Creates and manages Identity and Access Management (IAM) resources.
You can use this service to work with all of the following resources:
- Service accounts, which identify an application or a virtual machine (VM) instance rather than a person
- Service account keys, which service accounts use to authenticate with Google APIs
- IAM policies for service accounts, which specify the roles that a principal has for the service account
- IAM custom roles, which help you limit the number of permissions that you grant to principals
In addition, you can use this service to complete the following tasks, among others:
- Test whether a service account can use specific permissions
- Check which roles you can grant for a specific resource
- Lint, or validate, condition expressions in an IAM policy
When you read data from the IAM API, each read is eventually consistent. In other words, if you write data with the IAM API, then immediately read that data, the read operation might return an older version of the data. To deal with this behavior, your application can retry the request with truncated exponential backoff.
In contrast, writing data to the IAM API is sequentially consistent. In other words, write operations are always processed in the order in which they were received.
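The retry pattern recommended above for read-after-write, as an added example in standard C++ (not code from the client library). `ReadAfterWrite`, `BackoffDelay`, `Simulate`, and the 100 ms / 800 ms timings are assumptions; the `read_is_fresh` callback stands in for a real read such as GetServiceAccount followed by a check that the response reflects your write.

```cpp
#include <algorithm>
#include <chrono>
#include <functional>
#include <iostream>

using Ms = std::chrono::milliseconds;

// Delay before retry number `retry` (0-based): initial * 2^retry, truncated
// at `cap`. Jitter is left out so the schedule is deterministic.
Ms BackoffDelay(int retry, Ms initial, Ms cap) {
  Ms d = initial;
  for (int i = 0; i < retry && d < cap; ++i) d *= 2;
  return std::min(d, cap);
}

struct ReadOutcome {
  bool visible;  // true once a read reflected the earlier write
  int reads;     // number of read attempts issued
  Ms waited;     // total time spent backing off
};

// Re-reads until the write is visible or `max_reads` is exhausted.
// `read_is_fresh` (hypothetical) performs one read and reports whether it
// shows the written data; `sleep` is injected so tests do not really wait.
ReadOutcome ReadAfterWrite(std::function<bool()> const& read_is_fresh,
                           std::function<void(Ms)> const& sleep,
                           int max_reads, Ms initial, Ms cap) {
  Ms waited{0};
  for (int n = 0; n < max_reads; ++n) {
    if (read_is_fresh()) return {true, n + 1, waited};
    if (n + 1 == max_reads) break;  // no point sleeping after the last read
    Ms d = BackoffDelay(n, initial, cap);
    sleep(d);
    waited += d;
  }
  // Still stale: report failure instead of acting on old data.
  return {false, max_reads, waited};
}

// Constructed scenario: the service returns the old version for the first
// `stale_reads` reads, then the new one.
ReadOutcome Simulate(int stale_reads, int max_reads) {
  int served = 0;
  auto reader = [&] { return ++served > stale_reads; };
  auto no_sleep = [](Ms) {};
  return ReadAfterWrite(reader, no_sleep, max_reads, Ms(100), Ms(800));
}

int main() {
  ReadOutcome r = Simulate(4, 8);
  std::cout << "visible=" << r.visible << " reads=" << r.reads
            << " waited_ms=" << r.waited.count() << "\n";
  return 0;
}
```

A caller that gets `visible == false` should treat the state as unknown, not as proof that the write failed.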
Equality
Instances of this class created via copy-construction or copy-assignment always compare equal. Instances created with equal std::shared_ptr<*Connection> objects compare equal. Objects that compare equal share the same underlying resources.
Performance
Creating a new instance of this class is a relatively expensive operation: new objects establish new connections to the service. In contrast, copy-construction, move-construction, and the corresponding assignment operations are relatively efficient, as the copies share all underlying resources.
Thread Safety
Concurrent access to different instances of this class, even if they compare equal, is guaranteed to work. Two or more threads operating on the same instance of this class are not guaranteed to work. Since copy-construction and move-construction are relatively efficient operations, consider using such a copy when using this class from multiple threads.
Constructors
IAMClient(IAMClient const &)
Copy and move support
Parameter | |
---|---|
Name | Description |
|
IAMClient const &
|
IAMClient(IAMClient &&)
Copy and move support
Parameter | |
---|---|
Name | Description |
|
IAMClient &&
|
IAMClient(std::shared_ptr< IAMConnection >, Options)
Parameters | |
---|---|
Name | Description |
connection |
std::shared_ptr< IAMConnection >
|
opts |
Options
|
Operators
operator=(IAMClient const &)
Copy and move support
Parameter | |
---|---|
Name | Description |
|
IAMClient const &
|
Returns | |
---|---|
Type | Description |
IAMClient & |
operator=(IAMClient &&)
Copy and move support
Parameter | |
---|---|
Name | Description |
|
IAMClient &&
|
Returns | |
---|---|
Type | Description |
IAMClient & |
Functions
ListServiceAccounts(std::string const &, Options)
Lists every ServiceAccount that belongs to a specific project.
Parameters | |
---|---|
Name | Description |
name |
std::string const &
Required. The resource name of the project associated with the service accounts, such as |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StreamRange< google::iam::admin::v1::ServiceAccount > | a StreamRange to iterate over the results. See the documentation of this type for details. In brief, this class has |
ListServiceAccounts(google::iam::admin::v1::ListServiceAccountsRequest, Options)
Lists every ServiceAccount that belongs to a specific project.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::ListServiceAccountsRequest
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StreamRange< google::iam::admin::v1::ServiceAccount > | a StreamRange to iterate over the results. See the documentation of this type for details. In brief, this class has |
GetServiceAccount(std::string const &, Options)
Gets a ServiceAccount.
Parameters | |
---|---|
Name | Description |
name |
std::string const &
Required. The resource name of the service account in the following format: |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::ServiceAccount > | the result of the RPC. The response message type (google.iam.admin.v1.ServiceAccount) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
GetServiceAccount(google::iam::admin::v1::GetServiceAccountRequest const &, Options)
Gets a ServiceAccount.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::GetServiceAccountRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::ServiceAccount > | the result of the RPC. The response message type (google.iam.admin.v1.ServiceAccount) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
CreateServiceAccount(std::string const &, std::string const &, google::iam::admin::v1::ServiceAccount const &, Options)
Creates a ServiceAccount.
Parameters | |
---|---|
Name | Description |
name |
std::string const &
Required. The resource name of the project associated with the service accounts, such as |
account_id |
std::string const &
Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression |
service_account |
google::iam::admin::v1::ServiceAccount const &
The ServiceAccount resource to create. Currently, only the following values are user assignable: |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::ServiceAccount > | the result of the RPC. The response message type (google.iam.admin.v1.ServiceAccount) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
CreateServiceAccount(google::iam::admin::v1::CreateServiceAccountRequest const &, Options)
Creates a ServiceAccount.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::CreateServiceAccountRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::ServiceAccount > | the result of the RPC. The response message type (google.iam.admin.v1.ServiceAccount) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
PatchServiceAccount(google::iam::admin::v1::PatchServiceAccountRequest const &, Options)
Patches a ServiceAccount.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::PatchServiceAccountRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::ServiceAccount > | the result of the RPC. The response message type (google.iam.admin.v1.ServiceAccount) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
DeleteServiceAccount(std::string const &, Options)
Deletes a ServiceAccount.
Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead.
If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.
To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.
Parameters | |
---|---|
Name | Description |
name |
std::string const &
Required. The resource name of the service account in the following format: |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
Status | a |
DeleteServiceAccount(google::iam::admin::v1::DeleteServiceAccountRequest const &, Options)
Deletes a ServiceAccount.
Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead.
If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.
To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::DeleteServiceAccountRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
Status | a |
UndeleteServiceAccount(google::iam::admin::v1::UndeleteServiceAccountRequest const &, Options)
Restores a deleted ServiceAccount.
Important: It is not always possible to restore a deleted service account. Use this method only as a last resort.
After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::UndeleteServiceAccountRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::UndeleteServiceAccountResponse > | the result of the RPC. The response message type (google.iam.admin.v1.UndeleteServiceAccountResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
EnableServiceAccount(google::iam::admin::v1::EnableServiceAccountRequest const &, Options)
Enables a ServiceAccount that was disabled by DisableServiceAccount.
If the service account is already enabled, then this method has no effect.
If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::EnableServiceAccountRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
Status | a |
DisableServiceAccount(google::iam::admin::v1::DisableServiceAccountRequest const &, Options)
Disables a ServiceAccount immediately.
If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail.
To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens.
To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::DisableServiceAccountRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
Status | a |
ListServiceAccountKeys(std::string const &, std::vector< google::iam::admin::v1::ListServiceAccountKeysRequest::KeyType > const &, Options)
Lists every ServiceAccountKey for a service account.
Parameters | |
---|---|
Name | Description |
name |
std::string const &
Required. The resource name of the service account in the following format: |
key_types |
std::vector< google::iam::admin::v1::ListServiceAccountKeysRequest::KeyType > const &
Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned. |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::ListServiceAccountKeysResponse > | the result of the RPC. The response message type (google.iam.admin.v1.ListServiceAccountKeysResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
ListServiceAccountKeys(google::iam::admin::v1::ListServiceAccountKeysRequest const &, Options)
Lists every ServiceAccountKey for a service account.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::ListServiceAccountKeysRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::ListServiceAccountKeysResponse > | the result of the RPC. The response message type (google.iam.admin.v1.ListServiceAccountKeysResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
GetServiceAccountKey(std::string const &, google::iam::admin::v1::ServiceAccountPublicKeyType, Options)
Gets a ServiceAccountKey.
Parameters | |
---|---|
Name | Description |
name |
std::string const &
Required. The resource name of the service account key in the following format: |
public_key_type |
google::iam::admin::v1::ServiceAccountPublicKeyType
Optional. The output format of the public key. The default is |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::ServiceAccountKey > | the result of the RPC. The response message type (google.iam.admin.v1.ServiceAccountKey) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
GetServiceAccountKey(google::iam::admin::v1::GetServiceAccountKeyRequest const &, Options)
Gets a ServiceAccountKey.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::GetServiceAccountKeyRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::ServiceAccountKey > | the result of the RPC. The response message type (google.iam.admin.v1.ServiceAccountKey) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
CreateServiceAccountKey(std::string const &, google::iam::admin::v1::ServiceAccountPrivateKeyType, google::iam::admin::v1::ServiceAccountKeyAlgorithm, Options)
Creates a ServiceAccountKey.
Parameters | |
---|---|
Name | Description |
name |
std::string const &
Required. The resource name of the service account in the following format: |
private_key_type |
google::iam::admin::v1::ServiceAccountPrivateKeyType
The output format of the private key. The default value is |
key_algorithm |
google::iam::admin::v1::ServiceAccountKeyAlgorithm
Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However, this may change in the future. |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::ServiceAccountKey > | the result of the RPC. The response message type (google.iam.admin.v1.ServiceAccountKey) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
CreateServiceAccountKey(google::iam::admin::v1::CreateServiceAccountKeyRequest const &, Options)
Creates a ServiceAccountKey.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::CreateServiceAccountKeyRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::ServiceAccountKey > | the result of the RPC. The response message type (google.iam.admin.v1.ServiceAccountKey) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
UploadServiceAccountKey(google::iam::admin::v1::UploadServiceAccountKeyRequest const &, Options)
Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount.
After you upload the public key, you can use the private key from the key pair as a service account key.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::UploadServiceAccountKeyRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::ServiceAccountKey > | the result of the RPC. The response message type (google.iam.admin.v1.ServiceAccountKey) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
DeleteServiceAccountKey(std::string const &, Options)
Deletes a ServiceAccountKey.
Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.
Parameters | |
---|---|
Name | Description |
name |
std::string const &
Required. The resource name of the service account key in the following format: |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
Status | a |
DeleteServiceAccountKey(google::iam::admin::v1::DeleteServiceAccountKeyRequest const &, Options)
Deletes a ServiceAccountKey.
Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::DeleteServiceAccountKeyRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
Status | a |
DisableServiceAccountKey(std::string const &, Options)
Disable a ServiceAccountKey.
A disabled service account key can be re-enabled with EnableServiceAccountKey.
Parameters | |
---|---|
Name | Description |
name |
std::string const &
Required. The resource name of the service account key in the following format: |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
Status | a |
DisableServiceAccountKey(google::iam::admin::v1::DisableServiceAccountKeyRequest const &, Options)
Disable a ServiceAccountKey.
A disabled service account key can be re-enabled with EnableServiceAccountKey.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::DisableServiceAccountKeyRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
Status | a |
EnableServiceAccountKey(std::string const &, Options)
Enable a ServiceAccountKey.
Parameters | |
---|---|
Name | Description |
name |
std::string const &
Required. The resource name of the service account key in the following format: |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
Status | a |
EnableServiceAccountKey(google::iam::admin::v1::EnableServiceAccountKeyRequest const &, Options)
Enable a ServiceAccountKey.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::EnableServiceAccountKeyRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
Status | a |
GetIamPolicy(std::string const &, Options)
Gets the IAM policy that is attached to a ServiceAccount.
This IAM policy specifies which principals have access to the service account.
This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.
Parameters | |
---|---|
Name | Description |
resource |
std::string const &
REQUIRED: The resource for which the policy is being requested. See the operation documentation for the appropriate value for this field. |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::v1::Policy > | the result of the RPC. The response message type (google.iam.v1.Policy) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
GetIamPolicy(google::iam::v1::GetIamPolicyRequest const &, Options)
Gets the IAM policy that is attached to a ServiceAccount.
This IAM policy specifies which principals have access to the service account.
This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.
Parameters | |
---|---|
Name | Description |
request |
google::iam::v1::GetIamPolicyRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::v1::Policy > | the result of the RPC. The response message type (google.iam.v1.Policy) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
SetIamPolicy(std::string const &, google::iam::v1::Policy const &, Options)
Sets the IAM policy that is attached to a ServiceAccount.
Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account.
This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:
- Call the resource's getIamPolicy method to get its current IAM policy.
- Edit the policy so that it binds the service account to an IAM role for the resource.
- Call the resource's setIamPolicy method to update its IAM policy.
For detailed instructions, see Manage access to project, folders, and organizations or Manage access to other resources.
Parameters | |
---|---|
Name | Description |
resource |
std::string const &
REQUIRED: The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field. |
policy |
google::iam::v1::Policy const &
REQUIRED: The complete policy to be applied to the |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::v1::Policy > | the result of the RPC. The response message type (google.iam.v1.Policy) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
SetIamPolicy(std::string const &, IamUpdater const &, Options)
Updates the IAM policy for resource using an optimistic concurrency control loop.
The loop fetches the current policy for resource, and passes it to updater, which should return the new policy. This new policy should use the current etag so that the read-modify-write cycle can detect races and rerun the update when there is a mismatch. If the new policy does not have an etag, the existing policy will be blindly overwritten. If updater does not yield a policy, the control loop is terminated and kCancelled is returned.
Parameters | |
---|---|
Name | Description |
resource |
std::string const &
Required. The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field. |
updater |
IamUpdater const &
Required. Functor to map the current policy to a new one. |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::v1::Policy > | google::iam::v1::Policy |
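The read-modify-write loop described above, modeled in standard C++ as an added example (not the library's implementation or code from this reference). `FakePolicyStore`, `SetPolicyWithUpdater`, `GrantRole`, `RaceScenario`, and the `kAborted` result after exhausted attempts are assumptions of the model; the member names are constructed sample values. It shows why an updater that drops the etag silently discards a concurrent administrator's change.

```cpp
#include <functional>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Minimal stand-ins (assumptions) for google::iam::v1::Policy and status codes.
struct Binding { std::string role; std::vector<std::string> members; };
struct Policy { std::string etag; std::vector<Binding> bindings; };
enum class Code { kOk, kCancelled, kAborted };
struct Result { Code code; Policy policy; int attempts; };
using Updater = std::function<std::optional<Policy>(Policy)>;

// Hypothetical in-memory service holding one resource's policy.
class FakePolicyStore {
 public:
  Policy Get() const { return current_; }
  // Rejects a write whose etag is stale; an empty etag overwrites blindly.
  bool Set(Policy const& p) {
    if (!p.etag.empty() && p.etag != current_.etag) return false;
    current_ = p;
    current_.etag = "v" + std::to_string(++version_);
    return true;
  }
 private:
  Policy current_{"v0", {}};
  int version_ = 0;
};

// The loop: fetch, hand to updater, write back, rerun on etag mismatch.
// `before_write` is a test hook used to inject a concurrent writer.
Result SetPolicyWithUpdater(FakePolicyStore& store, Updater const& updater,
                            int max_attempts,
                            std::function<void()> const& before_write = {}) {
  for (int attempt = 1; attempt <= max_attempts; ++attempt) {
    Policy current = store.Get();
    std::optional<Policy> next = updater(current);
    if (!next) return {Code::kCancelled, current, attempt};
    if (before_write) before_write();
    if (store.Set(*next)) return {Code::kOk, store.Get(), attempt};
  }
  return {Code::kAborted, store.Get(), max_attempts};  // model's choice
}

// Updater that adds `member` to `role`. It yields no policy when the grant
// already exists, and keeps the fetched etag unless `keep_etag` is false.
Updater GrantRole(std::string role, std::string member, bool keep_etag = true) {
  return [=](Policy p) -> std::optional<Policy> {
    bool found = false;
    for (auto& b : p.bindings) {
      if (b.role != role) continue;
      for (auto const& m : b.members) {
        if (m == member) return std::nullopt;  // nothing to change
      }
      b.members.push_back(member);
      found = true;
      break;
    }
    if (!found) p.bindings.push_back({role, {member}});
    if (!keep_etag) p.etag.clear();  // the unsafe variant
    return p;
  };
}

// Constructed race: a second administrator adds a binding once, between our
// read and our write.
Result RaceScenario(bool keep_etag, FakePolicyStore& store) {
  bool raced = false;
  auto rival = [&] {
    if (raced) return;
    raced = true;
    Policy p = store.Get();
    p.bindings.push_back(
        {"roles/iam.serviceAccountUser", {"user:rival@example.com"}});
    store.Set(p);
  };
  return SetPolicyWithUpdater(
      store,
      GrantRole("roles/iam.serviceAccountTokenCreator", "user:ci@example.com",
                keep_etag),
      3, rival);
}

int main() {
  FakePolicyStore safe_store, unsafe_store;
  Result safe = RaceScenario(true, safe_store);
  Result unsafe = RaceScenario(false, unsafe_store);
  std::cout << "with etag:    attempts=" << safe.attempts
            << " bindings=" << safe.policy.bindings.size() << "\n";
  std::cout << "without etag: attempts=" << unsafe.attempts
            << " bindings=" << unsafe.policy.bindings.size() << "\n";
  return 0;
}
```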
SetIamPolicy(google::iam::v1::SetIamPolicyRequest const &, Options)
Sets the IAM policy that is attached to a ServiceAccount.
Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account.
This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:
- Call the resource's getIamPolicy method to get its current IAM policy.
- Edit the policy so that it binds the service account to an IAM role for the resource.
- Call the resource's setIamPolicy method to update its IAM policy.
For detailed instructions, see Manage access to project, folders, and organizations or Manage access to other resources.
Parameters | |
---|---|
Name | Description |
request |
google::iam::v1::SetIamPolicyRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::v1::Policy > | the result of the RPC. The response message type (google.iam.v1.Policy) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
TestIamPermissions(std::string const &, std::vector< std::string > const &, Options)
Tests whether the caller has the specified permissions on a ServiceAccount.
Parameters | |
---|---|
Name | Description |
resource |
std::string const &
REQUIRED: The resource for which the policy detail is being requested. See the operation documentation for the appropriate value for this field. |
permissions |
std::vector< std::string > const &
The set of permissions to check for the |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::v1::TestIamPermissionsResponse > | the result of the RPC. The response message type (google.iam.v1.TestIamPermissionsResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
TestIamPermissions(google::iam::v1::TestIamPermissionsRequest const &, Options)
Tests whether the caller has the specified permissions on a ServiceAccount.
Parameters | |
---|---|
Name | Description |
request |
google::iam::v1::TestIamPermissionsRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::v1::TestIamPermissionsResponse > | the result of the RPC. The response message type (google.iam.v1.TestIamPermissionsResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
QueryGrantableRoles(std::string const &, Options)
Lists roles that can be granted on a Google Cloud resource.
A role is grantable if the IAM policy for the resource can contain bindings to the role.
Parameters | |
---|---|
Name | Description |
full_resource_name |
std::string const &
Required. The full resource name to query from the list of grantable roles. |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StreamRange< google::iam::admin::v1::Role > | a StreamRange to iterate over the results. See the documentation of this type for details. In brief, this class has |
QueryGrantableRoles(google::iam::admin::v1::QueryGrantableRolesRequest, Options)
Lists roles that can be granted on a Google Cloud resource.
A role is grantable if the IAM policy for the resource can contain bindings to the role.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::QueryGrantableRolesRequest
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StreamRange< google::iam::admin::v1::Role > | a StreamRange to iterate over the results. See the documentation of this type for details. In brief, this class has |
ListRoles(google::iam::admin::v1::ListRolesRequest, Options)
Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::ListRolesRequest
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StreamRange< google::iam::admin::v1::Role > | a StreamRange to iterate over the results. See the documentation of this type for details. In brief, this class has |
GetRole(google::iam::admin::v1::GetRoleRequest const &, Options)
Gets the definition of a Role.
Parameters | |
---|---|
Name | Description |
request |
google::iam::admin::v1::GetRoleRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::Role > | the result of the RPC. The response message type (google.iam.admin.v1.Role) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
CreateRole(google::iam::admin::v1::CreateRoleRequest const &, Options)
Creates a new custom Role.
Parameters | |
---|---|
Name | Description |
request | (google::iam::admin::v1::CreateRoleRequest const &) Unary RPCs, such as the one wrapped by this function, receive a single |
opts | (Options) Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::Role > | the result of the RPC. The response message type (google.iam.admin.v1.Role) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
UpdateRole(google::iam::admin::v1::UpdateRoleRequest const &, Options)
Updates the definition of a custom Role.
Parameters | |
---|---|
Name | Description |
request | (google::iam::admin::v1::UpdateRoleRequest const &) Unary RPCs, such as the one wrapped by this function, receive a single |
opts | (Options) Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::Role > | the result of the RPC. The response message type (google.iam.admin.v1.Role) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
DeleteRole(google::iam::admin::v1::DeleteRoleRequest const &, Options)
Deletes a custom Role.
When you delete a custom role, the following changes occur immediately:
- You cannot bind a principal to the custom role in an IAM Policy.
- Existing bindings to the custom role are not changed, but they have no effect.
- By default, the response from ListRoles does not include the custom role.
You have 7 days to undelete the custom role. After 7 days, the following changes occur:
- The custom role is permanently deleted and cannot be recovered.
- If an IAM policy contains a binding to the custom role, the binding is permanently removed.
Parameters | |
---|---|
Name | Description |
request | (google::iam::admin::v1::DeleteRoleRequest const &) Unary RPCs, such as the one wrapped by this function, receive a single |
opts | (Options) Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::Role > | the result of the RPC. The response message type (google.iam.admin.v1.Role) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
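
The DeleteRole lifecycle described above leaves bindings in place that silently grant nothing. The following audit sketch is an added example, not code from the client library: `Binding`, `Finding` and `AuditBindings` are hypothetical stand-ins for the protobuf types, and the deletion time of each role is assumed to be known (for example from an audit log entry).

```cpp
#include <chrono>
#include <iostream>
#include <map>
#include <string>
#include <vector>

using Clock = std::chrono::system_clock;
using Hours = std::chrono::hours;

Hours const kUndeleteWindow{24 * 7};  // the 7 days stated for DeleteRole

enum class RoleState { kSoftDeleted, kPurged };
struct Binding { std::string role, member; };  // stand-in, not the protobuf type
struct Finding { Binding binding; RoleState state; long long hours_left; };

// Report every binding whose custom role has been deleted. `deleted_at` maps a
// role name to its deletion time; where that time comes from (for example an
// audit log entry) is an assumption of this example.
std::vector<Finding> AuditBindings(
    std::vector<Binding> const& bindings,
    std::map<std::string, Clock::time_point> const& deleted_at,
    Clock::time_point now) {
  std::vector<Finding> findings;
  for (auto const& b : bindings) {
    auto it = deleted_at.find(b.role);
    if (it == deleted_at.end()) continue;  // role not deleted: binding is live
    auto age = now - it->second;
    if (age < kUndeleteWindow) {  // UndeleteRole can still restore the role
      auto left = std::chrono::duration_cast<Hours>(kUndeleteWindow - age);
      findings.push_back({b, RoleState::kSoftDeleted, left.count()});
    } else {  // role is gone and the binding is removed from the policy
      findings.push_back({b, RoleState::kPurged, 0});
    }
  }
  return findings;
}

int main() {
  // Constructed sample data: a policy snapshot and one role deleted 48h ago.
  Clock::time_point const now = Clock::time_point{} + Hours(1000);
  std::vector<Binding> policy = {
      {"projects/example-project/roles/auditViewer", "user:a@example.com"},
      {"roles/viewer", "user:b@example.com"}};
  std::map<std::string, Clock::time_point> deleted = {
      {"projects/example-project/roles/auditViewer", now - Hours(48)}};
  for (auto const& f : AuditBindings(policy, deleted, now))
    std::cout << f.binding.member << " holds an ineffective binding to "
              << f.binding.role << "; " << f.hours_left << "h left to undelete\n";
}
```

Because ListRoles omits deleted custom roles by default, an audit like this needs the deleted roles supplied from another source rather than from a default listing.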
UndeleteRole(google::iam::admin::v1::UndeleteRoleRequest const &, Options)
Undeletes a custom Role.
Parameters | |
---|---|
Name | Description |
request | (google::iam::admin::v1::UndeleteRoleRequest const &) Unary RPCs, such as the one wrapped by this function, receive a single |
opts | (Options) Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::Role > | the result of the RPC. The response message type (google.iam.admin.v1.Role) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
QueryTestablePermissions(google::iam::admin::v1::QueryTestablePermissionsRequest, Options)
Lists every permission that you can test on a resource.
A permission is testable if you can check whether a principal has that permission on the resource.
Parameters | |
---|---|
Name | Description |
request | (google::iam::admin::v1::QueryTestablePermissionsRequest) Unary RPCs, such as the one wrapped by this function, receive a single |
opts | (Options) Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StreamRange< google::iam::admin::v1::Permission > | a StreamRange to iterate over the results. See the documentation of this type for details. In brief, this class has |
QueryAuditableServices(google::iam::admin::v1::QueryAuditableServicesRequest const &, Options)
Returns a list of services that allow you to opt into audit logs that are not generated by default.
To learn more about audit logs, see the Logging documentation.
Parameters | |
---|---|
Name | Description |
request | (google::iam::admin::v1::QueryAuditableServicesRequest const &) Unary RPCs, such as the one wrapped by this function, receive a single |
opts | (Options) Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::QueryAuditableServicesResponse > | the result of the RPC. The response message type (google.iam.admin.v1.QueryAuditableServicesResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
LintPolicy(google::iam::admin::v1::LintPolicyRequest const &, Options)
Lints, or validates, an IAM policy.
Currently checks the google.iam.v1.Binding.condition field, which contains a condition expression for a role binding.
Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy.
Parameters | |
---|---|
Name | Description |
request | (google::iam::admin::v1::LintPolicyRequest const &) Unary RPCs, such as the one wrapped by this function, receive a single |
opts | (Options) Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::iam::admin::v1::LintPolicyResponse > | the result of the RPC. The response message type (google.iam.admin.v1.LintPolicyResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
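
Because a successful LintPolicy call does not mean the policy is clean, a deployment gate has to read the findings in the response rather than the call status. The following gate is an added example, not code from the client library: `LintResult`, `LintOutcome` and `Gate` are hypothetical stand-ins modelled on the LintResult message, and blocking only on ERROR severity is a policy choice of this example.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Stand-in types (assumptions of this example). They model only the parts of
// a lint finding that the gate reads.
enum class Severity { kUnspecified, kError, kWarning, kNotice, kInfo, kDeprecated };
struct LintResult { Severity severity; std::string field_name, debug_message; };
struct LintOutcome {
  bool rpc_ok;                      // false when the StatusOr<> held an error
  std::vector<LintResult> results;  // findings carried in the response body
};

enum class Gate { kPass, kPassWithFindings, kBlock };

// Decide whether a policy change may proceed. A failed call blocks (fail
// closed). A successful call still blocks when any finding is an ERROR,
// because success of the call says nothing about the policy itself.
Gate EvaluateLint(LintOutcome const& outcome) {
  if (!outcome.rpc_ok) return Gate::kBlock;
  Gate gate = Gate::kPass;
  for (auto const& r : outcome.results) {
    if (r.severity == Severity::kError) return Gate::kBlock;
    gate = Gate::kPassWithFindings;
  }
  return gate;
}

// Constructed sample outcomes, not real service output.
LintOutcome Clean() { return {true, {}}; }
LintOutcome WithWarning() {
  return {true, {{Severity::kWarning, "condition.expression", "constructed warning"}}};
}
LintOutcome WithError() {
  return {true, {{Severity::kWarning, "condition.expression", "constructed warning"},
                 {Severity::kError, "condition.expression", "constructed error"}}};
}
LintOutcome CallFailed() { return {false, {}}; }

int main() {
  char const* names[] = {"pass", "pass with findings", "block"};
  for (auto const& o : {Clean(), WithWarning(), WithError(), CallFailed()})
    std::cout << names[static_cast<int>(EvaluateLint(o))] << "\n";
}
```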