Summary of entries of Classes for iam.
Classes
IAMAsyncClient
Creates and manages Identity and Access Management (IAM) resources.
You can use this service to work with all of the following resources:
- Service accounts, which identify an application or a virtual machine (VM) instance rather than a person
- Service account keys, which service accounts use to authenticate with Google APIs
- IAM policies for service accounts, which specify the roles that a principal has for the service account
- IAM custom roles, which help you limit the number of permissions that you grant to principals
In addition, you can use this service to complete the following tasks, among others:
- Test whether a service account can use specific permissions
- Check which roles you can grant for a specific resource
- Lint, or validate, condition expressions in an IAM policy
When you read data from the IAM API, each read is eventually consistent. In other words, if you write data with the IAM API, then immediately read that data, the read operation might return an older version of the data. To deal with this behavior, your application can retry the request with truncated exponential backoff.
In contrast, writing data to the IAM API is sequentially consistent. In other words, write operations are always processed in the order in which they were received.
IAMClient
Creates and manages Identity and Access Management (IAM) resources.
You can use this service to work with all of the following resources:
- Service accounts, which identify an application or a virtual machine (VM) instance rather than a person
- Service account keys, which service accounts use to authenticate with Google APIs
- IAM policies for service accounts, which specify the roles that a principal has for the service account
- IAM custom roles, which help you limit the number of permissions that you grant to principals
In addition, you can use this service to complete the following tasks, among others:
- Test whether a service account can use specific permissions
- Check which roles you can grant for a specific resource
- Lint, or validate, condition expressions in an IAM policy
When you read data from the IAM API, each read is eventually consistent. In other words, if you write data with the IAM API, then immediately read that data, the read operation might return an older version of the data. To deal with this behavior, your application can retry the request with truncated exponential backoff.
In contrast, writing data to the IAM API is sequentially consistent. In other words, write operations are always processed in the order in which they were received.
ListRolesAsyncPager
A pager for iterating through list_roles requests.
This class thinly wraps an initial ListRolesResponse object, and provides an __aiter__ method to iterate through its roles field.
If there are more pages, the __aiter__ method will make additional ListRoles requests and continue to iterate through the roles field on the corresponding responses.
All the usual ListRolesResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.
ListRolesPager
A pager for iterating through list_roles requests.
This class thinly wraps an initial ListRolesResponse object, and provides an __iter__ method to iterate through its roles field.
If there are more pages, the __iter__ method will make additional ListRoles requests and continue to iterate through the roles field on the corresponding responses.
All the usual ListRolesResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.
ListServiceAccountsAsyncPager
A pager for iterating through list_service_accounts requests.
This class thinly wraps an initial ListServiceAccountsResponse object, and provides an __aiter__ method to iterate through its accounts field.
If there are more pages, the __aiter__ method will make additional ListServiceAccounts requests and continue to iterate through the accounts field on the corresponding responses.
All the usual ListServiceAccountsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.
ListServiceAccountsPager
A pager for iterating through list_service_accounts requests.
This class thinly wraps an initial ListServiceAccountsResponse object, and provides an __iter__ method to iterate through its accounts field.
If there are more pages, the __iter__ method will make additional ListServiceAccounts requests and continue to iterate through the accounts field on the corresponding responses.
All the usual ListServiceAccountsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.
QueryGrantableRolesAsyncPager
A pager for iterating through query_grantable_roles requests.
This class thinly wraps an initial QueryGrantableRolesResponse object, and provides an __aiter__ method to iterate through its roles field.
If there are more pages, the __aiter__ method will make additional QueryGrantableRoles requests and continue to iterate through the roles field on the corresponding responses.
All the usual QueryGrantableRolesResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.
QueryGrantableRolesPager
A pager for iterating through query_grantable_roles requests.
This class thinly wraps an initial QueryGrantableRolesResponse object, and provides an __iter__ method to iterate through its roles field.
If there are more pages, the __iter__ method will make additional QueryGrantableRoles requests and continue to iterate through the roles field on the corresponding responses.
All the usual QueryGrantableRolesResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.
QueryTestablePermissionsAsyncPager
A pager for iterating through query_testable_permissions requests.
This class thinly wraps an initial QueryTestablePermissionsResponse object, and provides an __aiter__ method to iterate through its permissions field.
If there are more pages, the __aiter__ method will make additional QueryTestablePermissions requests and continue to iterate through the permissions field on the corresponding responses.
All the usual QueryTestablePermissionsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.
QueryTestablePermissionsPager
A pager for iterating through query_testable_permissions requests.
This class thinly wraps an initial QueryTestablePermissionsResponse object, and provides an __iter__ method to iterate through its permissions field.
If there are more pages, the __iter__ method will make additional QueryTestablePermissions requests and continue to iterate through the permissions field on the corresponding responses.
All the usual QueryTestablePermissionsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.
AuditData
Audit log information specific to Cloud IAM admin APIs. This message is serialized as an Any type in the ServiceData message of an AuditLog message.
PermissionDelta
A PermissionDelta message to record the added_permissions and removed_permissions inside a role.
CreateRoleRequest
The request to create a new role.
CreateServiceAccountKeyRequest
The service account key create request.
CreateServiceAccountRequest
The service account create request.
DeleteRoleRequest
The request to delete an existing role.
DeleteServiceAccountKeyRequest
The service account key delete request.
DeleteServiceAccountRequest
The service account delete request.
DisableServiceAccountKeyRequest
The service account key disable request.
DisableServiceAccountRequest
The service account disable request.
EnableServiceAccountKeyRequest
The service account key enable request.
EnableServiceAccountRequest
The service account enable request.
GetRoleRequest
The request to get the definition of an existing role.
GetServiceAccountKeyRequest
The service account key get by id request.
GetServiceAccountRequest
The service account get request.
LintPolicyRequest
The request to lint a Cloud IAM policy object.
LintPolicyResponse
The response of a lint operation. An empty response indicates the operation was able to fully execute and no lint issue was found.
LintResult
Structured response of a single validation unit.
Level
Possible Level values of a validation unit corresponding to its domain of discourse.
Values:
LEVEL_UNSPECIFIED (0):
Level is unspecified.
CONDITION (3):
A validation unit which operates on an individual condition within a binding.
Severity
Possible Severity values of an issued result.
Values:
SEVERITY_UNSPECIFIED (0):
Severity is unspecified.
ERROR (1):
A validation unit returns an error only for critical issues. If an attempt is made to set the problematic policy without rectifying the critical issue, it causes the setPolicy operation to fail.
WARNING (2):
Any issue which is severe enough but does not cause an error. For example, suspicious constructs in the input object will not necessarily fail setPolicy, but there is a high likelihood that they won't behave as expected during policy evaluation in checkPolicy. This includes the following common scenarios:
- Unsatisfiable condition: Expired timestamp in date/time condition.
- Ineffective condition: Condition on a <principal, role> pair which is granted unconditionally in another binding of the same policy.
NOTICE (3):
Reserved for the issues that are not as severe as `ERROR`/`WARNING`, but need special handling. For instance, messages about skipped validation units are issued as `NOTICE`.
INFO (4):
Any informative statement which is not severe enough to raise `ERROR`/`WARNING`/`NOTICE`, like auto-correction recommendations on the input content. Note that the current version of the linter does not utilize `INFO`.
DEPRECATED (5):
Deprecated severity level.
ListRolesRequest
The request to get all roles defined under a resource.
ListRolesResponse
The response containing the roles defined under a resource.
ListServiceAccountKeysRequest
The service account keys list request.
KeyType
KeyType filters to selectively retrieve certain varieties of keys.
Values:
KEY_TYPE_UNSPECIFIED (0):
Unspecified key type. The presence of this in the message will immediately result in an error.
USER_MANAGED (1):
User-managed keys (managed and rotated by the user).
SYSTEM_MANAGED (2):
System-managed keys (managed and rotated by Google).
ListServiceAccountKeysResponse
The service account keys list response.
ListServiceAccountsRequest
The service account list request.
ListServiceAccountsResponse
The service account list response.
PatchServiceAccountRequest
The service account patch request.
You can patch only the display_name and description fields.
You must use the update_mask field to specify which of these fields you want to patch.
Only the fields specified in the request are guaranteed to be returned in the response. Other fields may be empty in the response.
Permission
A permission which can be included by a role.
CustomRolesSupportLevel
The state of the permission with regards to custom roles.
Values:
SUPPORTED (0):
Default state. Permission is fully supported for custom role use.
TESTING (1):
Permission is being tested to check custom role compatibility.
NOT_SUPPORTED (2):
Permission is not supported for custom role use.
PermissionLaunchStage
A stage representing a permission's lifecycle phase.
Values:
ALPHA (0):
The permission is currently in an alpha phase.
BETA (1):
The permission is currently in a beta phase.
GA (2):
The permission is generally available.
DEPRECATED (3):
The permission is being deprecated.
QueryAuditableServicesRequest
A request to get the list of auditable services for a resource.
QueryAuditableServicesResponse
A response containing a list of auditable services for a resource.
AuditableService
Contains information about an auditable service.
QueryGrantableRolesRequest
The grantable role query request.
QueryGrantableRolesResponse
The grantable role query response.
QueryTestablePermissionsRequest
A request to get permissions which can be tested on a resource.
QueryTestablePermissionsResponse
The response containing permissions which can be tested on a resource.
Role
A role in the Identity and Access Management API.
RoleLaunchStage
A stage representing a role's lifecycle phase.
Values:
ALPHA (0):
The user has indicated this role is currently in an Alpha phase. If this launch stage is selected, the stage field will not be included when requesting the definition for a given role.
BETA (1):
The user has indicated this role is currently in a Beta phase.
GA (2):
The user has indicated this role is generally available.
DEPRECATED (4):
The user has indicated this role is being deprecated.
DISABLED (5):
This role is disabled and will not contribute permissions to any principals it is granted to in policies.
EAP (6):
The user has indicated this role is currently in an EAP phase.
RoleView
A view for Role objects.
Values:
BASIC (0):
Omits the included_permissions field. This is the default value.
FULL (1):
Returns all fields.
ServiceAccount
An IAM service account.
A service account is an account for an application or a virtual machine (VM) instance, not a person. You can use a service account to call Google APIs. To learn more, read the overview of service accounts (https://cloud.google.com/iam/help/service-accounts/overview).
When you create a service account, you specify the project ID that owns the service account, as well as a name that must be unique within the project. IAM uses these values to create an email address that identifies the service account.
ServiceAccountKey
Represents a service account key.
A service account has two sets of key-pairs: user-managed, and system-managed.
User-managed key-pairs can be created and deleted by users. Users are responsible for rotating these keys periodically to ensure security of their service accounts. Users retain the private key of these key-pairs, and Google retains ONLY the public key.
System-managed keys are automatically rotated by Google, and are used for signing for a maximum of two weeks. The rotation process is probabilistic, and usage of the new key will gradually ramp up and down over the key's lifetime.
If you cache the public key set for a service account, we recommend that you update the cache every 15 minutes. User-managed keys can be added and removed at any time, so it is important to update the cache frequently. For Google-managed keys, Google will publish a key at least 6 hours before it is first used for signing and will keep publishing it for at least 6 hours after it was last used for signing.
Public keys for all service accounts are also published at the OAuth2 Service Account API.
ServiceAccountKeyAlgorithm
Supported key algorithms.
Values:
KEY_ALG_UNSPECIFIED (0):
An unspecified key algorithm.
KEY_ALG_RSA_1024 (1):
1k RSA Key.
KEY_ALG_RSA_2048 (2):
2k RSA Key.
ServiceAccountKeyOrigin
Service Account Key Origin.
Values:
ORIGIN_UNSPECIFIED (0):
Unspecified key origin.
USER_PROVIDED (1):
Key is provided by user.
GOOGLE_PROVIDED (2):
Key is provided by Google.
ServiceAccountPrivateKeyType
Supported private key output formats.
Values:
TYPE_UNSPECIFIED (0):
Unspecified. Equivalent to TYPE_GOOGLE_CREDENTIALS_FILE.
TYPE_PKCS12_FILE (1):
PKCS12 format. The password for the PKCS12 file is notasecret. For more information, see https://tools.ietf.org/html/rfc7292.
TYPE_GOOGLE_CREDENTIALS_FILE (2):
Google Credentials File format.
ServiceAccountPublicKeyType
Supported public key output formats.
Values:
TYPE_NONE (0):
Do not return the public key.
TYPE_X509_PEM_FILE (1):
X509 PEM format.
TYPE_RAW_PUBLIC_KEY (2):
Raw public key.
SignBlobRequest
Deprecated. Migrate to Service Account Credentials API (https://cloud.google.com/iam/help/credentials/migrate-api).
The service account sign blob request.
SignBlobResponse
Deprecated. Migrate to Service Account Credentials API (https://cloud.google.com/iam/help/credentials/migrate-api).
The service account sign blob response.
SignJwtRequest
Deprecated. Migrate to Service Account Credentials API (https://cloud.google.com/iam/help/credentials/migrate-api).
The service account sign JWT request.
SignJwtResponse
Deprecated. Migrate to Service Account Credentials API (https://cloud.google.com/iam/help/credentials/migrate-api).
The service account sign JWT response.
UndeleteRoleRequest
The request to undelete an existing role.
UndeleteServiceAccountRequest
The service account undelete request.
UndeleteServiceAccountResponse
UpdateRoleRequest
The request to update a role.
UploadServiceAccountKeyRequest
The service account key upload request.
IAMCredentialsAsyncClient
A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved.
Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.
IAMCredentialsClient
A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved.
Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more.
GenerateAccessTokenRequest
GenerateAccessTokenResponse
GenerateIdTokenRequest
GenerateIdTokenResponse
SignBlobRequest
SignBlobResponse
SignJwtRequest
SignJwtResponse
PoliciesAsyncClient
An interface for managing Identity and Access Management (IAM) policies.
PoliciesClient
An interface for managing Identity and Access Management (IAM) policies.
ListPoliciesAsyncPager
A pager for iterating through list_policies requests.
This class thinly wraps an initial ListPoliciesResponse object, and provides an __aiter__ method to iterate through its policies field.
If there are more pages, the __aiter__ method will make additional ListPolicies requests and continue to iterate through the policies field on the corresponding responses.
All the usual ListPoliciesResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.
ListPoliciesPager
A pager for iterating through list_policies requests.
This class thinly wraps an initial ListPoliciesResponse object, and provides an __iter__ method to iterate through its policies field.
If there are more pages, the __iter__ method will make additional ListPolicies requests and continue to iterate through the policies field on the corresponding responses.
All the usual ListPoliciesResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.
CreatePolicyRequest
Request message for CreatePolicy.
DeletePolicyRequest
Request message for DeletePolicy.
DenyRule
A deny rule in an IAM deny policy.
GetPolicyRequest
Request message for GetPolicy.
ListPoliciesRequest
Request message for ListPolicies.
ListPoliciesResponse
Response message for ListPolicies.
Policy
Data for an IAM policy.
AnnotationsEntry
The abstract base class for a message.
PolicyOperationMetadata
Metadata for long-running Policy operations.
PolicyRule
A single rule in a Policy.
UpdatePolicyRequest
Request message for UpdatePolicy.
PoliciesAsyncClient
An interface for managing Identity and Access Management (IAM) policies.
PoliciesClient
An interface for managing Identity and Access Management (IAM) policies.
ListPoliciesAsyncPager
A pager for iterating through list_policies requests.
This class thinly wraps an initial ListPoliciesResponse object, and provides an __aiter__ method to iterate through its policies field.
If there are more pages, the __aiter__ method will make additional ListPolicies requests and continue to iterate through the policies field on the corresponding responses.
All the usual ListPoliciesResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.
ListPoliciesPager
A pager for iterating through list_policies requests.
This class thinly wraps an initial ListPoliciesResponse object, and provides an __iter__ method to iterate through its policies field.
If there are more pages, the __iter__ method will make additional ListPolicies requests and continue to iterate through the policies field on the corresponding responses.
All the usual ListPoliciesResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.
CreatePolicyRequest
Request message for CreatePolicy.
DeletePolicyRequest
Request message for DeletePolicy.
DenyRule
A deny rule in an IAM deny policy.
GetPolicyRequest
Request message for GetPolicy.
ListPoliciesRequest
Request message for ListPolicies.
ListPoliciesResponse
Response message for ListPolicies.
Policy
Data for an IAM policy.
AnnotationsEntry
The abstract base class for a message.
PolicyOperationMetadata
Metadata for long-running Policy operations.
PolicyRule
A single rule in a Policy.
UpdatePolicyRequest
Request message for UpdatePolicy.
Modules
pagers
API documentation for iam_admin_v1.services.iam.pagers module.
pagers
API documentation for iam_v2.services.policies.pagers module.
pagers
API documentation for iam_v2beta.services.policies.pagers module.