1<html><body>
2<style>
3
4body, h1, h2, h3, div, span, p, pre, a {
5  margin: 0;
6  padding: 0;
7  border: 0;
8  font-weight: inherit;
9  font-style: inherit;
10  font-size: 100%;
11  font-family: inherit;
12  vertical-align: baseline;
13}
14
15body {
16  font-size: 13px;
17  padding: 1em;
18}
19
20h1 {
21  font-size: 26px;
22  margin-bottom: 1em;
23}
24
25h2 {
26  font-size: 24px;
27  margin-bottom: 1em;
28}
29
30h3 {
31  font-size: 20px;
32  margin-bottom: 1em;
33  margin-top: 1em;
34}
35
36pre, code {
37  line-height: 1.5;
38  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
39}
40
41pre {
42  margin-top: 0.5em;
43}
44
45h1, h2, h3, p {
46  font-family: Arial, sans serif;
47}
48
49h1, h2, h3 {
50  border-bottom: solid #CCC 1px;
51}
52
53.toc_element {
54  margin-top: 0.5em;
55}
56
57.firstline {
58  margin-left: 2 em;
59}
60
61.method  {
62  margin-top: 1em;
63  border: solid 1px #CCC;
64  padding: 1em;
65  background: #EEE;
66}
67
68.details {
69  font-weight: bold;
70  font-size: 14px;
71}
72
73</style>
74
75<h1><a href="iamcredentials_v1.html">IAM Service Account Credentials API</a> . <a href="iamcredentials_v1.projects.html">projects</a> . <a href="iamcredentials_v1.projects.serviceAccounts.html">serviceAccounts</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
78  <code><a href="#generateAccessToken">generateAccessToken(name, body, x__xgafv=None)</a></code></p>
79<p class="firstline">Generates an OAuth 2.0 access token for a service account.</p>
80<p class="toc_element">
81  <code><a href="#generateIdToken">generateIdToken(name, body, x__xgafv=None)</a></code></p>
82<p class="firstline">Generates an OpenID Connect ID token for a service account.</p>
83<p class="toc_element">
84  <code><a href="#generateIdentityBindingAccessToken">generateIdentityBindingAccessToken(name, body, x__xgafv=None)</a></code></p>
85<p class="firstline"></p>
86<p class="toc_element">
87  <code><a href="#signBlob">signBlob(name, body, x__xgafv=None)</a></code></p>
88<p class="firstline">Signs a blob using a service account's system-managed private key.</p>
89<p class="toc_element">
90  <code><a href="#signJwt">signJwt(name, body, x__xgafv=None)</a></code></p>
91<p class="firstline">Signs a JWT using a service account's system-managed private key.</p>
92<h3>Method Details</h3>
93<div class="method">
94    <code class="details" id="generateAccessToken">generateAccessToken(name, body, x__xgafv=None)</code>
95  <pre>Generates an OAuth 2.0 access token for a service account.
96
97Args:
98  name: string, The resource name of the service account for which the credentials
99are requested, in the following format:
100`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
101character is required; replacing it with a project ID is invalid. (required)
102  body: object, The request body. (required)
103    The object takes the form of:
104
105{
106    "lifetime": "A String", # The desired lifetime duration of the access token in seconds.
107        # Must be set to a value less than or equal to 3600 (1 hour). If a value is
108        # not specified, the token's lifetime will be set to a default value of one
109        # hour.
110    "delegates": [ # The sequence of service accounts in a delegation chain. Each service
111        # account must be granted the `roles/iam.serviceAccountTokenCreator` role
112        # on its next service account in the chain. The last service account in the
113        # chain must be granted the `roles/iam.serviceAccountTokenCreator` role
114        # on the service account that is specified in the `name` field of the
115        # request.
116        #
117        # The delegates must have the following format:
118        # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
119        # character is required; replacing it with a project ID is invalid.
120      "A String",
121    ],
122    "scope": [ # Code to identify the scopes to be included in the OAuth 2.0 access token.
123        # See https://developers.google.com/identity/protocols/googlescopes for more
124        # information.
125        # At least one value required.
126      "A String",
127    ],
128  }
129
130  x__xgafv: string, V1 error format.
131    Allowed values
132      1 - v1 error format
133      2 - v2 error format
134
135Returns:
136  An object of the form:
137
138    {
139    "expireTime": "A String", # Token expiration time.
140        # The expiration time is always set.
141    "accessToken": "A String", # The OAuth 2.0 access token.
142  }</pre>
143</div>
144
145<div class="method">
146    <code class="details" id="generateIdToken">generateIdToken(name, body, x__xgafv=None)</code>
147  <pre>Generates an OpenID Connect ID token for a service account.
148
149Args:
150  name: string, The resource name of the service account for which the credentials
151are requested, in the following format:
152`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
153character is required; replacing it with a project ID is invalid. (required)
154  body: object, The request body. (required)
155    The object takes the form of:
156
157{
158    "includeEmail": True or False, # Include the service account email in the token. If set to `true`, the
159        # token will contain `email` and `email_verified` claims.
160    "audience": "A String", # The audience for the token, such as the API or account that this token
161        # grants access to.
162    "delegates": [ # The sequence of service accounts in a delegation chain. Each service
163        # account must be granted the `roles/iam.serviceAccountTokenCreator` role
164        # on its next service account in the chain. The last service account in the
165        # chain must be granted the `roles/iam.serviceAccountTokenCreator` role
166        # on the service account that is specified in the `name` field of the
167        # request.
168        #
169        # The delegates must have the following format:
170        # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
171        # character is required; replacing it with a project ID is invalid.
172      "A String",
173    ],
174  }
175
176  x__xgafv: string, V1 error format.
177    Allowed values
178      1 - v1 error format
179      2 - v2 error format
180
181Returns:
182  An object of the form:
183
184    {
185    "token": "A String", # The OpenId Connect ID token.
186  }</pre>
187</div>
188
189<div class="method">
190    <code class="details" id="generateIdentityBindingAccessToken">generateIdentityBindingAccessToken(name, body, x__xgafv=None)</code>
191  <pre>
192
193Args:
194  name: string, The resource name of the service account for which the credentials
195are requested, in the following format:
196`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
197character is required; replacing it with a project ID is invalid. (required)
198  body: object, The request body. (required)
199    The object takes the form of:
200
201{
202    "scope": [ # Code to identify the scopes to be included in the OAuth 2.0 access token.
203        # See https://developers.google.com/identity/protocols/googlescopes for more
204        # information.
205        # At least one value required.
206      "A String",
207    ],
208    "jwt": "A String", # Required. Input token.
209        # Must be in JWT format according to
210        # RFC7523 (https://tools.ietf.org/html/rfc7523)
211        # and must have 'kid' field in the header.
212        # Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
213        # Mandatory payload fields (along the lines of RFC 7523, section 3):
214        # - iss: issuer of the token. Must provide a discovery document at
215        #        $iss/.well-known/openid-configuration . The document needs to be
216        #        formatted according to section 4.2 of the OpenID Connect Discovery
217        #        1.0 specification.
218        # - iat: Issue time in seconds since epoch. Must be in the past.
219        # - exp: Expiration time in seconds since epoch. Must be less than 48 hours
220        #        after iat. We recommend to create tokens that last shorter than 6
221        #        hours to improve security unless business reasons mandate longer
222        #        expiration times. Shorter token lifetimes are generally more secure
223        #        since tokens that have been exfiltrated by attackers can be used for
224        #        a shorter time. you can configure the maximum lifetime of the
225        #        incoming token in the configuration of the mapper.
226        #        The resulting Google token will expire within an hour or at "exp",
227        #        whichever is earlier.
228        # - sub: JWT subject, identity asserted in the JWT.
229        # - aud: Configured in the mapper policy. By default the service account
230        #        email.
231        #
232        # Claims from the incoming token can be transferred into the output token
233        # accoding to the mapper configuration. The outgoing claim size is limited.
234        # Outgoing claims size must be less than 4kB serialized as JSON without
235        # whitespace.
236        #
237        # Example header:
238        # {
239        #   "alg": "RS256",
240        #   "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
241        # }
242        # Example payload:
243        # {
244        #   "iss": "https://accounts.google.com",
245        #   "iat": 1517963104,
246        #   "exp": 1517966704,
247        #   "aud":
248        #   "https://iamcredentials.googleapis.com/google.iam.credentials.v1.CloudGaia",
249        #   "sub": "113475438248934895348",
250        #   "my_claims": {
251        #     "additional_claim": "value"
252        #   }
253        # }
254  }
255
256  x__xgafv: string, V1 error format.
257    Allowed values
258      1 - v1 error format
259      2 - v2 error format
260
261Returns:
262  An object of the form:
263
264    {
265    "expireTime": "A String", # Token expiration time.
266        # The expiration time is always set.
267    "accessToken": "A String", # The OAuth 2.0 access token.
268  }</pre>
269</div>
270
271<div class="method">
272    <code class="details" id="signBlob">signBlob(name, body, x__xgafv=None)</code>
273  <pre>Signs a blob using a service account's system-managed private key.
274
275Args:
276  name: string, The resource name of the service account for which the credentials
277are requested, in the following format:
278`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
279character is required; replacing it with a project ID is invalid. (required)
280  body: object, The request body. (required)
281    The object takes the form of:
282
283{
284    "payload": "A String", # The bytes to sign.
285    "delegates": [ # The sequence of service accounts in a delegation chain. Each service
286        # account must be granted the `roles/iam.serviceAccountTokenCreator` role
287        # on its next service account in the chain. The last service account in the
288        # chain must be granted the `roles/iam.serviceAccountTokenCreator` role
289        # on the service account that is specified in the `name` field of the
290        # request.
291        #
292        # The delegates must have the following format:
293        # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
294        # character is required; replacing it with a project ID is invalid.
295      "A String",
296    ],
297  }
298
299  x__xgafv: string, V1 error format.
300    Allowed values
301      1 - v1 error format
302      2 - v2 error format
303
304Returns:
305  An object of the form:
306
307    {
308    "signedBlob": "A String", # The signed blob.
309    "keyId": "A String", # The ID of the key used to sign the blob.
310  }</pre>
311</div>
312
313<div class="method">
314    <code class="details" id="signJwt">signJwt(name, body, x__xgafv=None)</code>
315  <pre>Signs a JWT using a service account's system-managed private key.
316
317Args:
318  name: string, The resource name of the service account for which the credentials
319are requested, in the following format:
320`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
321character is required; replacing it with a project ID is invalid. (required)
322  body: object, The request body. (required)
323    The object takes the form of:
324
325{
326    "payload": "A String", # The JWT payload to sign: a JSON object that contains a JWT Claims Set.
327    "delegates": [ # The sequence of service accounts in a delegation chain. Each service
328        # account must be granted the `roles/iam.serviceAccountTokenCreator` role
329        # on its next service account in the chain. The last service account in the
330        # chain must be granted the `roles/iam.serviceAccountTokenCreator` role
331        # on the service account that is specified in the `name` field of the
332        # request.
333        #
334        # The delegates must have the following format:
335        # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
336        # character is required; replacing it with a project ID is invalid.
337      "A String",
338    ],
339  }
340
341  x__xgafv: string, V1 error format.
342    Allowed values
343      1 - v1 error format
344      2 - v2 error format
345
346Returns:
347  An object of the form:
348
349    {
350    "keyId": "A String", # The ID of the key used to sign the JWT.
351    "signedJwt": "A String", # The signed JWT.
352  }</pre>
353</div>
354
355</body></html>