Add protos as an artifact to library (#7205)

packages/google-cloud-iam/google/cloud/iam_credentials_v1/proto/common.proto

@@ -0,0 +1,224 @@
+// Copyright 2018 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.iam.credentials.v1;
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/timestamp.proto";
+
+option cc_enable_arenas = true;
+option go_package = "google.golang.org/genproto/googleapis/iam/credentials/v1;credentials";
+option java_multiple_files = true;
+option java_outer_classname = "IAMCredentialsCommonProto";
+option java_package = "com.google.cloud.iam.credentials.v1";
+
+
+message GenerateAccessTokenRequest {
+  // The resource name of the service account for which the credentials
+  // are requested, in the following format:
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+  string name = 1;
+
+  // The sequence of service accounts in a delegation chain. Each service
+  // account must be granted the `roles/iam.serviceAccountTokenCreator` role
+  // on its next service account in the chain. The last service account in the
+  // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+  // on the service account that is specified in the `name` field of the
+  // request.
+  //
+  // The delegates must have the following format:
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+  repeated string delegates = 2;
+
+  // Code to identify the scopes to be included in the OAuth 2.0 access token.
+  // See https://developers.google.com/identity/protocols/googlescopes for more
+  // information.
+  // At least one value required.
+  repeated string scope = 4;
+
+  // The desired lifetime duration of the access token in seconds.
+  // Must be set to a value less than or equal to 3600 (1 hour). If a value is
+  // not specified, the token's lifetime will be set to a default value of one
+  // hour.
+  google.protobuf.Duration lifetime = 7;
+}
+
+message GenerateAccessTokenResponse {
+  // The OAuth 2.0 access token.
+  string access_token = 1;
+
+  // Token expiration time.
+  // The expiration time is always set.
+  google.protobuf.Timestamp expire_time = 3;
+}
+
+message SignBlobRequest {
+  // The resource name of the service account for which the credentials
+  // are requested, in the following format:
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+  string name = 1;
+
+  // The sequence of service accounts in a delegation chain. Each service
+  // account must be granted the `roles/iam.serviceAccountTokenCreator` role
+  // on its next service account in the chain. The last service account in the
+  // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+  // on the service account that is specified in the `name` field of the
+  // request.
+  //
+  // The delegates must have the following format:
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+  repeated string delegates = 3;
+
+  // The bytes to sign.
+  bytes payload = 5;
+}
+
+message SignBlobResponse {
+  // The ID of the key used to sign the blob.
+  string key_id = 1;
+
+  // The signed blob.
+  bytes signed_blob = 4;
+}
+
+message SignJwtRequest {
+  // The resource name of the service account for which the credentials
+  // are requested, in the following format:
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+  string name = 1;
+
+  // The sequence of service accounts in a delegation chain. Each service
+  // account must be granted the `roles/iam.serviceAccountTokenCreator` role
+  // on its next service account in the chain. The last service account in the
+  // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+  // on the service account that is specified in the `name` field of the
+  // request.
+  //
+  // The delegates must have the following format:
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+  repeated string delegates = 3;
+
+  // The JWT payload to sign: a JSON object that contains a JWT Claims Set.
+  string payload = 5;
+}
+
+message SignJwtResponse {
+  // The ID of the key used to sign the JWT.
+  string key_id = 1;
+
+  // The signed JWT.
+  string signed_jwt = 2;
+}
+
+message GenerateIdTokenRequest {
+  // The resource name of the service account for which the credentials
+  // are requested, in the following format:
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+  string name = 1;
+
+  // The sequence of service accounts in a delegation chain. Each service
+  // account must be granted the `roles/iam.serviceAccountTokenCreator` role
+  // on its next service account in the chain. The last service account in the
+  // chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+  // on the service account that is specified in the `name` field of the
+  // request.
+  //
+  // The delegates must have the following format:
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
+  repeated string delegates = 2;
+
+  // The audience for the token, such as the API or account that this token
+  // grants access to.
+  string audience = 3;
+
+  // Include the service account email in the token. If set to `true`, the
+  // token will contain `email` and `email_verified` claims.
+  bool include_email = 4;
+}
+
+message GenerateIdTokenResponse {
+  // The OpenId Connect ID token.
+  string token = 1;
+}
+
+message GenerateIdentityBindingAccessTokenRequest {
+  // The resource name of the service account for which the credentials
+  // are requested, in the following format:
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+  string name = 1;
+
+  // Code to identify the scopes to be included in the OAuth 2.0 access token.
+  // See https://developers.google.com/identity/protocols/googlescopes for more
+  // information.
+  // At least one value required.
+  repeated string scope = 2;
+
+  // Required. Input token.
+  // Must be in JWT format according to
+  // RFC7523 (https://tools.ietf.org/html/rfc7523)
+  // and must have 'kid' field in the header.
+  // Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+  // Mandatory payload fields (along the lines of RFC 7523, section 3):
+  // - iss: issuer of the token. Must provide a discovery document at
+  //        $iss/.well-known/openid-configuration . The document needs to be
+  //        formatted according to section 4.2 of the OpenID Connect Discovery
+  //        1.0 specification.
+  // - iat: Issue time in seconds since epoch. Must be in the past.
+  // - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+  //        after iat. We recommend to create tokens that last shorter than 6
+  //        hours to improve security unless business reasons mandate longer
+  //        expiration times. Shorter token lifetimes are generally more secure
+  //        since tokens that have been exfiltrated by attackers can be used for
+  //        a shorter time. you can configure the maximum lifetime of the
+  //        incoming token in the configuration of the mapper.
+  //        The resulting Google token will expire within an hour or at "exp",
+  //        whichever is earlier.
+  // - sub: JWT subject, identity asserted in the JWT.
+  // - aud: Configured in the mapper policy. By default the service account
+  //        email.
+  //
+  // Claims from the incoming token can be transferred into the output token
+  // accoding to the mapper configuration. The outgoing claim size is limited.
+  // Outgoing claims size must be less than 4kB serialized as JSON without
+  // whitespace.
+  //
+  // Example header:
+  // {
+  //   "alg": "RS256",
+  //   "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+  // }
+  // Example payload:
+  // {
+  //   "iss": "https://accounts.google.com",
+  //   "iat": 1517963104,
+  //   "exp": 1517966704,
+  //   "aud": "https://iamcredentials.googleapis.com/",
+  //   "sub": "113475438248934895348",
+  //   "my_claims": {
+  //     "additional_claim": "value"
+  //   }
+  // }
+  string jwt = 3;
+}
+
+message GenerateIdentityBindingAccessTokenResponse {
+  // The OAuth 2.0 access token.
+  string access_token = 1;
+
+  // Token expiration time.
+  // The expiration time is always set.
+  google.protobuf.Timestamp expire_time = 2;
+}

packages/google-cloud-iam/google/cloud/iam_credentials_v1/proto/iamcredentials.proto

@@ -0,0 +1,81 @@
+// Copyright 2018 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.iam.credentials.v1;
+
+import "google/api/annotations.proto";
+import "google/iam/credentials/v1/common.proto";
+
+option cc_enable_arenas = true;
+option go_package = "google.golang.org/genproto/googleapis/iam/credentials/v1;credentials";
+option java_multiple_files = true;
+option java_outer_classname = "IAMCredentialsProto";
+option java_package = "com.google.cloud.iam.credentials.v1";
+
+
+// A service account is a special type of Google account that belongs to your
+// application or a virtual machine (VM), instead of to an individual end user.
+// Your application assumes the identity of the service account to call Google
+// APIs, so that the users aren't directly involved.
+//
+// Service account credentials are used to temporarily assume the identity
+// of the service account. Supported credential types include OAuth 2.0 access
+// tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and
+// more.
+service IAMCredentials {
+  // Generates an OAuth 2.0 access token for a service account.
+  rpc GenerateAccessToken(GenerateAccessTokenRequest) returns (GenerateAccessTokenResponse) {
+    option (google.api.http) = {
+      post: "/v1/{name=projects/*/serviceAccounts/*}:generateAccessToken"
+      body: "*"
+    };
+  }
+
+  // Generates an OpenID Connect ID token for a service account.
+  rpc GenerateIdToken(GenerateIdTokenRequest) returns (GenerateIdTokenResponse) {
+    option (google.api.http) = {
+      post: "/v1/{name=projects/*/serviceAccounts/*}:generateIdToken"
+      body: "*"
+    };
+  }
+
+  // Signs a blob using a service account's system-managed private key.
+  rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) {
+    option (google.api.http) = {
+      post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob"
+      body: "*"
+    };
+  }
+
+  // Signs a JWT using a service account's system-managed private key.
+  rpc SignJwt(SignJwtRequest) returns (SignJwtResponse) {
+    option (google.api.http) = {
+      post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt"
+      body: "*"
+    };
+  }
+
+  // Exchange a JWT signed by third party identity provider to an OAuth 2.0
+  // access token
+  rpc GenerateIdentityBindingAccessToken(
+      GenerateIdentityBindingAccessTokenRequest)
+      returns (GenerateIdentityBindingAccessTokenResponse) {
+    option (google.api.http) = {
+      post: "/v1/{name=projects/*/serviceAccounts/*}:generateIdentityBindingAccessToken"
+      body: "*"
+    };
+  }
+}

packages/google-cloud-iam/synth.metadata

@@ -1,19 +1,19 @@
 {
-  "updateTime": "2019-01-17T13:19:36.096921Z",
+  "updateTime": "2019-01-24T05:39:59.371229Z",
   "sources": [
     {
       "generator": {
         "name": "artman",
-        "version": "0.16.6",
-        "dockerImage": "googleapis/artman@sha256:12722f2ca3fbc3b53cc6aa5f0e569d7d221b46bd876a2136497089dec5e3634e"
+        "version": "0.16.7",
+        "dockerImage": "googleapis/artman@sha256:d6c8ced606eb49973ca95d2af7c55a681acc042db0f87d135968349e7bf6dd80"
       }
     },
     {
       "git": {
         "name": "googleapis",
         "remote": "https://github.com/googleapis/googleapis.git",
-        "sha": "0ac60e21a1aa86c07c1836865b35308ba8178b05",
-        "internalRef": "229626798"
+        "sha": "9aac88a22468b1e291937f55fa1ef237adfdc63e",
+        "internalRef": "230568136"
       }
     },
     {
@@ -28,7 +28,7 @@
     {
       "client": {
         "source": "googleapis",
-        "apiName": "iam",
+        "apiName": "iam_credentials",
         "apiVersion": "v1",
         "language": "python",
         "generator": "gapic",

packages/google-cloud-iam/synth.py

@@ -24,10 +24,11 @@
 # Generate automl GAPIC layer
 # ----------------------------------------------------------------------------
 library = gapic.py_library(
-    "iam",
+    "iam_credentials",
     "v1",
     config_path="/google/iam/credentials/artman_iamcredentials_v1.yaml",
-    artman_output_name="iamcredentials-v1"
+    artman_output_name="iamcredentials-v1",
+    include_protos=True,
 )
 
 excludes = [