Diffstat (limited to 'google/iam/credentials/v1/common.proto')
-rw-r--r--google/iam/credentials/v1/common.proto223
1 files changed, 223 insertions, 0 deletions
diff --git a/google/iam/credentials/v1/common.proto b/google/iam/credentials/v1/common.proto
new file mode 100644
index 000000000..09e8ea8bb
--- /dev/null
+++ b/google/iam/credentials/v1/common.proto
@@ -0,0 +1,223 @@
+// Copyright 2018 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.iam.credentials.v1;
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/timestamp.proto";
+
+option cc_enable_arenas = true;
+option go_package = "google.golang.org/genproto/googleapis/iam/credentials/v1;credentials";
+option java_multiple_files = true;
+option java_outer_classname = "IAMCredentialsCommonProto";
+option java_package = "com.google.cloud.iam.credentials.v1";
+
+message GenerateAccessTokenRequest {
+ // The resource name of the service account for which the credentials
+ // are requested, in the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ string name = 1;
+
+ // The sequence of service accounts in a delegation chain. Each service
+ // account must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on its next service account in the chain. The last service account in the
+ // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on the service account that is specified in the `name` field of the
+ // request.
+ //
+ // The delegates must have the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ repeated string delegates = 2;
+
+ // Code to identify the scopes to be included in the OAuth 2.0 access token.
+ // See https://developers.google.com/identity/protocols/googlescopes for more
+ // information.
+ // At least one value required.
+ repeated string scope = 4;
+
+ // The desired lifetime duration of the access token in seconds.
+ // Must be set to a value less than or equal to 3600 (1 hour). If a value is
+ // not specified, the token's lifetime will be set to a default value of one
+ // hour.
+ google.protobuf.Duration lifetime = 7;
+}
+
+message GenerateAccessTokenResponse {
+ // The OAuth 2.0 access token.
+ string access_token = 1;
+
+ // Token expiration time.
+ // The expiration time is always set.
+ google.protobuf.Timestamp expire_time = 3;
+}
+
+message SignBlobRequest {
+ // The resource name of the service account for which the credentials
+ // are requested, in the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ string name = 1;
+
+ // The sequence of service accounts in a delegation chain. Each service
+ // account must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on its next service account in the chain. The last service account in the
+ // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on the service account that is specified in the `name` field of the
+ // request.
+ //
+ // The delegates must have the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ repeated string delegates = 3;
+
+ // The bytes to sign.
+ bytes payload = 5;
+}
+
+message SignBlobResponse {
+ // The ID of the key used to sign the blob.
+ string key_id = 1;
+
+ // The signed blob.
+ bytes signed_blob = 4;
+}
+
+message SignJwtRequest {
+ // The resource name of the service account for which the credentials
+ // are requested, in the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ string name = 1;
+
+ // The sequence of service accounts in a delegation chain. Each service
+ // account must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on its next service account in the chain. The last service account in the
+ // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on the service account that is specified in the `name` field of the
+ // request.
+ //
+ // The delegates must have the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ repeated string delegates = 3;
+
+ // The JWT payload to sign: a JSON object that contains a JWT Claims Set.
+ string payload = 5;
+}
+
+message SignJwtResponse {
+ // The ID of the key used to sign the JWT.
+ string key_id = 1;
+
+ // The signed JWT.
+ string signed_jwt = 2;
+}
+
+message GenerateIdTokenRequest {
+ // The resource name of the service account for which the credentials
+ // are requested, in the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ string name = 1;
+
+ // The sequence of service accounts in a delegation chain. Each service
+ // account must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on its next service account in the chain. The last service account in the
+ // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+ // on the service account that is specified in the `name` field of the
+ // request.
+ //
+ // The delegates must have the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+ repeated string delegates = 2;
+
+ // The audience for the token, such as the API or account that this token
+ // grants access to.
+ string audience = 3;
+
+ // Include the service account email in the token. If set to `true`, the
+ // token will contain `email` and `email_verified` claims.
+ bool include_email = 4;
+}
+
+message GenerateIdTokenResponse {
+ // The OpenId Connect ID token.
+ string token = 1;
+}
+
+message GenerateIdentityBindingAccessTokenRequest {
+ // The resource name of the service account for which the credentials
+ // are requested, in the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ string name = 1;
+
+ // Code to identify the scopes to be included in the OAuth 2.0 access token.
+ // See https://developers.google.com/identity/protocols/googlescopes for more
+ // information.
+ // At least one value required.
+ repeated string scope = 2;
+
+ // Required. Input token.
+ // Must be in JWT format according to
+ // RFC7523 (https://tools.ietf.org/html/rfc7523)
+ // and must have 'kid' field in the header.
+ // Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+ // Mandatory payload fields (along the lines of RFC 7523, section 3):
+ // - iss: issuer of the token. Must provide a discovery document at
+ // $iss/.well-known/openid-configuration . The document needs to be
+ // formatted according to section 4.2 of the OpenID Connect Discovery
+ // 1.0 specification.
+ // - iat: Issue time in seconds since epoch. Must be in the past.
+ // - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+ // after iat. We recommend to create tokens that last shorter than 6
+ // hours to improve security unless business reasons mandate longer
+ // expiration times. Shorter token lifetimes are generally more secure
+ // since tokens that have been exfiltrated by attackers can be used for
+ // a shorter time. you can configure the maximum lifetime of the
+ // incoming token in the configuration of the mapper.
+ // The resulting Google token will expire within an hour or at "exp",
+ // whichever is earlier.
+ // - sub: JWT subject, identity asserted in the JWT.
+ // - aud: Configured in the mapper policy. By default the service account
+ // email.
+ //
+ // Claims from the incoming token can be transferred into the output token
+ // accoding to the mapper configuration. The outgoing claim size is limited.
+ // Outgoing claims size must be less than 4kB serialized as JSON without
+ // whitespace.
+ //
+ // Example header:
+ // {
+ // "alg": "RS256",
+ // "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+ // }
+ // Example payload:
+ // {
+ // "iss": "https://accounts.google.com",
+ // "iat": 1517963104,
+ // "exp": 1517966704,
+ // "aud": "https://iamcredentials.googleapis.com/",
+ // "sub": "113475438248934895348",
+ // "my_claims": {
+ // "additional_claim": "value"
+ // }
+ // }
+ string jwt = 3;
+}
+
+message GenerateIdentityBindingAccessTokenResponse {
+ // The OAuth 2.0 access token.
+ string access_token = 1;
+
+ // Token expiration time.
+ // The expiration time is always set.
+ google.protobuf.Timestamp expire_time = 2;
+}
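Review bot: The `jwt` field comment in GenerateIdentityBindingAccessTokenRequest describes the only externally-minted credential this file accepts, yet the line `Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).` is a roadmap remark rather than a contract and says nothing about what happens to a token whose `alg` is not listed or whose `kid` cannot be resolved through the issuer's discovery document; I would change it to `// Supported signing algorithms: RS256. Tokens signed with any other algorithm are rejected.` (rejection is what I would expect here but cannot see the server side, so confirm before wording it as a guarantee). The same comment has a typo, `accoding` → `according`. In GenerateAccessTokenRequest the `lifetime` comment says "in seconds" for a google.protobuf.Duration and does not state whether a value above 3600 is rejected or clamped, which callers sizing token exposure need to know. Since this is a new file, the two `repeated string scope` fields could still be named `scopes` to match the plural convention for repeated fields before the name is frozen in generated code and JSON.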