BSrSSKJr SSKJr SSKJr Sr"SS\R5r "SS \R5r "S S \R5r "S S \R5r "SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"S S!\R5r"S"S#\R5r"S$S%\R5r"S&S'\R5r"S(S)\R5r"S*S+\R5r\R:"\S,S-5 \R<"\R>S.S/5 \R<"\R>S0S15 g2)3zGenerated message classes for iamcredentials version v1. Creates short-lived credentials for impersonating IAM service accounts. Disabling this API also disables the IAM API (iam.googleapis.com). However, enabling this API doesn't enable the IAM API. )absolute_import)messages)encodingiamcredentialsc\rSrSrSr\R "SSS9r\R "S5r\R "SSS9r Sr g ) GenerateAccessTokenRequestaA GenerateAccessTokenRequest object. Fields: delegates: The sequence of service accounts in a delegation chain. This field is required for [delegated requests](https://cloud.google.com/iam/help/credentials/delegated- request). For [direct requests](https://cloud.google.com/iam/help/credentials/direct-request), which are more common, do not specify this field. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. lifetime: The desired lifetime duration of the access token in seconds. By default, the maximum allowed value is 1 hour. To set a lifetime of up to 12 hours, you can add the service account as an allowed value in an Organization Policy that enforces the `constraints/iam.allowServiceAccountCredentialLifetimeExtension` constraint. See detailed instructions at https://cloud.google.com/iam/help/credentials/lifetime If a value is not specified, the token's lifetime will be set to a default value of 1 hour. scope: Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required. TrepeatedN) __name__ __module__ __qualname____firstlineno____doc__ _messages StringField delegateslifetimescope__static_attributes__rYlib/googlecloudsdk/generated_clients/apis/iamcredentials/v1/iamcredentials_v1_messages.pyrrs>@##A5)  " "1 %(   D 1%rrc`\rSrSrSr\R "S5r\R "S5rSr g)GenerateAccessTokenResponse8zA GenerateAccessTokenResponse object. Fields: accessToken: The OAuth 2.0 access token. expireTime: Token expiration time. The expiration time is always set. r r rN) rrrrrrr accessToken expireTimerrrrrr8s)%%a(+$$Q'*rrc\rSrSrSr\R "S5r\R "SSS9r\R"S5r \R"S5r S r g ) GenerateIdTokenRequestDaA GenerateIdTokenRequest object. Fields: audience: Required. The audience for the token, such as the API or account that this token grants access to. delegates: The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. includeEmail: Include the service account email in the token. If set to `true`, the token will contain `email` and `email_verified` claims. organizationNumberIncluded: Include the organization number of the service account in the token. If set to `true`, the token will contain a `google.organization_number` claim. The value of the claim will be `null` if the service account isn't associated with an organization. r r Tr rrN) rrrrrrraudiencer BooleanField includeEmailorganizationNumberIncludedrrrrr#r#DsL. " "1 %(##A5)''*,(55a8rr#c<\rSrSrSr\R "S5rSrg)GenerateIdTokenResponseba}A GenerateIdTokenResponse object. Fields: token: The OpenId Connect ID token. The token is a JSON Web Token (JWT) that contains a payload with claims. See the [JSON Web Token spec](https://tools.ietf.org/html/rfc7519) for more information. Here is an example of a decoded JWT payload: ``` { "iss": "https://accounts.google.com", "iat": 1496953245, "exp": 1496953245, "aud": "https://www.example.com", "sub": "107517467455664443765", "azp": "107517467455664443765", "email": "my-iam-account@my- project.iam.gserviceaccount.com", "email_verified": true, "google": { "organization_number": 123456 } } ``` r rN) rrrrrrrtokenrrrrr+r+bs     "%rr+c:\rSrSrSr\R "SSS9rSrg)?IamcredentialsLocationsWorkforcePoolsGetAllowedLocationsRequesttzA IamcredentialsLocationsWorkforcePoolsGetAllowedLocationsRequest object. Fields: name: Required. Resource name of workforce pool. r TrequiredrN rrrrrrrnamerrrrr/r/t   q4 0$rr/c:\rSrSrSr\R "SSS9rSrg)NIamcredentialsProjectsLocationsWorkloadIdentityPoolsGetAllowedLocationsRequestzA IamcredentialsProjectsLocationsWorkloadIdentityPoolsGetAllowedLocation sRequest object. Fields: name: Required. Resource name of workload identity pool. r Tr1rNr3rrrr7r7r5rr7c`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) ?IamcredentialsProjectsServiceAccountsGenerateAccessTokenRequestaA IamcredentialsProjectsServiceAccountsGenerateAccessTokenRequest object. Fields: generateAccessTokenRequest: A GenerateAccessTokenRequest resource to be passed as the request body. name: Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. rr r Tr1rN) rrrrrr MessageFieldgenerateAccessTokenRequestrr4rrrrr:r:s0  )556RTUV   q4 0$rr:c`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) ;IamcredentialsProjectsServiceAccountsGenerateIdTokenRequestaA IamcredentialsProjectsServiceAccountsGenerateIdTokenRequest object. Fields: generateIdTokenRequest: A GenerateIdTokenRequest resource to be passed as the request body. name: Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. r#r r Tr1rN) rrrrrrr<generateIdTokenRequestrr4rrrrr?r?s/ %112JAN   q4 0$rr?c:\rSrSrSr\R "SSS9rSrg)?IamcredentialsProjectsServiceAccountsGetAllowedLocationsRequestzA IamcredentialsProjectsServiceAccountsGetAllowedLocationsRequest object. Fields: name: Required. Resource name of service account. r Tr1rNr3rrrrCrCr5rrCc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) 4IamcredentialsProjectsServiceAccountsSignBlobRequestaA IamcredentialsProjectsServiceAccountsSignBlobRequest object. Fields: name: Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. signBlobRequest: A SignBlobRequest resource to be passed as the request body. r Tr1SignBlobRequestr rN) rrrrrrrr4r<signBlobRequestrrrrrFrFs.    q4 0$**+.rrKc^\rSrSrSr\R "S5r\R "SSS9rSr g) ServiceAccountAllowedLocationsaRepresents a list of allowed locations for given service account. Fields: encodedLocations: Output only. The hex encoded bitmap of the trust boundary locations locations: Output only. The human readable trust boundary locations. For example, ["us-central1", "europe-west1"] r r Tr rN rrrrrrrencodedLocations locationsrrrrrPrP,**1-##A5)rrPc^\rSrSrSr\R "SSS9r\R"S5r Sr g) rHaA SignBlobRequest object. Fields: delegates: The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. payload: Required. The bytes to sign. r Tr r rN) rrrrrrrr BytesFieldpayloadrrrrrHrHs+ ##A5)   #'rrHc`\rSrSrSr\R "S5r\R"S5r Sr g)SignBlobResponseaA SignBlobResponse object. Fields: keyId: The ID of the key used to sign the blob. The key used for signing will remain valid for at least 12 hours after the blob is signed. To verify the signature, you can retrieve the public key in several formats from the following endpoints: - RSA public key wrapped in an X.509 v3 certificate: `https://www.googleapis.com/service_accounts/v1/metadata/x5 09/{ACCOUNT_EMAIL}` - Raw key in JSON format: `https://www.googleapis.co m/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}` - JSON Web Key (JWK): `https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACC OUNT_EMAIL}` signedBlob: The signature for the blob. Does not include the original blob. After the key pair referenced by the `key_id` response field expires, Google no longer exposes the public key that can be used to verify the blob. As a result, the receiver can no longer verify the signature. r r rN) rrrrrrrkeyIdrX signedBlobrrrrr[r[s)&    "%##A&*rr[c^\rSrSrSr\R "SSS9r\R "S5rSr g) rMiaA SignJwtRequest object. Fields: delegates: The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. payload: Required. The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. For example: `{"sub": "user@example.com", "iat": 313435}` If the JWT Claims Set contains an expiration time (`exp`) claim, it must be an integer timestamp that is not in the past and no more than 12 hours in the future. r Tr r rN) rrrrrrrrrYrrrrrMrMs+(##A5)  ! !! $'rrMc`\rSrSrSr\R "S5r\R "S5rSr g)SignJwtResponsei.a7A SignJwtResponse object. Fields: keyId: The ID of the key used to sign the JWT. The key used for signing will remain valid for at least 12 hours after the JWT is signed. To verify the signature, you can retrieve the public key in several formats from the following endpoints: - RSA public key wrapped in an X.509 v3 certificate: `https://www.googleapis.com/service_accounts/v1/metadata/x5 09/{ACCOUNT_EMAIL}` - Raw key in JSON format: `https://www.googleapis.co m/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}` - JSON Web Key (JWK): `https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACC OUNT_EMAIL}` signedJwt: The signed JWT. Contains the automatically generated header; the client-supplied payload; and the signature, which is generated using the key referenced by the `kid` field in the header. After the key pair referenced by the `key_id` response field expires, Google no longer exposes the public key that can be used to verify the JWT. As a result, the receiver can no longer verify the signature. r r rN) rrrrrrrr] signedJwtrrrrrara.s)(    "%##A&)rrac\rSrSrSr"SS\R 5r"SS\R 5r\R"SS5r \R"S5r \R"SS S S 9r \R"S 5r\R"S 5r\R"S5r\R"S5r\R$"SSS 9r\R"S5r\R"S5r\R"S5r\R"S5rSrg)StandardQueryParametersiGaQuery parameters accepted by all methods. Enums: FXgafvValueValuesEnum: V1 error format. AltValueValuesEnum: Data format for response. Fields: f__xgafv: V1 error format. access_token: OAuth access token. alt: Data format for response. callback: JSONP fields: Selector specifying which fields to include in a partial response. key: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token. oauth_token: OAuth 2.0 token for the current user. prettyPrint: Returns response with indentations and line breaks. quotaUser: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters. trace: A tracing token of the form "token:" to include in api requests. uploadType: Legacy upload protocol for media (e.g. "media", "multipart"). upload_protocol: Upload protocol for media (e.g. "raw", "multipart"). c$\rSrSrSrSrSrSrSrg)*StandardQueryParameters.AltValueValuesEnumibzData format for response. Values: json: Responses with Content-Type of application/json media: Media download with context-dependent Content-Type proto: Responses with Content-Type of application/x-protobuf rr r rN) rrrrrjsonmediaprotorrrrAltValueValuesEnumrfbs D E Errjc \rSrSrSrSrSrSrg)-StandardQueryParameters.FXgafvValueValuesEnuminzFV1 error format. Values: _1: v1 error format _2: v2 error format rr rN)rrrrr_1_2rrrrFXgafvValueValuesEnumrlns B Brror r rrg)defaultr%T rN)rrrrrrEnumrjro EnumFieldf__xgafvr access_tokenaltcallbackfieldskey oauth_tokenr' prettyPrint quotaUsertrace uploadTypeupload_protocolrrrrrdrdGs4 9>>  inn  !8! <(&&q),0!VD#  " "1 %(   #&a #%%a(+&&q$7+##A&)    #%$$R(*))"-/rrdc^\rSrSrSr\R "S5r\R "SSS9rSr g) WorkforcePoolAllowedLocationsiaRepresents a list of allowed locations for given workforce pool. Fields: encodedLocations: Output only. The hex encoded bitmap of the trust boundary locations locations: Output only. The human readable trust boundary locations. For example, ["us-central1", "europe-west1"] r r Tr rNrRrrrrrrUrrc^\rSrSrSr\R "S5r\R "SSS9rSr g) $WorkloadIdentityPoolAllowedLocationsia&Represents a list of allowed locations for given workload identity pool. Fields: encodedLocations: Output only. The hex encoded bitmap of the trust boundary locations locations: Output only. The human readable trust boundary locations. For example, ["us-central1", "europe-west1"] r r Tr rNrRrrrrrrUrrr{z$.xgafvrm1rn2N) r __future__rapitools.base.protorpcliterrapitools.base.pyrpackageMessagerrr#r+r/r7r:r?rCrFrKrPrHr[rMrardrrAddCustomJsonFieldMappingAddCustomJsonEnumMappingrorrrrs'<% #2!2!2#2L ()"3"3 (9Y..9<#i//#$1iFWFW11U^UfUf11iFWFW1$1)BSBS1"1iFWFW1A9;L;LA"?):K:K?" 6Y%6%6 6$i''$*'y(('0%Y&&%2'i'''2<.i//<.~ 6I$5$5 6 69+<+< 6 ""Z4!!114>!!114>r