mirror of
https://github.com/OMGeeky/google-apis-rs.git
synced 2026-01-06 19:45:20 +01:00
429 lines
18 KiB
JSON
429 lines
18 KiB
JSON
{
|
|
"version": "v1",
|
|
"baseUrl": "https://iamcredentials.googleapis.com/",
|
|
"servicePath": "",
|
|
"description": "IAM Service Account Credentials API",
|
|
"kind": "discovery#restDescription",
|
|
"basePath": "",
|
|
"id": "iamcredentials:v1",
|
|
"documentationLink": "https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials",
|
|
"revision": "20181004",
|
|
"discoveryVersion": "v1",
|
|
"version_module": true,
|
|
"schemas": {
|
|
"GenerateIdentityBindingAccessTokenResponse": {
|
|
"type": "object",
|
|
"properties": {
|
|
"accessToken": {
|
|
"description": "The OAuth 2.0 access token.",
|
|
"type": "string"
|
|
},
|
|
"expireTime": {
|
|
"description": "Token expiration time.\nThe expiration time is always set.",
|
|
"format": "google-datetime",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"id": "GenerateIdentityBindingAccessTokenResponse"
|
|
},
|
|
"GenerateIdentityBindingAccessTokenRequest": {
|
|
"type": "object",
|
|
"properties": {
|
|
"scope": {
|
|
"description": "Code to identify the scopes to be included in the OAuth 2.0 access token.\nSee https://developers.google.com/identity/protocols/googlescopes for more\ninformation.\nAt least one value required.",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
"jwt": {
|
|
"description": "Required. Input token.\nMust be in JWT format according to\nRFC7523 (https://tools.ietf.org/html/rfc7523)\nand must have 'kid' field in the header.\nSupported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).\nMandatory payload fields (along the lines of RFC 7523, section 3):\n- iss: issuer of the token. Must provide a discovery document at\n $iss/.well-known/openid-configuration . The document needs to be\n formatted according to section 4.2 of the OpenID Connect Discovery\n 1.0 specification.\n- iat: Issue time in seconds since epoch. Must be in the past.\n- exp: Expiration time in seconds since epoch. Must be less than 48 hours\n after iat. We recommend to create tokens that last shorter than 6\n hours to improve security unless business reasons mandate longer\n expiration times. Shorter token lifetimes are generally more secure\n since tokens that have been exfiltrated by attackers can be used for\n a shorter time. you can configure the maximum lifetime of the\n incoming token in the configuration of the mapper.\n The resulting Google token will expire within an hour or at \"exp\",\n whichever is earlier.\n- sub: JWT subject, identity asserted in the JWT.\n- aud: Configured in the mapper policy. By default the service account\n email.\n\nClaims from the incoming token can be transferred into the output token\naccoding to the mapper configuration. The outgoing claim size is limited.\nOutgoing claims size must be less than 4kB serialized as JSON without\nwhitespace.\n\nExample header:\n{\n \"alg\": \"RS256\",\n \"kid\": \"92a4265e14ab04d4d228a48d10d4ca31610936f8\"\n}\nExample payload:\n{\n \"iss\": \"https://accounts.google.com\",\n \"iat\": 1517963104,\n \"exp\": 1517966704,\n \"aud\": \"https://iamcredentials.googleapis.com/google.iam.credentials.v1.CloudGaia\",\n \"sub\": \"113475438248934895348\",\n \"my_claims\": {\n \"additional_claim\": \"value\"\n }\n}",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"id": "GenerateIdentityBindingAccessTokenRequest"
|
|
},
|
|
"GenerateAccessTokenRequest": {
|
|
"type": "object",
|
|
"properties": {
|
|
"delegates": {
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"description": "The sequence of service accounts in a delegation chain. Each service\naccount must be granted the `roles/iam.serviceAccountTokenCreator` role\non its next service account in the chain. The last service account in the\nchain must be granted the `roles/iam.serviceAccountTokenCreator` role\non the service account that is specified in the `name` field of the\nrequest.\n\nThe delegates must have the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`"
|
|
},
|
|
"lifetime": {
|
|
"description": "The desired lifetime duration of the access token in seconds.\nMust be set to a value less than or equal to 3600 (1 hour). If a value is\nnot specified, the token's lifetime will be set to a default value of one\nhour.",
|
|
"format": "google-duration",
|
|
"type": "string"
|
|
},
|
|
"scope": {
|
|
"description": "Code to identify the scopes to be included in the OAuth 2.0 access token.\nSee https://developers.google.com/identity/protocols/googlescopes for more\ninformation.\nAt least one value required.",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"id": "GenerateAccessTokenRequest"
|
|
},
|
|
"GenerateAccessTokenResponse": {
|
|
"type": "object",
|
|
"properties": {
|
|
"expireTime": {
|
|
"description": "Token expiration time.\nThe expiration time is always set.",
|
|
"format": "google-datetime",
|
|
"type": "string"
|
|
},
|
|
"accessToken": {
|
|
"description": "The OAuth 2.0 access token.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"id": "GenerateAccessTokenResponse"
|
|
},
|
|
"SignBlobRequest": {
|
|
"type": "object",
|
|
"properties": {
|
|
"payload": {
|
|
"description": "The bytes to sign.",
|
|
"format": "byte",
|
|
"type": "string"
|
|
},
|
|
"delegates": {
|
|
"description": "The sequence of service accounts in a delegation chain. Each service\naccount must be granted the `roles/iam.serviceAccountTokenCreator` role\non its next service account in the chain. The last service account in the\nchain must be granted the `roles/iam.serviceAccountTokenCreator` role\non the service account that is specified in the `name` field of the\nrequest.\n\nThe delegates must have the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"id": "SignBlobRequest"
|
|
},
|
|
"SignBlobResponse": {
|
|
"type": "object",
|
|
"properties": {
|
|
"keyId": {
|
|
"description": "The ID of the key used to sign the blob.",
|
|
"type": "string"
|
|
},
|
|
"signedBlob": {
|
|
"type": "string",
|
|
"description": "The signed blob.",
|
|
"format": "byte"
|
|
}
|
|
},
|
|
"id": "SignBlobResponse"
|
|
},
|
|
"SignJwtResponse": {
|
|
"id": "SignJwtResponse",
|
|
"type": "object",
|
|
"properties": {
|
|
"keyId": {
|
|
"description": "The ID of the key used to sign the JWT.",
|
|
"type": "string"
|
|
},
|
|
"signedJwt": {
|
|
"description": "The signed JWT.",
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"SignJwtRequest": {
|
|
"type": "object",
|
|
"properties": {
|
|
"payload": {
|
|
"description": "The JWT payload to sign: a JSON object that contains a JWT Claims Set.",
|
|
"type": "string"
|
|
},
|
|
"delegates": {
|
|
"description": "The sequence of service accounts in a delegation chain. Each service\naccount must be granted the `roles/iam.serviceAccountTokenCreator` role\non its next service account in the chain. The last service account in the\nchain must be granted the `roles/iam.serviceAccountTokenCreator` role\non the service account that is specified in the `name` field of the\nrequest.\n\nThe delegates must have the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"id": "SignJwtRequest"
|
|
},
|
|
"GenerateIdTokenResponse": {
|
|
"type": "object",
|
|
"properties": {
|
|
"token": {
|
|
"description": "The OpenId Connect ID token.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"id": "GenerateIdTokenResponse"
|
|
},
|
|
"GenerateIdTokenRequest": {
|
|
"type": "object",
|
|
"properties": {
|
|
"includeEmail": {
|
|
"type": "boolean",
|
|
"description": "Include the service account email in the token. If set to `true`, the\ntoken will contain `email` and `email_verified` claims."
|
|
},
|
|
"delegates": {
|
|
"description": "The sequence of service accounts in a delegation chain. Each service\naccount must be granted the `roles/iam.serviceAccountTokenCreator` role\non its next service account in the chain. The last service account in the\nchain must be granted the `roles/iam.serviceAccountTokenCreator` role\non the service account that is specified in the `name` field of the\nrequest.\n\nThe delegates must have the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
"audience": {
|
|
"description": "The audience for the token, such as the API or account that this token\ngrants access to.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"id": "GenerateIdTokenRequest"
|
|
}
|
|
},
|
|
"icons": {
|
|
"x32": "http://www.google.com/images/icons/product/search-32.gif",
|
|
"x16": "http://www.google.com/images/icons/product/search-16.gif"
|
|
},
|
|
"protocol": "rest",
|
|
"canonicalName": "IAM Credentials",
|
|
"auth": {
|
|
"oauth2": {
|
|
"scopes": {
|
|
"https://www.googleapis.com/auth/cloud-platform": {
|
|
"description": "View and manage your data across Google Cloud Platform services"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"rootUrl": "https://iamcredentials.googleapis.com/",
|
|
"ownerDomain": "google.com",
|
|
"name": "iamcredentials",
|
|
"batchPath": "batch",
|
|
"fullyEncodeReservedExpansion": true,
|
|
"title": "IAM Service Account Credentials API",
|
|
"ownerName": "Google",
|
|
"resources": {
|
|
"projects": {
|
|
"resources": {
|
|
"serviceAccounts": {
|
|
"methods": {
|
|
"generateAccessToken": {
|
|
"request": {
|
|
"$ref": "GenerateAccessTokenRequest"
|
|
},
|
|
"description": "Generates an OAuth 2.0 access token for a service account.",
|
|
"response": {
|
|
"$ref": "GenerateAccessTokenResponse"
|
|
},
|
|
"parameterOrder": [
|
|
"name"
|
|
],
|
|
"httpMethod": "POST",
|
|
"scopes": [
|
|
"https://www.googleapis.com/auth/cloud-platform"
|
|
],
|
|
"parameters": {
|
|
"name": {
|
|
"description": "The resource name of the service account for which the credentials\nare requested, in the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.",
|
|
"required": true,
|
|
"type": "string",
|
|
"pattern": "^projects/[^/]+/serviceAccounts/[^/]+$",
|
|
"location": "path"
|
|
}
|
|
},
|
|
"flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:generateAccessToken",
|
|
"path": "v1/{+name}:generateAccessToken",
|
|
"id": "iamcredentials.projects.serviceAccounts.generateAccessToken"
|
|
},
|
|
"generateIdToken": {
|
|
"scopes": [
|
|
"https://www.googleapis.com/auth/cloud-platform"
|
|
],
|
|
"parameters": {
|
|
"name": {
|
|
"pattern": "^projects/[^/]+/serviceAccounts/[^/]+$",
|
|
"location": "path",
|
|
"description": "The resource name of the service account for which the credentials\nare requested, in the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.",
|
|
"required": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:generateIdToken",
|
|
"path": "v1/{+name}:generateIdToken",
|
|
"id": "iamcredentials.projects.serviceAccounts.generateIdToken",
|
|
"request": {
|
|
"$ref": "GenerateIdTokenRequest"
|
|
},
|
|
"description": "Generates an OpenID Connect ID token for a service account.",
|
|
"response": {
|
|
"$ref": "GenerateIdTokenResponse"
|
|
},
|
|
"parameterOrder": [
|
|
"name"
|
|
],
|
|
"httpMethod": "POST"
|
|
},
|
|
"signBlob": {
|
|
"path": "v1/{+name}:signBlob",
|
|
"id": "iamcredentials.projects.serviceAccounts.signBlob",
|
|
"description": "Signs a blob using a service account's system-managed private key.",
|
|
"request": {
|
|
"$ref": "SignBlobRequest"
|
|
},
|
|
"response": {
|
|
"$ref": "SignBlobResponse"
|
|
},
|
|
"parameterOrder": [
|
|
"name"
|
|
],
|
|
"httpMethod": "POST",
|
|
"parameters": {
|
|
"name": {
|
|
"pattern": "^projects/[^/]+/serviceAccounts/[^/]+$",
|
|
"location": "path",
|
|
"description": "The resource name of the service account for which the credentials\nare requested, in the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.",
|
|
"required": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"scopes": [
|
|
"https://www.googleapis.com/auth/cloud-platform"
|
|
],
|
|
"flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:signBlob"
|
|
},
|
|
"signJwt": {
|
|
"httpMethod": "POST",
|
|
"parameterOrder": [
|
|
"name"
|
|
],
|
|
"response": {
|
|
"$ref": "SignJwtResponse"
|
|
},
|
|
"parameters": {
|
|
"name": {
|
|
"location": "path",
|
|
"description": "The resource name of the service account for which the credentials\nare requested, in the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.",
|
|
"required": true,
|
|
"type": "string",
|
|
"pattern": "^projects/[^/]+/serviceAccounts/[^/]+$"
|
|
}
|
|
},
|
|
"scopes": [
|
|
"https://www.googleapis.com/auth/cloud-platform"
|
|
],
|
|
"flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:signJwt",
|
|
"id": "iamcredentials.projects.serviceAccounts.signJwt",
|
|
"path": "v1/{+name}:signJwt",
|
|
"description": "Signs a JWT using a service account's system-managed private key.",
|
|
"request": {
|
|
"$ref": "SignJwtRequest"
|
|
}
|
|
},
|
|
"generateIdentityBindingAccessToken": {
|
|
"description": "",
|
|
"request": {
|
|
"$ref": "GenerateIdentityBindingAccessTokenRequest"
|
|
},
|
|
"httpMethod": "POST",
|
|
"parameterOrder": [
|
|
"name"
|
|
],
|
|
"response": {
|
|
"$ref": "GenerateIdentityBindingAccessTokenResponse"
|
|
},
|
|
"parameters": {
|
|
"name": {
|
|
"location": "path",
|
|
"description": "The resource name of the service account for which the credentials\nare requested, in the following format:\n`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.",
|
|
"required": true,
|
|
"type": "string",
|
|
"pattern": "^projects/[^/]+/serviceAccounts/[^/]+$"
|
|
}
|
|
},
|
|
"flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:generateIdentityBindingAccessToken",
|
|
"id": "iamcredentials.projects.serviceAccounts.generateIdentityBindingAccessToken",
|
|
"path": "v1/{+name}:generateIdentityBindingAccessToken"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"parameters": {
|
|
"fields": {
|
|
"location": "query",
|
|
"description": "Selector specifying which fields to include in a partial response.",
|
|
"type": "string"
|
|
},
|
|
"uploadType": {
|
|
"location": "query",
|
|
"description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\").",
|
|
"type": "string"
|
|
},
|
|
"callback": {
|
|
"description": "JSONP",
|
|
"type": "string",
|
|
"location": "query"
|
|
},
|
|
"oauth_token": {
|
|
"location": "query",
|
|
"description": "OAuth 2.0 token for the current user.",
|
|
"type": "string"
|
|
},
|
|
"$.xgafv": {
|
|
"enumDescriptions": [
|
|
"v1 error format",
|
|
"v2 error format"
|
|
],
|
|
"location": "query",
|
|
"enum": [
|
|
"1",
|
|
"2"
|
|
],
|
|
"description": "V1 error format.",
|
|
"type": "string"
|
|
},
|
|
"alt": {
|
|
"enum": [
|
|
"json",
|
|
"media",
|
|
"proto"
|
|
],
|
|
"type": "string",
|
|
"enumDescriptions": [
|
|
"Responses with Content-Type of application/json",
|
|
"Media download with context-dependent Content-Type",
|
|
"Responses with Content-Type of application/x-protobuf"
|
|
],
|
|
"location": "query",
|
|
"description": "Data format for response.",
|
|
"default": "json"
|
|
},
|
|
"access_token": {
|
|
"type": "string",
|
|
"location": "query",
|
|
"description": "OAuth access token."
|
|
},
|
|
"key": {
|
|
"location": "query",
|
|
"description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.",
|
|
"type": "string"
|
|
},
|
|
"upload_protocol": {
|
|
"location": "query",
|
|
"description": "Upload protocol for media (e.g. \"raw\", \"multipart\").",
|
|
"type": "string"
|
|
},
|
|
"quotaUser": {
|
|
"location": "query",
|
|
"description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.",
|
|
"type": "string"
|
|
},
|
|
"prettyPrint": {
|
|
"type": "boolean",
|
|
"default": "true",
|
|
"location": "query",
|
|
"description": "Returns response with indentations and line breaks."
|
|
}
|
|
}
|
|
}
|