">
    <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
  <pre>Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page.
  Returns None if there are no more items in the collection.
    </pre>
</div>

<div class="method">
    <code class="details" id="patch">patch(name, body, x__xgafv=None)</code>
  <pre>Patches a ServiceAccount.

Currently, only the following fields are updatable:
`display_name` and `description`.

Only fields specified in the request are guaranteed to be returned in
the response. Other fields in the response may be empty.

Note: The field mask is required.

Args:
  name: string, The resource name of the service account in the following format:
`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.

Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
project from the `account` and the `ACCOUNT` value can be the `email`
address or the `unique_id` of the service account.

In responses the resource name will always be in the format
`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The patch service account request.
    "serviceAccount": { # A service account in the Identity and Access Management API.
        #
        # To create a service account, specify the `project_id` and the `account_id`
        # for the account. The `account_id` is unique within the project, and is used
        # to generate the service account email address and a stable
        # `unique_id`.
        #
        # If the account already exists, the account's resource name is returned
        # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
        # can use the name in other methods to access the account.
        #
        # All other methods can identify the service account using the format
        # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
        # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
        # the account.
        # The `ACCOUNT` value can be the `email` address or the
        # `unique_id` of the service account.
      "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
          # This is used in conjunction with the OAuth2 clientconfig API to make
          # three legged OAuth2 (3LO) flows to access the data of Google users.
      "displayName": "A String", # Optional. A user-specified name for the service account.
          # Must be less than or equal to 100 UTF-8 bytes.
      "description": "A String", # Optional. A user-specified opaque description of the service account.
          # Must be less than or equal to 256 UTF-8 bytes.
      "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
      "disabled": True or False, # @OutputOnly A bool indicating whether the service account is disabled.
          # The field is currently in alpha phase.
      "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
          # for backwards compatibility.
      "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
      "email": "A String", # @OutputOnly The email address of the service account.
      "name": "A String", # The resource name of the service account in the following format:
          # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
          #
          # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
          # project from the `account` and the `ACCOUNT` value can be the `email`
          # address or the `unique_id` of the service account.
          #
          # In responses the resource name will always be in the format
          # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
    },
    "updateMask": "A String",
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A service account in the Identity and Access Management API.
        #
        # To create a service account, specify the `project_id` and the `account_id`
        # for the account. The `account_id` is unique within the project, and is used
        # to generate the service account email address and a stable
        # `unique_id`.
        #
        # If the account already exists, the account's resource name is returned
        # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
        # can use the name in other methods to access the account.
        #
        # All other methods can identify the service account using the format
        # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
        # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
        # the account. The `ACCOUNT` value can be the `email` address or the
        # `unique_id` of the service account.
      "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
          # This is used in conjunction with the OAuth2 clientconfig API to make
          # three legged OAuth2 (3LO) flows to access the data of Google users.
      "displayName": "A String", # Optional. A user-specified name for the service account.
          # Must be less than or equal to 100 UTF-8 bytes.
      "description": "A String", # Optional. A user-specified opaque description of the service account.
          # Must be less than or equal to 256 UTF-8 bytes.
      "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
      "disabled": True or False, # @OutputOnly A bool indicating whether the service account is disabled.
          # The field is currently in alpha phase.
      "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
          # for backwards compatibility.
      "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
      "email": "A String", # @OutputOnly The email address of the service account.
      "name": "A String", # The resource name of the service account in the following format:
          # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
          #
          # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
          # project from the `account` and the `ACCOUNT` value can be the `email`
          # address or the `unique_id` of the service account.
          #
          # In responses the resource name will always be in the format
          # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
    }</pre>
</div>

<div class="method">
    <code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code>
  <pre>Sets the Cloud IAM access control policy for a
ServiceAccount.

Note: Service accounts are both
[resources and
identities](/iam/docs/service-accounts#service_account_permissions). This
method treats the service account as a resource. Use it to grant members
access to the service account, such as when they need to impersonate it.

This method does not grant the service account access to other resources,
such as projects. To grant a service account access to resources, include
the service account in the Cloud IAM policy for the desired resource, then
call the appropriate `setIamPolicy` method on the target resource. For
example, to grant a service account access to a project, call the
[projects.setIamPolicy](/resource-manager/reference/rest/v1/projects/setIamPolicy)
method.

Args:
  resource: string, REQUIRED: The resource for which the policy is being specified.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `SetIamPolicy` method.
    "policy": { # Defines an Identity and Access Management (IAM) policy. It is used to # REQUIRED: The complete policy to be applied to the `resource`.
        # The size of the policy is limited to a few 10s of KB. An empty policy is a
        # valid policy but certain Cloud Platform services (such as Projects)
        # might reject them.
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **JSON Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # **YAML Example**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-other-app@appspot.gserviceaccount.com
        #       role: roles/owner
        #     - members:
        #       - user:sean@example.com
        #       role: roles/viewer
        #
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam/docs).
      "bindings": [ # Associates a list of `members` to a `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
          "condition": { # The condition that is associated with this binding.
              # NOTE: An unsatisfied condition will not allow user access via current
              # binding. Different bindings, including their conditions, are examined
              # independently.
              #
              # Represents an expression text. Example:
              #
              #     title: "User account presence"
              #     description: "Determines whether the request has a user account"
              #     expression: "size(request.user) > 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # Common Expression Language syntax.
                #
                # The application context of the containing message determines which
                # well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which
                # describes the expression, e.g. when hovered over it in a UI.
            "title": "A String", # An optional title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs which allow entering the
                # expression.
          },
        },
      ],
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditLogConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       "audit_configs": [
            #         {
            #           "service": "allServices",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #               "exempted_members": [
            #                 "user:foo@gmail.com"
            #               ]
            #             },
            #             {
            #               "log_type": "DATA_WRITE"
            #             },
            #             {
            #               "log_type": "ADMIN_READ"
            #             }
            #           ]
            #         },
            #         {
            #           "service": "fooservice.googleapis.com",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ"
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #               "exempted_members": [
            #                 "user:bar@gmail.com"
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
            # bar@gmail.com from DATA_WRITE logging.
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       "audit_log_configs": [
                #         {
                #           "log_type": "DATA_READ",
                #           "exempted_members": [
                #             "user:foo@gmail.com"
                #           ]
                #         },
                #         {
                #           "log_type": "DATA_WRITE"
                #         }
                #       ]
                #     }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format of Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "version": 42, # Deprecated.
    },
    "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
        # the fields in the mask will be modified. If no mask is provided, the
        # following default mask is used:
        # paths: "bindings, etag"
        # This field is only used by Cloud IAM.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **JSON Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # **YAML Example**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-other-app@appspot.gserviceaccount.com
        #       role: roles/owner
        #     - members:
        #       - user:sean@example.com
        #       role: roles/viewer
        #
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam/docs).
      "bindings": [ # Associates a list of `members` to a `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
          "condition": { # The condition that is associated with this binding.
              # NOTE: An unsatisfied condition will not allow user access via current
              # binding. Different bindings, including their conditions, are examined
              # independently.
              #
              # Represents an expression text. Example:
              #
              #     title: "User account presence"
              #     description: "Determines whether the request has a user account"
              #     expression: "size(request.user) > 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # Common Expression Language syntax.
                #
                # The application context of the containing message determines which
                # well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which
                # describes the expression, e.g.
                # when hovered over it in a UI.
            "title": "A String", # An optional title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs which allow entering the
                # expression.
          },
        },
      ],
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditLogConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       "audit_configs": [
            #         {
            #           "service": "allServices",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #               "exempted_members": [
            #                 "user:foo@gmail.com"
            #               ]
            #             },
            #             {
            #               "log_type": "DATA_WRITE"
            #             },
            #             {
            #               "log_type": "ADMIN_READ"
            #             }
            #           ]
            #         },
            #         {
            #           "service": "fooservice.googleapis.com",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ"
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #               "exempted_members": [
            #                 "user:bar@gmail.com"
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
            # bar@gmail.com from DATA_WRITE logging.
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       "audit_log_configs": [
                #         {
                #           "log_type": "DATA_READ",
                #           "exempted_members": [
                #             "user:foo@gmail.com"
                #           ]
                #         },
                #         {
                #           "log_type": "DATA_WRITE"
                #         }
                #       ]
                #     }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format of Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "version": 42, # Deprecated.
    }</pre>
</div>

<div class="method">
    <code class="details" id="signBlob">signBlob(name, body, x__xgafv=None)</code>
  <pre>**Note**: This method is in the process of being deprecated.
Call the
[`signBlob()`](/iam/credentials/reference/rest/v1/projects.serviceAccounts/signBlob)
method of the Cloud IAM Service Account Credentials API instead.

Signs a blob using a service account's system-managed private key.

Args:
  name: string, The resource name of the service account in the following format:
`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
the account. The `ACCOUNT` value can be the `email` address or the
`unique_id` of the service account. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The service account sign blob request.
    "bytesToSign": "A String", # The bytes to sign.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The service account sign blob response.
      "keyId": "A String", # The id of the key used to sign the blob.
      "signature": "A String", # The signed blob.
    }</pre>
</div>

<div class="method">
    <code class="details" id="signJwt">signJwt(name, body, x__xgafv=None)</code>
  <pre>**Note**: This method is in the process of being deprecated. Call the
[`signJwt()`](/iam/credentials/reference/rest/v1/projects.serviceAccounts/signJwt)
method of the Cloud IAM Service Account Credentials API instead.

Signs a JWT using a service account's system-managed private key.

If no expiry time (`exp`) is provided in the `SignJwtRequest`, IAM sets
an expiry time of one hour by default. If you request an expiry time of
more than one hour, the request will fail.

Args:
  name: string, The resource name of the service account in the following format:
`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
the account. The `ACCOUNT` value can be the `email` address or the
`unique_id` of the service account. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The service account sign JWT request.
    "payload": "A String", # The JWT payload to sign, a JSON JWT Claim set.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The service account sign JWT response.
      "keyId": "A String", # The id of the key used to sign the JWT.
      "signedJwt": "A String", # The signed JWT.
    }</pre>
</div>

<div class="method">
    <code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code>
  <pre>Tests the specified permissions against the IAM access control policy
for a ServiceAccount.

Args:
  resource: string, REQUIRED: The resource for which the policy detail is being requested.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `TestIamPermissions` method.
    "permissions": [ # The set of permissions to check for the `resource`. Permissions with
        # wildcards (such as '*' or 'storage.*') are not allowed. For more
        # information see
        # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for `TestIamPermissions` method.
      "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
          # allowed.
        "A String",
      ],
    }</pre>
</div>

<div class="method">
    <code class="details" id="undelete">undelete(name, body=None, x__xgafv=None)</code>
  <pre>Restores a deleted ServiceAccount.
This is to be used as an action of last resort. A service account may
not always be restorable.

Args:
  name: string, The resource name of the service account in the following format:
`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT_UNIQUE_ID}`.
Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
the account. (required)
  body: object, The request body.
    The object takes the form of:

{ # The service account undelete request.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    {
      "restoredAccount": { # Metadata for the restored service account.
          # A service account in the Identity and Access Management API.
          #
          # To create a service account, specify the `project_id` and the `account_id`
          # for the account. The `account_id` is unique within the project, and is used
          # to generate the service account email address and a stable
          # `unique_id`.
          #
          # If the account already exists, the account's resource name is returned
          # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
          # can use the name in other methods to access the account.
          #
          # All other methods can identify the service account using the format
          # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
          # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
          # the account. The `ACCOUNT` value can be the `email` address or the
          # `unique_id` of the service account.
        "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
            # This is used in conjunction with the OAuth2 clientconfig API to make
            # three legged OAuth2 (3LO) flows to access the data of Google users.
        "displayName": "A String", # Optional. A user-specified name for the service account.
            # Must be less than or equal to 100 UTF-8 bytes.
        "description": "A String", # Optional. A user-specified opaque description of the service account.
            # Must be less than or equal to 256 UTF-8 bytes.
        "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
        "disabled": True or False, # @OutputOnly A bool indicating whether the service account is disabled.
            # The field is currently in alpha phase.
        "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
            # for backwards compatibility.
        "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
        "email": "A String", # @OutputOnly The email address of the service account.
        "name": "A String", # The resource name of the service account in the following format:
            # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
            #
            # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
            # project from the `account` and the `ACCOUNT` value can be the `email`
            # address or the `unique_id` of the service account.
            #
            # In responses the resource name will always be in the format
            # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
      },
    }</pre>
</div>

<div class="method">
    <code class="details" id="update">update(name, body, x__xgafv=None)</code>
  <pre>Note: This method is in the process of being deprecated. Use
PatchServiceAccount instead.

Updates a ServiceAccount.

Currently, only the following fields are updatable:
`display_name` and `description`.

Args:
  name: string, The resource name of the service account in the following format:
`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.

Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
project from the `account` and the `ACCOUNT` value can be the `email`
address or the `unique_id` of the service account.

In responses the resource name will always be in the format
`projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # A service account in the Identity and Access Management API.
    #
    # To create a service account, specify the `project_id` and the `account_id`
    # for the account. The `account_id` is unique within the project, and is used
    # to generate the service account email address and a stable
    # `unique_id`.
    #
    # If the account already exists, the account's resource name is returned
    # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
    # can use the name in other methods to access the account.
    #
    # All other methods can identify the service account using the format
    # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
    # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
    # the account. The `ACCOUNT` value can be the `email` address or the
    # `unique_id` of the service account.
  "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
      # This is used in conjunction with the OAuth2 clientconfig API to make
      # three legged OAuth2 (3LO) flows to access the data of Google users.
  "displayName": "A String", # Optional. A user-specified name for the service account.
      # Must be less than or equal to 100 UTF-8 bytes.
  "description": "A String", # Optional. A user-specified opaque description of the service account.
      # Must be less than or equal to 256 UTF-8 bytes.
  "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
  "disabled": True or False, # @OutputOnly A bool indicating whether the service account is disabled.
      # The field is currently in alpha phase.
  "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
      # for backwards compatibility.
  "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
  "email": "A String", # @OutputOnly The email address of the service account.
  "name": "A String", # The resource name of the service account in the following format:
      # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
      #
      # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
      # project from the `account` and the `ACCOUNT` value can be the `email`
      # address or the `unique_id` of the service account.
      #
      # In responses the resource name will always be in the format
      # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A service account in the Identity and Access Management API.
        #
        # To create a service account, specify the `project_id` and the `account_id`
        # for the account. The `account_id` is unique within the project, and is used
        # to generate the service account email address and a stable
        # `unique_id`.
        #
        # If the account already exists, the account's resource name is returned
        # in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller
        # can use the name in other methods to access the account.
        #
        # All other methods can identify the service account using the format
        # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
        # Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
        # the account. The `ACCOUNT` value can be the `email` address or the
        # `unique_id` of the service account.
      "oauth2ClientId": "A String", # @OutputOnly The OAuth2 client id for the service account.
          # This is used in conjunction with the OAuth2 clientconfig API to make
          # three legged OAuth2 (3LO) flows to access the data of Google users.
      "displayName": "A String", # Optional. A user-specified name for the service account.
          # Must be less than or equal to 100 UTF-8 bytes.
      "description": "A String", # Optional. A user-specified opaque description of the service account.
          # Must be less than or equal to 256 UTF-8 bytes.
      "projectId": "A String", # @OutputOnly The id of the project that owns the service account.
      "disabled": True or False, # @OutputOnly A bool indicating whether the service account is disabled.
          # The field is currently in alpha phase.
      "etag": "A String", # Optional. Note: `etag` is an inoperable legacy field that is only returned
          # for backwards compatibility.
      "uniqueId": "A String", # @OutputOnly The unique and stable id of the service account.
      "email": "A String", # @OutputOnly The email address of the service account.
      "name": "A String", # The resource name of the service account in the following format:
          # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
          #
          # Requests using `-` as a wildcard for the `PROJECT_ID` will infer the
          # project from the `account` and the `ACCOUNT` value can be the `email`
          # address or the `unique_id` of the service account.
          #
          # In responses the resource name will always be in the format
          # `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
    }</pre>
</div>

</body></html>
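The read-modify-write cycle that the `etag` field of `setIamPolicy` describes, as an added example (not part of the generated reference or of the client library). `FakePolicyStore`, `EtagMismatch`, `add_member`, `grant`, `roles_of` and `demo` are hypothetical names, and the store is a constructed in-memory stand-in that follows the documented etag behaviour so the race can be run offline; the refusal of `allUsers` and `allAuthenticatedUsers` is a local guard assumed by this example, not an API rule.

```python
import copy

# Member values this page documents as matching anyone / any authenticated identity.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


class EtagMismatch(Exception):
    """Hypothetical error: the stored policy changed after it was read."""


class FakePolicyStore:
    """Constructed stand-in for getIamPolicy / setIamPolicy on one service account.

    A write carrying a stale etag is rejected; a write carrying no etag
    overwrites the stored policy blindly, as the page describes.
    """

    def __init__(self, policy):
        self._policy = copy.deepcopy(policy)
        self._version = 0
        self._policy["etag"] = "v0"

    def get_iam_policy(self):
        return copy.deepcopy(self._policy)

    def set_iam_policy(self, body):
        new = copy.deepcopy(body["policy"])
        sent = new.get("etag")
        if sent is not None and sent != self._policy["etag"]:
            raise EtagMismatch(sent)
        self._version += 1
        new["etag"] = "v%d" % self._version
        self._policy = new
        return copy.deepcopy(new)


def add_member(policy, role, member):
    """Return a copy of policy with member bound to role; the etag is kept as read."""
    if member in PUBLIC_MEMBERS:
        raise ValueError("refusing public member %s" % member)
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Bindings are examined independently, so never merge into a conditional one.
        if binding.get("role") == role and "condition" not in binding:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return updated


def grant(get_policy, set_policy, role, member, attempts=3):
    """Read-modify-write that sends back the etag it read and re-reads on conflict."""
    for _ in range(attempts):
        proposed = add_member(get_policy(), role, member)
        try:
            return set_policy({"policy": proposed})
        except EtagMismatch:
            continue
    raise EtagMismatch("gave up after %d attempts" % attempts)


def roles_of(policy):
    return sorted(b["role"] for b in policy.get("bindings", []))


def demo():
    """Run the same race twice: once with the etag sent back, once with it dropped."""
    initial = {"bindings": [{"role": "roles/viewer", "members": ["user:mike@example.com"]}]}

    def other_admin_writes(store):
        current = store.get_iam_policy()
        store.set_iam_policy(
            {"policy": add_member(current, "roles/owner", "group:admins@example.com")})

    # With etag: the stale write is rejected, the retry keeps the other admin's binding.
    store = FakePolicyStore(initial)
    raced = []

    def racy_get():
        snapshot = store.get_iam_policy()
        if not raced:
            raced.append(True)
            other_admin_writes(store)  # lands between our read and our write
        return snapshot

    safe = grant(racy_get, store.set_iam_policy, "roles/viewer", "user:sean@example.com")

    # Without etag: the same stale write is accepted and the other binding is lost.
    store2 = FakePolicyStore(initial)
    stale = store2.get_iam_policy()
    other_admin_writes(store2)
    proposed = add_member(stale, "roles/viewer", "user:sean@example.com")
    del proposed["etag"]
    blind = store2.set_iam_policy({"policy": proposed})
    return safe, blind
```

Against the real service, pass the `execute` calls of `getIamPolicy` and `setIamPolicy` as the two callables and translate the client's conflict error into `EtagMismatch`.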