E1SrSSKJr SSKJr SSKJr SSKJr Sr "SS\R5r "S S \R5r "S S \R5r "S S\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS \R5r"S!S"\R5r"S#S$\R5r"S%S&\R5r"S'S(\R5r"S)S*\R5r"S+S,\R5r"S-S.\R5r"S/S0\R5r"S1S2\R5r "S3S4\R5r!"S5S6\R5r""S7S8\R5r#"S9S:\R5r$"S;S<\R5r%"S=S>\R5r&"S?S@\R5r'"SASB\R5r("SCSD\R5r)"SESF\R5r*"SGSH\R5r+"SISJ\R5r,"SKSL\R5r-"SMSN\R5r."SOSP\R5r/"SQSR\R5r0"SSST\R5r1"SUSV\R5r2"SWSX\R5r3"SYSZ\R5r4"S[S\\R5r5"S]S^\R5r6"S_S`\R5r7"SaSb\R5r8"ScSd\R5r9"SeSf\R5r:"SgSh\R5r;"SiSj\R5r<"SkSl\R5r="SmSn\R5r>"SoSp\R5r?"SqSr\R5r@"SsSt\R5rA"SuSv\R5rB"SwSx\R5rC"SySz\R5rD"S{S|\R5rE"S}S~\R5rF"SS\R5rG"SS\R5rH"SS\R5rI"SS\R5rJ"SS\R5rK"SS\R5rL"SS\R5rM"SS\R5rN"SS\R5rO"SS\R5rP"SS\R5rQ"SS\R5rR"SS\R5rS"SS\R5rT"SS\R5rU"SS\R5rV"SS\R5rW"SS\R5rX"SS\R5rY"SS\R5rZ"SS\R5r["SS\R5r\"SS\R5r]"SS\R5r^"SS\R5r_"SS\R5r`"SS\R5ra"SS\R5rb"SS\R5rc"SS\R5rd"SS\R5re"SS\R5rf"SS\R5rg"SS\R5rh"SS\R5ri"SS\R5rj"SS\R5rk"SS\R5rl"SS\R5rm"SS\R5rn"SS\R5ro"SS\R5rp"SS\R5rq"SS\R5rr"SS\R5rs"SS\R5rt"SS\R5ru"SS\R5rv"SS\R5rw"SS\R5rx"SS\R5ry"SS\R5rz"SS\R5r{"SS\R5r|"SS\R5r}"SS\R5r~"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GS GS \R5r"GS GS \R5r"GS GS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS \R5r"GS!GS"\R5r"GS#GS$\R5r"GS%GS&\R5r"GS'GS(\R5r"GS)GS*\R5r"GS+GS,\R5r"GS-GS.\R5r"GS/GS0\R5r"GS1GS2\R5r"GS3GS4\R5r"GS5GS6\R5r"GS7GS8\R5r"GS9GS:\R5r"GS;GS<\R5r"GS=GS>\R5r"GS?GS@\R5r"GSAGSB\R5r"GSCGSD\R5r"GSEGSF\R5r"GSGGSH\R5r"GSIGSJ\R5r"GSKGSL\R5r"GSMGSN\R5r"GSOGSP\R5r"GSQGSR\R5r"GSSGST\R5r"GSUGSV\R5r"GSWGSX\R5r"GSYGSZ\R5r"GS[GS\\R5r"GS]GS^\R5r"GS_GS`\R5r"GSaGSb\R5r"GScGSd\R5r"GSeGSf\R5r"GSgGSh\R5r"GSiGSj\R5r"GSkGSl\R5r"GSmGSn\R5r"GSoGSp\R5r"GSqGSr\R5r"GSsGSt\R5r"GSuGSv\R5r"GSwGSx\R5r"GSyGSz\R5r"GS{GS|\R5r"GS}GS~\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5Gr"GSGS\R5Gr"GSGS\R5Gr"GSGS\R5Gr"GSGS\R5Gr"GSGS\R5Gr"GSGS\R5Gr"GSGS\R5Gr"GSGS\R5Gr"GSGS\R5Gr "GSGS\R5Gr "GSGS\R5Gr "GS GS \R5Gr "GS GS \R5Gr "GS GS\R5Gr"GSGS\R5Gr"GSGS\R5Gr"GSGS\R5Gr"GSGS\R5Gr"GSGS\R5Gr"GSGS\R5Gr"GSGS\R5Gr"GSGS\R5Gr"GSGS \R5Gr"GS!GS"\R5Gr"GS#GS$\R5Gr"GS%GS&\R5Gr"GS'GS(\R5Gr"GS)GS*\R5Gr"GS+GS,\R5Gr"GS-GS.\R5Gr"GS/GS0\R5Gr"GS1GS2\R5Gr "GS3GS4\R5Gr!"GS5GS6\R5Gr""GS7GS8\R5Gr#\GRH"\GS9GS:5 \GRJ"\GRLGS;GS<5 \GRJ"\GRLGS=GS>5 \GRH"\GS?GS@5 GgA(BaGenerated message classes for iam version v1. Manages identity and access control for Google Cloud resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls. Enabling this API also enables the IAM Service Account Credentials API (iamcredentials.googleapis.com). However, disabling this API doesn't disable the IAM Service Account Credentials API. )absolute_import)messages)encoding) extra_typesiamc`\rSrSrSr\R "SSSS9r\R"S5r Sr g ) AccessRestrictionsaAccess related restrictions on the workforce pool. Fields: allowedServices: Optional. Immutable. Services allowed for web sign-in with the workforce pool. If not set by default there are no restrictions. disableProgrammaticSignin: Optional. Disable programmatic sign-in by disabling token issue via the Security Token API endpoint. See [Security Token Service API] (https://cloud.google.com/iam/docs/reference/sts/rest). ServiceConfigTrepeatedN) __name__ __module__ __qualname____firstlineno____doc__ _messages MessageFieldallowedServices BooleanFielddisableProgrammaticSignin__static_attributes__rClib/googlecloudsdk/generated_clients/apis/iam/v1/iam_v1_messages.pyr r s. **?AM/'44Q7rr c>\rSrSrSr\R "SS5rSrg)AddAttestationRuleRequest&zpRequest message for AddAttestationRule. Fields: attestationRule: Required. The attestation rule to be added. AttestationRuler rN rrrrrrrattestationRulerrrrrr& **+\rSrSrSr\R "SS5rSrg)AdminAuditData0zAudit log information specific to Cloud IAM admin APIs. This message is serialized as an `Any` type in the `ServiceData` message of an `AuditLog` message. Fields: permissionDelta: The permission_delta when when creating or updating a Role. PermissionDeltar rN) rrrrrrrpermissionDeltarrrrr&r&0s**+\rSrSrSr\R "SS5rSrg) AuditDatazAudit log information specific to Cloud IAM. This message is serialized as an `Any` type in the `ServiceData` message of an `AuditLog` message. Fields: policyDelta: Policy delta between the original policy and the newly set policy. PolicyDeltar rN) rrrrrrr policyDeltarrrrrHrHs&&}a8+rrHc\rSrSrSr"SS\R 5r\R"SSS9r \R"SS5r S r g ) rDaRProvides the configuration for logging a type of permissions. Example: { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" } ] } This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging. Enums: LogTypeValueValuesEnum: The log type that this config enables. Fields: exemptedMembers: Specifies the identities that do not cause logging for this type of permission. Follows the same format of Binding.members. logType: The log type that this config enables. c(\rSrSrSrSrSrSrSrSr g) %AuditLogConfig.LogTypeValueValuesEnumaThe log type that this config enables. Values: LOG_TYPE_UNSPECIFIED: Default case. Should never be this. ADMIN_READ: Admin reads. Example: CloudIAM getIamPolicy DATA_WRITE: Data writes. Example: CloudSQL Users create DATA_READ: Data reads. Example: CloudSQL Users list rr rr5rN) rrrrrLOG_TYPE_UNSPECIFIED ADMIN_READ DATA_WRITE DATA_READrrrrLogTypeValueValuesEnumrOsJJIrrUr Tr rrN) rrrrrrr7rUr9exemptedMembersr;logTyperrrrrDrDs>  y~~ ))!d;/    8! <'rrDc<\rSrSrSr\R "S5rSrg)AuditableServicezContains information about an auditable service. Fields: name: Public name of the service. For example, the service name for IAM is 'iam.googleapis.com'. r rN rrrrrrr9r:rrrrrYrYs   q !$rrYc<\rSrSrSr\R "S5rSrg)AwsziRepresents an Amazon Web Services identity provider. Fields: accountId: Required. The AWS account ID. r rN) rrrrrrr9 accountIdrrrrr]r]s ##A&)rr]c\rSrSrSr\R "SS5r\R"SSS9r \R"S5r S r g ) BindingatAssociates `members`, or principals, with a `role`. Fields: condition: The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource- policies). members: Specifies the principals requesting access for a Google Cloud resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that represents a Google service account. For example, `my-other- app@appspot.gserviceaccount.com`. * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An identifier for a [Kubernetes service account](https://cloud.google.com/kubernetes-engine/docs/how- to/kubernetes-service-accounts). For example, `my- project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. * `principal://iam.googleapis.com/locatio ns/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: A single identity in a workforce identity pool. * `principalSet://iam.goog leapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: All workforce identities in a group. * `principalSet://iam.googleapis.co m/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{ attribute_value}`: All workforce identities with a specific attribute value. * `principalSet://iam.googleapis.com/locations/global/workforcePo ols/{pool_id}/*`: All identities in a workforce identity pool. * `princi pal://iam.googleapis.com/projects/{project_number}/locations/global/work loadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: A single identity in a workload identity pool. * `principalSet://iam.googleapis.c om/projects/{project_number}/locations/global/workloadIdentityPools/{poo l_id}/group/{group_id}`: A workload identity pool group. * `principalSet ://iam.googleapis.com/projects/{project_number}/locations/global/workloa dIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: All identities in a workload identity pool with a certain attribute. * ` principalSet://iam.googleapis.com/projects/{project_number}/locations/gl obal/workloadIdentityPools/{pool_id}/*`: All identities in a workload identity pool. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other- app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `deleted:principal://iam.google apis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attr ibute_value}`: Deleted single identity in a workforce identity pool. For example, `deleted:principal://iam.googleapis.com/locations/global/workfo rcePools/my-pool-id/subject/my-subject-attribute-value`. role: Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview of the IAM roles and permissions, see the [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For a list of the available pre-defined roles, see [here](https://cloud.google.com/iam/docs/understanding-roles). Exprr rTr r5rN) rrrrrrr conditionr9membersrolerrrrraras?Ob$$VQ/)  ! !!d 3'   q !$rrac\rSrSrSr"SS\R 5r\R"SS5r \R"SS5r \R"S5r \R"S 5rS rg ) BindingDeltai$aZOne delta entry for Binding. Each individual change (only one member in each entry) to a binding will be a separate entry. Enums: ActionValueValuesEnum: The action that was performed on a Binding. Required Fields: action: The action that was performed on a Binding. Required condition: The condition that is associated with this binding. member: A single identity requesting access for a Google Cloud resource. Follows the same format of Binding.members. Required role: Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. Required c$\rSrSrSrSrSrSrSrg)"BindingDelta.ActionValueValuesEnumi5zThe action that was performed on a Binding. Required Values: ACTION_UNSPECIFIED: Unspecified. ADD: Addition of a Binding. REMOVE: Removal of a Binding. rr rrN) rrrrrACTION_UNSPECIFIEDADDREMOVErrrrActionValueValuesEnumrj5s C Frrnr rcrr5r6rN)rrrrrrr7rnr;actionrrdr9memberrfrrrrrhrh$s^ inn    6 :&$$VQ/)   #&   q !$rrhcb\rSrSrSr\R "SS5r\R"S5r Sr g)CreateRoleRequestiGa#The request to create a new role. Fields: role: The Role resource to create. roleId: The role ID to use for this role. A role ID may contain alphanumeric characters, underscores (`_`), and periods (`.`). It must contain a minimum of 3 characters and a maximum of 64 characters. Roler rrN) rrrrrrrrfr9roleIdrrrrrrrrGs+    *$   #&rrrc\rSrSrSr"SS\R 5r"SS\R 5r\R"SS5r \R"SS5r S r g ) CreateServiceAccountKeyRequestiUaThe service account key create request. Enums: KeyAlgorithmValueValuesEnum: Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future. PrivateKeyTypeValueValuesEnum: The output format of the private key. The default value is `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File format. Fields: keyAlgorithm: Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future. privateKeyType: The output format of the private key. The default value is `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File format. c$\rSrSrSrSrSrSrSrg):CreateServiceAccountKeyRequest.KeyAlgorithmValueValuesEnumiiaWhich type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future. Values: KEY_ALG_UNSPECIFIED: An unspecified key algorithm. KEY_ALG_RSA_1024: 1k RSA Key. KEY_ALG_RSA_2048: 2k RSA Key. rr rrN rrrrrKEY_ALG_UNSPECIFIEDKEY_ALG_RSA_1024KEY_ALG_RSA_2048rrrrKeyAlgorithmValueValuesEnumrxisrr}c$\rSrSrSrSrSrSrSrg).rrc\rSrSrSr"SS\R 5r\R"S5r \R"SS5r Sr g) DisableServiceAccountKeyRequestiaThe service account key disable request. Enums: ServiceAccountKeyDisableReasonValueValuesEnum: Optional. Describes the reason this key is being disabled. If unspecified, the default value of SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED will be used. Fields: extendedStatusMessage: Optional. Usable by internal google services only. An extended_status_message can be used to include additional information about the key, such as its private key data being exposed on a public repository like GitHub. serviceAccountKeyDisableReason: Optional. Describes the reason this key is being disabled. If unspecified, the default value of SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED will be used. c(\rSrSrSrSrSrSrSrSr g) MDisableServiceAccountKeyRequest.ServiceAccountKeyDisableReasonValueValuesEnumiaOptional. Describes the reason this key is being disabled. If unspecified, the default value of SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED will be used. Values: SERVICE_ACCOUNT_KEY_DISABLE_REASON_UNSPECIFIED: Unspecified disable reason SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED: Disabled by the user SERVICE_ACCOUNT_KEY_DISABLE_REASON_EXPOSED: Google detected this Service Account external key's private key data as exposed, typically in a public repository on GitHub or similar. SERVICE_ACCOUNT_KEY_DISABLE_REASON_COMPROMISE_DETECTED: This service account external key was detected as compromised and used by an attacker. rr rr5rN rrrrr.SERVICE_ACCOUNT_KEY_DISABLE_REASON_UNSPECIFIED1SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED*SERVICE_ACCOUNT_KEY_DISABLE_REASON_EXPOSED6SERVICE_ACCOUNT_KEY_DISABLE_REASON_COMPROMISE_DETECTEDrrrr-ServiceAccountKeyDisableReasonValueValuesEnumrs!67289512.=>:rrr rrN) rrrrrrr7rr9extendedStatusMessager;serviceAccountKeyDisableReasonrrrrrrs?"?inn?*$//2#,#6#67fhi#j rrc\rSrSrSrSrg)DisableServiceAccountRequestiz$The service account disable request.rNrrrrrrrrrrrs-rrc\rSrSrSrSrg)EmptyiaA generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } rNrrrrrrsrrc\rSrSrSrSrg)EnableServiceAccountKeyRequestiz'The service account key enable request.rNrrrrrrs0rrc\rSrSrSrSrg)EnableServiceAccountRequestiz#The service account enable request.rNrrrrrrs,rrc\rSrSrSr\R "S5r\R "S5r\R "S5r \R "S5r Sr g) rciaqRepresents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Fields: description: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. expression: Textual representation of an expression in Common Expression Language syntax. location: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. title: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. r rr5r6rN) rrrrrrr9 description expressionlocationtitlerrrrrcrcsI:%%a(+$$Q'*  " "1 %(    "%rrcc\rSrSrSr"SS\R 5r\R"SS5r \R"S5r Sr g) ExtendedStatusia\Extended status can store additional metadata. For example, for keys disabled due to their private key data being expoesed we may include a message with more information about the exposure. Enums: KeyValueValuesEnum: The key for this extended status. Fields: key: The key for this extended status. value: The value for the extended status. c$\rSrSrSrSrSrSrSrg)!ExtendedStatus.KeyValueValuesEnumi a/The key for this extended status. Values: SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_UNSPECIFIED: Unspecified extended status, should not be used. SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_EXPOSED: This key has been detected as exposed. extended_status_value may contain information about the exposure (public GitHub repo, open internet, etc.) SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_COMPROMISE_DETECTED: This key was implicated in a compromise or other attack. extended_status_value may contain information about the abuse perpetrated. rr rrN) rrrrr3SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_UNSPECIFIED/SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_EXPOSED;SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_COMPROMISE_DETECTEDrrrrKeyValueValuesEnumr s ;<7673BC?rrr rrN) rrrrrrr7rr;keyr9valuerrrrrrs> D9>>D" 0!4#    "%rrc>\rSrSrSr\R "SS5rSrg)GetIamPolicyRequesti!zRequest message for `GetIamPolicy` method. Fields: options: OPTIONAL: A `GetPolicyOptions` object for specifying options to `GetIamPolicy`. GetPolicyOptionsr rN) rrrrrrroptionsrrrrrr!s  " "#5q 9'rrcb\rSrSrSr\R "S\RRS9r Sr g)ri,a]Encapsulates settings provided to GetIamPolicy. Fields: requestedPolicyVersion: Optional. The maximum policy version that will be used to format the policy. Valid values are 0, 1, and 3. Requests specifying an invalid value will be rejected. Requests for policies with any conditional role bindings must specify version 3. Policies with no conditional role bindings may specify any valid value or leave the field unset. The policy in the response might use the policy version that you specified, or it might use a lower policy version. For example, if you specify version 3, but the policy has no conditional role bindings, the response uses version 1. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource- policies). r variantrN) rrrrrr IntegerFieldVariantINT32requestedPolicyVersionrrrrrr,s("%11!Y=N=N=T=TUrrc\rSrSrSr"SS\R 5r\R"SS5r \R"S5r \R"SS5r \R"S 5r\R"S S 5rS rg )@GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2ClientiAaRepresents the OAuth 2.0 client credential configuration for retrieving additional user attributes that are not present in the initial authentication credentials from the identity provider, e.g. groups. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.4 for more details on client credentials grant flow. Enums: AttributesTypeValueValuesEnum: Required. Represents the IdP and type of claims that should be fetched. Fields: attributesType: Required. Represents the IdP and type of claims that should be fetched. clientId: Required. The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow. clientSecret: Required. The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow. issuerUri: Required. The OIDC identity provider's issuer URI. Must be a valid URI using the `https` scheme. Required to get the OIDC discovery document. queryParameters: Optional. Represents the parameters to control which claims are fetched from an IdP. c(\rSrSrSrSrSrSrSrSr g) ^GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2Client.AttributesTypeValueValuesEnumi\aRequired. Represents the IdP and type of claims that should be fetched. Values: ATTRIBUTES_TYPE_UNSPECIFIED: No AttributesType specified. AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Microsoft Entra ID identity provider using the configuration provided in ExtraAttributesOAuth2Client. The `mail` property of the `microsoft.graph.group` object is used for claim mapping. See https://learn.microsoft.com/en- us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on `microsoft.graph.group` properties. The group mail addresses of the user's groups that are returned from Microsoft Entra ID can be mapped by using the following attributes: * OIDC: `assertion.groups` * SAML: `assertion.attributes.groups` AZURE_AD_GROUPS_ID: Used to get the user's group claims from the Microsoft Entra ID identity provider using the configuration provided in ExtraAttributesOAuth2Client. The `id` property of the `microsoft.graph.group` object is used for claim mapping. See https://learn.microsoft.com/en- us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on `microsoft.graph.group` properties. The group IDs of the user's groups that are returned from Microsoft Entra ID can be mapped by using the following attributes: * OIDC: `assertion.groups` * SAML: `assertion.attributes.groups` AZURE_AD_GROUPS_DISPLAY_NAME: Used to get the user's group claims from the Microsoft Entra ID identity provider using the configuration provided in ExtraAttributesOAuth2Client. The `displayName` property of the `microsoft.graph.group` object is used for claim mapping. See https://learn.microsoft.com/en- us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on `microsoft.graph.group` properties. The display names of the user's groups that are returned from Microsoft Entra ID can be mapped by using the following attributes: * OIDC: `assertion.groups` * SAML: `assertion.attributes.groups` rr rr5rN) rrrrrATTRIBUTES_TYPE_UNSPECIFIEDAZURE_AD_GROUPS_MAILAZURE_AD_GROUPS_IDAZURE_AD_GROUPS_DISPLAY_NAMErrrrAttributesTypeValueValuesEnumr\s"#H#$#$ rrr r5GoogleIamAdminV1WorkforcePoolProviderOidcClientSecretr5r6OGoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2ClientQueryParametersrN)rrrrrrr7rr;attributesTyper9clientIdr clientSecret issuerUriqueryParametersrrrrrrAsx4(%inn(%T&&'FJ.  " "1 %(''(_abc,##A&)**+|~A/rrc<\rSrSrSr\R "S5rSrg)riaRepresents the parameters to control which claims are fetched from an IdP. Fields: filter: Optional. The filter used to request specific records from the IdP. By default, all of the groups that are associated with a user are fetched. For Microsoft Entra ID, you can add `$search` query parameters using [Keyword Query Language] (https://learn.microsoft.com/en- us/sharepoint/dev/general-development/keyword-query-language-kql-syntax- reference). To learn more about `$search` querying in Microsoft Entra ID, see [Use the `$search` query parameter] (https://learn.microsoft.com/en-us/graph/search-query-parameter). Additionally, Workforce Identity Federation automatically adds the following [`$filter` query parameters] (https://learn.microsoft.com/en- us/graph/filter-query-parameter), based on the value of `attributes_type`. Values passed to `filter` are converted to `$search` query parameters. Additional `$filter` query parameters cannot be added using this field. * `AZURE_AD_GROUPS_MAIL`: `mailEnabled` and `securityEnabled` filters are applied. * `AZURE_AD_GROUPS_ID`: `securityEnabled` filter is applied. r rN) rrrrrrr9filterrrrrrrs,   #&rrc\rSrSrSr\R "S5r\R"SS5r \R "S5r \R "S5r \R"SS 5r S r g ) )GoogleIamAdminV1WorkforcePoolProviderOidciaLRepresents an OpenId Connect 1.0 identity provider. Fields: clientId: Required. The client ID. Must match the audience claim of the JWT issued by the identity provider. clientSecret: Optional. The optional client secret. Required to enable Authorization Code flow for web sign-in. issuerUri: Required. The OIDC issuer URI. Must be a valid URI using the `https` scheme. jwksJson: Optional. OIDC JWKs in JSON String format. For details on the definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, the `jwks_uri` from the discovery document(fetched from the .well- known path of the `issuer_uri`) will be used. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] } webSsoConfig: Required. Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. r rrr5r65GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfigrrN)rrrrrrr9rrrrjwksJson webSsoConfigrrrrrrsa, " "1 %(''(_abc,##A&)  " "1 %(''(_abc,rrc>\rSrSrSr\R "SS5rSrg)rizvRepresentation of a client secret configured for the OIDC provider. Fields: value: The value of the client secret. :GoogleIamAdminV1WorkforcePoolProviderOidcClientSecretValuer rN) rrrrrrrrrrrrrrs  !]_` a%rrc`\rSrSrSr\R "S5r\R "S5rSr g)riaPRepresentation of the value of the client secret. Fields: plainText: Optional. Input only. The plain text of the client secret value. For security reasons, this field is only used for input and will never be populated in any response. thumbprint: Output only. A thumbprint to represent the current client secret value. r rrN) rrrrrrr9 plainText thumbprintrrrrrrs)##A&)$$Q'*rrc\rSrSrSr"SS\R 5r"SS\R 5r\R"SSS 9r \R"SS 5r \R"SS 5r S rg )riaConfiguration for web single sign-on for the OIDC provider. Enums: AssertionClaimsBehaviorValueValuesEnum: Required. The behavior for how OIDC Claims are included in the `assertion` object used for attribute mapping and attribute condition. ResponseTypeValueValuesEnum: Required. The Response Type to request for in the OIDC Authorization Request for web sign-in. The `CODE` Response Type is recommended to avoid the Implicit Flow, for security reasons. Fields: additionalScopes: Optional. Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the `openid`, `profile` and `email` scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured. assertionClaimsBehavior: Required. The behavior for how OIDC Claims are included in the `assertion` object used for attribute mapping and attribute condition. responseType: Required. The Response Type to request for in the OIDC Authorization Request for web sign-in. The `CODE` Response Type is recommended to avoid the Implicit Flow, for security reasons. c$\rSrSrSrSrSrSrSrg)\GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfig.AssertionClaimsBehaviorValueValuesEnumiaRequired. The behavior for how OIDC Claims are included in the `assertion` object used for attribute mapping and attribute condition. Values: ASSERTION_CLAIMS_BEHAVIOR_UNSPECIFIED: No assertion claims behavior specified. MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow. ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. rr rrN) rrrrr%ASSERTION_CLAIMS_BEHAVIOR_UNSPECIFIED$MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMSONLY_ID_TOKEN_CLAIMSrrrr&AssertionClaimsBehaviorValueValuesEnumrs -.)+,(rrc$\rSrSrSrSrSrSrSrg)QGoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfig.ResponseTypeValueValuesEnumi aRequired. The Response Type to request for in the OIDC Authorization Request for web sign-in. The `CODE` Response Type is recommended to avoid the Implicit Flow, for security reasons. Values: RESPONSE_TYPE_UNSPECIFIED: No Response Type specified. CODE: The `response_type=code` selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret. ID_TOKEN: The `response_type=id_token` selection uses the Implicit Flow for web sign-in. rr rrN) rrrrrRESPONSE_TYPE_UNSPECIFIEDCODEID_TOKENrrrrResponseTypeValueValuesEnumr s !" DHrrr Tr rr5rN)rrrrrrr7rrr9additionalScopesr;assertionClaimsBehavior responseTyperrrrrrsd2y~~"INN **1t<%//0XZ[\$$%BAF,rrc<\rSrSrSr\R "S5rSrg))GoogleIamAdminV1WorkforcePoolProviderSamliaRepresents a SAML identity provider. Fields: idpMetadataXml: Required. SAML Identity provider configuration metadata xml doc. The xml document should comply with [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml- metadata-2.0-os.pdf). The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints: 1) Must contain an Identity Provider Entity ID. 2) Must contain at least one non-expired signing key certificate. 3) For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 25 years in the future. 4) Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata. r rN rrrrrrr9idpMetadataXmlrrrrrr$((+.rrc\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) 'IamLocationsWorkforcePoolsCreateRequesti4aLA IamLocationsWorkforcePoolsCreateRequest object. Fields: location: Optional. The location of the pool to create. Format: `locations/{location}`. workforcePool: A WorkforcePool resource to be passed as the request body. workforcePoolId: Optional. The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified. r Trequired WorkforcePoolrr5rN) rrrrrrr9rr workforcePoolworkforcePoolIdrrrrrr4s=  " "1t 4(((!<-))!,/rrc:\rSrSrSr\R "SSS9rSrg)'IamLocationsWorkforcePoolsDeleteRequestiGzA IamLocationsWorkforcePoolsDeleteRequest object. Fields: name: Required. The name of the pool to delete. Format: `locations/{location}/workforcePools/{workforce_pool_id}` r TrrNr[rrrrrG   q4 0$rrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) -IamLocationsWorkforcePoolsGetIamPolicyRequestiRaiA IamLocationsWorkforcePoolsGetIamPolicyRequest object. Fields: getIamPolicyRequest: A GetIamPolicyRequest resource to be passed as the request body. resource: REQUIRED: The resource for which the policy is being requested. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. rr rTrrN rrrrrrrgetIamPolicyRequestr9resourcerrrrrrR/ "../DaH  " "1t 4(rrc:\rSrSrSr\R "SSS9rSrg)$IamLocationsWorkforcePoolsGetRequestibzA IamLocationsWorkforcePoolsGetRequest object. Fields: name: Required. The name of the pool to retrieve. Format: `locations/{location}/workforcePools/{workforce_pool_id}` r TrrNr[rrrrrbrrrc\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) 4IamLocationsWorkforcePoolsInstalledAppsCreateRequestimaA IamLocationsWorkforcePoolsInstalledAppsCreateRequest object. Fields: parent: Required. The pool to create this workforce pool installed app in. Format: `locations/{location}/workforcePools/{workforce_pool}` workforcePoolInstalledApp: A WorkforcePoolInstalledApp resource to be passed as the request body. workforcePoolInstalledAppId: Required. The ID to use for the workforce pool installed app, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. r TrWorkforcePoolInstalledApprr5rN) rrrrrrr9parentrworkforcePoolInstalledAppworkforcePoolInstalledAppIdrrrrrrmsA   T 2&'445PRST ) 5 5a 8rrc^\rSrSrSr\R "SSS9r\R"S5r Sr g) 4IamLocationsWorkforcePoolsInstalledAppsDeleteRequestiajA IamLocationsWorkforcePoolsInstalledAppsDeleteRequest object. Fields: name: Required. The name of the workforce pool installed app to delete. Format: `locations/{location}/workforcePools/{workforce_pool}/installedA pps/{installed_app}` validateOnly: Optional. If set, validate the request and preview the response, but do not actually post it. r TrrrN rrrrrrr9r:r validateOnlyrrrrrr+   q4 0$''*,rrc:\rSrSrSr\R "SSS9rSrg)1IamLocationsWorkforcePoolsInstalledAppsGetRequestizA IamLocationsWorkforcePoolsInstalledAppsGetRequest object. Fields: name: Required. The name of the workforce pool installed app to retrieve. Format: `locations/{location}/workforcePools/{workforce_pool}/installedA pps/{installed_app}` r TrrNr[rrrr r    q4 0$rr c\rSrSrSr\R "S\RRS9r \R"S5r \R"SSS9r \R"S 5rS rg ) 2IamLocationsWorkforcePoolsInstalledAppsListRequestiaA IamLocationsWorkforcePoolsInstalledAppsListRequest object. Fields: pageSize: Optional. The maximum number of workforce pool installed apps to return. If unspecified, at most 50 workforce pool installed apps will be returned. The maximum value is 100; values above 100 are truncated to 100. pageToken: Optional. A page token, received from a previous `ListWorkforcePoolInstalledApps` call. Provide this to retrieve the subsequent page. parent: Required. The parent to list installed apps, format: 'locations/{location}/workforcePools/{workforce_pool}' showDeleted: Optional. Whether to return soft-deleted workforce pool installed apps. r rrr5Trr6rNrrrrrrrrrpageSizer9 pageTokenrr showDeletedrrrrr r Y  # #Ay/@/@/F/F G(##A&)  T 2&&&q)+rr c\rSrSrSr\R "SSS9r\R "S5r\R"SS5r S r g ) 3IamLocationsWorkforcePoolsInstalledAppsPatchRequestiaA IamLocationsWorkforcePoolsInstalledAppsPatchRequest object. Fields: name: Identifier. The resource name of the workforce pool installed app. Format: `locations/{location}/workforcePools/{workforce_pool}/installedA pps/{installed_app}` updateMask: Required. The list of fields to update. workforcePoolInstalledApp: A WorkforcePoolInstalledApp resource to be passed as the request body. r Trrrr5rN) rrrrrrr9r: updateMaskrrrrrrrrs@    q4 0$$$Q'*'445PRSTrrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) 6IamLocationsWorkforcePoolsInstalledAppsUndeleteRequestiaA IamLocationsWorkforcePoolsInstalledAppsUndeleteRequest object. Fields: name: Required. The name of the workforce pool installed app to undelete. Format: `locations/{location}/workforcePools/{workforce_pool}/installedA pps/{installed_app}` undeleteWorkforcePoolInstalledAppRequest: A UndeleteWorkforcePoolInstalledAppRequest resource to be passed as the request body. r Tr(UndeleteWorkforcePoolInstalledAppRequestrrN) rrrrrrr9r:r(undeleteWorkforcePoolInstalledAppRequestrrrrrrs0    q4 0$-6-C-CDnpq-r*rrc\rSrSrSr\R "SSS9r\R"S\RRS9r \R "S5r \R "S 5r \R"S 5rS rg ) %IamLocationsWorkforcePoolsListRequestiaA IamLocationsWorkforcePoolsListRequest object. Fields: location: The location of the pool. Format: `locations/{location}`. pageSize: The maximum number of pools to return. The default value is 50. The maximum value is 100. pageToken: A page token, received from a previous `ListWorkforcePools` call. Provide this to retrieve the subsequent page. parent: Required. The parent resource to list pools for. Format: `organizations/{org-id}`. showDeleted: Whether to return soft-deleted pools. r Trrrr5r6rrN)rrrrrrr9rrrrrrrrrrrrrrrsi  " "1t 4(  # #Ay/@/@/F/F G(##A&)   #&&&q)+rrc:\rSrSrSr\R "SSS9rSrg).IamLocationsWorkforcePoolsOperationsGetRequestiznA IamLocationsWorkforcePoolsOperationsGetRequest object. Fields: name: The name of the operation resource. r TrrNr[rrrrr   q4 0$rrc\rSrSrSr\R "SSS9r\R "S5r\R"SS5r S r g ) &IamLocationsWorkforcePoolsPatchRequestia5A IamLocationsWorkforcePoolsPatchRequest object. Fields: name: Identifier. The resource name of the pool. Format: `locations/{location}/workforcePools/{workforce_pool_id}` updateMask: Required. The list of fields to update. workforcePool: A WorkforcePool resource to be passed as the request body. r Trrrr5rN) rrrrrrr9r:rrrrrrrr r s=   q4 0$$$Q'*((!<-rr c\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) 0IamLocationsWorkforcePoolsProvidersCreateRequestia>A IamLocationsWorkforcePoolsProvidersCreateRequest object. Fields: parent: Required. The pool to create this provider in. Format: `locations/{location}/workforcePools/{workforce_pool_id}` workforcePoolProvider: A WorkforcePoolProvider resource to be passed as the request body. workforcePoolProviderId: Required. The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. r TrWorkforcePoolProviderrr5rN) rrrrrrr9rrworkforcePoolProviderworkforcePoolProviderIdrrrrr"r"s@   T 2&#001H!L%11!4rr"c:\rSrSrSr\R "SSS9rSrg)0IamLocationsWorkforcePoolsProvidersDeleteRequestizA IamLocationsWorkforcePoolsProvidersDeleteRequest object. Fields: name: Required. The name of the provider to delete. Format: `locations/{lo cation}/workforcePools/{workforce_pool_id}/providers/{provider_id}` r TrrNr[rrrr'r'rrr'c:\rSrSrSr\R "SSS9rSrg)-IamLocationsWorkforcePoolsProvidersGetRequesti zA IamLocationsWorkforcePoolsProvidersGetRequest object. Fields: name: Required. The name of the provider to retrieve. Format: `locations/{ location}/workforcePools/{workforce_pool_id}/providers/{provider_id}` r TrrNr[rrrr)r) rrr)c\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) 4IamLocationsWorkforcePoolsProvidersKeysCreateRequesti+aA IamLocationsWorkforcePoolsProvidersKeysCreateRequest object. Fields: parent: Required. The provider to create this key in. workforcePoolProviderKey: A WorkforcePoolProviderKey resource to be passed as the request body. workforcePoolProviderKeyId: Required. The ID to use for the key, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. r TrWorkforcePoolProviderKeyrr5rN) rrrrrrr9rrworkforcePoolProviderKeyworkforcePoolProviderKeyIdrrrrr+r++sA   T 2&&334NPQR(44Q7rr+c:\rSrSrSr\R "SSS9rSrg)4IamLocationsWorkforcePoolsProvidersKeysDeleteRequesti<zyA IamLocationsWorkforcePoolsProvidersKeysDeleteRequest object. Fields: name: Required. The name of the key to delete. r TrrNr[rrrr0r0<rrr0c:\rSrSrSr\R "SSS9rSrg)1IamLocationsWorkforcePoolsProvidersKeysGetRequestiFzxA IamLocationsWorkforcePoolsProvidersKeysGetRequest object. Fields: name: Required. The name of the key to retrieve. r TrrNr[rrrr2r2Frrr2c\rSrSrSr\R "S\RRS9r \R"S5r \R"SSS9r \R"S 5rS rg ) 2IamLocationsWorkforcePoolsProvidersKeysListRequestiPaSA IamLocationsWorkforcePoolsProvidersKeysListRequest object. Fields: pageSize: The maximum number of keys to return. If unspecified, all keys are returned. The maximum value is 10; values above 10 are truncated to 10. pageToken: A page token, received from a previous `ListWorkforcePoolProviderKeys` call. Provide this to retrieve the subsequent page. parent: Required. The provider resource to list encryption keys for. Format: `locations/{location}/workforcePools/{workforce_pool_id}/provide rs/{provider_id}` showDeleted: Whether to return soft-deleted keys. r rrr5Trr6rNrrrrr4r4PY  # #Ay/@/@/F/F G(##A&)  T 2&&&q)+rr4c:\rSrSrSr\R "SSS9rSrg);IamLocationsWorkforcePoolsProvidersKeysOperationsGetRequestifz{A IamLocationsWorkforcePoolsProvidersKeysOperationsGetRequest object. Fields: name: The name of the operation resource. r TrrNr[rrrr7r7frrr7c`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) 6IamLocationsWorkforcePoolsProvidersKeysUndeleteRequestipaA IamLocationsWorkforcePoolsProvidersKeysUndeleteRequest object. Fields: name: Required. The name of the key to undelete. undeleteWorkforcePoolProviderKeyRequest: A UndeleteWorkforcePoolProviderKeyRequest resource to be passed as the request body. r Tr'UndeleteWorkforcePoolProviderKeyRequestrrN) rrrrrrr9r:r'undeleteWorkforcePoolProviderKeyRequestrrrrr9r9ps0   q4 0$,5,B,BClno,p)rr9c\rSrSrSr\R "S\RRS9r \R"S5r \R"SSS9r \R"S 5rS rg ) .IamLocationsWorkforcePoolsProvidersListRequesti~a5A IamLocationsWorkforcePoolsProvidersListRequest object. Fields: pageSize: The maximum number of providers to return. If unspecified, at most 50 providers are returned. The maximum value is 100; values above 100 are truncated to 100. pageToken: A page token, received from a previous `ListWorkforcePoolProviders` call. Provide this to retrieve the subsequent page. parent: Required. The pool to list providers for. Format: `locations/{location}/workforcePools/{workforce_pool_id}` showDeleted: Whether to return soft-deleted providers. r rrr5Trr6rNrrrrr=r=~Y  # #Ay/@/@/F/F G(##A&)  T 2&&&q)+rr=c:\rSrSrSr\R "SSS9rSrg)7IamLocationsWorkforcePoolsProvidersOperationsGetRequestizwA IamLocationsWorkforcePoolsProvidersOperationsGetRequest object. Fields: name: The name of the operation resource. r TrrNr[rrrr@r@rrr@c\rSrSrSr\R "SSS9r\R "S5r\R"SS5r S r g ) /IamLocationsWorkforcePoolsProvidersPatchRequestiaoA IamLocationsWorkforcePoolsProvidersPatchRequest object. Fields: name: Identifier. The resource name of the provider. Format: `locations/{l ocation}/workforcePools/{workforce_pool_id}/providers/{provider_id}` updateMask: Required. The list of fields to update. workforcePoolProvider: A WorkforcePoolProvider resource to be passed as the request body. r Trrr#r5rN) rrrrrrr9r:rrr$rrrrrBrBs?   q4 0$$$Q'*#001H!LrrBc\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) ;IamLocationsWorkforcePoolsProvidersScimTenantsCreateRequestiaYA IamLocationsWorkforcePoolsProvidersScimTenantsCreateRequest object. Fields: parent: Required. Agentspace only. The parent to create SCIM tenant. Format: 'locations/{location}/workforcePools/{workforce_pool}/providers/ {provider}' workforcePoolProviderScimTenant: A WorkforcePoolProviderScimTenant resource to be passed as the request body. workforcePoolProviderScimTenantId: Required. Agentspace only. The ID to use for the SCIM tenant, which becomes the final component of the resource name. This value should be 4-32 characters, containing the characters [a-z0-9-]. r TrWorkforcePoolProviderScimTenantrr5rN) rrrrrrr9rrworkforcePoolProviderScimTenant!workforcePoolProviderScimTenantIdrrrrrDrDsA   T 2&$-$:$:;\^_$`!&/&;&;A&>#rrDc^\rSrSrSr\R "S5r\R"SSS9r Sr g) ;IamLocationsWorkforcePoolsProvidersScimTenantsDeleteRequestiarA IamLocationsWorkforcePoolsProvidersScimTenantsDeleteRequest object. Fields: hardDelete: Optional. Deletes the SCIM tenant immediately. This operation cannot be undone. name: Required. Agentspace only. The name of the scim tenant to delete. Format: `locations/{location}/workforcePools/{workforce_pool}/providers/ {provider}/scimTenants/{scim_tenant}` r rTrrN) rrrrrrr hardDeleter9r:rrrrrIrIs+%%a(*   q4 0$rrIc:\rSrSrSr\R "SSS9rSrg)8IamLocationsWorkforcePoolsProvidersScimTenantsGetRequestiaA IamLocationsWorkforcePoolsProvidersScimTenantsGetRequest object. Fields: name: Required. Agentspace only. The name of the SCIM tenant to retrieve. Format: `locations/{location}/workforcePools/{workforce_pool}/providers/ {provider}/scimTenants/{scim_tenant}` r TrrNr[rrrrLrLr rrLc\rSrSrSr\R "S\RRS9r \R"S5r \R"SSS9r \R"S 5rS rg ) 9IamLocationsWorkforcePoolsProvidersScimTenantsListRequestiayA IamLocationsWorkforcePoolsProvidersScimTenantsListRequest object. Fields: pageSize: Optional. Agentspace only. The maximum number of SCIM tenants to return. If unspecified, at most 1 scim tenant will be returned. pageToken: Optional. Agentspace only. A page token, received from a previous `ListScimTenants` call. Provide this to retrieve the subsequent page. parent: Required. Agentspace only. The parent to list SCIM tenants. Format: 'locations/{location}/workforcePools/{workforce_pool}/providers/ {provider}' showDeleted: Optional. Agentspace only. Whether to return soft-deleted SCIM tenants. r rrr5Trr6rNrrrrrNrNr5rrNc\rSrSrSr\R "SSS9r\R "S5r\R"SS5r S r g ) :IamLocationsWorkforcePoolsProvidersScimTenantsPatchRequestiaA IamLocationsWorkforcePoolsProvidersScimTenantsPatchRequest object. Fields: name: Identifier. Agentspace only. The resource name of the SCIM Tenant. Format: `locations/{location}/workforcePools/{workforce_pool}/providers/ {workforce_pool_provider}/scimTenants/{scim_tenant}` updateMask: Optional. Agentspace only. The list of fields to update. workforcePoolProviderScimTenant: A WorkforcePoolProviderScimTenant resource to be passed as the request body. r TrrrEr5rN) rrrrrrr9r:rrrFrrrrrPrPs@    q4 0$$$Q'*$-$:$:;\^_$`!rrPc\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) AIamLocationsWorkforcePoolsProvidersScimTenantsTokensCreateRequestiaA IamLocationsWorkforcePoolsProvidersScimTenantsTokensCreateRequest object. Fields: parent: Required. Agentspace only. The parent tenant to create SCIM token. Format: 'locations/{location}/workforcePools/{workforce_pool}/providers/ {provider}/scimTenants/{scim_tenant}' workforcePoolProviderScimToken: A WorkforcePoolProviderScimToken resource to be passed as the request body. workforcePoolProviderScimTokenId: Required. Agentspace only. The ID to use for the SCIM token, which becomes the final component of the resource name. This value should be 4-32 characters and follow the pattern: "([a-z]([a-z0-9\\-]{2,30}[a-z0-9]))" r TrWorkforcePoolProviderScimTokenrr5rN) rrrrrrr9rrworkforcePoolProviderScimToken workforcePoolProviderScimTokenIdrrrrrRrRsA   T 2&#,#9#9:Z\]#^ %.%:%:1%="rrRc:\rSrSrSr\R "SSS9rSrg)AIamLocationsWorkforcePoolsProvidersScimTenantsTokensDeleteRequestia$A IamLocationsWorkforcePoolsProvidersScimTenantsTokensDeleteRequest object. Fields: name: Required. Agentspace only. The name of the SCIM token to delete. Format: `locations/{location}/workforcePools/{workforce_pool}/providers/ {provider}/scimTenants/{scim_tenant}/tokens/{token}` r TrrNr[rrrrWrWs   q4 0$rrWc:\rSrSrSr\R "SSS9rSrg)>IamLocationsWorkforcePoolsProvidersScimTenantsTokensGetRequesti%a#A IamLocationsWorkforcePoolsProvidersScimTenantsTokensGetRequest object. Fields: name: Required. Agentspace only. The name of the SCIM token to retrieve. Format: `locations/{location}/workforcePools/{workforce_pool}/providers/ {provider}/scimTenants/{scim_tenant}/tokens/{token}` r TrrNr[rrrrYrY%r rrYc\rSrSrSr\R "S\RRS9r \R"S5r \R"SSS9r \R"S 5rS rg ) ?IamLocationsWorkforcePoolsProvidersScimTenantsTokensListRequesti1aA IamLocationsWorkforcePoolsProvidersScimTenantsTokensListRequest object. Fields: pageSize: Optional. Agentspace only. The maximum number of scim tokens to return. If unspecified, at most 2 SCIM tokens will be returned. pageToken: Optional. Agentspace only. A page token, received from a previous `ListWorkforcePoolProviderScimTokens` call. Provide this to retrieve the subsequent page. parent: Required. Agentspace only. The parent to list SCIM tokens. Format: 'locations/{location}/workforcePools/{workforce_pool}/providers/{provide r}/scimTenants/{scim_tenant}' showDeleted: Optional. Agentspace only. Whether to return soft-deleted scim tokens. r rrr5Trr6rNrrrrr[r[1rrr[c\rSrSrSr\R "SSS9r\R "S5r\R"SS5r S r g ) @IamLocationsWorkforcePoolsProvidersScimTenantsTokensPatchRequestiHaA IamLocationsWorkforcePoolsProvidersScimTenantsTokensPatchRequest object. Fields: name: Identifier. Agentspace only. The resource name of the SCIM Token. Format: `locations/{location}/workforcePools/{workforce_pool}/providers/ {workforce_pool_provider}/scimTenants/{scim_tenant}/tokens/{token}` updateMask: Optional. Agentspace only. The list of fields to update. workforcePoolProviderScimToken: A WorkforcePoolProviderScimToken resource to be passed as the request body. r TrrrSr5rN) rrrrrrr9r:rrrTrrrrr]r]Hs@    q4 0$$$Q'*#,#9#9:Z\]#^ rr]c`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) CIamLocationsWorkforcePoolsProvidersScimTenantsTokensUndeleteRequestiZaA IamLocationsWorkforcePoolsProvidersScimTenantsTokensUndeleteRequest object. Fields: name: Required. Agentspace only. The name of the SCIM token to undelete. Format: `locations/{location}/workforcePools/{workforce_pool}/providers/ {provider}/scimTenants/{scim_tenant}/tokens/{token}` undeleteWorkforcePoolProviderScimTokenRequest: A UndeleteWorkforcePoolProviderScimTokenRequest resource to be passed as the request body. r Tr-UndeleteWorkforcePoolProviderScimTokenRequestrrN) rrrrrrr9r:r-undeleteWorkforcePoolProviderScimTokenRequestrrrrr_r_Zs0    q4 0$2;2H2HIxz{2|/rr_c`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) =IamLocationsWorkforcePoolsProvidersScimTenantsUndeleteRequestikaA IamLocationsWorkforcePoolsProvidersScimTenantsUndeleteRequest object. Fields: name: Required. Agentspace only. The name of the SCIM tenant to undelete. Format: `locations/{location}/workforcePools/{workforce_pool}/providers/ {provider}/scimTenants/{scim_tenant}` undeleteWorkforcePoolProviderScimTenantRequest: A UndeleteWorkforcePoolProviderScimTenantRequest resource to be passed as the request body. r Tr.UndeleteWorkforcePoolProviderScimTenantRequestrrN) rrrrrrr9r:r.undeleteWorkforcePoolProviderScimTenantRequestrrrrrcrcks0    q4 0$3<3I3IJz|}3~0rrcc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) 2IamLocationsWorkforcePoolsProvidersUndeleteRequesti{a_A IamLocationsWorkforcePoolsProvidersUndeleteRequest object. Fields: name: Required. The name of the provider to undelete. Format: `locations/{ location}/workforcePools/{workforce_pool_id}/providers/{provider_id}` undeleteWorkforcePoolProviderRequest: A UndeleteWorkforcePoolProviderRequest resource to be passed as the request body. r Tr$UndeleteWorkforcePoolProviderRequestrrN) rrrrrrr9r:r$undeleteWorkforcePoolProviderRequestrrrrrgrg{s0   q4 0$)2)?)?@fhi)j&rrgc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) -IamLocationsWorkforcePoolsSetIamPolicyRequestiaiA IamLocationsWorkforcePoolsSetIamPolicyRequest object. Fields: resource: REQUIRED: The resource for which the policy is being specified. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. setIamPolicyRequest: A SetIamPolicyRequest resource to be passed as the request body. r TrSetIamPolicyRequestrrN rrrrrrr9rrsetIamPolicyRequestrrrrrkrk/  " "1t 4(!../DaHrrkc:\rSrSrSr\R "SSS9rSrg)/IamLocationsWorkforcePoolsSubjectsDeleteRequestiaA IamLocationsWorkforcePoolsSubjectsDeleteRequest object. Fields: name: Required. The resource name of the WorkforcePoolSubject. Special characters, like `/` and `:`, must be escaped, because all URLs need to conform to the "When to Escape and Unescape" section of [RFC3986](https://www.ietf.org/rfc/rfc2396.txt). Format: `locations/{loc ation}/workforcePools/{workforce_pool_id}/subjects/{subject_id}` r TrrNr[rrrrqrqs   q4 0$rrqc:\rSrSrSr\R "SSS9rSrg)6IamLocationsWorkforcePoolsSubjectsOperationsGetRequestizvA IamLocationsWorkforcePoolsSubjectsOperationsGetRequest object. Fields: name: The name of the operation resource. r TrrNr[rrrrsrsrrrsc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) 1IamLocationsWorkforcePoolsSubjectsUndeleteRequestia$A IamLocationsWorkforcePoolsSubjectsUndeleteRequest object. Fields: name: Required. The resource name of the WorkforcePoolSubject. Special characters, like `/` and `:`, must be escaped, because all URLs need to conform to the "When to Escape and Unescape" section of [RFC3986](https://www.ietf.org/rfc/rfc2396.txt). Format: `locations/{loc ation}/workforcePools/{workforce_pool_id}/subjects/{subject_id}` undeleteWorkforcePoolSubjectRequest: A UndeleteWorkforcePoolSubjectRequest resource to be passed as the request body. r Tr#UndeleteWorkforcePoolSubjectRequestrrN) rrrrrrr9r:r#undeleteWorkforcePoolSubjectRequestrrrrrurus0    q4 0$(1(>(>?dfg(h%rruc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) 3IamLocationsWorkforcePoolsTestIamPermissionsRequestiaA IamLocationsWorkforcePoolsTestIamPermissionsRequest object. Fields: resource: REQUIRED: The resource for which the policy detail is being requested. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. testIamPermissionsRequest: A TestIamPermissionsRequest resource to be passed as the request body. r TrTestIamPermissionsRequestrrN rrrrrrr9rrtestIamPermissionsRequestrrrrryry0  " "1t 4('445PRSTrryc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) )IamLocationsWorkforcePoolsUndeleteRequestia%A IamLocationsWorkforcePoolsUndeleteRequest object. Fields: name: Required. The name of the pool to undelete. Format: `locations/{location}/workforcePools/{workforce_pool_id}` undeleteWorkforcePoolRequest: A UndeleteWorkforcePoolRequest resource to be passed as the request body. r TrUndeleteWorkforcePoolRequestrrN) rrrrrrr9r:rundeleteWorkforcePoolRequestrrrrrrs0   q4 0$!*!7!78VXY!Zrrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) "IamOrganizationsRolesCreateRequestia'A IamOrganizationsRolesCreateRequest object. Fields: createRoleRequest: A CreateRoleRequest resource to be passed as the request body. parent: The `parent` parameter's value depends on the target resource for the request, namely [projects](https://cloud.google.com/iam/docs/referen ce/rest/v1/projects.roles) or [organizations](https://cloud.google.com/i am/docs/reference/rest/v1/organizations.roles). Each resource type's `parent` value format is described below: * [projects.roles.create](http s://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/create): `projects/{PROJECT_ID}`. This method creates project-level [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` * [organizat ions.roles.create](https://cloud.google.com/iam/docs/reference/rest/v1/o rganizations.roles/create): `organizations/{ORGANIZATION_ID}`. This method creates organization-level [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. rrr rTrrN rrrrrrrcreateRoleRequestr9rrrrrrr/2 ,,-@!D  T 2&rrc^\rSrSrSr\R "S5r\R"SSS9r Sr g) "IamOrganizationsRolesDeleteRequestiaA IamOrganizationsRolesDeleteRequest object. Fields: etag: Used to perform a consistent read-modify-write. name: The `name` parameter's value depends on the target resource for the request, namely [projects](https://cloud.google.com/iam/docs/reference/r est/v1/projects.roles) or [organizations](https://cloud.google.com/iam/d ocs/reference/rest/v1/organizations.roles). Each resource type's `name` value format is described below: * [projects.roles.delete](https://cloud .google.com/iam/docs/reference/rest/v1/projects.roles/delete): `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only [custom roles](https://cloud.google.com/iam/docs/understanding-custom- roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ ID}` * [organizations.roles.delete](https://cloud.google.com/iam/docs/re ference/rest/v1/organizations.roles/delete): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: ` https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUS TOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. r rTrrN rrrrrr BytesFieldetagr9r:rrrrrr+2   a $   q4 0$rrc:\rSrSrSr\R "SSS9rSrg)IamOrganizationsRolesGetRequestiaA IamOrganizationsRolesGetRequest object. Fields: name: The `name` parameter's value depends on the target resource for the request, namely [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [pro jects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.role s), or [organizations](https://cloud.google.com/iam/docs/reference/rest/ v1/organizations.roles). Each resource type's `name` value format is described below: * [roles.get](https://cloud.google.com/iam/docs/referen ce/rest/v1/roles/get): `roles/{ROLE_NAME}`. This method returns results from all [predefined roles](https://cloud.google.com/iam/docs/understanding- roles#predefined_roles) in IAM. Example request URL: `https://iam.googleapis.com/v1/roles/{ROLE_NAME}` * [projects.roles.get] (https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/get) : `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only [custom roles](https://cloud.google.com/iam/docs/understanding- custom-roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/ {CUSTOM_ROLE_ID}` * [organizations.roles.get](https://cloud.google.com/i am/docs/reference/rest/v1/organizations.roles/get): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: ` https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUS TOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. r TrrNr[rrrrr>   q4 0$rrc\rSrSrSr"SS\R 5r\R"S\RRS9r \R"S5r \R"SS S 9r\R"S 5r\R""SS 5rS rg) IamOrganizationsRolesListRequesti@a A IamOrganizationsRolesListRequest object. Enums: ViewValueValuesEnum: Optional view for the returned Role objects. When `FULL` is specified, the `includedPermissions` field is returned, which includes a list of all permissions in the role. The default value is `BASIC`, which does not return the `includedPermissions` field. Fields: pageSize: Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000. pageToken: Optional pagination token returned in an earlier ListRolesResponse. parent: The `parent` parameter's value depends on the target resource for the request, namely [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [pro jects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.role s), or [organizations](https://cloud.google.com/iam/docs/reference/rest/ v1/organizations.roles). Each resource type's `parent` value format is described below: * [roles.list](https://cloud.google.com/iam/docs/refere nce/rest/v1/roles/list): An empty string. This method doesn't require a resource; it simply returns all [predefined roles](https://cloud.google.com/iam/docs/understanding- roles#predefined_roles) in IAM. Example request URL: `https://iam.googleapis.com/v1/roles` * [projects.roles.list](https://cl oud.google.com/iam/docs/reference/rest/v1/projects.roles/list): `projects/{PROJECT_ID}`. This method lists all project-level [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` * [organizat ions.roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/org anizations.roles/list): `organizations/{ORGANIZATION_ID}`. This method lists all organization-level [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. showDeleted: Include Roles that have been deleted. view: Optional view for the returned Role objects. When `FULL` is specified, the `includedPermissions` field is returned, which includes a list of all permissions in the role. The default value is `BASIC`, which does not return the `includedPermissions` field. c \rSrSrSrSrSrSrg)4IamOrganizationsRolesListRequest.ViewValueValuesEnumintOptional view for the returned Role objects. When `FULL` is specified, the `includedPermissions` field is returned, which includes a list of all permissions in the role. The default value is `BASIC`, which does not return the `includedPermissions` field. Values: BASIC: Omits the `included_permissions` field. This is the default value. FULL: Returns all fields. rr rNrrrrrBASICFULLrrrrViewValueValuesEnumrn  E Drrr rrr5Trr6rrNrrrrrrr7rrrrrr9rrrrr;viewrrrrrr@}+Z  INN   # #Ay/@/@/F/F G(##A&)  T 2&&&q)+   2A 6$rrc\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) !IamOrganizationsRolesPatchRequestiaA IamOrganizationsRolesPatchRequest object. Fields: name: The `name` parameter's value depends on the target resource for the request, namely [projects](https://cloud.google.com/iam/docs/reference/r est/v1/projects.roles) or [organizations](https://cloud.google.com/iam/d ocs/reference/rest/v1/organizations.roles). Each resource type's `name` value format is described below: * [projects.roles.patch](https://cloud. google.com/iam/docs/reference/rest/v1/projects.roles/patch): `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only [custom roles](https://cloud.google.com/iam/docs/understanding-custom- roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ ID}` * [organizations.roles.patch](https://cloud.google.com/iam/docs/ref erence/rest/v1/organizations.roles/patch): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: ` https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUS TOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. role: A Role resource to be passed as the request body. updateMask: A mask describing which fields in the Role have changed. r Trrsrr5rN rrrrrrr9r:rrfrrrrrrr=4   q4 0$    *$$$Q'*rrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) $IamOrganizationsRolesUndeleteRequestiaA IamOrganizationsRolesUndeleteRequest object. Fields: name: The `name` parameter's value depends on the target resource for the request, namely [projects](https://cloud.google.com/iam/docs/reference/r est/v1/projects.roles) or [organizations](https://cloud.google.com/iam/d ocs/reference/rest/v1/organizations.roles). Each resource type's `name` value format is described below: * [projects.roles.undelete](https://clo ud.google.com/iam/docs/reference/rest/v1/projects.roles/undelete): `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes only [custom roles](https://cloud.google.com/iam/docs/understanding- custom-roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/ {CUSTOM_ROLE_ID}` * [organizations.roles.undelete](https://cloud.google. com/iam/docs/reference/rest/v1/organizations.roles/undelete): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: ` https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUS TOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. undeleteRoleRequest: A UndeleteRoleRequest resource to be passed as the request body. r TrUndeleteRoleRequestrrN rrrrrrr9r:rundeleteRoleRequestrrrrrr/4   q4 0$!../DaHrrc\rSrSrSr\R "SS5r\R"S5r \R"SSS9r S r g ) -IamProjectsLocationsOauthClientsCreateRequestia]A IamProjectsLocationsOauthClientsCreateRequest object. Fields: oauthClient: A OauthClient resource to be passed as the request body. oauthClientId: Required. The ID to use for the OauthClient, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified. parent: Required. The parent resource to create the OauthClient in. The only supported location is `global`. OauthClientr rr5TrrN) rrrrrrr oauthClientr9 oauthClientIdrrrrrrrs= &&}a8+''*-  T 2&rrc\rSrSrSr\R "SS5r\R"S5r \R"SSS9r S r g ) 8IamProjectsLocationsOauthClientsCredentialsCreateRequestia5A IamProjectsLocationsOauthClientsCredentialsCreateRequest object. Fields: oauthClientCredential: A OauthClientCredential resource to be passed as the request body. oauthClientCredentialId: Required. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. parent: Required. The parent resource to create the OauthClientCredential in. OauthClientCredentialr rr5TrrN) rrrrrrroauthClientCredentialr9oauthClientCredentialIdrrrrrrrs@ $001H!L%11!4  T 2&rrc^\rSrSrSr\R "SSS9r\R"S5r Sr g) 8IamProjectsLocationsOauthClientsCredentialsDeleteRequestiasA IamProjectsLocationsOauthClientsCredentialsDeleteRequest object. Fields: name: Required. The name of the OauthClientCredential to delete. Format: ` projects/{project}/locations/{location}/oauthClients/{oauth_client}/cred entials/{credential}`. validateOnly: Optional. If set, validate the request and preview the response, but do not actually post it. r TrrrNrrrrrrrrrc:\rSrSrSr\R "SSS9rSrg)5IamProjectsLocationsOauthClientsCredentialsGetRequestizA IamProjectsLocationsOauthClientsCredentialsGetRequest object. Fields: name: Required. The name of the OauthClientCredential to retrieve. Format: `projects/{project}/locations/{location}/oauthClients/{oauth_client}/cre dentials/{credential}`. r TrrNr[rrrrrr rrc:\rSrSrSr\R "SSS9rSrg)6IamProjectsLocationsOauthClientsCredentialsListRequestizA IamProjectsLocationsOauthClientsCredentialsListRequest object. Fields: parent: Required. The parent to list OauthClientCredentials for. r TrrN) rrrrrrr9rrrrrrrs  T 2&rrc\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) 7IamProjectsLocationsOauthClientsCredentialsPatchRequestiaA IamProjectsLocationsOauthClientsCredentialsPatchRequest object. Fields: name: Immutable. Identifier. The resource name of the OauthClientCredential. Format: `projects/{project}/locations/{location}/ oauthClients/{oauth_client}/credentials/{credential}` oauthClientCredential: A OauthClientCredential resource to be passed as the request body. updateMask: Required. The list of fields to update. r Trrrr5rN) rrrrrrr9r:rrrrrrrrrs?    q4 0$#001H!L$$Q'*rrc^\rSrSrSr\R "SSS9r\R"S5r Sr g) -IamProjectsLocationsOauthClientsDeleteRequestia?A IamProjectsLocationsOauthClientsDeleteRequest object. Fields: name: Required. The name of the OauthClient to delete. Format: `projects/{project}/locations/{location}/oauthClients/{oauth_client}`. validateOnly: Optional. If set, validate the request and preview the response, but do not actually post it. r TrrrNrrrrrrs+   q4 0$''*,rrc:\rSrSrSr\R "SSS9rSrg)*IamProjectsLocationsOauthClientsGetRequesti-zA IamProjectsLocationsOauthClientsGetRequest object. Fields: name: Required. The name of the OauthClient to retrieve. Format: `projects/{project}/locations/{location}/oauthClients/{oauth_client}`. r TrrNr[rrrrr-rrrc\rSrSrSr\R "S\RRS9r \R"S5r \R"SSS9r \R"S 5rS rg ) +IamProjectsLocationsOauthClientsListRequesti8aA IamProjectsLocationsOauthClientsListRequest object. Fields: pageSize: Optional. The maximum number of OauthClients to return. If unspecified, at most 50 OauthClients will be returned. The maximum value is 100; values above 100 are truncated to 100. pageToken: Optional. A page token, received from a previous `ListOauthClients` call. Provide this to retrieve the subsequent page. parent: Required. The parent to list OauthClients for. showDeleted: Optional. Whether to return soft-deleted OauthClients. r rrr5Trr6rNrrrrrr8sY  # #Ay/@/@/F/F G(##A&)  T 2&&&q)+rrc\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) ,IamProjectsLocationsOauthClientsPatchRequestiKaVA IamProjectsLocationsOauthClientsPatchRequest object. Fields: name: Immutable. Identifier. The resource name of the OauthClient. Format: `projects/{project}/locations/{location}/oauthClients/{oauth_client}`. oauthClient: A OauthClient resource to be passed as the request body. updateMask: Required. The list of fields to update. r Trrrr5rN) rrrrrrr9r:rrrrrrrrrKs=   q4 0$&&}a8+$$Q'*rrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) /IamProjectsLocationsOauthClientsUndeleteRequestiZa;A IamProjectsLocationsOauthClientsUndeleteRequest object. Fields: name: Required. The name of the OauthClient to undelete. Format: `projects/{project}/locations/{location}/oauthClients/{oauth_client}`. undeleteOauthClientRequest: A UndeleteOauthClientRequest resource to be passed as the request body. r TrUndeleteOauthClientRequestrrN) rrrrrrr9r:rundeleteOauthClientRequestrrrrrrZs0   q4 0$(556RTUVrrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) BIamProjectsLocationsWorkloadIdentityPoolsAddAttestationRuleRequestiha7A IamProjectsLocationsWorkloadIdentityPoolsAddAttestationRuleRequest object. Fields: addAttestationRuleRequest: A AddAttestationRuleRequest resource to be passed as the request body. resource: Required. The resource name of the managed identity or namespace resource to add an attestation rule to. rr rTrrN rrrrrrraddAttestationRuleRequestr9rrrrrrrh0(445PRST  " "1t 4(rrc\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) 6IamProjectsLocationsWorkloadIdentityPoolsCreateRequestiwa3A IamProjectsLocationsWorkloadIdentityPoolsCreateRequest object. Fields: parent: Required. The parent resource to create the pool in. The only supported location is `global`. workloadIdentityPool: A WorkloadIdentityPool resource to be passed as the request body. workloadIdentityPoolId: Required. The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. r TrWorkloadIdentityPoolrr5rN) rrrrrrr9rrworkloadIdentityPoolworkloadIdentityPoolIdrrrrrrws@   T 2&"//0FJ$003rrc:\rSrSrSr\R "SSS9rSrg)6IamProjectsLocationsWorkloadIdentityPoolsDeleteRequestiz|A IamProjectsLocationsWorkloadIdentityPoolsDeleteRequest object. Fields: name: Required. The name of the pool to delete. r TrrNr[rrrrrrrrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) IamProjectsLocationsWorkloadIdentityPoolsNamespacesListRequestiAaA IamProjectsLocationsWorkloadIdentityPoolsNamespacesListRequest object. Fields: pageSize: The maximum number of namespaces to return. If unspecified, at most 50 namespaces are returned. The maximum value is 1000; values above are 1000 truncated to 1000. pageToken: A page token, received from a previous `ListWorkloadIdentityPoolNamespaces` call. Provide this to retrieve the subsequent page. parent: Required. The parent resource to list namespaces for. showDeleted: Whether to return soft-deleted namespaces. r rrr5Trr6rNrrrrrrArrrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) ]IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesAddAttestationRuleRequestiUaSA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesAd dAttestationRuleRequest object. Fields: addAttestationRuleRequest: A AddAttestationRuleRequest resource to be passed as the request body. resource: Required. The resource name of the managed identity or namespace resource to add an attestation rule to. rr rTrrNrrrrrrUrrrc\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) QIamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesCreateRequestidaA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesCr eateRequest object. Fields: parent: Required. The parent resource to create the manage identity in. The only supported location is `global`. workloadIdentityPoolManagedIdentity: A WorkloadIdentityPoolManagedIdentity resource to be passed as the request body. workloadIdentityPoolManagedIdentityId: Required. The ID to use for the managed identity. This value must: * contain at most 63 characters * contain only lowercase alphanumeric characters or `-` * start with an alphanumeric character * end with an alphanumeric character The prefix "gcp-" will be reserved for future uses. r Tr#WorkloadIdentityPoolManagedIdentityrr5rN) rrrrrrr9rr#workloadIdentityPoolManagedIdentity%workloadIdentityPoolManagedIdentityIdrrrrrrdsA   T 2&(1(>(>?dfg(h%*3*?*?*B'rrc:\rSrSrSr\R "SSS9rSrg)QIamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesDeleteRequestiyzA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesDe leteRequest object. Fields: name: Required. The name of the managed identity to delete. r TrrNr[rrrrryrrrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) WIamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesGetIamPolicyRequestiaA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesGe tIamPolicyRequest object. Fields: getIamPolicyRequest: A GetIamPolicyRequest resource to be passed as the request body. resource: REQUIRED: The resource for which the policy is being requested. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. rr rTrrNrrrrrrrrrc:\rSrSrSr\R "SSS9rSrg)NIamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesGetRequestizA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesGe tRequest object. Fields: name: Required. The name of the managed identity to retrieve. r TrrNr[rrrrrrrrc\rSrSrSr\R "S5r\R"S\RRS9r \R "S5r \R "SSS 9r S rg ) _IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesListAttestationRulesRequestiaA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesLi stAttestationRulesRequest object. Fields: filter: Optional. A query filter. Supports the following function: * `container_ids()`: Returns only the AttestationRules under the specific container ids. The function expects a comma-delimited list with only project numbers and must use the format `projects/`. For example: `container_ids(projects/, projects/,...)`. pageSize: Optional. The maximum number of AttestationRules to return. If unspecified, at most 50 AttestationRules are returned. The maximum value is 100; values above 100 are truncated to 100. pageToken: Optional. A page token, received from a previous `ListWorkloadIdentityPoolProviderKeys` call. Provide this to retrieve the subsequent page. resource: Required. The resource name of the managed identity or namespace resource to list attestation rules of. r rrr5r6TrrNrrrrrrrrrc\rSrSrSr\R "S\RRS9r \R"S5r \R"SSS9r \R"S 5rS rg ) OIamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesListRequestiaRA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesLi stRequest object. Fields: pageSize: The maximum number of managed identities to return. If unspecified, at most 50 managed identities are returned. The maximum value is 1000; values above are 1000 truncated to 1000. pageToken: A page token, received from a previous `ListWorkloadIdentityPoolManagedIdentities` call. Provide this to retrieve the subsequent page. parent: Required. The parent resource to list managed identities for. showDeleted: Whether to return soft-deleted managed identities. r rrr5Trr6rNrrrrrrr>rrc:\rSrSrSr\R "SSS9rSrg)XIamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesOperationsGetRequestizA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesOp erationsGetRequest object. Fields: name: The name of the operation resource. r TrrNr[rrrrrrrrc\rSrSrSr\R "SSS9r\R "S5r\R"SS5r S r g ) PIamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesPatchRequestiaWA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesPa tchRequest object. Fields: name: Output only. The resource name of the managed identity. updateMask: Required. The list of fields to update. workloadIdentityPoolManagedIdentity: A WorkloadIdentityPoolManagedIdentity resource to be passed as the request body. r Trrrr5rN) rrrrrrr9r:rrrrrrrrrs@   q4 0$$$Q'*(1(>(>?dfg(h%rrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) `IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesRemoveAttestationRuleRequestiaaA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesRe moveAttestationRuleRequest object. Fields: removeAttestationRuleRequest: A RemoveAttestationRuleRequest resource to be passed as the request body. resource: Required. The resource name of the managed identity or namespace resource to remove an attestation rule from. RemoveAttestationRuleRequestr rTrrN rrrrrrrremoveAttestationRuleRequestr9rrrrrrr0"+!7!78VXY!Z  " "1t 4(rrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) ^IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesSetAttestationRulesRequestiaVA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesSe tAttestationRulesRequest object. Fields: resource: Required. The resource name of the managed identity or namespace resource to add an attestation rule to. setAttestationRulesRequest: A SetAttestationRulesRequest resource to be passed as the request body. r TrSetAttestationRulesRequestrrN rrrrrrr9rrsetAttestationRulesRequestrrrrr r 0 " "1t 4((556RTUVrr c`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) WIamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesSetIamPolicyRequesti aA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesSe tIamPolicyRequest object. Fields: resource: REQUIRED: The resource for which the policy is being specified. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. setIamPolicyRequest: A SetIamPolicyRequest resource to be passed as the request body. r TrrlrrNrmrrrrr /  " "1t 4(!../DaHrrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) ]IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesTestIamPermissionsRequesti aA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesTe stIamPermissionsRequest object. Fields: resource: REQUIRED: The resource for which the policy detail is being requested. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. testIamPermissionsRequest: A TestIamPermissionsRequest resource to be passed as the request body. r TrrzrrNr{rrrrr 0  " "1t 4('445PRSTrrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) SIamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesUndeleteRequesti* aFA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesUn deleteRequest object. Fields: name: Required. The name of the managed identity to undelete. undeleteWorkloadIdentityPoolManagedIdentityRequest: A UndeleteWorkloadIdentityPoolManagedIdentityRequest resource to be passed as the request body. r Tr2UndeleteWorkloadIdentityPoolManagedIdentityRequestrrN) rrrrrrr9r:r2undeleteWorkloadIdentityPoolManagedIdentityRequestrrrrrr* s;   q4 0$7@7M7MOCEF8G4rrc\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) `IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesCreateRequesti9 anA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWo rkloadSourcesCreateRequest object. Fields: parent: Required. The parent resource to create the workload source in. workloadSource: A WorkloadSource resource to be passed as the request body. workloadSourceId: Required. The ID to use for the workload source, which becomes the final component of the resource name. If ID of the WorkloadSource resource determines which workloads may be matched. The following formats are supported: - `project-{project_number}` matches workloads within the referenced Google Cloud project. r TrWorkloadSourcerr5rN rrrrrrr9rrworkloadSourceworkloadSourceIdrrrrrr9 ?   T 2&))*:A>.**1-rrc^\rSrSrSr\R "S5r\R "SSS9rSr g) `IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesDeleteRequestiM aA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWo rkloadSourcesDeleteRequest object. Fields: etag: Optional. The etag for this workload source. If provided, it must match the server's etag. name: Required. The name of the workload source to delete. r rTrrN rrrrrrr9rr:rrrrr!r!M +   q !$   q4 0$rr!c:\rSrSrSr\R "SSS9rSrg)]IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesGetRequesti[ zA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWo rkloadSourcesGetRequest object. Fields: name: Required. The name of the workload source to retrieve. r TrrNr[rrrr%r%[ rrr%c\rSrSrSr\R "S\RRS9r \R"S5r \R"SSS9r S r g ) ^IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesListRequestif aA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWo rkloadSourcesListRequest object. Fields: pageSize: The maximum number of workload sources to return. If unspecified, at most 50 workload sources are returned. The maximum value is 1000; values above are 1000 truncated to 1000. pageToken: A page token, received from a previous `ListWorkloadSources` call. Provide this to retrieve the subsequent page. parent: Required. The parent resource to list workload sources for. r rrr5TrrNrrrrrrrrrrr9rrrrrrr'r'f I  # #Ay/@/@/F/F G(##A&)  T 2&rr'c:\rSrSrSr\R "SSS9rSrg)gIamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesOperationsGetRequestix zA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWo rkloadSourcesOperationsGetRequest object. Fields: name: The name of the operation resource. r TrrNr[rrrr+r+x rrr+c\rSrSrSr\R "SSS9r\R "S5r\R"SS5r S r g ) _IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesPatchRequesti aA IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWo rkloadSourcesPatchRequest object. Fields: name: Output only. The resource name of the workload source. If ID of the WorkloadSource resource determines which workloads may be matched. The following formats are supported: - `project-{project_number}` matches workloads within the referenced Google Cloud project. updateMask: Required. The list of fields to update. workloadSource: A WorkloadSource resource to be passed as the request body. r Trrrr5rN rrrrrrr9r:rrrrrrrr-r- >    q4 0$$$Q'*))*:A>.rr-c:\rSrSrSr\R "SSS9rSrg)GIamProjectsLocationsWorkloadIdentityPoolsNamespacesOperationsGetRequesti zA IamProjectsLocationsWorkloadIdentityPoolsNamespacesOperationsGetRequest object. Fields: name: The name of the operation resource. r TrrNr[rrrr1r1 r rr1c\rSrSrSr\R "SSS9r\R "S5r\R"SS5r S r g ) ?IamProjectsLocationsWorkloadIdentityPoolsNamespacesPatchRequesti a2A IamProjectsLocationsWorkloadIdentityPoolsNamespacesPatchRequest object. Fields: name: Output only. The resource name of the namespace. updateMask: Required. The list of fields to update. workloadIdentityPoolNamespace: A WorkloadIdentityPoolNamespace resource to be passed as the request body. r Trrrr5rN) rrrrrrr9r:rrrrrrrr3r3 s@   q4 0$$$Q'*"+"8"89XZ["\rr3c`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) OIamProjectsLocationsWorkloadIdentityPoolsNamespacesRemoveAttestationRuleRequesti aPA IamProjectsLocationsWorkloadIdentityPoolsNamespacesRemoveAttestationRu leRequest object. Fields: removeAttestationRuleRequest: A RemoveAttestationRuleRequest resource to be passed as the request body. resource: Required. The resource name of the managed identity or namespace resource to remove an attestation rule from. rr rTrrNrrrrr5r5 rrr5c`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) MIamProjectsLocationsWorkloadIdentityPoolsNamespacesSetAttestationRulesRequesti aEA IamProjectsLocationsWorkloadIdentityPoolsNamespacesSetAttestationRules Request object. Fields: resource: Required. The resource name of the managed identity or namespace resource to add an attestation rule to. setAttestationRulesRequest: A SetAttestationRulesRequest resource to be passed as the request body. r Trr rrNr rrrr7r7 rrr7c`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) FIamProjectsLocationsWorkloadIdentityPoolsNamespacesSetIamPolicyRequesti aA IamProjectsLocationsWorkloadIdentityPoolsNamespacesSetIamPolicyRequest object. Fields: resource: REQUIRED: The resource for which the policy is being specified. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. setIamPolicyRequest: A SetIamPolicyRequest resource to be passed as the request body. r TrrlrrNrmrrrr9r9 rrr9c`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) LIamProjectsLocationsWorkloadIdentityPoolsNamespacesTestIamPermissionsRequesti aA IamProjectsLocationsWorkloadIdentityPoolsNamespacesTestIamPermissionsRequest object. Fields: resource: REQUIRED: The resource for which the policy detail is being requested. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. testIamPermissionsRequest: A TestIamPermissionsRequest resource to be passed as the request body. r TrrzrrNr{rrrr;r; s0  " "1t 4('445PRSTrr;c`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) BIamProjectsLocationsWorkloadIdentityPoolsNamespacesUndeleteRequesti a!A IamProjectsLocationsWorkloadIdentityPoolsNamespacesUndeleteRequest object. Fields: name: Required. The name of the namespace to undelete. undeleteWorkloadIdentityPoolNamespaceRequest: A UndeleteWorkloadIdentityPoolNamespaceRequest resource to be passed as the request body. r Tr,UndeleteWorkloadIdentityPoolNamespaceRequestrrN) rrrrrrr9r:r,undeleteWorkloadIdentityPoolNamespaceRequestrrrrr=r= s0   q4 0$1:1G1GHvxy1z.rr=c\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) OIamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesCreateRequesti a]A IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesCrea teRequest object. Fields: parent: Required. The parent resource to create the workload source in. workloadSource: A WorkloadSource resource to be passed as the request body. workloadSourceId: Required. The ID to use for the workload source, which becomes the final component of the resource name. If ID of the WorkloadSource resource determines which workloads may be matched. The following formats are supported: - `project-{project_number}` matches workloads within the referenced Google Cloud project. r Trrrr5rNrrrrrArA rrrAc^\rSrSrSr\R "S5r\R "SSS9rSr g) OIamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesDeleteRequesti aA IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesDele teRequest object. Fields: etag: Optional. The etag for this workload source. If provided, it must match the server's etag. name: Required. The name of the workload source to delete. r rTrrNr"rrrrCrC r#rrCc:\rSrSrSr\R "SSS9rSrg)LIamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesGetRequesti$ zA IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesGetRequest object. Fields: name: Required. The name of the workload source to retrieve. r TrrNr[rrrrErE$ r rrEc\rSrSrSr\R "S\RRS9r \R"S5r \R"SSS9r S r g ) MIamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesListRequesti0 aA IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesList Request object. Fields: pageSize: The maximum number of workload sources to return. If unspecified, at most 50 workload sources are returned. The maximum value is 1000; values above are 1000 truncated to 1000. pageToken: A page token, received from a previous `ListWorkloadSources` call. Provide this to retrieve the subsequent page. parent: Required. The parent resource to list workload sources for. r rrr5TrrNr(rrrrGrG0 r)rrGc:\rSrSrSr\R "SSS9rSrg)VIamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesOperationsGetRequestiB zA IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesOper ationsGetRequest object. Fields: name: The name of the operation resource. r TrrNr[rrrrIrIB rrrIc\rSrSrSr\R "SSS9r\R "S5r\R"SS5r S r g ) NIamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesPatchRequestiM aA IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesPatc hRequest object. Fields: name: Output only. The resource name of the workload source. If ID of the WorkloadSource resource determines which workloads may be matched. The following formats are supported: - `project-{project_number}` matches workloads within the referenced Google Cloud project. updateMask: Required. The list of fields to update. workloadSource: A WorkloadSource resource to be passed as the request body. r Trrrr5rNr.rrrrKrKM r/rrKc:\rSrSrSr\R "SSS9rSrg)=IamProjectsLocationsWorkloadIdentityPoolsOperationsGetRequesti` z}A IamProjectsLocationsWorkloadIdentityPoolsOperationsGetRequest object. Fields: name: The name of the operation resource. r TrrNr[rrrrMrM` rrrMc\rSrSrSr\R "SSS9r\R "S5r\R"SS5r S r g ) 5IamProjectsLocationsWorkloadIdentityPoolsPatchRequestij aA IamProjectsLocationsWorkloadIdentityPoolsPatchRequest object. Fields: name: Output only. The resource name of the pool. updateMask: Required. The list of fields to update. workloadIdentityPool: A WorkloadIdentityPool resource to be passed as the request body. r Trrrr5rN) rrrrrrr9r:rrrrrrrrOrOj s?   q4 0$$$Q'*"//0FJrrOc\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) ?IamProjectsLocationsWorkloadIdentityPoolsProvidersCreateRequestiy aA IamProjectsLocationsWorkloadIdentityPoolsProvidersCreateRequest object. Fields: parent: Required. The pool to create this provider in. workloadIdentityPoolProvider: A WorkloadIdentityPoolProvider resource to be passed as the request body. workloadIdentityPoolProviderId: Required. The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. r TrWorkloadIdentityPoolProviderrr5rN) rrrrrrr9rrworkloadIdentityPoolProviderworkloadIdentityPoolProviderIdrrrrrQrQy sA   T 2&!*!7!78VXY!Z#,#8#8#; rrQc:\rSrSrSr\R "SSS9rSrg)?IamProjectsLocationsWorkloadIdentityPoolsProvidersDeleteRequesti zA IamProjectsLocationsWorkloadIdentityPoolsProvidersDeleteRequest object. Fields: name: Required. The name of the provider to delete. r TrrNr[rrrrVrV rrrVc:\rSrSrSr\R "SSS9rSrg)#rrZc:\rSrSrSr\R "SSS9rSrg)CIamProjectsLocationsWorkloadIdentityPoolsProvidersKeysDeleteRequesti zA IamProjectsLocationsWorkloadIdentityPoolsProvidersKeysDeleteRequest object. Fields: name: Required. The name of the encryption key to delete. r TrrNr[rrrr_r_ rrr_c:\rSrSrSr\R "SSS9rSrg)@IamProjectsLocationsWorkloadIdentityPoolsProvidersKeysGetRequesti zA IamProjectsLocationsWorkloadIdentityPoolsProvidersKeysGetRequest object. Fields: name: Required. The name of the key to retrieve. r TrrNr[rrrrara rrrac\rSrSrSr\R "S\RRS9r \R"S5r \R"SSS9r \R"S 5rS rg ) AIamProjectsLocationsWorkloadIdentityPoolsProvidersKeysListRequesti aA IamProjectsLocationsWorkloadIdentityPoolsProvidersKeysListRequest object. Fields: pageSize: The maximum number of keys to return. If unspecified, all keys are returned. The maximum value is 10; values above 10 are truncated to 10. pageToken: A page token, received from a previous `ListWorkloadIdentityPoolProviderKeys` call. Provide this to retrieve the subsequent page. parent: Required. The parent provider resource to list encryption keys for. showDeleted: Whether to return soft deleted resources as well. r rrr5Trr6rNrrrrrcrc r5rrcc:\rSrSrSr\R "SSS9rSrg)JIamProjectsLocationsWorkloadIdentityPoolsProvidersKeysOperationsGetRequesti zA IamProjectsLocationsWorkloadIdentityPoolsProvidersKeysOperationsGetRequest object. Fields: name: The name of the operation resource. r TrrNr[rrrrere r rrec`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) EIamProjectsLocationsWorkloadIdentityPoolsProvidersKeysUndeleteRequesti a-A IamProjectsLocationsWorkloadIdentityPoolsProvidersKeysUndeleteRequest object. Fields: name: Required. The name of the encryption key to undelete. undeleteWorkloadIdentityPoolProviderKeyRequest: A UndeleteWorkloadIdentityPoolProviderKeyRequest resource to be passed as the request body. r Tr.UndeleteWorkloadIdentityPoolProviderKeyRequestrrN) rrrrrrr9r:r.undeleteWorkloadIdentityPoolProviderKeyRequestrrrrrgrg s0   q4 0$3<3I3IJz|}3~0rrgc\rSrSrSr\R "S\RRS9r \R"S5r \R"SSS9r \R"S 5rS rg ) =IamProjectsLocationsWorkloadIdentityPoolsProvidersListRequesti aA IamProjectsLocationsWorkloadIdentityPoolsProvidersListRequest object. Fields: pageSize: The maximum number of providers to return. If unspecified, at most 50 providers are returned. The maximum value is 100; values above 100 are truncated to 100. pageToken: A page token, received from a previous `ListWorkloadIdentityPoolProviders` call. Provide this to retrieve the subsequent page. parent: Required. The pool to list providers for. showDeleted: Whether to return soft-deleted providers. r rrr5Trr6rNrrrrrkrk rrrkc:\rSrSrSr\R "SSS9rSrg)FIamProjectsLocationsWorkloadIdentityPoolsProvidersOperationsGetRequesti zA IamProjectsLocationsWorkloadIdentityPoolsProvidersOperationsGetRequest object. Fields: name: The name of the operation resource. r TrrNr[rrrrmrm rrrmc\rSrSrSr\R "SSS9r\R "S5r\R"SS5r S r g ) >IamProjectsLocationsWorkloadIdentityPoolsProvidersPatchRequesti a.A IamProjectsLocationsWorkloadIdentityPoolsProvidersPatchRequest object. Fields: name: Output only. The resource name of the provider. updateMask: Required. The list of fields to update. workloadIdentityPoolProvider: A WorkloadIdentityPoolProvider resource to be passed as the request body. r TrrrRr5rN) rrrrrrr9r:rrrSrrrrroro s@   q4 0$$$Q'*!*!7!78VXY!Zrroc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) AIamProjectsLocationsWorkloadIdentityPoolsProvidersUndeleteRequesti( aA IamProjectsLocationsWorkloadIdentityPoolsProvidersUndeleteRequest object. Fields: name: Required. The name of the provider to undelete. undeleteWorkloadIdentityPoolProviderRequest: A UndeleteWorkloadIdentityPoolProviderRequest resource to be passed as the request body. r Tr+UndeleteWorkloadIdentityPoolProviderRequestrrN) rrrrrrr9r:r+undeleteWorkloadIdentityPoolProviderRequestrrrrrqrq( s0   q4 0$090F0FGtvw0x-rrqc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) EIamProjectsLocationsWorkloadIdentityPoolsRemoveAttestationRuleRequesti7 aEA IamProjectsLocationsWorkloadIdentityPoolsRemoveAttestationRuleRequest object. Fields: removeAttestationRuleRequest: A RemoveAttestationRuleRequest resource to be passed as the request body. resource: Required. The resource name of the managed identity or namespace resource to remove an attestation rule from. rr rTrrNrrrrruru7 rrruc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) CIamProjectsLocationsWorkloadIdentityPoolsSetAttestationRulesRequestiF a:A IamProjectsLocationsWorkloadIdentityPoolsSetAttestationRulesRequest object. Fields: resource: Required. The resource name of the managed identity or namespace resource to add an attestation rule to. setAttestationRulesRequest: A SetAttestationRulesRequest resource to be passed as the request body. r Trr rrNr rrrrwrwF rrrwc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) (>?dfg(h%rr}c`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) IamProjectsRolesCreateRequesti a"A IamProjectsRolesCreateRequest object. Fields: createRoleRequest: A CreateRoleRequest resource to be passed as the request body. parent: The `parent` parameter's value depends on the target resource for the request, namely [projects](https://cloud.google.com/iam/docs/referen ce/rest/v1/projects.roles) or [organizations](https://cloud.google.com/i am/docs/reference/rest/v1/organizations.roles). Each resource type's `parent` value format is described below: * [projects.roles.create](http s://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/create): `projects/{PROJECT_ID}`. This method creates project-level [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` * [organizat ions.roles.create](https://cloud.google.com/iam/docs/reference/rest/v1/o rganizations.roles/create): `organizations/{ORGANIZATION_ID}`. This method creates organization-level [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. rrr rTrrNrrrrrr rrrc^\rSrSrSr\R "S5r\R"SSS9r Sr g) IamProjectsRolesDeleteRequesti aA IamProjectsRolesDeleteRequest object. Fields: etag: Used to perform a consistent read-modify-write. name: The `name` parameter's value depends on the target resource for the request, namely [projects](https://cloud.google.com/iam/docs/reference/r est/v1/projects.roles) or [organizations](https://cloud.google.com/iam/d ocs/reference/rest/v1/organizations.roles). Each resource type's `name` value format is described below: * [projects.roles.delete](https://cloud .google.com/iam/docs/reference/rest/v1/projects.roles/delete): `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only [custom roles](https://cloud.google.com/iam/docs/understanding-custom- roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ ID}` * [organizations.roles.delete](https://cloud.google.com/iam/docs/re ference/rest/v1/organizations.roles/delete): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: ` https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUS TOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. r rTrrNrrrrrr rrrc:\rSrSrSr\R "SSS9rSrg)IamProjectsRolesGetRequesti aA IamProjectsRolesGetRequest object. Fields: name: The `name` parameter's value depends on the target resource for the request, namely [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [pro jects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.role s), or [organizations](https://cloud.google.com/iam/docs/reference/rest/ v1/organizations.roles). Each resource type's `name` value format is described below: * [roles.get](https://cloud.google.com/iam/docs/referen ce/rest/v1/roles/get): `roles/{ROLE_NAME}`. This method returns results from all [predefined roles](https://cloud.google.com/iam/docs/understanding- roles#predefined_roles) in IAM. Example request URL: `https://iam.googleapis.com/v1/roles/{ROLE_NAME}` * [projects.roles.get] (https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/get) : `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only [custom roles](https://cloud.google.com/iam/docs/understanding- custom-roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/ {CUSTOM_ROLE_ID}` * [organizations.roles.get](https://cloud.google.com/i am/docs/reference/rest/v1/organizations.roles/get): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: ` https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUS TOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. r TrrNr[rrrrr rrrc\rSrSrSr"SS\R 5r\R"S\RRS9r \R"S5r \R"SS S 9r\R"S 5r\R""SS 5rS rg)IamProjectsRolesListRequesti a A IamProjectsRolesListRequest object. Enums: ViewValueValuesEnum: Optional view for the returned Role objects. When `FULL` is specified, the `includedPermissions` field is returned, which includes a list of all permissions in the role. The default value is `BASIC`, which does not return the `includedPermissions` field. Fields: pageSize: Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000. pageToken: Optional pagination token returned in an earlier ListRolesResponse. parent: The `parent` parameter's value depends on the target resource for the request, namely [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [pro jects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.role s), or [organizations](https://cloud.google.com/iam/docs/reference/rest/ v1/organizations.roles). Each resource type's `parent` value format is described below: * [roles.list](https://cloud.google.com/iam/docs/refere nce/rest/v1/roles/list): An empty string. This method doesn't require a resource; it simply returns all [predefined roles](https://cloud.google.com/iam/docs/understanding- roles#predefined_roles) in IAM. Example request URL: `https://iam.googleapis.com/v1/roles` * [projects.roles.list](https://cl oud.google.com/iam/docs/reference/rest/v1/projects.roles/list): `projects/{PROJECT_ID}`. This method lists all project-level [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` * [organizat ions.roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/org anizations.roles/list): `organizations/{ORGANIZATION_ID}`. This method lists all organization-level [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. showDeleted: Include Roles that have been deleted. view: Optional view for the returned Role objects. When `FULL` is specified, the `includedPermissions` field is returned, which includes a list of all permissions in the role. The default value is `BASIC`, which does not return the `includedPermissions` field. c \rSrSrSrSrSrSrg)/IamProjectsRolesListRequest.ViewValueValuesEnumi rrr rNrrrrrr rrrr rrr5Trr6rrNrrrrrr rrrc\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) IamProjectsRolesPatchRequesti% aA IamProjectsRolesPatchRequest object. Fields: name: The `name` parameter's value depends on the target resource for the request, namely [projects](https://cloud.google.com/iam/docs/reference/r est/v1/projects.roles) or [organizations](https://cloud.google.com/iam/d ocs/reference/rest/v1/organizations.roles). Each resource type's `name` value format is described below: * [projects.roles.patch](https://cloud. google.com/iam/docs/reference/rest/v1/projects.roles/patch): `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only [custom roles](https://cloud.google.com/iam/docs/understanding-custom- roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ ID}` * [organizations.roles.patch](https://cloud.google.com/iam/docs/ref erence/rest/v1/organizations.roles/patch): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: ` https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUS TOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. role: A Role resource to be passed as the request body. updateMask: A mask describing which fields in the Role have changed. r Trrsrr5rNrrrrrr% rrrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) IamProjectsRolesUndeleteRequestiE aA IamProjectsRolesUndeleteRequest object. Fields: name: The `name` parameter's value depends on the target resource for the request, namely [projects](https://cloud.google.com/iam/docs/reference/r est/v1/projects.roles) or [organizations](https://cloud.google.com/iam/d ocs/reference/rest/v1/organizations.roles). Each resource type's `name` value format is described below: * [projects.roles.undelete](https://clo ud.google.com/iam/docs/reference/rest/v1/projects.roles/undelete): `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes only [custom roles](https://cloud.google.com/iam/docs/understanding- custom-roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/ {CUSTOM_ROLE_ID}` * [organizations.roles.undelete](https://cloud.google. com/iam/docs/reference/rest/v1/organizations.roles/undelete): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: ` https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUS TOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. undeleteRoleRequest: A UndeleteRoleRequest resource to be passed as the request body. r TrrrrNrrrrrrE rrrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) 'IamProjectsServiceAccountsCreateRequestid a'A IamProjectsServiceAccountsCreateRequest object. Fields: createServiceAccountRequest: A CreateServiceAccountRequest resource to be passed as the request body. name: Required. The resource name of the project associated with the service accounts, such as `projects/my-project-123`. rr rTrrN) rrrrrrrcreateServiceAccountRequestr9r:rrrrrrd s0!* 6 67TVW X   q4 0$rrc:\rSrSrSr\R "SSS9rSrg)'IamProjectsServiceAccountsDeleteRequestir a8A IamProjectsServiceAccountsDeleteRequest object. Fields: name: Required. The resource name of the service account. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. r TrrNr[rrrrrr "   q4 0$rrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) (IamProjectsServiceAccountsDisableRequesti aA IamProjectsServiceAccountsDisableRequest object. Fields: disableServiceAccountRequest: A DisableServiceAccountRequest resource to be passed as the request body. name: The resource name of the service account. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. rr rTrrN) rrrrrrrdisableServiceAccountRequestr9r:rrrrrr s0$"+!7!78VXY!Z   q4 0$rrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) 'IamProjectsServiceAccountsEnableRequesti aA IamProjectsServiceAccountsEnableRequest object. Fields: enableServiceAccountRequest: A EnableServiceAccountRequest resource to be passed as the request body. name: The resource name of the service account. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. rr rTrrN) rrrrrrrenableServiceAccountRequestr9r:rrrrrr s0$!* 6 67TVW X   q4 0$rrc\rSrSrSr\R "S\RRS9r \R"SSS9r Sr g ) -IamProjectsServiceAccountsGetIamPolicyRequesti a9A IamProjectsServiceAccountsGetIamPolicyRequest object. Fields: options_requestedPolicyVersion: Optional. The maximum policy version that will be used to format the policy. Valid values are 0, 1, and 3. Requests specifying an invalid value will be rejected. Requests for policies with any conditional role bindings must specify version 3. Policies with no conditional role bindings may specify any valid value or leave the field unset. The policy in the response might use the policy version that you specified, or it might use a lower policy version. For example, if you specify version 3, but the policy has no conditional role bindings, the response uses version 1. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource- policies). resource: REQUIRED: The resource for which the policy is being requested. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. r rrTrrN) rrrrrrrrroptions_requestedPolicyVersionr9rrrrrrr s:*$-#9#9!YEVEVE\E\#]  " "1t 4(rrc:\rSrSrSr\R "SSS9rSrg)$IamProjectsServiceAccountsGetRequesti a5A IamProjectsServiceAccountsGetRequest object. Fields: name: Required. The resource name of the service account. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. r TrrNr[rrrrr rrrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) +IamProjectsServiceAccountsKeysCreateRequesti aA IamProjectsServiceAccountsKeysCreateRequest object. Fields: createServiceAccountKeyRequest: A CreateServiceAccountKeyRequest resource to be passed as the request body. name: Required. The resource name of the service account. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. rvr rTrrN) rrrrrrrcreateServiceAccountKeyRequestr9r:rrrrrr s0&$-#9#9:Z\]#^   q4 0$rrc:\rSrSrSr\R "SSS9rSrg)+IamProjectsServiceAccountsKeysDeleteRequesti aA IamProjectsServiceAccountsKeysDeleteRequest object. Fields: name: Required. The resource name of the service account key. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}` * `projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key `projects/-/serviceAccounts/fake@example.com/keys/fake-key`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. r TrrNr[rrrrr s$   q4 0$rrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) ,IamProjectsServiceAccountsKeysDisableRequesti aA IamProjectsServiceAccountsKeysDisableRequest object. Fields: disableServiceAccountKeyRequest: A DisableServiceAccountKeyRequest resource to be passed as the request body. name: Required. The resource name of the service account key. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}` * `projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key `projects/-/serviceAccounts/fake@example.com/keys/fake-key`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. rr rTrrN) rrrrrrrdisableServiceAccountKeyRequestr9r:rrrrrr s0(%.$:$:;\^_$`!   q4 0$rrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) +IamProjectsServiceAccountsKeysEnableRequesti+ aA IamProjectsServiceAccountsKeysEnableRequest object. Fields: enableServiceAccountKeyRequest: A EnableServiceAccountKeyRequest resource to be passed as the request body. name: Required. The resource name of the service account key. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}` * `projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key `projects/-/serviceAccounts/fake@example.com/keys/fake-key`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. rr rTrrN) rrrrrrrenableServiceAccountKeyRequestr9r:rrrrrr+ s0($-#9#9:Z\]#^   q4 0$rrc\rSrSrSr"SS\R 5r\R"SSS9r \R"SS5r S r g ) (IamProjectsServiceAccountsKeysGetRequestiD aA IamProjectsServiceAccountsKeysGetRequest object. Enums: PublicKeyTypeValueValuesEnum: Optional. The output format of the public key. The default is `TYPE_NONE`, which means that the public key is not returned. Fields: name: Required. The resource name of the service account key. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}` * `projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key `projects/-/serviceAccounts/fake@example.com/keys/fake-key`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. publicKeyType: Optional. The output format of the public key. The default is `TYPE_NONE`, which means that the public key is not returned. c$\rSrSrSrSrSrSrSrg)EIamProjectsServiceAccountsKeysGetRequest.PublicKeyTypeValueValuesEnumi^ zOptional. The output format of the public key. The default is `TYPE_NONE`, which means that the public key is not returned. Values: TYPE_NONE: Do not return the public key. TYPE_X509_PEM_FILE: X509 PEM format. TYPE_RAW_PUBLIC_KEY: Raw public key. rr rrN) rrrrr TYPE_NONETYPE_X509_PEM_FILETYPE_RAW_PUBLIC_KEYrrrrPublicKeyTypeValueValuesEnumr^ sIrrr TrrrN) rrrrrrr7rr9r:r; publicKeyTyperrrrrrD s>2 Y^^    q4 0$%%&DaH-rrc\rSrSrSr"SS\R 5r\R"SSSS9r \R"SSS 9r S r g ) )IamProjectsServiceAccountsKeysListRequestio aA IamProjectsServiceAccountsKeysListRequest object. Enums: KeyTypesValueValuesEnum: Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned. Fields: keyTypes: Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned. name: Required. The resource name of the service account. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. c$\rSrSrSrSrSrSrSrg)AIamProjectsServiceAccountsKeysListRequest.KeyTypesValueValuesEnumi aFilters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned. Values: KEY_TYPE_UNSPECIFIED: Unspecified key type. The presence of this in the message will immediately result in an error. USER_MANAGED: User-managed keys (managed and rotated by the user). SYSTEM_MANAGED: System-managed keys (managed and rotated by Google). rr rrN rrrrrKEY_TYPE_UNSPECIFIED USER_MANAGEDSYSTEM_MANAGEDrrrrKeyTypesValueValuesEnumr s LNrrr Tr rrrN) rrrrrrr7rr;keyTypesr9r:rrrrrro s@2    !:A M(   q4 0$rrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) +IamProjectsServiceAccountsKeysUploadRequesti aA IamProjectsServiceAccountsKeysUploadRequest object. Fields: name: The resource name of the service account key. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. uploadServiceAccountKeyRequest: A UploadServiceAccountKeyRequest resource to be passed as the request body. r TrUploadServiceAccountKeyRequestrrN) rrrrrrr9r:ruploadServiceAccountKeyRequestrrrrrr s0&   q4 0$#,#9#9:Z\]#^ rrc\rSrSrSr\R "SSS9r\R"S\RRS9r \R "S5r S r g ) %IamProjectsServiceAccountsListRequesti a<A IamProjectsServiceAccountsListRequest object. Fields: name: Required. The resource name of the project associated with the service accounts, such as `projects/my-project-123`. pageSize: Optional limit on the number of service accounts to include in the response. Further accounts can subsequently be obtained by including the ListServiceAccountsResponse.next_page_token in a subsequent request. The default is 20, and the maximum is 100. pageToken: Optional pagination token returned in an earlier ListServiceAccountsResponse.next_page_token. r Trrrr5rN)rrrrrrr9r:rrrrrrrrrrr sI    q4 0$  # #Ay/@/@/F/F G(##A&)rrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) &IamProjectsServiceAccountsPatchRequesti aA IamProjectsServiceAccountsPatchRequest object. Fields: name: The resource name of the service account. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. patchServiceAccountRequest: A PatchServiceAccountRequest resource to be passed as the request body. r TrPatchServiceAccountRequestrrN) rrrrrrr9r:rpatchServiceAccountRequestrrrrrr s0$   q4 0$(556RTUVrrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) -IamProjectsServiceAccountsSetIamPolicyRequesti aiA IamProjectsServiceAccountsSetIamPolicyRequest object. Fields: resource: REQUIRED: The resource for which the policy is being specified. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. setIamPolicyRequest: A SetIamPolicyRequest resource to be passed as the request body. r TrrlrrNrmrrrrr rorrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) )IamProjectsServiceAccountsSignBlobRequesti aA IamProjectsServiceAccountsSignBlobRequest object. Fields: name: Required. Deprecated. [Migrate to Service Account Credentials API](https://cloud.google.com/iam/help/credentials/migrate-api). The resource name of the service account. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. signBlobRequest: A SignBlobRequest resource to be passed as the request body. r TrSignBlobRequestrrN) rrrrrrr9r:rsignBlobRequestrrrrrr s.(   q4 0$**+.rrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) 3IamProjectsServiceAccountsTestIamPermissionsRequesti aA IamProjectsServiceAccountsTestIamPermissionsRequest object. Fields: resource: REQUIRED: The resource for which the policy detail is being requested. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. testIamPermissionsRequest: A TestIamPermissionsRequest resource to be passed as the request body. r TrrzrrNr{rrrrr r}rrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) )IamProjectsServiceAccountsUndeleteRequesti0aA IamProjectsServiceAccountsUndeleteRequest object. Fields: name: The resource name of the service account. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. undeleteServiceAccountRequest: A UndeleteServiceAccountRequest resource to be passed as the request body. r TrUndeleteServiceAccountRequestrrN) rrrrrrr9r:rundeleteServiceAccountRequestrrrrrr0s0$   q4 0$"+"8"89XZ["\rrc:\rSrSrSr\R "SSS9rSrg)IamRolesGetRequestiGaA IamRolesGetRequest object. Fields: name: The `name` parameter's value depends on the target resource for the request, namely [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [pro jects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.role s), or [organizations](https://cloud.google.com/iam/docs/reference/rest/ v1/organizations.roles). Each resource type's `name` value format is described below: * [roles.get](https://cloud.google.com/iam/docs/referen ce/rest/v1/roles/get): `roles/{ROLE_NAME}`. This method returns results from all [predefined roles](https://cloud.google.com/iam/docs/understanding- roles#predefined_roles) in IAM. Example request URL: `https://iam.googleapis.com/v1/roles/{ROLE_NAME}` * [projects.roles.get] (https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/get) : `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only [custom roles](https://cloud.google.com/iam/docs/understanding- custom-roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/ {CUSTOM_ROLE_ID}` * [organizations.roles.get](https://cloud.google.com/i am/docs/reference/rest/v1/organizations.roles/get): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: ` https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUS TOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. r TrrNr[rrrrrGrrrc\rSrSrSr"SS\R 5r\R"S\RRS9r \R"S5r \R"S5r\R"S 5r\R""SS 5rS rg ) IamRolesListRequestija A IamRolesListRequest object. Enums: ViewValueValuesEnum: Optional view for the returned Role objects. When `FULL` is specified, the `includedPermissions` field is returned, which includes a list of all permissions in the role. The default value is `BASIC`, which does not return the `includedPermissions` field. Fields: pageSize: Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000. pageToken: Optional pagination token returned in an earlier ListRolesResponse. parent: The `parent` parameter's value depends on the target resource for the request, namely [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [pro jects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.role s), or [organizations](https://cloud.google.com/iam/docs/reference/rest/ v1/organizations.roles). Each resource type's `parent` value format is described below: * [roles.list](https://cloud.google.com/iam/docs/refere nce/rest/v1/roles/list): An empty string. This method doesn't require a resource; it simply returns all [predefined roles](https://cloud.google.com/iam/docs/understanding- roles#predefined_roles) in IAM. Example request URL: `https://iam.googleapis.com/v1/roles` * [projects.roles.list](https://cl oud.google.com/iam/docs/reference/rest/v1/projects.roles/list): `projects/{PROJECT_ID}`. This method lists all project-level [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` * [organizat ions.roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/org anizations.roles/list): `organizations/{ORGANIZATION_ID}`. This method lists all organization-level [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. showDeleted: Include Roles that have been deleted. view: Optional view for the returned Role objects. When `FULL` is specified, the `includedPermissions` field is returned, which includes a list of all permissions in the role. The default value is `BASIC`, which does not return the `includedPermissions` field. c \rSrSrSrSrSrSrg)'IamRolesListRequest.ViewValueValuesEnumirrr rNrrrrrrrrrr rrr5r6rrNrrrrrrjs{+Z  INN   # #Ay/@/@/F/F G(##A&)   #&&&q)+   2A 6$rrc`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) IdentityAssignmentiaDefines how to assign an identity to a workload. At least one workload selector and at least one identity assignment method must be defined. Fields: allowIdentitySelfSelection: Optional. Identity assignment method that authorizes matched workloads to self select an identity within the parent's scope (e.g. within the namespace when the WorkloadSource is defined on a Namespace). singleAttributeSelectors: Optional. Workload selector that matches workloads based on their attested attributes. r SingleAttributeSelectorrTr rN) rrrrrrrallowIdentitySelfSelectionrsingleAttributeSelectorsrrrrrrs1  )55a8&334Mq[_`rrct\rSrSrSr"SS\R 5r\R"S5"SS\R55r \R"SS5r \R"SS 5r\R "S 5r\R$"S \R&R(S 9r\R,"S 5rSrg)InlineCertificateIssuanceConfigia! Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Enums: KeyAlgorithmValueValuesEnum: Optional. Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If not specified, this will default to ECDSA_P256. Messages: CaPoolsValue: Optional. A required mapping of a Google Cloud region to the CA pool resource located in that region. The CA pool is used for certificate issuance, adhering to the following constraints: * Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value. * Value format: A valid CA pool resource path format like: "projects/{project}/locations/{location}/caPools/{ca_pool}" * Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key). Fields: caPools: Optional. A required mapping of a Google Cloud region to the CA pool resource located in that region. The CA pool is used for certificate issuance, adhering to the following constraints: * Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value. * Value format: A valid CA pool resource path format like: "projects/{project}/locations/{location}/caPools/{ca_pool}" * Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key). keyAlgorithm: Optional. Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If not specified, this will default to ECDSA_P256. lifetime: Optional. Lifetime of the workload certificates issued by the CA pool. Must be between 24 hours and 30 days. If not specified, this will be defaulted to 24 hours. rotationWindowPercentage: Optional. Rotation window percentage, the percentage of remaining lifetime after which certificate rotation is initiated. Must be between 50 and 80. If no value is specified, rotation window percentage is defaulted to 50. useDefaultSharedCa: Optional. If set to true, the trust domain will utilize the GCP-provisioned default CA. A default CA in the same region as the workload will be selected to issue the certificate. Enabling this will clear any existing `ca_pools` configuration to provision the certificates. NOTE: This field is mutually exclusive with `ca_pools`. If this flag is enabled, certificates will be automatically provisioned from the default shared CAs. This flag should not be set if you want to use your own CA pools to provision the certificates. c0\rSrSrSrSrSrSrSrSr Sr S r g ) ;InlineCertificateIssuanceConfig.KeyAlgorithmValueValuesEnumiaOptional. Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If not specified, this will default to ECDSA_P256. Values: KEY_ALGORITHM_UNSPECIFIED: Unspecified key algorithm. Defaults to ECDSA_P256. RSA_2048: Specifies RSA with a 2048-bit modulus. RSA_3072: Specifies RSA with a 3072-bit modulus. RSA_4096: Specifies RSA with a 4096-bit modulus. ECDSA_P256: Specifies ECDSA with curve P256. ECDSA_P384: Specifies ECDSA with curve P384. rr rr5r6rrN) rrrrrKEY_ALGORITHM_UNSPECIFIEDRSA_2048RSA_3072RSA_4096 ECDSA_P256 ECDSA_P384rrrrr}rs( !"HHHJJrr}additionalPropertiescf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) ,InlineCertificateIssuanceConfig.CaPoolsValueiaOptional. A required mapping of a Google Cloud region to the CA pool resource located in that region. The CA pool is used for certificate issuance, adhering to the following constraints: * Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value. * Value format: A valid CA pool resource path format like: "projects/{project}/locations/{location}/caPools/{ca_pool}" * Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key). Messages: AdditionalProperty: An additional property for a CaPoolsValue object. Fields: additionalProperties: Additional properties of type CaPoolsValue c`\rSrSrSr\R "S5r\R "S5rSr g)?InlineCertificateIssuanceConfig.CaPoolsValue.AdditionalPropertyizAn additional property for a CaPoolsValue object. Fields: key: Name of the additional property. value: A string attribute. r rrN rrrrrrr9rrrrrrAdditionalPropertyr)   ! !! $c##A&errr Tr rN rrrrrrMessagerrrrrrr CaPoolsValuers2$ 'Y.. '%112FTXYrrr rr5r6rrrN)rrrrrrr7r}rMapUnrecognizedFieldsrrrcaPoolsr;rr9lifetimerrrrotationWindowPercentageruseDefaultSharedCarrrrrrs1fINN* !!"89ZY&&Z:Z@  " ">1 5'$$%BAF,  " "1 %(&33Ay?P?P?V?VW --a0rrc\rSrSrSr\R "S5"SS\R55r \R"SS5r Sr g) InlineTrustConfigi/a1Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Messages: AdditionalTrustBundlesValue: Optional. Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and don't need to be specified here. If however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additional_trust_bundles map, those trust anchors will be *appended to* the trust bundle automatically derived from your InlineCertificateIssuanceConfig's ca_pools. Fields: additionalTrustBundles: Optional. Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and don't need to be specified here. If however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additional_trust_bundles map, those trust anchors will be *appended to* the trust bundle automatically derived from your InlineCertificateIssuanceConfig's ca_pools. rcf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) -InlineTrustConfig.AdditionalTrustBundlesValueiMaOptional. Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and don't need to be specified here. If however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additional_trust_bundles map, those trust anchors will be *appended to* the trust bundle automatically derived from your InlineCertificateIssuanceConfig's ca_pools. Messages: AdditionalProperty: An additional property for a AdditionalTrustBundlesValue object. Fields: additionalProperties: Additional properties of type AdditionalTrustBundlesValue cb\rSrSrSr\R "S5r\R"SS5r Sr g)@InlineTrustConfig.AdditionalTrustBundlesValue.AdditionalPropertyiazAn additional property for a AdditionalTrustBundlesValue object. Fields: key: Name of the additional property. value: A TrustStore attribute. r TrustStorerrN rrrrrrr9rrrrrrrrras+   ! !! $c$$\15errr Tr rNrrrrAdditionalTrustBundlesValuerMs2$ 6Y.. 6%112FTXYrrr rN) rrrrrrrrrrradditionalTrustBundlesrrrrrr/sO: !!"89ZI$5$5Z:Z@%112OQRSrrc<\rSrSrSr\R "S5rSrg)IntermediateCAiqzIntermediate CA certificates used for building the trust chain to trust anchor Fields: pemCertificate: PEM certificate of the PKI used for validation. Must only contain one ca certificate. r rN rrrrrrr9pemCertificaterrrrrrqs((+.rrcH\rSrSrSr"SS\R 5r"SS\R 5r\R"S5r \R"SS5r \R"S 5r \R"SS 5r\R"S 5r\R"S 5rS rg)KeyDatai}aORepresents a public key data along with its format. Enums: FormatValueValuesEnum: Output only. The format of the key. KeySpecValueValuesEnum: Required. The specifications for the key. Fields: createTime: Output only. The timestamp when this key was created. format: Output only. The format of the key. key: Output only. The key data. The format of the key is represented by the format field. keySpec: Required. The specifications for the key. notAfterTime: Output only. Latest timestamp when this key is valid. Attempts to use this key after this time will fail. Only present if the key data represents a X.509 certificate. notBeforeTime: Output only. Earliest timestamp when this key is valid. Attempts to use this key before this time will fail. Only present if the key data represents a X.509 certificate. c \rSrSrSrSrSrSrg)KeyData.FormatValueValuesEnumiaOutput only. The format of the key. Values: KEY_FORMAT_UNSPECIFIED: No format has been specified. This is an invalid format and must not be used. RSA_X509_PEM: A RSA public key wrapped in an X.509v3 certificate ([RFC5280] ( https://www.ietf.org/rfc/rfc5280.txt)), encoded in base64, and wrapped in [public certificate label](https://datatracker.ietf.org/doc/html/rfc7468#section-5.1). rr rN)rrrrrKEY_FORMAT_UNSPECIFIED RSA_X509_PEMrrrrFormatValueValuesEnumr s Lrrc(\rSrSrSrSrSrSrSrSr g) KeyData.KeySpecValueValuesEnumizRequired. The specifications for the key. Values: KEY_SPEC_UNSPECIFIED: No key specification specified. RSA_2048: A 2048 bit RSA key. RSA_3072: A 3072 bit RSA key. RSA_4096: A 4096 bit RSA key. rr rr5rN) rrrrrKEY_SPEC_UNSPECIFIEDrrrrrrrKeySpecValueValuesEnumrsHHHrrr rr5r6rrN)rrrrrrr7rrr9 createTimer;formatrkeySpec notAfterTime notBeforeTimerrrrr r }s( inn  y~~ $$Q'*   6 :&a #    8! <'&&q),''*-rr cb\rSrSrSr\R "SS5r\R"S5r Sr g)LintPolicyRequestia The request to lint an IAM policy object. Fields: condition: google.iam.v1.Binding.condition object to be linted. fullResourceName: The full resource name of the policy this lint request is about. The name follows the Google Cloud format for full resource names. For example, a Google Cloud project with ID `my-project` will be named `//cloudresourcemanager.googleapis.com/projects/my-project`. The resource name is not used to read a policy from IAM. Only the data in the request object is linted. rcr rrN) rrrrrrrrdr9fullResourceNamerrrrrrs, $$VQ/)**1-rrc<\rSrSrSr\R "SSSS9rSrg) LintPolicyResponseizThe response of a lint operation. An empty response indicates the operation was able to fully execute and no lint issue was found. Fields: lintResults: List of lint results sorted by `severity` in descending order. LintResultr Tr rN) rrrrrrr lintResultsrrrrrrs&&|QF+rrcn\rSrSrSr"SS\R 5r"SS\R 5r\R"S5r \R"S5r \R"SS 5r \R"S \RR S 9r\R"SS 5r\R"S 5rSrg)r iaStructured response of a single validation unit. Enums: LevelValueValuesEnum: The validation unit level. SeverityValueValuesEnum: The validation unit severity. Fields: debugMessage: Human readable debug message associated with the issue. fieldName: The name of the field for which this lint result is about. For nested messages `field_name` consists of names of the embedded fields separated by period character. The top-level qualifier is the input object to lint in the request. For example, the `field_name` value `condition.expression` identifies a lint result for the `expression` field of the provided condition. level: The validation unit level. locationOffset: 0-based character position of problematic construct within the object identified by `field_name`. Currently, this is populated only for condition expression. severity: The validation unit severity. validationUnitName: The validation unit name, for instance "lintValidationUnits/ConditionComplexityCheck". c \rSrSrSrSrSrSrg)LintResult.LevelValueValuesEnumizThe validation unit level. Values: LEVEL_UNSPECIFIED: Level is unspecified. CONDITION: A validation unit which operates on an individual condition within a binding. rr rN)rrrrrLEVEL_UNSPECIFIED CONDITIONrrrrLevelValueValuesEnumr$sIrr'c0\rSrSrSrSrSrSrSrSr Sr S r g ) "LintResult.SeverityValueValuesEnumiaThe validation unit severity. Values: SEVERITY_UNSPECIFIED: Severity is unspecified. ERROR: A validation unit returns an error only for critical issues. If an attempt is made to set the problematic policy without rectifying the critical issue, it causes the `setPolicy` operation to fail. WARNING: Any issue which is severe enough but does not cause an error. For example, suspicious constructs in the input object will not necessarily fail `setPolicy`, but there is a high likelihood that they won't behave as expected during policy evaluation in `checkPolicy`. This includes the following common scenarios: - Unsatisfiable condition: Expired timestamp in date/time condition. - Ineffective condition: Condition on a pair which is granted unconditionally in another binding of the same policy. NOTICE: Reserved for the issues that are not severe as `ERROR`/`WARNING`, but need special handling. For instance, messages about skipped validation units are issued as `NOTICE`. INFO: Any informative statement which is not severe enough to raise `ERROR`/`WARNING`/`NOTICE`, like auto-correction recommendations on the input content. Note that current version of the linter does not utilize `INFO`. DEPRECATED: Deprecated severity level. rr rr5r6rrN) rrrrrSEVERITY_UNSPECIFIEDERRORWARNINGNOTICEINFO DEPRECATEDrrrrSeverityValueValuesEnumr)s(0 EG F DJrr0r rr5r6rrrrN)rrrrrrr7r'r0r9 debugMessage fieldNamer;levelrrrlocationOffsetseverityvalidationUnitNamerrrrr r s. Y^^  @&&q),##A&)   4a 8%))!Y5F5F5L5LM.  !:A >( ,,Q/rr c`\rSrSrSr\R "SSSS9r\R"S5r Sr g ) ListAttestationRulesResponseiaResponse message for ListAttestationRules. Fields: attestationRules: A list of AttestationRules. nextPageToken: Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. r!r Tr rrN) rrrrrrrattestationRulesr9 nextPageTokenrrrrr8r8s/++,=q4P''*-rr8c<\rSrSrSr\R "SSSS9rSrg) "ListOauthClientCredentialsResponsei,zvResponse message for ListOauthClientCredentials. Fields: oauthClientCredentials: A list of OauthClientCredentials. rr Tr rN) rrrrrrroauthClientCredentialsrrrrr<r<,s  %112I1W[\rr<c`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) ListOauthClientsResponsei6zResponse message for ListOauthClients. Fields: nextPageToken: Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. oauthClients: A list of OauthClients. r rrTr rN) rrrrrrr9r:r oauthClientsrrrrr?r?6s-''*-'' q4H,rr?c`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) ListRolesResponseiDzThe response containing the roles defined under a resource. Fields: nextPageToken: To retrieve the next page of results, set `ListRolesRequest.page_token` to this value. roles: The Roles defined on this resource. r rsrTr rN rrrrrrr9r:rrolesrrrrrBrBD-''*-  T :%rrBc<\rSrSrSr\R "SSSS9rSrg) ListServiceAccountKeysResponseiQzbThe service account keys list response. Fields: keys: The public keys for the service account. ServiceAccountKeyr Tr rN) rrrrrrrkeysrrrrrGrGQs    3Q F$rrGc`\rSrSrSr\R "SSSS9r\R"S5r Sr g ) ListServiceAccountsResponsei[zThe service account list response. Fields: accounts: The list of matching service accounts. nextPageToken: To retrieve the next page of results, set ListServiceAccountsRequest.page_token to this value. rr Tr rrN) rrrrrrraccountsr9r:rrrrrKrK[s. # #$4a$ G(''*-rrKc`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) &ListWorkforcePoolInstalledAppsResponseiha8Response message for ListWorkforcePoolInstalledApps. Fields: nextPageToken: Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. workforcePoolInstalledApps: Output only. A list of workforce pool installed apps. r rrTr rN) rrrrrrr9r:rworkforcePoolInstalledAppsrrrrrNrNhs1''*-(556QST_cdrrNc`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) %ListWorkforcePoolProviderKeysResponseiwaResponse message for ListWorkforcePoolProviderKeys. Fields: nextPageToken: A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. workforcePoolProviderKeys: A list of WorkforcePoolProviderKeys. r r,rTr rN) rrrrrrr9r:rworkforcePoolProviderKeysrrrrrQrQws1''*-'445OQR]abrrQc`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) ,ListWorkforcePoolProviderScimTenantsResponseiafAgentspace only. Response message for ListWorkforcePoolProviderScimTenants. Fields: nextPageToken: Optional. Agentspace only. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. workforcePoolProviderScimTenants: Output only. Agentspace only. A list of SCIM tenants. r rErTr rN) rrrrrrr9r:r workforcePoolProviderScimTenantsrrrrrTrTs1 ''*-%.%;%;<]_`ko%p"rrTc`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) +ListWorkforcePoolProviderScimTokensResponseiacAgentspace only. Response message for ListWorkforcePoolProviderScimTokens. Fields: nextPageToken: Optional. Agentspace only. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. workforcePoolProviderScimTokens: Output only. Agentspace only. A list of SCIM tokens. r rSrTr rN) rrrrrrr9r:rworkforcePoolProviderScimTokensrrrrrWrWs1 ''*-$-$:$:;[]^im$n!rrWc`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) "ListWorkforcePoolProvidersResponseizResponse message for ListWorkforcePoolProviders. Fields: nextPageToken: A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. workforcePoolProviders: A list of providers. r r#rTr rN) rrrrrrr9r:rworkforcePoolProvidersrrrrrZrZs0''*-$112I1W[\rrZc`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) ListWorkforcePoolsResponseizResponse message for ListWorkforcePools. Fields: nextPageToken: A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. workforcePools: A list of pools. r rrTr rN) rrrrrrr9r:rworkforcePoolsrrrrr]r]s-''*-))/1tL.rr]c`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) 1ListWorkloadIdentityPoolManagedIdentitiesResponseia$Response message for ListWorkloadIdentityPoolManagedIdentities. Fields: nextPageToken: A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. workloadIdentityPoolManagedIdentities: A list of managed identities. r rrTr rN) rrrrrrr9r:r%workloadIdentityPoolManagedIdentitiesrrrrr`r`s1''*-*3*@*@Afhitx*y'rr`c`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) *ListWorkloadIdentityPoolNamespacesResponseiaResponse message for ListWorkloadIdentityPoolNamespaces. Fields: nextPageToken: A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. workloadIdentityPoolNamespaces: A list of namespaces. r rrTr rN) rrrrrrr9r:rworkloadIdentityPoolNamespacesrrrrrcrcs1''*-#,#9#9:Y[\gk#l rrcc`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) ,ListWorkloadIdentityPoolProviderKeysResponseia*Response message for ListWorkloadIdentityPoolProviderKeys. Fields: nextPageToken: A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. workloadIdentityPoolProviderKeys: A list of WorkloadIdentityPoolProviderKey r r[rTr rN) rrrrrrr9r:r workloadIdentityPoolProviderKeysrrrrrfrfs1''*-%.%;%;<]_`ko%p"rrfc`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) )ListWorkloadIdentityPoolProvidersResponseia Response message for ListWorkloadIdentityPoolProviders. Fields: nextPageToken: A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. workloadIdentityPoolProviders: A list of providers. r rRrTr rN) rrrrrrr9r:rworkloadIdentityPoolProvidersrrrrriris1''*-"+"8"89WYZei"jrric`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) !ListWorkloadIdentityPoolsResponseizResponse message for ListWorkloadIdentityPools. Fields: nextPageToken: A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. workloadIdentityPools: A list of pools. r rrTr rN) rrrrrrr9r:rworkloadIdentityPoolsrrrrrlrls0''*-#001GUYZrrlc`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) ListWorkloadSourcesResponseizResponse message for ListWorkloadSources. Fields: nextPageToken: A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. workloadSources: A list of workload sources. r rrTr rN) rrrrrrr9r:rworkloadSourcesrrrrroros.''*-**+;QN/rrocF\rSrSrSr"SS\R 5r"SS\R 5r"SS\R 5r \R"SS S S 9r \R"S S S 9r \R"S S S 9r\R"S5r\R"SS5r\R"S5r\R$"S5r\R"S5r\R"S5r\R"S5r\R$"S5r\R"SS5rSrg)ri ab Represents an OauthClient. Used to access Google Cloud resources on behalf of a Workforce Identity Federation user by using OAuth 2.0 Protocol to obtain an access token from Google Cloud. Enums: AllowedGrantTypesValueListEntryValuesEnum: ClientTypeValueValuesEnum: Immutable. The type of OauthClient. Either public or private. For private clients, the client secret can be managed using the dedicated OauthClientCredential resource. StateValueValuesEnum: Output only. The state of the OauthClient. Fields: allowedGrantTypes: Required. The list of OAuth grant types is allowed for the OauthClient. allowedRedirectUris: Required. The list of redirect uris that is allowed to redirect back when authorization process is completed. allowedScopes: Required. The list of scopes that the OauthClient is allowed to request during OAuth flows. The following scopes are supported: * `https://www.googleapis.com/auth/cloud-platform`: See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account. * `openid`: The OAuth client can associate you with your personal information on Google Cloud. * `email`: The OAuth client can read a federated identity's email address. * `groups`: The OAuth client can read a federated identity's groups. clientId: Output only. The system-generated OauthClient id. clientType: Immutable. The type of OauthClient. Either public or private. For private clients, the client secret can be managed using the dedicated OauthClientCredential resource. description: Optional. A user-specified description of the OauthClient. Cannot exceed 256 characters. disabled: Optional. Whether the OauthClient is disabled. You cannot use a disabled OAuth client. displayName: Optional. A user-specified display name of the OauthClient. Cannot exceed 32 characters. expireTime: Output only. Time after which the OauthClient will be permanently purged and cannot be recovered. name: Immutable. Identifier. The resource name of the OauthClient. Format: `projects/{project}/locations/{location}/oauthClients/{oauth_client}`. pkceEnforced: Optional. Indicates whether to enforce PKCE (RFC 7636) for the OauthClient. If not set, the default value is false. Public clients must set this field to true. state: Output only. The state of the OauthClient. c$\rSrSrSrSrSrSrSrg)5OauthClient.AllowedGrantTypesValueListEntryValuesEnumi:zAllowedGrantTypesValueListEntryValuesEnum enum type. Values: GRANT_TYPE_UNSPECIFIED: Should not be used. AUTHORIZATION_CODE_GRANT: Authorization code grant. REFRESH_TOKEN_GRANT: Refresh token grant. rr rrN) rrrrrGRANT_TYPE_UNSPECIFIEDAUTHORIZATION_CODE_GRANTREFRESH_TOKEN_GRANTrrrr)AllowedGrantTypesValueListEntryValuesEnumrs:s rrwc$\rSrSrSrSrSrSrSrg)%OauthClient.ClientTypeValueValuesEnumiFa5Immutable. The type of OauthClient. Either public or private. For private clients, the client secret can be managed using the dedicated OauthClientCredential resource. Values: CLIENT_TYPE_UNSPECIFIED: Should not be used. PUBLIC_CLIENT: Public client has no secret. CONFIDENTIAL_CLIENT: Private client. rr rrN) rrrrrCLIENT_TYPE_UNSPECIFIED PUBLIC_CLIENTCONFIDENTIAL_CLIENTrrrrClientTypeValueValuesEnumryFs Mrr}c$\rSrSrSrSrSrSrSrg) OauthClient.StateValueValuesEnumiTa>Output only. The state of the OauthClient. Values: STATE_UNSPECIFIED: Default value. This value is unused. ACTIVE: The OauthClient is active. DELETED: The OauthClient is soft-deleted. Soft-deleted OauthClient is permanently deleted after approximately 30 days unless restored via `UndeleteOauthClient`. rr rrNr0rrrr4rT FGrr4r Tr rr5r6rr rN)rrrrrrr7rwr}r4r;allowedGrantTypesr9allowedRedirectUris allowedScopesr clientTyperrr8 displayName expireTimer: pkceEnforcedr<rrrrrr s *X )..  )..  Y^^  ))*UWXcgh!--a$?''D9-  " "1 %(""#>B*%%a(+  # #A &(%%a(+$$Q'*   r "$''+,   4b 9%rrc\rSrSrSr\R "S5r\R "S5r\R"S5r \R "S5r \R "S5r \R "S5r S rg ) ripaRepresents an OauthClientCredential. Used to authenticate an OauthClient while accessing Google Cloud resources on behalf of a user by using OAuth 2.0 Protocol. Fields: clientSecret: Output only. The system-generated OAuth client secret. The client secret must be stored securely. If the client secret is leaked, you must delete and re-create the client credential. To learn more, see [OAuth client and credential security risks and mitigations](https://cloud.google.com/iam/docs/workforce-oauth- app#security) createTime: Output only. The timestamp when the OauthClientCredential was created. disabled: Optional. Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential. displayName: Optional. A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters. name: Immutable. Identifier. The resource name of the OauthClientCredential. Format: `projects/{project}/locations/{location}/ oauthClients/{oauth_client}/credentials/{credential}` updateTime: Output only. The timestamp for the last update of the OauthClientCredential. If no updates have been made, the creation time will serve as the designated value. r rr5r6rrrN)rrrrrrr9rrrr8rr: updateTimerrrrrrpsi2&&q),$$Q'*  # #A &(%%a(+   q !$$$Q'*rrc\rSrSrSr\R "SSS9r\R "S5r\R "S5r Sr g ) OidciaRepresents an OpenId Connect 1.0 identity provider. Fields: allowedAudiences: Optional. Acceptable values for the `aud` field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ``` //iam.googleapis.com/ projects//locations//workloadIdentityPools//providers/ https://iam.googl eapis.com/projects//locations//workloadIdentityPools//providers/ ``` issuerUri: Required. The OIDC issuer URL. Must be an HTTPS endpoint. Per OpenID Connect Discovery 1.0 spec, the OIDC issuer URL is used to locate the provider's public keys (via `jwks_uri`) for verifying tokens like the OIDC ID token. These public key types must be 'EC' or 'RSA'. jwksJson: Optional. OIDC JWKs in JSON String format. For details on the definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, the `jwks_uri` from the discovery document(fetched from the .well- known path of the `issuer_uri`) will be used. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] } r Tr rr5rN) rrrrrrr9allowedAudiencesrrrrrrrrs<4**1t<##A&)  " "1 %(rrcz\rSrSrSr\R "S5"SS\R55r \R "S5"SS\R55r \R"S5r \R"S S 5r\R"SS 5r\R "S 5r\R"SS 5rSrg) OperationiaThis resource represents a long-running operation that is the result of a network API call. Messages: MetadataValue: Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. ResponseValue: The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. Fields: done: If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. error: The error result of the operation in case of failure or cancellation. metadata: Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. name: The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. response: The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. rcf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) Operation.MetadataValueiaService-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. Messages: AdditionalProperty: An additional property for a MetadataValue object. Fields: additionalProperties: Properties of the object. Contains field @type with type URL. cb\rSrSrSr\R "S5r\R"SS5r Sr g)*Operation.MetadataValue.AdditionalPropertyizAn additional property for a MetadataValue object. Fields: key: Name of the additional property. value: A extra_types.JsonValue attribute. r extra_types.JsonValuerrNrrrrrr,   ! !! $c$$%.$$Q'*rrc\rSrSrSr"SS\R 5r"SS\R 5r\R"S5r \R"SS5r \R"S 5r\R"S 5r\R"S 5r\R"S 5r\R"SS 5r\R"S5rSrg) PermissioniSa A permission which can be included by a role. Enums: CustomRolesSupportLevelValueValuesEnum: The current custom role support level. StageValueValuesEnum: The current launch stage of the permission. Fields: apiDisabled: The service API associated with the permission is not enabled. customRolesSupportLevel: The current custom role support level. description: A brief description of what this Permission is used for. name: The name of this Permission. onlyInPredefinedRoles: A boolean attribute. primaryPermission: The preferred name for this permission. If present, then this permission is an alias of, and equivalent to, the listed primary_permission. stage: The current launch stage of the permission. title: The title of this Permission. c$\rSrSrSrSrSrSrSrg)1Permission.CustomRolesSupportLevelValueValuesEnumiiaThe current custom role support level. Values: SUPPORTED: Default state. Permission is fully supported for custom role use. TESTING: Permission is being tested to check custom role compatibility. NOT_SUPPORTED: Permission is not supported for custom role use. rr rrN) rrrrr SUPPORTEDTESTING NOT_SUPPORTEDrrrr&CustomRolesSupportLevelValueValuesEnumrisIGMrrc(\rSrSrSrSrSrSrSrSr g) Permission.StageValueValuesEnumivaThe current launch stage of the permission. Values: ALPHA: The permission is currently in an alpha phase. BETA: The permission is currently in a beta phase. GA: The permission is generally available. DEPRECATED: The permission is being deprecated. rr rr5rN) rrrrrALPHABETAGAr/rrrrStageValueValuesEnumrvs E D BJrrr rr5r6rrrrrN)rrrrrrr7rrr apiDisabledr;customRolesSupportLevelr9rr:onlyInPredefinedRolesprimaryPermissionstagerrrrrrrSs* y~~  Y^^ &&q)+%//0XZ[\%%a(+   q !$#003++A.   4a 8%    "%rrc\\rSrSrSr\R "SSS9r\R "SSS9rSr g) r(izA PermissionDelta message to record the added_permissions and removed_permissions inside a role. Fields: addedPermissions: Added permissions. removedPermissions: Removed permissions. r Tr rrN) rrrrrrr9addedPermissionsremovedPermissionsrrrrr(r(s/**1t< ,,Q>rr(c\rSrSrSr\R "SSSS9r\R "SSSS9r\R"S 5r \R"S \RRS 9rS rg )PolicyiawAn Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members`, or principals, to a single `role`. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource- policies). **JSON example:** ``` { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } ``` **YAML example:** ``` bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/). Fields: auditConfigs: Specifies cloud audit logging configuration for this policy. bindings: Associates a list of `members`, or principals, with a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one principal. The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the `bindings` grant 50 different roles to `user:alice@example.com`, and not to any other principal, then you can add another 1,450 principals to the `bindings` in the `Policy`. etag: `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the `etag` in the read- modify-write cycle to perform policy updates in order to avoid race conditions: An `etag` is returned in the response to `getIamPolicy`, and systems are expected to put that etag in the request to `setIamPolicy` to ensure that their change will be applied to the same version of the policy. **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost. version: Specifies the format of the policy. Valid values are `0`, `1`, and `3`. Requests that specify an invalid value are rejected. Any operation that affects conditional role bindings must specify version `3`. This requirement applies to the following operations: * Getting a policy that includes a conditional role binding * Adding a conditional role binding to a policy * Changing a conditional role binding in a policy * Removing any role binding, with or without a condition, from a policy that includes conditions **Important:** If you use IAM Conditions, you must include the `etag` field whenever you call `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a version `3` policy with a version `1` policy, and all of the conditions in the version `3` policy are lost. If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource- policies). rBr Tr rarr5r6rrN)rrrrrrr auditConfigsbindingsrrrrrversionrrrrrrsaEN'' q4H,  # #Iq4 @(   a $  " "1i.?.?.E.E F'rrc<\rSrSrSr\R "SSSS9rSrg) rJizrThe difference delta between two policies. Fields: bindingDeltas: The delta for Bindings between two policies. rhr Tr rN) rrrrrrr bindingDeltasrrrrrJrJs ((TJ-rrJc<\rSrSrSr\R "S5rSrg)QueryAuditableServicesRequestiaA request to get the list of auditable services for a resource. Fields: fullResourceName: Required. The full resource name to query from the list of auditable services. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id `my- project` will be named `//cloudresourcemanager.googleapis.com/projects/my-project`. r rN) rrrrrrr9rrrrrrrs**1-rrc<\rSrSrSr\R "SSSS9rSrg) QueryAuditableServicesResponseizA response containing a list of auditable services for a resource. Fields: services: The auditable services for a resource. rYr Tr rN) rrrrrrrservicesrrrrrrs  # #$6D I(rrc\rSrSrSr"SS\R 5r\R"S5r \R"S\RRS9r \R"S5r\R"SS 5rS rg ) QueryGrantableRolesRequesti aThe grantable role query request. Enums: ViewValueValuesEnum: Fields: fullResourceName: Required. Required. The full resource name to query from the list of grantable roles. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id `my- project` will be named `//cloudresourcemanager.googleapis.com/projects/my-project`. pageSize: Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 2,000. pageToken: Optional pagination token returned in an earlier QueryGrantableRolesResponse. view: A ViewValueValuesEnum attribute. c \rSrSrSrSrSrSrg).QueryGrantableRolesRequest.ViewValueValuesEnumizViewValueValuesEnum enum type. Values: BASIC: Omits the `included_permissions` field. This is the default value. FULL: Returns all fields. rr rNrrrrrrs E Drrr rrr5r6rN)rrrrrrr7rr9rrrrrrr;rrrrrrr sk$  INN  **1-  # #Ay/@/@/F/F G(##A&)   2A 6$rrc`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) QueryGrantableRolesResponsei/zThe grantable role query response. Fields: nextPageToken: To retrieve the next page of results, set `QueryGrantableRolesRequest.page_token` to this value. roles: The list of matching roles. r rsrTr rNrCrrrrr/rErrc\rSrSrSr\R "S5r\R"S\RRS9r \R "S5r Sr g) QueryTestablePermissionsRequesti<ajA request to get permissions which can be tested on a resource. Fields: fullResourceName: Required. The full resource name to query from the list of testable permissions. The name follows the Google Cloud Platform resource format. For example, a Cloud Platform project with id `my- project` will be named `//cloudresourcemanager.googleapis.com/projects/my-project`. pageSize: Optional limit on the number of permissions to include in the response. The default is 100, and the maximum is 1,000. pageToken: Optional pagination token returned in an earlier QueryTestablePermissionsRequest. r rrr5rN)rrrrrrr9rrrrrrrrrrrr<sH **1-  # #Ay/@/@/F/F G(##A&)rrc`\rSrSrSr\R "S5r\R"SSSS9r Sr g ) QueryTestablePermissionsResponseiPaThe response containing permissions which can be tested on a resource. Fields: nextPageToken: To retrieve the next page of results, set `QueryTestableRolesRequest.page_token` to this value. permissions: The Permissions testable on the requested resource. r rrTr rN) rrrrrrr9r:r permissionsrrrrrrPs-''*-&&|QF+rrc\rSrSrSr"SS\R 5r\R"S5r \R"SS5r Sr g) ReconciliationOperationMetadatai]aOperation metadata returned by the CLH during resource state reconciliation. Enums: ExclusiveActionValueValuesEnum: Excluisive action returned by the CLH. Fields: deleteResource: DEPRECATED. Use exclusive_action instead. exclusiveAction: Excluisive action returned by the CLH. c$\rSrSrSrSrSrSrSrg)>ReconciliationOperationMetadata.ExclusiveActionValueValuesEnumiiaExcluisive action returned by the CLH. Values: UNKNOWN_REPAIR_ACTION: Unknown repair action. DELETE: The resource has to be deleted. When using this bit, the CLH should fail the operation. DEPRECATED. Instead use DELETE_RESOURCE OperationSignal in SideChannel. RETRY: This resource could not be repaired but the repair should be tried again at a later time. This can happen if there is a dependency that needs to be resolved first- e.g. if a parent resource must be repaired before a child resource. rr rrN) rrrrrUNKNOWN_REPAIR_ACTIONDELETERETRYrrrrExclusiveActionValueValuesEnumris  F Errr rrN) rrrrrrr7rrdeleteResourcer;exclusiveActionrrrrrr]s< y~~"))!,.''(H!L/rrc>\rSrSrSr\R "SS5rSrg)ri~zuRequest message for RemoveAttestationRule. Fields: attestationRule: Required. The attestation rule to be removed. r!r rNr"rrrrr~r$rrc>\rSrSrSr"SS\R 5r\R"S5r \R"S5r \R"S5r \R"SS S 9r\R"S 5r\R "SS 5r\R"S 5rSrg)rsiabA role in the Identity and Access Management API. Enums: StageValueValuesEnum: The current launch stage of the role. If the `ALPHA` launch stage has been selected for a role, the `stage` field will not be included in the returned definition for the role. Fields: deleted: The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole. description: Optional. A human-readable description for the role. etag: Used to perform a consistent read-modify-write. includedPermissions: The names of the permissions this role grants when bound in an IAM policy. name: The name of the role. When `Role` is used in `CreateRole`, the role name must not be set. When `Role` is used in output and other input such as `UpdateRole`, the role name is the complete path. For example, `roles/logging.viewer` for predefined roles, `organizations/{ORGANIZATION_ID}/roles/myRole` for organization-level custom roles, and `projects/{PROJECT_ID}/roles/myRole` for project-level custom roles. stage: The current launch stage of the role. If the `ALPHA` launch stage has been selected for a role, the `stage` field will not be included in the returned definition for the role. title: Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes. c0\rSrSrSrSrSrSrSrSr Sr S r g ) Role.StageValueValuesEnumiaThe current launch stage of the role. If the `ALPHA` launch stage has been selected for a role, the `stage` field will not be included in the returned definition for the role. Values: ALPHA: The user has indicated this role is currently in an Alpha phase. If this launch stage is selected, the `stage` field will not be included when requesting the definition for a given role. BETA: The user has indicated this role is currently in a Beta phase. GA: The user has indicated this role is generally available. DEPRECATED: The user has indicated this role is being deprecated. DISABLED: This role is disabled and will not contribute permissions to any principals it is granted to in policies. EAP: The user has indicated this role is currently in an EAP phase. rr rr5r6rrN) rrrrrrrrr/DISABLEDEAPrrrrrrs' E D BJH Crrr rr5r6Tr rrrrN)rrrrrrr7rrdeletedr9rrrincludedPermissionsr:r;rrrrrrrsrss8 Y^^ .  " "1 %'%%a(+   a $!--a$?   q !$   4a 8%    "%rrsc<\rSrSrSr\R "S5rSrg)SamliaRepresents an SAML 2.0 identity provider. Fields: idpMetadataXml: Required. SAML identity provider (IdP) configuration metadata XML doc. The XML document must comply with the [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml- metadata-2.0-os.pdf). The maximum size of an acceptable XML document is 128K characters. The SAML metadata XML document must satisfy the following constraints: * Must contain an IdP Entity ID. * Must contain at least one non-expired signing certificate. * For each signing certificate, the expiration must be: * From no more than 7 days in the future. * To no more than 25 years in the future. * Up to three IdP signing keys are allowed. When updating the provider's metadata XML, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata. r rNrrrrrrrrrc\\rSrSrSr\R "S5r\R"S5r \R "S5r \R "S5r \R"S5r \R "S5r\R "S 5r\R "S 5r\R "S 5rS rg )riaAn IAM service account. A service account is an account for an application or a virtual machine (VM) instance, not a person. You can use a service account to call Google APIs. To learn more, read the [overview of service accounts](https://cloud.google.com/iam/help/service- accounts/overview). When you create a service account, you specify the project ID that owns the service account, as well as a name that must be unique within the project. IAM uses these values to create an email address that identifies the service account. // Fields: description: Optional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes. disabled: Output only. Whether the service account is disabled. displayName: Optional. A user-specified, human-readable name for the service account. The maximum length is 100 UTF-8 bytes. email: Output only. The email address of the service account. etag: Deprecated. Do not use. name: The resource name of the service account. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. oauth2ClientId: Output only. The OAuth 2.0 client ID for the service account. projectId: Output only. The ID of the project that owns the service account. uniqueId: Output only. The unique, stable numeric ID for the service account. Each service account retains its unique ID even if you delete the service account. For example, if you delete a service account, then create a new service account with the same name, the new service account has a different unique ID than the deleted service account. r rr5r6rrrrrrN)rrrrrrr9rrr8remailrrr:oauth2ClientId projectIduniqueIdrrrrrrs%N%%a(+  # #A &(%%a(+    "%   a $   q !$((+.##A&)  " "1 %(rrc\rSrSrSr"SS\R 5r"SS\R 5r"SS\R 5r "S S \R 5r "S S \R 5r \R"SS 5r \R"S5r\R "SSSS9r\R"SS5r\R"SS5r\R"S S5r\R*"S5r\R."S5r\R"S S5r\R."S5r\R*"S5r\R*"S5rSrg)rHia Represents a service account key. A service account has two sets of key- pairs: user-managed, and system-managed. User-managed key-pairs can be created and deleted by users. Users are responsible for rotating these keys periodically to ensure security of their service accounts. Users retain the private key of these key-pairs, and Google retains ONLY the public key. System-managed keys are automatically rotated by Google, and are used for signing for a maximum of two weeks. The rotation process is probabilistic, and usage of the new key will gradually ramp up and down over the key's lifetime. If you cache the public key set for a service account, we recommend that you update the cache every 15 minutes. User-managed keys can be added and removed at any time, so it is important to update the cache frequently. For Google-managed keys, Google will publish a key at least 6 hours before it is first used for signing and will keep publishing it for at least 6 hours after it was last used for signing. Public keys for all service accounts are also published at the OAuth2 Service Account API. Enums: DisableReasonValueValuesEnum: Output only. optional. If the key is disabled, it may have a DisableReason describing why it was disabled. KeyAlgorithmValueValuesEnum: Specifies the algorithm (and possibly key size) for the key. KeyOriginValueValuesEnum: The key origin. KeyTypeValueValuesEnum: The key type. PrivateKeyTypeValueValuesEnum: The output format for the private key. Only provided in `CreateServiceAccountKey` responses, not in `GetServiceAccountKey` or `ListServiceAccountKey` responses. Google never exposes system-managed private keys, and never retains user- managed private keys. Fields: disableReason: Output only. optional. If the key is disabled, it may have a DisableReason describing why it was disabled. disabled: The key status. extendedStatus: Output only. Extended Status provides permanent information about a service account key. For example, if this key was detected as exposed or compromised, that information will remain for the lifetime of the key in the extended_status. keyAlgorithm: Specifies the algorithm (and possibly key size) for the key. keyOrigin: The key origin. keyType: The key type. name: The resource name of the service account key in the following format `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. privateKeyData: The private key data. Only provided in `CreateServiceAccountKey` responses. Make sure to keep the private key data secure because it allows for the assertion of the service account identity. When base64 decoded, the private key data can be used to authenticate with Google API client libraries and with gcloud auth activate-service-account. privateKeyType: The output format for the private key. Only provided in `CreateServiceAccountKey` responses, not in `GetServiceAccountKey` or `ListServiceAccountKey` responses. Google never exposes system-managed private keys, and never retains user-managed private keys. publicKeyData: The public key data. Only provided in `GetServiceAccountKey` responses. validAfterTime: The key can be used after this timestamp. validBeforeTime: The key can be used before this timestamp. For system- managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time. c(\rSrSrSrSrSrSrSrSr g) .ServiceAccountKey.DisableReasonValueValuesEnumiLafOutput only. optional. If the key is disabled, it may have a DisableReason describing why it was disabled. Values: SERVICE_ACCOUNT_KEY_DISABLE_REASON_UNSPECIFIED: Unspecified disable reason SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED: Disabled by the user SERVICE_ACCOUNT_KEY_DISABLE_REASON_EXPOSED: Google detected this Service Account external key's private key data as exposed, typically in a public repository on GitHub or similar. SERVICE_ACCOUNT_KEY_DISABLE_REASON_COMPROMISE_DETECTED: This service account external key was detected as compromised and used by an attacker. rr rr5rNrrrrDisableReasonValueValuesEnumrLs! 67289512.=>:rrc$\rSrSrSrSrSrSrSrg)-ServiceAccountKey.KeyAlgorithmValueValuesEnumi`zSpecifies the algorithm (and possibly key size) for the key. Values: KEY_ALG_UNSPECIFIED: An unspecified key algorithm. KEY_ALG_RSA_1024: 1k RSA Key. KEY_ALG_RSA_2048: 2k RSA Key. rr rrNryrrrr}r`srr}c$\rSrSrSrSrSrSrSrg)*ServiceAccountKey.KeyOriginValueValuesEnumilzThe key origin. Values: ORIGIN_UNSPECIFIED: Unspecified key origin. USER_PROVIDED: Key is provided by user. GOOGLE_PROVIDED: Key is provided by Google. rr rrN) rrrrrORIGIN_UNSPECIFIED USER_PROVIDEDGOOGLE_PROVIDEDrrrrKeyOriginValueValuesEnumrlsMOrrc$\rSrSrSrSrSrSrSrg)(ServiceAccountKey.KeyTypeValueValuesEnumixaThe key type. Values: KEY_TYPE_UNSPECIFIED: Unspecified key type. The presence of this in the message will immediately result in an error. USER_MANAGED: User-managed keys (managed and rotated by the user). SYSTEM_MANAGED: System-managed keys (managed and rotated by Google). rr rrNrrrrKeyTypeValueValuesEnumrxsLNrrc$\rSrSrSrSrSrSrSrg)/ServiceAccountKey.PrivateKeyTypeValueValuesEnumia8The output format for the private key. Only provided in `CreateServiceAccountKey` responses, not in `GetServiceAccountKey` or `ListServiceAccountKey` responses. Google never exposes system-managed private keys, and never retains user-managed private keys. Values: TYPE_UNSPECIFIED: Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`. TYPE_PKCS12_FILE: PKCS12 format. The password for the PKCS12 file is `notasecret`. For more information, see https://tools.ietf.org/html/rfc7292. TYPE_GOOGLE_CREDENTIALS_FILE: Google Credentials File format. rr rrNrrrrrrs #$ rrr rrr5Tr r6rrrrrrrrrN)rrrrrrr7rr}rrrr; disableReasonrr8rextendedStatusr keyOriginkeyTyper9r:rprivateKeyDatar publicKeyDatavalidAfterTimevalidBeforeTimerrrrrHrHs.;z?Y^^?( INN    y~~ %inn%$%%&DaH-  # #A &())*:AM.$$%BAF,!!"" to include in api requests. uploadType: Legacy upload protocol for media (e.g. "media", "multipart"). upload_protocol: Upload protocol for media (e.g. "raw", "multipart"). c$\rSrSrSrSrSrSrSrg)*StandardQueryParameters.AltValueValuesEnumiBzData format for response. Values: json: Responses with Content-Type of application/json media: Media download with context-dependent Content-Type proto: Responses with Content-Type of application/x-protobuf rr rrN) rrrrrjsonmediaprotorrrrAltValueValuesEnumr&Bs D E Err*c \rSrSrSrSrSrSrg)-StandardQueryParameters.FXgafvValueValuesEnumiNzFV1 error format. Values: _1: v1 error format _2: v2 error format rr rN)rrrrr_1_2rrrrFXgafvValueValuesEnumr,Ns B Brr/r rr5r')defaultr6rrrrTrrrrrN)rrrrrrr7r*r/r;f__xgafvr9 access_tokenaltcallbackfieldsr oauth_tokenr prettyPrint quotaUsertrace uploadTypeupload_protocolrrrrr$r$'s4 9>>  inn  !8! <(&&q),0!VD#  " "1 %(   #&a #%%a(+&&q$7+##A&)    #%$$R(*))"-/rr$c\rSrSrSr\R "S5"SS\R55r \R"S\RRS9r \R"SSS S 9r\R "S 5rS rg )rifaThe `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). Messages: DetailsValueListEntry: A DetailsValueListEntry object. Fields: code: The status code, which should be an enum value of google.rpc.Code. details: A list of messages that carry the error details. There is a common set of message types for APIs to use. message: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. rcf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) Status.DetailsValueListEntryizzA DetailsValueListEntry object. Messages: AdditionalProperty: An additional property for a DetailsValueListEntry object. Fields: additionalProperties: Properties of the object. Contains field @type with type URL. cb\rSrSrSr\R "S5r\R"SS5r Sr g)/Status.DetailsValueListEntry.AdditionalPropertyizAn additional property for a DetailsValueListEntry object. Fields: key: Name of the additional property. value: A extra_types.JsonValue attribute. r rrrNrrrrrr@rrrr Tr rNrrrrDetailsValueListEntryr>zs4  AY.. A%112FTXYrrAr rrTr r5rN)rrrrrrrrrrArrrcoderdetailsr9messagerrrrrrfs|& !!"89Zi//Z:Z2   9+<+<+B+B C$  " "#:A M'  ! !! $'rrc:\rSrSrSr\R "SSS9rSrg)rzia3Request message for `TestIamPermissions` method. Fields: permissions: The set of permissions to check for the `resource`. Permissions with wildcards (such as `*` or `storage.*`) are not allowed. For more information see [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions). r Tr rN rrrrrrr9rrrrrrzrzs%%a$7+rrzc:\rSrSrSr\R "SSS9rSrg)TestIamPermissionsResponseizResponse message for `TestIamPermissions` method. Fields: permissions: A subset of `TestPermissionsRequest.permissions` that the caller is allowed. r Tr rNrFrrrrHrHs%%a$7+rrHc<\rSrSrSr\R "S5rSrg) TrustAnchorizRepresents a root of trust. Fields: pemCertificate: PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert). r rNrrrrrJrJs((+.rrJc\rSrSrSr\R "SSSS9r\R "SSSS9r\R"S 5r S r g ) riaHTrust store that contains trust anchors and optional intermediate CAs used in PKI to build a trust chain(trust hierarchy) and verify a client's identity. Fields: intermediateCas: Optional. Set of intermediate CA certificates used for building the trust chain to the trust anchor. Important: Intermediate CAs are only supported for X.509 federation. trustAnchors: Required. List of trust anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be in the trust chain of one of the trust anchors here. trustDefaultSharedCa: Optional. If set to True, the trust bundle will include the private ca managed identity regional root public certificates. Important: `trust_default_shared_ca` is only supported for managed identity trust domain resource. rr Tr rJrr5rN) rrrrrrrintermediateCas trustAnchorsrtrustDefaultSharedCarrrrrrsC"**+;QN/'' q4H,"//2rrc<\rSrSrSr\R "S5rSrg)rizRequest message for UndeleteOauthClient. Fields: validateOnly: Optional. If set, validate the request and preview the response, but do not actually post it. r rN rrrrrrrrrrrrrr''*,rrc<\rSrSrSr\R "S5rSrg)rizkThe request to undelete an existing role. Fields: etag: Used to perform a consistent read-modify-write. r rN) rrrrrrrrrrrrrrs   a $rrc\rSrSrSrSrg)riz%The service account undelete request.rNrrrrrrs.rrc>\rSrSrSr\R "SS5rSrg)UndeleteServiceAccountResponseizpA UndeleteServiceAccountResponse object. Fields: restoredAccount: Metadata for the restored service account. rr rN) rrrrrrrrestoredAccountrrrrrUrUs **+;Q?/rrUc<\rSrSrSr\R "S5rSrg)rizRequest message for UndeleteWorkforcePoolInstalledApp. Fields: validateOnly: Optional. If set, validate the request and preview the response, but do not actually post it. r rNrPrrrrrrQrrc\rSrSrSrSrg)r:iz5Request message for UndeleteWorkforcePoolProviderKey.rNrrrrr:r:s>rr:c\rSrSrSrSrg)rhiz2Request message for UndeleteWorkforcePoolProvider.rNrrrrrhrhs;rrhc\rSrSrSrSrg)rdi zNAgentspace only. Request message for UndeleteWorkforcePoolProviderScimTenant. rNrrrrrdrd rrdc\rSrSrSrSrg)r`izMAgentspace only. Request message for UndeleteWorkforcePoolProviderScimToken. rNrrrrr`r`r[rr`c\rSrSrSrSrg)riz*Request message for UndeleteWorkforcePool.rNrrrrrrs3rrc\rSrSrSrSrg)rviz1Request message for UndeleteWorkforcePoolSubject.rNrrrrrvrv:rrvc\rSrSrSrSrg)riz@Request message for UndeleteWorkloadIdentityPoolManagedIdentity.rNrrrrrrsIrrc\rSrSrSrSrg)r>i#z:Request message for UndeleteWorkloadIdentityPoolNamespace.rNrrrrr>r>#Crr>c\rSrSrSrSrg)rhi'zWorkforcePoolProvider.AttributeMappingValue.AdditionalPropertyiAn additional property for a AttributeMappingValue object. Fields: key: Name of the additional property. value: A string attribute. r rrNrrrrrr~rrrr Tr rNrrrrAttributeMappingValuer|s35n 'Y.. '%112FTXYrrr rr5r6rrrrrrrrrrr rN)!rrrrrrr7rxr4rrrrr9attributeConditionrattributeMappingattributeSyncIntervalrrdetailedAuditLoggingr8rrextendedAttributesOauth2ClientextraAttributesOauth2Clientr:oidcsamlr; scimUsager<rrrrr#r#sogR Y^^  !!"89CZi//CZ:CZJ!,,Q/++,CQG#//2%%a(+"//2  # #A &(%%a(+$$Q'*#,#9#9:|~$A ) 6 67y{} ~   r "$    KR P$    KR P$!!"> $$Q'*  " "9a 0'   q !$(()JAN   4a 8%0!4#rr,c\rSrSrSr"SS\R 5r\R"S5"SS\R55r \R"S5r \R"SS 5r\R"S 5r\R"S 5r\R"S 5r\R"S 5r\R"S5r\R*"SS5rSrg)rEi!aAgentspace only. Represents a SCIM tenant. Used for provisioning and managing identity data (such as Users and Groups) in cross-domain environments. Enums: StateValueValuesEnum: Output only. Agentspace only. The state of the tenant. Messages: ClaimMappingValue: Optional. Agentspace only. Maps BYOID claims to SCIM claims. Fields: baseUri: Output only. Agentspace only. Represents the base URI as defined in [RFC 7644, Section 1.3](https://datatracker.ietf.org/doc/html/rfc7644#section-1.3). Clients must use this as the root address for managing resources under the tenant. Format: https://iamscim.googleapis.com/{version}/{tenant_id}/ claimMapping: Optional. Agentspace only. Maps BYOID claims to SCIM claims. description: Optional. Agentspace only. The description of the SCIM tenant. Cannot exceed 256 characters. displayName: Optional. Agentspace only. The display name of the SCIM tenant. Cannot exceed 32 characters. name: Identifier. Agentspace only. The resource name of the SCIM Tenant. Format: `locations/{location}/workforcePools/{workforce_pool}/providers/ {workforce_pool_provider}/scimTenants/{scim_tenant}` purgeTime: Output only. Agentspace only. The timestamp that represents the time when the SCIM tenant is purged. serviceAgent: Output only. Service Agent created by SCIM Tenant API. SCIM tokens created under this tenant will be attached to this service agent. state: Output only. Agentspace only. The state of the tenant. c$\rSrSrSrSrSrSrSrg)4WorkforcePoolProviderScimTenant.StateValueValuesEnumiCabOutput only. Agentspace only. The state of the tenant. Values: STATE_UNSPECIFIED: Agentspace only. State unspecified. ACTIVE: Agentspace only. The tenant is active and may be used to provision users and groups. DELETED: Agentspace only. The tenant is soft-deleted. Soft-deleted tenants are permanently deleted after approximately 30 days. rr rrNr0rrrr4rCrrr4rcf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) 1WorkforcePoolProviderScimTenant.ClaimMappingValueiQzOptional. Agentspace only. Maps BYOID claims to SCIM claims. Messages: AdditionalProperty: An additional property for a ClaimMappingValue object. Fields: additionalProperties: Additional properties of type ClaimMappingValue c`\rSrSrSr\R "S5r\R "S5rSr g)DWorkforcePoolProviderScimTenant.ClaimMappingValue.AdditionalPropertyi]zAn additional property for a ClaimMappingValue object. Fields: key: Name of the additional property. value: A string attribute. r rrNrrrrrr]rrrr Tr rNrrrrClaimMappingValuerQs2 'Y.. '%112FTXYrrr rr5r6rrrrrN)rrrrrrr7r4rrrrr9baseUrir claimMappingrrr: purgeTime serviceAgentr;r<rrrrrErE!sB Y^^  !!"89Z)++Z:Z0  ! !! $'''(;Q?,%%a(+%%a(+   q !$##A&)&&q),   4a 8%rrEc\rSrSrSr"SS\R 5r\R"S5r \R"S5r \R"S5r \R"SS5r S rg ) rSitaAgentspace only. Represents a token for the WorkforcePoolProviderScimTenant. Used for authenticating SCIM provisioning requests. Enums: StateValueValuesEnum: Output only. Agentspace only. The state of the token. Fields: displayName: Optional. Agentspace only. The display name of the SCIM token. Cannot exceed 32 characters. name: Identifier. Agentspace only. The resource name of the SCIM Token. Format: `locations/{location}/workforcePools/{workforce_pool}/providers/ {workforce_pool_provider}/scimTenants/{scim_tenant}/tokens/{token}` securityToken: Output only. Agentspace only. The token string. Provide this to the IdP for authentication. Will be set only during creation. state: Output only. Agentspace only. The state of the token. c$\rSrSrSrSrSrSrSrg)3WorkforcePoolProviderScimToken.StateValueValuesEnumia^Output only. Agentspace only. The state of the token. Values: STATE_UNSPECIFIED: Agentspace only. State unspecified. ACTIVE: Agentspace only. The token is active and may be used to provision users and groups. DELETED: Agentspace only. The token is soft-deleted. Soft-deleted tokens are permanently deleted after approximately 30 days. rr rrNr0rrrr4rrrr4r rr5r6rN)rrrrrrr7r4r9rr: securityTokenr;r<rrrrrSrSts\& Y^^ %%a(+   q !$''*-   4a 8%rrSc\rSrSrSr"SS\R 5r"SS\R 5r\R"S5r \R"S5r \R"S 5r \R"S 5r\R"S 5r\R "S S 5r\R "SS5r\R&"SS5r\R"S5r\R"S5r\R&"SS5rSrg)riaRepresents a collection of workload identities. You can define IAM policies to grant these identities access to Google Cloud resources. Enums: ModeValueValuesEnum: Immutable. The mode the pool is operating in. StateValueValuesEnum: Output only. The state of the pool. Fields: description: Optional. A description of the pool. Cannot exceed 256 characters. disabled: Optional. Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again. displayName: Optional. A display name for the pool. Cannot exceed 32 characters. enableMeshCaCompatibility: Optional. If set to true, - the generated trust bundle for the workloads in this trust domain will include the Cloud Service Mesh certificate authority's root CA certificates. - the certificate chain for the workload in this trust domain will be signed by the Cloud Service Mesh certificate authority root CA. expireTime: Output only. Time after which the workload identity pool will be permanently purged and cannot be recovered. inlineCertificateIssuanceConfig: Optional. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. inlineTrustConfig: Optional. Represents config to add additional trusted trust domains. mode: Immutable. The mode the pool is operating in. name: Output only. The resource name of the pool. sessionDuration: Overrides the lifespan of access tokens issued when federating using this pool. If not set, the lifespan of issued access tokens is computed based on the type of identity provider: - For AWS providers, the default access token lifespan is equal to 15 minutes. - For OIDC providers, the default access token lifespan is equal to the remaining lifespan of the exchanged OIDC ID token, with a maximum limit of 1 hour. If set, session duration must be between 2 minutes and 12 hours. Organization administrators can further restrict the maximum allowed session_duration value using the iam- workloadIdentitySessionDuration Resource Setting. state: Output only. The state of the pool. c$\rSrSrSrSrSrSrSrg)(WorkloadIdentityPool.ModeValueValuesEnumiaImmutable. The mode the pool is operating in. Values: MODE_UNSPECIFIED: State unspecified. New pools should not use this mode. Pools with an unspecified mode will operate as if they are in federation-only mode. FEDERATION_ONLY: Federation-only mode. Federation-only pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a federation-only pool, and you cannot create any resources within the pool besides providers. TRUST_DOMAIN: Trust-domain mode. Trust-domain pools can be used to assign identities to Google Cloud workloads. All identities within a trust-domain pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: `ns//sa/` WorkloadIdentityPoolProviders cannot be created within trust-domain pools. rr rrN) rrrrrMODE_UNSPECIFIEDFEDERATION_ONLY TRUST_DOMAINrrrrModeValueValuesEnumrs&OLrrc$\rSrSrSrSrSrSrSrg))WorkloadIdentityPool.StateValueValuesEnumiacOutput only. The state of the pool. Values: STATE_UNSPECIFIED: State unspecified. ACTIVE: The pool is active, and may be used in Google Cloud policies. DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again. rr rrNr0rrrr4rrjrr4r rr5r6rrrrrrrrrrN)rrrrrrr7rr4r9rrr8renableMeshCaCompatibilityrrinlineCertificateIssuanceConfiginlineTrustConfigr;moder:rlr<rrrrrrs)VINN0Y^^$%%a(+  # #A &(%%a(+'44Q7$$Q'*$-$:$:;\^_$`!,,-@!D   2A 6$   q !$))"-/   4b 9%rrc\rSrSrSr"SS\R 5r\R"S5r \R"S5r \R"S5r \R"S5r \R"SS 5rS rg ) riaRepresents a managed identity for a workload identity pool namespace. Enums: StateValueValuesEnum: Output only. The state of the managed identity. Fields: description: Optional. A description of the managed identity. Cannot exceed 256 characters. disabled: Optional. Whether the managed identity is disabled. If disabled, credentials may no longer be issued for the identity, however existing credentials will still be accepted until they expire. expireTime: Output only. Time after which the managed identity will be permanently purged and cannot be recovered. name: Output only. The resource name of the managed identity. state: Output only. The state of the managed identity. c$\rSrSrSrSrSrSrSrg)8WorkloadIdentityPoolManagedIdentity.StateValueValuesEnumiaOutput only. The state of the managed identity. Values: STATE_UNSPECIFIED: State unspecified. ACTIVE: The managed identity is active. DELETED: The managed identity is soft-deleted. Soft-deleted managed identities are permanently deleted after approximately 30 days. You can restore a soft-deleted managed identity using UndeleteWorkloadIdentityPoolManagedIdentity. You cannot reuse the ID of a soft-deleted managed identity until it is permanently deleted. rr rrNr0rrrr4r  FGrr4r rr5r6rrN)rrrrrrr7r4r9rrr8rr:r;r<rrrrrrsl"Y^^ %%a(+  # #A &($$Q'*   q !$   4a 8%rrc\rSrSrSr"SS\R 5r\R"S5r \R"S5r \R"S5r \R"S5r \R"S S 5r\R "SS 5rS rg )ri(a1Represents a namespace for a workload identity pool. Namespaces are used to segment identities within the pool. Enums: StateValueValuesEnum: Output only. The state of the namespace. Fields: description: Optional. A description of the namespace. Cannot exceed 256 characters. disabled: Optional. Whether the namespace is disabled. If disabled, credentials may no longer be issued for identities within this namespace, however existing credentials will still be accepted until they expire. expireTime: Output only. Time after which the namespace will be permanently purged and cannot be recovered. name: Output only. The resource name of the namespace. ownerService: Output only. The Google Cloud service that owns this namespace. state: Output only. The state of the namespace. c$\rSrSrSrSrSrSrSrg)2WorkloadIdentityPoolNamespace.StateValueValuesEnumi>aOutput only. The state of the namespace. Values: STATE_UNSPECIFIED: State unspecified. ACTIVE: The namespace is active. DELETED: The namespace is soft-deleted. Soft-deleted namespaces are permanently deleted after approximately 30 days. You can restore a soft-deleted namespace using UndeleteWorkloadIdentityPoolNamespace. You cannot reuse the ID of a soft-deleted namespace until it is permanently deleted. rr rrNr0rrrr4r>rrr4r rr5r6rrrrN)rrrrrrr7r4r9rrr8rr:r ownerServicer;r<rrrrrr(s~*Y^^ %%a(+  # #A &($$Q'*   q !$'':,   4a 8%rrc\rSrSrSrSrg)%WorkloadIdentityPoolOperationMetadataiVz:Metadata for long-running WorkloadIdentityPool operations.rNrrrrrrVrbrrcR\rSrSrSr"SS\R 5r\R"S5"SS\R55r \R"S5r \R"SS 5r\R"S S 5r\R"S 5r\R$"S 5r\R"S5r\R"S5r\R"S5r\R"SS5r\R"SS5r\R2"SS5r\R"SS5rSrg)rRiZaA configuration for an external identity provider. Enums: StateValueValuesEnum: Output only. The state of the provider. Messages: AttributeMappingValue: Optional. Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as `subject` and `segment`. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported: * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 bytes. * `google.groups`: Groups the external identity belongs to. You can grant groups access to resources using an IAM `principalSet` binding; access applies to all members of the group. You can also provide custom attributes by specifying `attribute.{custom_attribute}`, where `{custom_attribute}` is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example: * `google.subject`: `principal://iam.googleapis. com/projects/{project}/locations/{location}/workloadIdentityPools/{pool} /subject/{value}` * `google.groups`: `principalSet://iam.googleapis.com/ projects/{project}/locations/{location}/workloadIdentityPools/{pool}/gro up/{value}` * `attribute.{custom_attribute}`: `principalSet://iam.google apis.com/projects/{project}/locations/{location}/workloadIdentityPools/{ pool}/attribute.{custom_attribute}/{value}` Each value must be a [Common Expression Language] (https://opensource.google/projects/cel) function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the `assertion` keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, if no attribute mapping is defined, the following default mapping applies: ``` { "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed- role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", } ``` If any custom attribute mappings are defined, they must include a mapping to the `google.subject` attribute. For OIDC providers, you must supply a custom mapping, which must include the `google.subject` attribute. For example, the following maps the `sub` claim of the incoming credential to the `subject` attribute on a Google token: ``` {"google.subject": "assertion.sub"} ``` Fields: attributeCondition: Optional. [A Common Expression Language](https://opensource.google/projects/cel) expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions: * `assertion`: JSON representing the authentication credential issued by the provider. * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`. * `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`. The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credential are accepted. The following example shows how to only allow credentials with a mapped `google.groups` value of `admins`: ``` "'admins' in google.groups" ``` attributeMapping: Optional. Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as `subject` and `segment`. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported: * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 bytes. * `google.groups`: Groups the external identity belongs to. You can grant groups access to resources using an IAM `principalSet` binding; access applies to all members of the group. You can also provide custom attributes by specifying `attribute.{custom_attribute}`, where `{custom_attribute}` is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example: * `google.subject`: `principal://iam.googleapis. com/projects/{project}/locations/{location}/workloadIdentityPools/{pool} /subject/{value}` * `google.groups`: `principalSet://iam.googleapis.com/ projects/{project}/locations/{location}/workloadIdentityPools/{pool}/gro up/{value}` * `attribute.{custom_attribute}`: `principalSet://iam.google apis.com/projects/{project}/locations/{location}/workloadIdentityPools/{ pool}/attribute.{custom_attribute}/{value}` Each value must be a [Common Expression Language] (https://opensource.google/projects/cel) function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the `assertion` keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, if no attribute mapping is defined, the following default mapping applies: ``` { "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed- role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", } ``` If any custom attribute mappings are defined, they must include a mapping to the `google.subject` attribute. For OIDC providers, you must supply a custom mapping, which must include the `google.subject` attribute. For example, the following maps the `sub` claim of the incoming credential to the `subject` attribute on a Google token: ``` {"google.subject": "assertion.sub"} ``` aws: An Amazon Web Services identity provider. description: Optional. A description for the provider. Cannot exceed 256 characters. disabled: Optional. Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access. displayName: Optional. A display name for the provider. Cannot exceed 32 characters. expireTime: Output only. Time after which the workload identity pool provider will be permanently purged and cannot be recovered. name: Output only. The resource name of the provider. oidc: An OpenId Connect 1.0 identity provider. saml: An SAML 2.0 identity provider. state: Output only. The state of the provider. x509: An X.509-type identity provider. c$\rSrSrSrSrSrSrSrg)1WorkloadIdentityPoolProvider.StateValueValuesEnumiaOutput only. The state of the provider. Values: STATE_UNSPECIFIED: State unspecified. ACTIVE: The provider is active, and may be used to validate authentication credentials. DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted. rr rrNr0rrrr4rs  FGrr4rcf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) 2WorkloadIdentityPoolProvider.AttributeMappingValueia Optional. Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as `subject` and `segment`. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported: * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 bytes. * `google.groups`: Groups the external identity belongs to. You can grant groups access to resources using an IAM `principalSet` binding; access applies to all members of the group. You can also provide custom attributes by specifying `attribute.{custom_attribute}`, where `{custom_attribute}` is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example: * `google.subject`: `principal://iam.googleapis.com/projects/{project}/locations/{location}/wo rkloadIdentityPools/{pool}/subject/{value}` * `google.groups`: `principalS et://iam.googleapis.com/projects/{project}/locations/{location}/workloadId entityPools/{pool}/group/{value}` * `attribute.{custom_attribute}`: `princ ipalSet://iam.googleapis.com/projects/{project}/locations/{location}/workl oadIdentityPools/{pool}/attribute.{custom_attribute}/{value}` Each value must be a [Common Expression Language] (https://opensource.google/projects/cel) function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the `assertion` keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, if no attribute mapping is defined, the following default mapping applies: ``` { "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", } ``` If any custom attribute mappings are defined, they must include a mapping to the `google.subject` attribute. For OIDC providers, you must supply a custom mapping, which must include the `google.subject` attribute. For example, the following maps the `sub` claim of the incoming credential to the `subject` attribute on a Google token: ``` {"google.subject": "assertion.sub"} ``` Messages: AdditionalProperty: An additional property for a AttributeMappingValue object. Fields: additionalProperties: Additional properties of type AttributeMappingValue c`\rSrSrSr\R "S5r\R "S5rSr g)EWorkloadIdentityPoolProvider.AttributeMappingValue.AdditionalPropertyirr rrNrrrrrrrrrr Tr rNrrrrrrs31f 'Y.. '%112FTXYrrr rr]r5r6rrrrrrrrrX509rrN)rrrrrrr7r4rrrrr9rrrawsrrr8rrr:rrr;r<x509rrrrrRrRZswrY^^" !!"89?Zi//?Z:?ZB!,,Q/++,CQGua(#%%a(+  # #A &(%%a(+$$Q'*   q !$    *$    +$   4b 9%    +$rrRc&\rSrSrSr"SS\R 5r"SS\R 5r\R"S5r \R"SS 5r \R"S 5r \R"SS 5r\R"SS 5rS rg)r[i5aRepresents a public key configuration for your workload identity pool provider. The key can be configured in your identity provider to encrypt the SAML assertions. Google holds the corresponding private key which it uses to decrypt encrypted tokens. Enums: StateValueValuesEnum: Output only. The state of the key. UseValueValuesEnum: Required. The purpose of the key. Fields: expireTime: Output only. Time after which the key will be permanently purged and cannot be recovered. Note that the key may get purged before this timestamp if the total limit of keys per provider is crossed. keyData: Immutable. Public half of the asymmetric key. name: Output only. The resource name of the key. state: Output only. The state of the key. use: Required. The purpose of the key. c$\rSrSrSrSrSrSrSrg)4WorkloadIdentityPoolProviderKey.StateValueValuesEnumiIa{Output only. The state of the key. Values: STATE_UNSPECIFIED: State unspecified. ACTIVE: The key is active. DELETED: The key is soft-deleted. Soft-deleted keys are permanently deleted after approximately 30 days. You can restore a soft-deleted key using UndeleteWorkloadIdentityPoolProviderKey. While a key is deleted, you cannot use it during the federation. rr rrNr0rrrr4rIrprr4c \rSrSrSrSrSrSrg)2WorkloadIdentityPoolProviderKey.UseValueValuesEnumiXzRequired. The purpose of the key. Values: KEY_USE_UNSPECIFIED: The key use is not known. ENCRYPTION: The public key is used for encryption purposes. rr rN)rrrrrrrrrrrrrXs Jrrr r rr5r6rrN)rrrrrrr7r4rr9rrrr:r;r<rrrrrr[r[5s& Y^^ 9>>$$Q'*  " "9a 0'   q !$   4a 8%0!4#rr[c\rSrSrSr\R "S5r\R"SSSS9r \R "S5r \R"S S SS9r S r g ) riia5Defines which workloads can attest an identity within a pool. When a WorkloadSource is defined under a namespace, matching workloads may receive any identity within that namespace. When a WorkloadSource is defined under a managed identity, matching workloads may receive that specific identity. Each WorkloadSource may set at most 50 workload selectors. Fields: etag: Optional. The etag for this resource. If this is provided on update, it must match the server's etag. identityAssignments: Optional. Defines how a matched workload has its identity assigned. This option may only be set when the Workload Source is defined on a Namespace. name: Output only. The resource name of the workload source. If ID of the WorkloadSource resource determines which workloads may be matched. The following formats are supported: - `project-{project_number}` matches workloads within the referenced Google Cloud project. singleAttributeSelectors: Optional. Defines the set of attributes that a workload must attest in order to be matched by the policy. r rrTr r5rr6rN) rrrrrrr9rridentityAssignmentsr:rrrrrrrisW(   q !$!../CQQUV   q !$&334Mq[_`rrc>\rSrSrSr\R "SS5rSrg)riaAn X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Fields: trustStore: Required. A TrustStore. Use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the X.509 guidelines to define those PEM encoded certs. Only one trust store is currently supported. rr rN) rrrrrrr trustStorerrrrrrs %%lA6*rrr1z$.xgafvr-1r.2rzoptions.requestedPolicyVersionN('r __future__rapitools.base.protorpcliterrapitools.base.pyrrpackagerr rr&r+r!rBrHrDrYr]rarhrrrvrrrrrrrcrrrrrrrrrrrrrrrrr r rrrrr r"r'r)r+r0r2r4r7r9r=r@rBrDrIrLrNrPrRrWrYr[r]r_rcrgrkrqrsruryrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr rrrrr!r%r'r+r-r1r3r5r7r9r;r=rArCrErGrIrKrMrOrQrVrXrZr_rarcrergrkrmrorqrurwryr{r}rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr rrr r8r<r?rBrGrKrNrQrTrWrZr]r`rcrfrirlrorrrrrrrrr(rrJrrrrrrrrrsrrrHr r rlrrrrrr$rrzrHrJrrrrrUrr:rhrdr`rrvrr>rhrrr~rrrr#r,rErSrrrrrRr[rrAddCustomJsonFieldMappingAddCustomJsonEnumMappingr/rrrrs]'<%( 8**8"A 1 1A AY&& A")##"D 1i'' 1%)##%: 9 !! 9=Y&&=D"y(("')  'T"iT"n "9$$ "F $ )) $3KY%6%63Kl ?)"3"3 ? (ki&7&7(kV.9#4#4.I  1Y%6%61-)"3"3-!#9  !#H#Y&&#D:)++:Vy((V*IAyGXGXIAX$V_VgVg$4d 0A0Ad<bI-> =5y7H7H5&1y7H7H11I4E4E189;L;L8"19;L;L11 8I8I1*9J9J*,1)BSBS1 qY=N=N q*Y5F5F**1i>O>O1 Mi6G6G M ?)BSBS?( 1)BSBS 1 1y?P?P 1* @Q@Q*,aARARa"> HYHY>* 1 HYHY 1 1YEVEV 1*iFWFW*._yGXGX_$})J[J[}" IDUDU  k9J9J k II4E4E I 1i6G6G 11Y=N=N1i 8I8Ii" U):K:K U [ 0A0A [3):):3<1):):1< 1i&7&7 1F@7y'8'8@7F( (9(9(@I9+<+<I>3I4E4E3&3y?P?P3( +y?P?P + 1IO>O(" +I4E4E +11B1B1*)2C2C*& (93D3D ( Wi6G6G W 5IZIZ 54Y=N=N4&1Y=N=N1 59CTCT 5 1):K:K159K\K\54*9;L;L*( 5S\SdSd 5 =yGXGX=*1yGXGX15YM^M^5"1IDUDU15U^UfUf54*YEVEV*( 5dmdudu 5CXaXiXiC*1XaXiXi15^g^o^o5"1U^UfUf15fofwfw54*V_VgVg**1_h_p_p1 iW`WhWh i 5gpgxgx 5 Wenevev WI^g^o^oI"UdmduduU" GZcZkZk G.gpgxgx.( 1gpgxgx 11dmdudu13enevev3$1nwnn1?fofwfw?& 1iN_N_ 1 ]iFWFW ] 5V_VgVg 5 WT]TeTe WIYM^M^I"US\SdSdU$ {IZIZ {.V_VgVg.( 1V_VgVg 1 1S\SdSd 13T]TeTe3$1]f]n]n1?U^UfUf?&1IDUDU1 KI 1i.?.? 11i.?.?1*1y/@/@1.1i.?.?1.5I4E4E5419+<+<1*1)2C2C101)2C2C1,193D3D121)2C2C12(Iy/@/@(IV*1 0A0A*1Z_)2C2C_0'I,=,='&WY->->W. II4E4E I A 0A0AA2?y/@/@?2 U):K:K U ] 0A0A]. 1** 1F@7)++@7Fa**a"n1i&7&7n1b?T ))?TD ,Y&& ,6+i6+r. ))." G** GH0""H0V +9#4#4 +]):):] Iy00 I ; )) ;GY%6%6G +)"3"3 + eY->-> e cI,=,= c q93D3D q o)2C2C o ]):): ] M!2!2 M z 8I8I z m1B1B m q93D3D q k 0A0A k [ (9(9 [ O)"3"3 O`:)##`:F(I--(D&9  &@i8 !!i8X" ))"4.9$$. (!2!2 ( 8#""8#v ?i'' ?KGY  KG\K)##K .I$5$5 .JY%6%6J!7!2!2!7H ;)"3"3 ;'i&7&7'( Gy'8'8 GMi&7&7MBA9#4#4A:#9  :#z,9  ,,0&Y&&0&fT. ))T.n$I%%$Q!2!2Q()++(" (i'' (&y((&$%Y&&%('i'''$#i//#*<.i//<.~0%Y  0%f 8 1 1 88!2!28,)##,3""3.+!2!2+!)++!/I$5$5/@Y%6%6@+y/@/@+?i.?.??<9+<+<<Y5F5FI4E4E49#4#44;)*;*;;J9J9JJD93D3DDFY5F5FFC)2C2CC;)*;*;; *Y%6%6 *=9I%%=9@5( 1 15(p]:I--]:@ F5y00F5RP9i&7&7P9f%9Y%6%6%9P`:9,,`:F&9)*;*;&9R+9I$5$5+9\DI,=,=DX,9#4#4X,v15i&7&715haY&&a6 79   7 ""Z4!!114>!!114>""13SUuwr