Package com.google.iam.admin.v1

Class IAMGrpc.IAMFutureStub

  • Enclosing class:
    IAMGrpc
    public static final class IAMGrpc.IAMFutureStub
extends io.grpc.stub.AbstractFutureStub<IAMGrpc.IAMFutureStub>
    A stub to allow clients to do ListenableFuture-style rpc calls to service IAM. 
     Creates and manages Identity and Access Management (IAM) resources.
 You can use this service to work with all of the following resources:
 * **Service accounts**, which identify an application or a virtual machine
   (VM) instance rather than a person
 * **Service account keys**, which service accounts use to authenticate with
   Google APIs
 * **IAM policies for service accounts**, which specify the roles that a
   principal has for the service account
 * **IAM custom roles**, which help you limit the number of permissions that
   you grant to principals
 In addition, you can use this service to complete the following tasks, among
 others:
 * Test whether a service account can use specific permissions
 * Check which roles you can grant for a specific resource
 * Lint, or validate, condition expressions in an IAM policy
 When you read data from the IAM API, each read is eventually consistent. In
 other words, if you write data with the IAM API, then immediately read that
 data, the read operation might return an older version of the data. To deal
 with this behavior, your application can retry the request with truncated
 exponential backoff.
 In contrast, writing data to the IAM API is sequentially consistent. In other
 words, write operations are always processed in the order in which they were
 received.

    • Method Detail

      • listServiceAccounts

        public com.google.common.util.concurrent.ListenableFuture<ListServiceAccountsResponse> listServiceAccounts​(ListServiceAccountsRequest request)
         Lists every [ServiceAccount][google.iam.admin.v1.ServiceAccount] that belongs to a specific project.

      • getServiceAccount

        public com.google.common.util.concurrent.ListenableFuture<ServiceAccount> getServiceAccount​(GetServiceAccountRequest request)
         Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

      • createServiceAccount

        public com.google.common.util.concurrent.ListenableFuture<ServiceAccount> createServiceAccount​(CreateServiceAccountRequest request)
         Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

      • updateServiceAccount

        public com.google.common.util.concurrent.ListenableFuture<ServiceAccount> updateServiceAccount​(ServiceAccount request)
         **Note:** We are in the process of deprecating this method. Use
 [PatchServiceAccount][google.iam.admin.v1.IAM.PatchServiceAccount] instead.
 Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
 You can update only the `display_name` field.

      • patchServiceAccount

        public com.google.common.util.concurrent.ListenableFuture<ServiceAccount> patchServiceAccount​(PatchServiceAccountRequest request)
         Patches a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

      • deleteServiceAccount

        public com.google.common.util.concurrent.ListenableFuture<com.google.protobuf.Empty> deleteServiceAccount​(DeleteServiceAccountRequest request)
         Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
 **Warning:** After you delete a service account, you might not be able to
 undelete it. If you know that you need to re-enable the service account in
 the future, use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] instead.
 If you delete a service account, IAM permanently removes the service
 account 30 days later. Google Cloud cannot recover the service account
 after it is permanently removed, even if you file a support request.
 To help avoid unplanned outages, we recommend that you disable the service
 account before you delete it. Use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] to disable the
 service account, then wait at least 24 hours and watch for unintended
 consequences. If there are no unintended consequences, you can delete the
 service account.

      • undeleteServiceAccount

        public com.google.common.util.concurrent.ListenableFuture<UndeleteServiceAccountResponse> undeleteServiceAccount​(UndeleteServiceAccountRequest request)
         Restores a deleted [ServiceAccount][google.iam.admin.v1.ServiceAccount].
 **Important:** It is not always possible to restore a deleted service
 account. Use this method only as a last resort.
 After you delete a service account, IAM permanently removes the service
 account 30 days later. There is no way to restore a deleted service account
 that has been permanently removed.

      • enableServiceAccount

        public com.google.common.util.concurrent.ListenableFuture<com.google.protobuf.Empty> enableServiceAccount​(EnableServiceAccountRequest request)
         Enables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] that was disabled by
 [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount].
 If the service account is already enabled, then this method has no effect.
 If the service account was disabled by other means—for example, if Google
 disabled the service account because it was compromised—you cannot use this
 method to enable the service account.

      • disableServiceAccount

        public com.google.common.util.concurrent.ListenableFuture<com.google.protobuf.Empty> disableServiceAccount​(DisableServiceAccountRequest request)
         Disables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] immediately.
 If an application uses the service account to authenticate, that
 application can no longer call Google APIs or access Google Cloud
 resources. Existing access tokens for the service account are rejected, and
 requests for new access tokens will fail.
 To re-enable the service account, use [EnableServiceAccount][google.iam.admin.v1.IAM.EnableServiceAccount]. After you
 re-enable the service account, its existing access tokens will be accepted,
 and you can request new access tokens.
 To help avoid unplanned outages, we recommend that you disable the service
 account before you delete it. Use this method to disable the service
 account, then wait at least 24 hours and watch for unintended consequences.
 If there are no unintended consequences, you can delete the service account
 with [DeleteServiceAccount][google.iam.admin.v1.IAM.DeleteServiceAccount].

      • getServiceAccountKey

        public com.google.common.util.concurrent.ListenableFuture<ServiceAccountKey> getServiceAccountKey​(GetServiceAccountKeyRequest request)
         Gets a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

      • createServiceAccountKey

        public com.google.common.util.concurrent.ListenableFuture<ServiceAccountKey> createServiceAccountKey​(CreateServiceAccountKeyRequest request)
         Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

      • uploadServiceAccountKey

        public com.google.common.util.concurrent.ListenableFuture<ServiceAccountKey> uploadServiceAccountKey​(UploadServiceAccountKeyRequest request)
         Uploads the public key portion of a key pair that you manage, and
 associates the public key with a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
 After you upload the public key, you can use the private key from the key
 pair as a service account key.

      • deleteServiceAccountKey

        public com.google.common.util.concurrent.ListenableFuture<com.google.protobuf.Empty> deleteServiceAccountKey​(DeleteServiceAccountKeyRequest request)
         Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. Deleting a service account key does not
 revoke short-lived credentials that have been issued based on the service
 account key.

      • disableServiceAccountKey

        public com.google.common.util.concurrent.ListenableFuture<com.google.protobuf.Empty> disableServiceAccountKey​(DisableServiceAccountKeyRequest request)
         Disable a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. A disabled service account key can be
 re-enabled with [EnableServiceAccountKey][google.iam.admin.v1.IAM.EnableServiceAccountKey].

      • enableServiceAccountKey

        public com.google.common.util.concurrent.ListenableFuture<com.google.protobuf.Empty> enableServiceAccountKey​(EnableServiceAccountKeyRequest request)
         Enable a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

      • signBlob

        @Deprecated
public com.google.common.util.concurrent.ListenableFuture<SignBlobResponse> signBlob​(SignBlobRequest request)
        Deprecated.
         **Note:** This method is deprecated. Use the
 [`signBlob`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signBlob)
 method in the IAM Service Account Credentials API instead. If you currently
 use this method, see the [migration
 guide](https://cloud.google.com/iam/help/credentials/migrate-api) for
 instructions.
 Signs a blob using the system-managed private key for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

      • signJwt

        @Deprecated
public com.google.common.util.concurrent.ListenableFuture<SignJwtResponse> signJwt​(SignJwtRequest request)
        Deprecated.
         **Note:** This method is deprecated. Use the
 [`signJwt`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signJwt)
 method in the IAM Service Account Credentials API instead. If you currently
 use this method, see the [migration
 guide](https://cloud.google.com/iam/help/credentials/migrate-api) for
 instructions.
 Signs a JSON Web Token (JWT) using the system-managed private key for a
 [ServiceAccount][google.iam.admin.v1.ServiceAccount].

      • getIamPolicy

        public com.google.common.util.concurrent.ListenableFuture<com.google.iam.v1.Policy> getIamPolicy​(com.google.iam.v1.GetIamPolicyRequest request)
         Gets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. This IAM
 policy specifies which principals have access to the service account.
 This method does not tell you whether the service account has been granted
 any roles on other resources. To check whether a service account has role
 grants on a resource, use the `getIamPolicy` method for that resource. For
 example, to view the role grants for a project, call the Resource Manager
 API's
 [`projects.getIamPolicy`](https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy)
 method.

      • setIamPolicy

        public com.google.common.util.concurrent.ListenableFuture<com.google.iam.v1.Policy> setIamPolicy​(com.google.iam.v1.SetIamPolicyRequest request)
         Sets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
 Use this method to grant or revoke access to the service account. For
 example, you could grant a principal the ability to impersonate the service
 account.
 This method does not enable the service account to access other resources.
 To grant roles to a service account on a resource, follow these steps:
 1. Call the resource's `getIamPolicy` method to get its current IAM policy.
 2. Edit the policy so that it binds the service account to an IAM role for
 the resource.
 3. Call the resource's `setIamPolicy` method to update its IAM policy.
 For detailed instructions, see
 [Manage access to project, folders, and
 organizations](https://cloud.google.com/iam/help/service-accounts/granting-access-to-service-accounts)
 or [Manage access to other
 resources](https://cloud.google.com/iam/help/access/manage-other-resources).

      • testIamPermissions

        public com.google.common.util.concurrent.ListenableFuture<com.google.iam.v1.TestIamPermissionsResponse> testIamPermissions​(com.google.iam.v1.TestIamPermissionsRequest request)
         Tests whether the caller has the specified permissions on a
 [ServiceAccount][google.iam.admin.v1.ServiceAccount].

      • queryGrantableRoles

        public com.google.common.util.concurrent.ListenableFuture<QueryGrantableRolesResponse> queryGrantableRoles​(QueryGrantableRolesRequest request)
         Lists roles that can be granted on a Google Cloud resource. A role is
 grantable if the IAM policy for the resource can contain bindings to the
 role.

      • listRoles

        public com.google.common.util.concurrent.ListenableFuture<ListRolesResponse> listRoles​(ListRolesRequest request)
         Lists every predefined [Role][google.iam.admin.v1.Role] that IAM supports, or every custom role
 that is defined for an organization or project.

      • getRole

        public com.google.common.util.concurrent.ListenableFuture<Role> getRole​(GetRoleRequest request)
         Gets the definition of a [Role][google.iam.admin.v1.Role].

      • createRole

        public com.google.common.util.concurrent.ListenableFuture<Role> createRole​(CreateRoleRequest request)
         Creates a new custom [Role][google.iam.admin.v1.Role].

      • updateRole

        public com.google.common.util.concurrent.ListenableFuture<Role> updateRole​(UpdateRoleRequest request)
         Updates the definition of a custom [Role][google.iam.admin.v1.Role].

      • deleteRole

        public com.google.common.util.concurrent.ListenableFuture<Role> deleteRole​(DeleteRoleRequest request)
         Deletes a custom [Role][google.iam.admin.v1.Role].
 When you delete a custom role, the following changes occur immediately:
 * You cannot bind a principal to the custom role in an IAM
 [Policy][google.iam.v1.Policy].
 * Existing bindings to the custom role are not changed, but they have no
 effect.
 * By default, the response from [ListRoles][google.iam.admin.v1.IAM.ListRoles] does not include the custom
 role.
 You have 7 days to undelete the custom role. After 7 days, the following
 changes occur:
 * The custom role is permanently deleted and cannot be recovered.
 * If an IAM policy contains a binding to the custom role, the binding is
 permanently removed.

      • undeleteRole

        public com.google.common.util.concurrent.ListenableFuture<Role> undeleteRole​(UndeleteRoleRequest request)
         Undeletes a custom [Role][google.iam.admin.v1.Role].

      • queryTestablePermissions

        public com.google.common.util.concurrent.ListenableFuture<QueryTestablePermissionsResponse> queryTestablePermissions​(QueryTestablePermissionsRequest request)
         Lists every permission that you can test on a resource. A permission is
 testable if you can check whether a principal has that permission on the
 resource.

      • queryAuditableServices

        public com.google.common.util.concurrent.ListenableFuture<QueryAuditableServicesResponse> queryAuditableServices​(QueryAuditableServicesRequest request)
         Returns a list of services that allow you to opt into audit logs that are
 not generated by default.
 To learn more about audit logs, see the [Logging
 documentation](https://cloud.google.com/logging/docs/audit).

      • lintPolicy

        public com.google.common.util.concurrent.ListenableFuture<LintPolicyResponse> lintPolicy​(LintPolicyRequest request)
         Lints, or validates, an IAM policy. Currently checks the
 [google.iam.v1.Binding.condition][google.iam.v1.Binding.condition] field, which contains a condition
 expression for a role binding.
 Successful calls to this method always return an HTTP `200 OK` status code,
 even if the linter detects an issue in the IAM policy.