| { |
| "auth": { |
| "oauth2": { |
| "scopes": { |
| "https://www.googleapis.com/auth/cloud-platform": { |
| "description": "View and manage your data across Google Cloud Platform services" |
| } |
| } |
| } |
| }, |
| "basePath": "", |
| "baseUrl": "https://iamcredentials.googleapis.com/", |
| "batchPath": "batch", |
| "canonicalName": "IAM Credentials", |
| "description": "Creates short-lived, limited-privilege credentials for IAM service accounts.", |
| "discoveryVersion": "v1", |
| "documentationLink": "https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials", |
| "fullyEncodeReservedExpansion": true, |
| "icons": { |
| "x16": "http://www.google.com/images/icons/product/search-16.gif", |
| "x32": "http://www.google.com/images/icons/product/search-32.gif" |
| }, |
| "id": "iamcredentials:v1", |
| "kind": "discovery#restDescription", |
| "name": "iamcredentials", |
| "ownerDomain": "google.com", |
| "ownerName": "Google", |
| "parameters": { |
| "$.xgafv": { |
| "description": "V1 error format.", |
| "enum": [ |
| "1", |
| "2" |
| ], |
| "enumDescriptions": [ |
| "v1 error format", |
| "v2 error format" |
| ], |
| "location": "query", |
| "type": "string" |
| }, |
| "access_token": { |
| "description": "OAuth access token.", |
| "location": "query", |
| "type": "string" |
| }, |
| "alt": { |
| "default": "json", |
| "description": "Data format for response.", |
| "enum": [ |
| "json", |
| "media", |
| "proto" |
| ], |
| "enumDescriptions": [ |
| "Responses with Content-Type of application/json", |
| "Media download with context-dependent Content-Type", |
| "Responses with Content-Type of application/x-protobuf" |
| ], |
| "location": "query", |
| "type": "string" |
| }, |
| "callback": { |
| "description": "JSONP", |
| "location": "query", |
| "type": "string" |
| }, |
| "fields": { |
| "description": "Selector specifying which fields to include in a partial response.", |
| "location": "query", |
| "type": "string" |
| }, |
| "key": { |
| "description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.", |
| "location": "query", |
| "type": "string" |
| }, |
| "oauth_token": { |
| "description": "OAuth 2.0 token for the current user.", |
| "location": "query", |
| "type": "string" |
| }, |
| "prettyPrint": { |
| "default": "true", |
| "description": "Returns response with indentations and line breaks.", |
| "location": "query", |
| "type": "boolean" |
| }, |
| "quotaUser": { |
| "description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.", |
| "location": "query", |
| "type": "string" |
| }, |
| "uploadType": { |
| "description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\").", |
| "location": "query", |
| "type": "string" |
| }, |
| "upload_protocol": { |
| "description": "Upload protocol for media (e.g. \"raw\", \"multipart\").", |
| "location": "query", |
| "type": "string" |
| } |
| }, |
| "protocol": "rest", |
| "resources": { |
| "projects": { |
| "resources": { |
| "serviceAccounts": { |
| "methods": { |
| "generateAccessToken": { |
| "description": "Generates an OAuth 2.0 access token for a service account.", |
| "flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:generateAccessToken", |
| "httpMethod": "POST", |
| "id": "iamcredentials.projects.serviceAccounts.generateAccessToken", |
| "parameterOrder": [ |
| "name" |
| ], |
| "parameters": { |
| "name": { |
| "description": "The resource name of the service account for which the credentials\nare requested, in the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.", |
| "location": "path", |
| "pattern": "^projects/[^/]+/serviceAccounts/[^/]+$", |
| "required": true, |
| "type": "string" |
| } |
| }, |
| "path": "v1/{+name}:generateAccessToken", |
| "request": { |
| "$ref": "GenerateAccessTokenRequest" |
| }, |
| "response": { |
| "$ref": "GenerateAccessTokenResponse" |
| }, |
| "scopes": [ |
| "https://www.googleapis.com/auth/cloud-platform" |
| ] |
| }, |
| "generateIdToken": { |
| "description": "Generates an OpenID Connect ID token for a service account.", |
| "flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:generateIdToken", |
| "httpMethod": "POST", |
| "id": "iamcredentials.projects.serviceAccounts.generateIdToken", |
| "parameterOrder": [ |
| "name" |
| ], |
| "parameters": { |
| "name": { |
| "description": "The resource name of the service account for which the credentials\nare requested, in the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.", |
| "location": "path", |
| "pattern": "^projects/[^/]+/serviceAccounts/[^/]+$", |
| "required": true, |
| "type": "string" |
| } |
| }, |
| "path": "v1/{+name}:generateIdToken", |
| "request": { |
| "$ref": "GenerateIdTokenRequest" |
| }, |
| "response": { |
| "$ref": "GenerateIdTokenResponse" |
| }, |
| "scopes": [ |
| "https://www.googleapis.com/auth/cloud-platform" |
| ] |
| }, |
| "generateIdentityBindingAccessToken": { |
| "description": "", |
| "flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:generateIdentityBindingAccessToken", |
| "httpMethod": "POST", |
| "id": "iamcredentials.projects.serviceAccounts.generateIdentityBindingAccessToken", |
| "parameterOrder": [ |
| "name" |
| ], |
| "parameters": { |
| "name": { |
| "description": "The resource name of the service account for which the credentials\nare requested, in the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.", |
| "location": "path", |
| "pattern": "^projects/[^/]+/serviceAccounts/[^/]+$", |
| "required": true, |
| "type": "string" |
| } |
| }, |
| "path": "v1/{+name}:generateIdentityBindingAccessToken", |
| "request": { |
| "$ref": "GenerateIdentityBindingAccessTokenRequest" |
| }, |
| "response": { |
| "$ref": "GenerateIdentityBindingAccessTokenResponse" |
| } |
| }, |
| "signBlob": { |
| "description": "Signs a blob using a service account's system-managed private key.", |
| "flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:signBlob", |
| "httpMethod": "POST", |
| "id": "iamcredentials.projects.serviceAccounts.signBlob", |
| "parameterOrder": [ |
| "name" |
| ], |
| "parameters": { |
| "name": { |
| "description": "The resource name of the service account for which the credentials\nare requested, in the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.", |
| "location": "path", |
| "pattern": "^projects/[^/]+/serviceAccounts/[^/]+$", |
| "required": true, |
| "type": "string" |
| } |
| }, |
| "path": "v1/{+name}:signBlob", |
| "request": { |
| "$ref": "SignBlobRequest" |
| }, |
| "response": { |
| "$ref": "SignBlobResponse" |
| }, |
| "scopes": [ |
| "https://www.googleapis.com/auth/cloud-platform" |
| ] |
| }, |
| "signJwt": { |
| "description": "Signs a JWT using a service account's system-managed private key.", |
| "flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:signJwt", |
| "httpMethod": "POST", |
| "id": "iamcredentials.projects.serviceAccounts.signJwt", |
| "parameterOrder": [ |
| "name" |
| ], |
| "parameters": { |
| "name": { |
| "description": "The resource name of the service account for which the credentials\nare requested, in the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.", |
| "location": "path", |
| "pattern": "^projects/[^/]+/serviceAccounts/[^/]+$", |
| "required": true, |
| "type": "string" |
| } |
| }, |
| "path": "v1/{+name}:signJwt", |
| "request": { |
| "$ref": "SignJwtRequest" |
| }, |
| "response": { |
| "$ref": "SignJwtResponse" |
| }, |
| "scopes": [ |
| "https://www.googleapis.com/auth/cloud-platform" |
| ] |
| } |
| } |
| } |
| } |
| } |
| }, |
| "revision": "20181013", |
| "rootUrl": "https://iamcredentials.googleapis.com/", |
| "schemas": { |
| "GenerateAccessTokenRequest": { |
| "id": "GenerateAccessTokenRequest", |
| "properties": { |
| "delegates": { |
| "description": "The sequence of service accounts in a delegation chain. Each service\naccount must be granted the `roles/iam.serviceAccountTokenCreator` role\non its next service account in the chain. The last service account in the\nchain must be granted the `roles/iam.serviceAccountTokenCreator` role\non the service account that is specified in the `name` field of the\nrequest.\n\nThe delegates must have the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`", |
| "items": { |
| "type": "string" |
| }, |
| "type": "array" |
| }, |
| "lifetime": { |
| "description": "The desired lifetime duration of the access token in seconds.\nMust be set to a value less than or equal to 3600 (1 hour). If a value is\nnot specified, the token's lifetime will be set to a default value of one\nhour.", |
| "format": "google-duration", |
| "type": "string" |
| }, |
| "scope": { |
| "description": "Code to identify the scopes to be included in the OAuth 2.0 access token.\nSee https://developers.google.com/identity/protocols/googlescopes for more\ninformation.\nAt least one value required.", |
| "items": { |
| "type": "string" |
| }, |
| "type": "array" |
| } |
| }, |
| "type": "object" |
| }, |
| "GenerateAccessTokenResponse": { |
| "id": "GenerateAccessTokenResponse", |
| "properties": { |
| "accessToken": { |
| "description": "The OAuth 2.0 access token.", |
| "type": "string" |
| }, |
| "expireTime": { |
| "description": "Token expiration time.\nThe expiration time is always set.", |
| "format": "google-datetime", |
| "type": "string" |
| } |
| }, |
| "type": "object" |
| }, |
| "GenerateIdTokenRequest": { |
| "id": "GenerateIdTokenRequest", |
| "properties": { |
| "audience": { |
| "description": "The audience for the token, such as the API or account that this token\ngrants access to.", |
| "type": "string" |
| }, |
| "delegates": { |
| "description": "The sequence of service accounts in a delegation chain. Each service\naccount must be granted the `roles/iam.serviceAccountTokenCreator` role\non its next service account in the chain. The last service account in the\nchain must be granted the `roles/iam.serviceAccountTokenCreator` role\non the service account that is specified in the `name` field of the\nrequest.\n\nThe delegates must have the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`", |
| "items": { |
| "type": "string" |
| }, |
| "type": "array" |
| }, |
| "includeEmail": { |
| "description": "Include the service account email in the token. If set to `true`, the\ntoken will contain `email` and `email_verified` claims.", |
| "type": "boolean" |
| } |
| }, |
| "type": "object" |
| }, |
| "GenerateIdTokenResponse": { |
| "id": "GenerateIdTokenResponse", |
| "properties": { |
| "token": { |
| "description": "The OpenId Connect ID token.", |
| "type": "string" |
| } |
| }, |
| "type": "object" |
| }, |
| "GenerateIdentityBindingAccessTokenRequest": { |
| "id": "GenerateIdentityBindingAccessTokenRequest", |
| "properties": { |
| "jwt": { |
| "description": "Required. Input token.\nMust be in JWT format according to\nRFC7523 (https://tools.ietf.org/html/rfc7523)\nand must have 'kid' field in the header.\nSupported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).\nMandatory payload fields (along the lines of RFC 7523, section 3):\n- iss: issuer of the token. Must provide a discovery document at\n $iss/.well-known/openid-configuration . The document needs to be\n formatted according to section 4.2 of the OpenID Connect Discovery\n 1.0 specification.\n- iat: Issue time in seconds since epoch. Must be in the past.\n- exp: Expiration time in seconds since epoch. Must be less than 48 hours\n after iat. We recommend to create tokens that last shorter than 6\n hours to improve security unless business reasons mandate longer\n expiration times. Shorter token lifetimes are generally more secure\n since tokens that have been exfiltrated by attackers can be used for\n a shorter time. you can configure the maximum lifetime of the\n incoming token in the configuration of the mapper.\n The resulting Google token will expire within an hour or at \"exp\",\n whichever is earlier.\n- sub: JWT subject, identity asserted in the JWT.\n- aud: Configured in the mapper policy. By default the service account\n email.\n\nClaims from the incoming token can be transferred into the output token\naccoding to the mapper configuration. The outgoing claim size is limited.\nOutgoing claims size must be less than 4kB serialized as JSON without\nwhitespace.\n\nExample header:\n{\n \"alg\": \"RS256\",\n \"kid\": \"92a4265e14ab04d4d228a48d10d4ca31610936f8\"\n}\nExample payload:\n{\n \"iss\": \"https://accounts.google.com\",\n \"iat\": 1517963104,\n \"exp\": 1517966704,\n \"aud\": \"https://iamcredentials.googleapis.com/google.iam.credentials.v1.CloudGaia\",\n \"sub\": \"113475438248934895348\",\n \"my_claims\": {\n \"additional_claim\": \"value\"\n }\n}", |
| "type": "string" |
| }, |
| "scope": { |
| "description": "Code to identify the scopes to be included in the OAuth 2.0 access token.\nSee https://developers.google.com/identity/protocols/googlescopes for more\ninformation.\nAt least one value required.", |
| "items": { |
| "type": "string" |
| }, |
| "type": "array" |
| } |
| }, |
| "type": "object" |
| }, |
| "GenerateIdentityBindingAccessTokenResponse": { |
| "id": "GenerateIdentityBindingAccessTokenResponse", |
| "properties": { |
| "accessToken": { |
| "description": "The OAuth 2.0 access token.", |
| "type": "string" |
| }, |
| "expireTime": { |
| "description": "Token expiration time.\nThe expiration time is always set.", |
| "format": "google-datetime", |
| "type": "string" |
| } |
| }, |
| "type": "object" |
| }, |
| "SignBlobRequest": { |
| "id": "SignBlobRequest", |
| "properties": { |
| "delegates": { |
| "description": "The sequence of service accounts in a delegation chain. Each service\naccount must be granted the `roles/iam.serviceAccountTokenCreator` role\non its next service account in the chain. The last service account in the\nchain must be granted the `roles/iam.serviceAccountTokenCreator` role\non the service account that is specified in the `name` field of the\nrequest.\n\nThe delegates must have the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`", |
| "items": { |
| "type": "string" |
| }, |
| "type": "array" |
| }, |
| "payload": { |
| "description": "The bytes to sign.", |
| "format": "byte", |
| "type": "string" |
| } |
| }, |
| "type": "object" |
| }, |
| "SignBlobResponse": { |
| "id": "SignBlobResponse", |
| "properties": { |
| "keyId": { |
| "description": "The ID of the key used to sign the blob.", |
| "type": "string" |
| }, |
| "signedBlob": { |
| "description": "The signed blob.", |
| "format": "byte", |
| "type": "string" |
| } |
| }, |
| "type": "object" |
| }, |
| "SignJwtRequest": { |
| "id": "SignJwtRequest", |
| "properties": { |
| "delegates": { |
| "description": "The sequence of service accounts in a delegation chain. Each service\naccount must be granted the `roles/iam.serviceAccountTokenCreator` role\non its next service account in the chain. The last service account in the\nchain must be granted the `roles/iam.serviceAccountTokenCreator` role\non the service account that is specified in the `name` field of the\nrequest.\n\nThe delegates must have the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`", |
| "items": { |
| "type": "string" |
| }, |
| "type": "array" |
| }, |
| "payload": { |
| "description": "The JWT payload to sign: a JSON object that contains a JWT Claims Set.", |
| "type": "string" |
| } |
| }, |
| "type": "object" |
| }, |
| "SignJwtResponse": { |
| "id": "SignJwtResponse", |
| "properties": { |
| "keyId": { |
| "description": "The ID of the key used to sign the JWT.", |
| "type": "string" |
| }, |
| "signedJwt": { |
| "description": "The signed JWT.", |
| "type": "string" |
| } |
| }, |
| "type": "object" |
| } |
| }, |
| "servicePath": "", |
| "title": "IAM Service Account Credentials API", |
| "version": "v1", |
| "version_module": true |
| } |
