{ "auth": { "oauth2": { "scopes": { "https://www.googleapis.com/auth/cloud-platform": { "description": "View and manage your data across Google Cloud Platform services" } } } }, "basePath": "", "baseUrl": "https://iamcredentials.googleapis.com/", "batchPath": "batch", "canonicalName": "IAM Credentials", "description": "Creates short-lived, limited-privilege credentials for IAM service accounts.", "discoveryVersion": "v1", "documentationLink": "https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials", "fullyEncodeReservedExpansion": true, "icons": { "x16": "http://www.google.com/images/icons/product/search-16.gif", "x32": "http://www.google.com/images/icons/product/search-32.gif" }, "id": "iamcredentials:v1", "kind": "discovery#restDescription", "mtlsRootUrl": "https://iamcredentials.mtls.googleapis.com/", "name": "iamcredentials", "ownerDomain": "google.com", "ownerName": "Google", "parameters": { "$.xgafv": { "description": "V1 error format.", "enum": [ "1", "2" ], "enumDescriptions": [ "v1 error format", "v2 error format" ], "location": "query", "type": "string" }, "access_token": { "description": "OAuth access token.", "location": "query", "type": "string" }, "alt": { "default": "json", "description": "Data format for response.", "enum": [ "json", "media", "proto" ], "enumDescriptions": [ "Responses with Content-Type of application/json", "Media download with context-dependent Content-Type", "Responses with Content-Type of application/x-protobuf" ], "location": "query", "type": "string" }, "callback": { "description": "JSONP", "location": "query", "type": "string" }, "fields": { "description": "Selector specifying which fields to include in a partial response.", "location": "query", "type": "string" }, "key": { "description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. 
Required unless you provide an OAuth 2.0 token.", "location": "query", "type": "string" }, "oauth_token": { "description": "OAuth 2.0 token for the current user.", "location": "query", "type": "string" }, "prettyPrint": { "default": "true", "description": "Returns response with indentations and line breaks.", "location": "query", "type": "boolean" }, "quotaUser": { "description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.", "location": "query", "type": "string" }, "uploadType": { "description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\").", "location": "query", "type": "string" }, "upload_protocol": { "description": "Upload protocol for media (e.g. \"raw\", \"multipart\").", "location": "query", "type": "string" } }, "protocol": "rest", "resources": { "projects": { "resources": { "serviceAccounts": { "methods": { "generateAccessToken": { "description": "Generates an OAuth 2.0 access token for a service account.", "flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:generateAccessToken", "httpMethod": "POST", "id": "iamcredentials.projects.serviceAccounts.generateAccessToken", "parameterOrder": [ "name" ], "parameters": { "name": { "description": "Required. The resource name of the service account for which the credentials\nare requested, in the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. 
The `-` wildcard\ncharacter is required; replacing it with a project ID is invalid.", "location": "path", "pattern": "^projects/[^/]+/serviceAccounts/[^/]+$", "required": true, "type": "string" } }, "path": "v1/{+name}:generateAccessToken", "request": { "$ref": "GenerateAccessTokenRequest" }, "response": { "$ref": "GenerateAccessTokenResponse" }, "scopes": [ "https://www.googleapis.com/auth/cloud-platform" ] }, "generateIdToken": { "description": "Generates an OpenID Connect ID token for a service account.", "flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:generateIdToken", "httpMethod": "POST", "id": "iamcredentials.projects.serviceAccounts.generateIdToken", "parameterOrder": [ "name" ], "parameters": { "name": { "description": "Required. The resource name of the service account for which the credentials\nare requested, in the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard\ncharacter is required; replacing it with a project ID is invalid.", "location": "path", "pattern": "^projects/[^/]+/serviceAccounts/[^/]+$", "required": true, "type": "string" } }, "path": "v1/{+name}:generateIdToken", "request": { "$ref": "GenerateIdTokenRequest" }, "response": { "$ref": "GenerateIdTokenResponse" }, "scopes": [ "https://www.googleapis.com/auth/cloud-platform" ] }, "signBlob": { "description": "Signs a blob using a service account's system-managed private key.", "flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:signBlob", "httpMethod": "POST", "id": "iamcredentials.projects.serviceAccounts.signBlob", "parameterOrder": [ "name" ], "parameters": { "name": { "description": "Required. The resource name of the service account for which the credentials\nare requested, in the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. 
The `-` wildcard\ncharacter is required; replacing it with a project ID is invalid.", "location": "path", "pattern": "^projects/[^/]+/serviceAccounts/[^/]+$", "required": true, "type": "string" } }, "path": "v1/{+name}:signBlob", "request": { "$ref": "SignBlobRequest" }, "response": { "$ref": "SignBlobResponse" }, "scopes": [ "https://www.googleapis.com/auth/cloud-platform" ] }, "signJwt": { "description": "Signs a JWT using a service account's system-managed private key.", "flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:signJwt", "httpMethod": "POST", "id": "iamcredentials.projects.serviceAccounts.signJwt", "parameterOrder": [ "name" ], "parameters": { "name": { "description": "Required. The resource name of the service account for which the credentials\nare requested, in the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard\ncharacter is required; replacing it with a project ID is invalid.", "location": "path", "pattern": "^projects/[^/]+/serviceAccounts/[^/]+$", "required": true, "type": "string" } }, "path": "v1/{+name}:signJwt", "request": { "$ref": "SignJwtRequest" }, "response": { "$ref": "SignJwtResponse" }, "scopes": [ "https://www.googleapis.com/auth/cloud-platform" ] } } } } } }, "revision": "20200327", "rootUrl": "https://iamcredentials.googleapis.com/", "schemas": { "GenerateAccessTokenRequest": { "id": "GenerateAccessTokenRequest", "properties": { "delegates": { "description": "The sequence of service accounts in a delegation chain. Each service\naccount must be granted the `roles/iam.serviceAccountTokenCreator` role\non its next service account in the chain. The last service account in the\nchain must be granted the `roles/iam.serviceAccountTokenCreator` role\non the service account that is specified in the `name` field of the\nrequest.\n\nThe delegates must have the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. 
The `-` wildcard\ncharacter is required; replacing it with a project ID is invalid.", "items": { "type": "string" }, "type": "array" }, "lifetime": { "description": "The desired lifetime duration of the access token in seconds.\nMust be set to a value less than or equal to 3600 (1 hour). If a value is\nnot specified, the token's lifetime will be set to a default value of one\nhour.", "format": "google-duration", "type": "string" }, "scope": { "description": "Required. Code to identify the scopes to be included in the OAuth 2.0 access token.\nSee https://developers.google.com/identity/protocols/googlescopes for more\ninformation.\nAt least one value required.", "items": { "type": "string" }, "type": "array" } }, "type": "object" }, "GenerateAccessTokenResponse": { "id": "GenerateAccessTokenResponse", "properties": { "accessToken": { "description": "The OAuth 2.0 access token.", "type": "string" }, "expireTime": { "description": "Token expiration time.\nThe expiration time is always set.", "format": "google-datetime", "type": "string" } }, "type": "object" }, "GenerateIdTokenRequest": { "id": "GenerateIdTokenRequest", "properties": { "audience": { "description": "Required. The audience for the token, such as the API or account that this token\ngrants access to.", "type": "string" }, "delegates": { "description": "The sequence of service accounts in a delegation chain. Each service\naccount must be granted the `roles/iam.serviceAccountTokenCreator` role\non its next service account in the chain. The last service account in the\nchain must be granted the `roles/iam.serviceAccountTokenCreator` role\non the service account that is specified in the `name` field of the\nrequest.\n\nThe delegates must have the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. 
The `-` wildcard\ncharacter is required; replacing it with a project ID is invalid.", "items": { "type": "string" }, "type": "array" }, "includeEmail": { "description": "Include the service account email in the token. If set to `true`, the\ntoken will contain `email` and `email_verified` claims.", "type": "boolean" } }, "type": "object" }, "GenerateIdTokenResponse": { "id": "GenerateIdTokenResponse", "properties": { "token": { "description": "The OpenID Connect ID token.", "type": "string" } }, "type": "object" }, "SignBlobRequest": { "id": "SignBlobRequest", "properties": { "delegates": { "description": "The sequence of service accounts in a delegation chain. Each service\naccount must be granted the `roles/iam.serviceAccountTokenCreator` role\non its next service account in the chain. The last service account in the\nchain must be granted the `roles/iam.serviceAccountTokenCreator` role\non the service account that is specified in the `name` field of the\nrequest.\n\nThe delegates must have the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard\ncharacter is required; replacing it with a project ID is invalid.", "items": { "type": "string" }, "type": "array" }, "payload": { "description": "Required. The bytes to sign.", "format": "byte", "type": "string" } }, "type": "object" }, "SignBlobResponse": { "id": "SignBlobResponse", "properties": { "keyId": { "description": "The ID of the key used to sign the blob.", "type": "string" }, "signedBlob": { "description": "The signed blob.", "format": "byte", "type": "string" } }, "type": "object" }, "SignJwtRequest": { "id": "SignJwtRequest", "properties": { "delegates": { "description": "The sequence of service accounts in a delegation chain. Each service\naccount must be granted the `roles/iam.serviceAccountTokenCreator` role\non its next service account in the chain. 
The last service account in the\nchain must be granted the `roles/iam.serviceAccountTokenCreator` role\non the service account that is specified in the `name` field of the\nrequest.\n\nThe delegates must have the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard\ncharacter is required; replacing it with a project ID is invalid.", "items": { "type": "string" }, "type": "array" }, "payload": { "description": "Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.", "type": "string" } }, "type": "object" }, "SignJwtResponse": { "id": "SignJwtResponse", "properties": { "keyId": { "description": "The ID of the key used to sign the JWT.", "type": "string" }, "signedJwt": { "description": "The signed JWT.", "type": "string" } }, "type": "object" } }, "servicePath": "", "title": "IAM Service Account Credentials API", "version": "v1", "version_module": true }