Diffstat (limited to 'google/iam/credentials/v1/common.proto')
-rw-r--r-- | google/iam/credentials/v1/common.proto | 223 |
1 files changed, 223 insertions, 0 deletions
diff --git a/google/iam/credentials/v1/common.proto b/google/iam/credentials/v1/common.proto
new file mode 100644
index 000000000..09e8ea8bb
--- /dev/null
+++ b/google/iam/credentials/v1/common.proto
@@ -0,0 +1,223 @@
+// Copyright 2018 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.iam.credentials.v1;
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/timestamp.proto";
+
+option cc_enable_arenas = true;
+option go_package = "google.golang.org/genproto/googleapis/iam/credentials/v1;credentials";
+option java_multiple_files = true;
+option java_outer_classname = "IAMCredentialsCommonProto";
+option java_package = "com.google.cloud.iam.credentials.v1";
+
+message GenerateAccessTokenRequest {
+ // The resource name of the service account for which the credentials
+ // are requested, in the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ string name = 1;
+
+ // The sequence of service accounts in a delegation chain. Each service
+ // account must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on its next service account in the chain. The last service account in the
+ // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on the service account that is specified in the `name` field of the
+ // request.
+ //
+ // The delegates must have the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ repeated string delegates = 2;
+
+ // Code to identify the scopes to be included in the OAuth 2.0 access token.
+ // See https://developers.google.com/identity/protocols/googlescopes for more
+ // information.
+ // At least one value required.
+ repeated string scope = 4;
+
+ // The desired lifetime duration of the access token in seconds.
+ // Must be set to a value less than or equal to 3600 (1 hour). If a value is
+ // not specified, the token's lifetime will be set to a default value of one
+ // hour.
+ google.protobuf.Duration lifetime = 7;
+}
+
+message GenerateAccessTokenResponse {
+ // The OAuth 2.0 access token.
+ string access_token = 1;
+
+ // Token expiration time.
+ // The expiration time is always set.
+ google.protobuf.Timestamp expire_time = 3;
+}
+
+message SignBlobRequest {
+ // The resource name of the service account for which the credentials
+ // are requested, in the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ string name = 1;
+
+ // The sequence of service accounts in a delegation chain. Each service
+ // account must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on its next service account in the chain. The last service account in the
+ // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on the service account that is specified in the `name` field of the
+ // request.
+ //
+ // The delegates must have the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ repeated string delegates = 3;
+
+ // The bytes to sign.
+ bytes payload = 5;
+}
+
+message SignBlobResponse {
+ // The ID of the key used to sign the blob.
+ string key_id = 1;
+
+ // The signed blob.
+ bytes signed_blob = 4;
+}
+
+message SignJwtRequest {
+ // The resource name of the service account for which the credentials
+ // are requested, in the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ string name = 1;
+
+ // The sequence of service accounts in a delegation chain. Each service
+ // account must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on its next service account in the chain. The last service account in the
+ // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on the service account that is specified in the `name` field of the
+ // request.
+ //
+ // The delegates must have the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ repeated string delegates = 3;
+
+ // The JWT payload to sign: a JSON object that contains a JWT Claims Set.
+ string payload = 5;
+}
+
+message SignJwtResponse {
+ // The ID of the key used to sign the JWT.
+ string key_id = 1;
+
+ // The signed JWT.
+ string signed_jwt = 2;
+}
+
+message GenerateIdTokenRequest {
+ // The resource name of the service account for which the credentials
+ // are requested, in the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ string name = 1;
+
+ // The sequence of service accounts in a delegation chain. Each service
+ // account must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on its next service account in the chain. The last service account in the
+ // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on the service account that is specified in the `name` field of the
+ // request.
+ //
+ // The delegates must have the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ repeated string delegates = 2;
+
+ // The audience for the token, such as the API or account that this token
+ // grants access to.
+ string audience = 3;
+
+ // Include the service account email in the token. If set to `true`, the
+ // token will contain `email` and `email_verified` claims.
+ bool include_email = 4;
+}
+
+message GenerateIdTokenResponse {
+ // The OpenId Connect ID token.
+ string token = 1;
+}
+
+message GenerateIdentityBindingAccessTokenRequest {
+ // The resource name of the service account for which the credentials
+ // are requested, in the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ string name = 1;
+
+ // Code to identify the scopes to be included in the OAuth 2.0 access token.
+ // See https://developers.google.com/identity/protocols/googlescopes for more
+ // information.
+ // At least one value required.
+ repeated string scope = 2;
+
+ // Required. Input token.
+ // Must be in JWT format according to
+ // RFC7523 (https://tools.ietf.org/html/rfc7523)
+ // and must have 'kid' field in the header.
+ // Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+ // Mandatory payload fields (along the lines of RFC 7523, section 3):
+ // - iss: issuer of the token. Must provide a discovery document at
+ // $iss/.well-known/openid-configuration . The document needs to be
+ // formatted according to section 4.2 of the OpenID Connect Discovery
+ // 1.0 specification.
+ // - iat: Issue time in seconds since epoch. Must be in the past.
+ // - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+ // after iat. We recommend to create tokens that last shorter than 6
+ // hours to improve security unless business reasons mandate longer
+ // expiration times. Shorter token lifetimes are generally more secure
+ // since tokens that have been exfiltrated by attackers can be used for
+ // a shorter time. you can configure the maximum lifetime of the
+ // incoming token in the configuration of the mapper.
+ // The resulting Google token will expire within an hour or at "exp",
+ // whichever is earlier.
+ // - sub: JWT subject, identity asserted in the JWT.
+ // - aud: Configured in the mapper policy. By default the service account
+ // email.
+ //
+ // Claims from the incoming token can be transferred into the output token
+ // accoding to the mapper configuration. The outgoing claim size is limited.
+ // Outgoing claims size must be less than 4kB serialized as JSON without
+ // whitespace.
+ //
+ // Example header:
+ // {
+ // "alg": "RS256",
+ // "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+ // }
+ // Example payload:
+ // {
+ // "iss": "https://accounts.google.com",
+ // "iat": 1517963104,
+ // "exp": 1517966704,
+ // "aud": "https://iamcredentials.googleapis.com/",
+ // "sub": "113475438248934895348",
+ // "my_claims": {
+ // "additional_claim": "value"
+ // }
+ // }
+ string jwt = 3;
+}
+
+message GenerateIdentityBindingAccessTokenResponse {
+ // The OAuth 2.0 access token.
+ string access_token = 1;
+
+ // Token expiration time.
+ // The expiration time is always set.
+ google.protobuf.Timestamp expire_time = 2;
+}
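Review bot: Several messages skip field numbers without reserving them — `GenerateAccessTokenRequest` goes 1, 2, 4, 7, `GenerateAccessTokenResponse` uses 1 and 3, `SignBlobRequest` 1, 3, 5, `SignBlobResponse` 1 and 4, `SignJwtRequest` 1, 3, 5 — which reads as fields that existed in an earlier revision and were dropped. If those numbers were ever emitted by any writer, a future field landing on the same number would silently reinterpret old data, so add e.g. `reserved 3, 5, 6;` to `GenerateAccessTokenRequest` (and the corresponding gaps in the others) or a comment stating the gaps were never used. Separately, the `lifetime` comment says "in seconds" while the field is a `google.protobuf.Duration`; rewording it to `// The desired lifetime of the access token. Must not exceed 3600 seconds (1 hour).` avoids callers assuming a scalar. `bool include_email = 4;` and the singular name for `repeated string scope` are fixed-for-life once published; since this is a new file, an enum and the plural `scopes` are cheap to adopt now and breaking to change later.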