1- // Copyright 2018 Google LLC
1+ // Copyright 2019 Google LLC.
22//
33// Licensed under the Apache License, Version 2.0 (the "License");
44// you may not use this file except in compliance with the License.
1111// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
1212// See the License for the specific language governing permissions and
1313// limitations under the License.
14+ //
1415
1516syntax = "proto3" ;
1617
1718package google.iam.credentials.v1 ;
1819
20+ import "google/api/field_behavior.proto" ;
21+ import "google/api/resource.proto" ;
1922import "google/protobuf/duration.proto" ;
2023import "google/protobuf/timestamp.proto" ;
2124
@@ -24,12 +27,22 @@ option go_package = "google.golang.org/genproto/googleapis/iam/credentials/v1;cr
2427option java_multiple_files = true ;
2528option java_outer_classname = "IAMCredentialsCommonProto" ;
2629option java_package = "com.google.cloud.iam.credentials.v1" ;
30+ option (google.api.resource_definition ) = {
31+ type : "iam.googleapis.com/ServiceAccount"
32+ pattern : "projects/{project}/serviceAccounts/{service_account}"
33+ };
2734
2835message GenerateAccessTokenRequest {
29- // The resource name of the service account for which the credentials
36+ // Required. The resource name of the service account for which the credentials
3037 // are requested, in the following format:
31- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
32- string name = 1 ;
38+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
39+ // character is required; replacing it with a project ID is invalid.
40+ string name = 1 [
41+ (google.api.field_behavior ) = REQUIRED ,
42+ (google.api.resource_reference ) = {
43+ type : "iam.googleapis.com/ServiceAccount"
44+ }
45+ ];
3346
3447 // The sequence of service accounts in a delegation chain. Each service
3548 // account must be granted the `roles/iam.serviceAccountTokenCreator` role
@@ -39,14 +52,15 @@ message GenerateAccessTokenRequest {
3952 // request.
4053 //
4154 // The delegates must have the following format:
42- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
55+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
56+ // character is required; replacing it with a project ID is invalid.
4357 repeated string delegates = 2 ;
4458
45- // Code to identify the scopes to be included in the OAuth 2.0 access token.
59+ // Required. Code to identify the scopes to be included in the OAuth 2.0 access token.
4660 // See https://developers.google.com/identity/protocols/googlescopes for more
4761 // information.
4862 // At least one value required.
49- repeated string scope = 4 ;
63+ repeated string scope = 4 [ (google.api .field_behavior ) = REQUIRED ] ;
5064
5165 // The desired lifetime duration of the access token in seconds.
5266 // Must be set to a value less than or equal to 3600 (1 hour). If a value is
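Review bot: The context line `repeated string delegates = 2 ;` carries no `(google.api.resource_reference)` even though its comment requires the same `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}` form for which `name` now gets `type: "iam.googleapis.com/ServiceAccount"`; the same gap appears in the SignBlobRequest, SignJwtRequest and GenerateIdTokenRequest hunks. Unless the omission is deliberate, I would annotate it the same way: `repeated string delegates = 2 [(google.api.resource_reference) = { type: "iam.googleapis.com/ServiceAccount" }];`. Separately, the added `Required.` prefix on the `scope` comment makes the existing trailing sentence `At least one value required.` redundant; I would fold it into the first line. GenerateAccessTokenRequest continues past the end of this hunk.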
@@ -65,10 +79,16 @@ message GenerateAccessTokenResponse {
6579}
6680
6781message SignBlobRequest {
68- // The resource name of the service account for which the credentials
82+ // Required. The resource name of the service account for which the credentials
6983 // are requested, in the following format:
70- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
71- string name = 1 ;
84+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
85+ // character is required; replacing it with a project ID is invalid.
86+ string name = 1 [
87+ (google.api.field_behavior ) = REQUIRED ,
88+ (google.api.resource_reference ) = {
89+ type : "iam.googleapis.com/ServiceAccount"
90+ }
91+ ];
7292
7393 // The sequence of service accounts in a delegation chain. Each service
7494 // account must be granted the `roles/iam.serviceAccountTokenCreator` role
@@ -78,11 +98,12 @@ message SignBlobRequest {
7898 // request.
7999 //
80100 // The delegates must have the following format:
81- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
101+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
102+ // character is required; replacing it with a project ID is invalid.
82103 repeated string delegates = 3 ;
83104
84- // The bytes to sign.
85- bytes payload = 5 ;
105+ // Required. The bytes to sign.
106+ bytes payload = 5 [ (google.api .field_behavior ) = REQUIRED ] ;
86107}
87108
88109message SignBlobResponse {
@@ -94,10 +115,16 @@ message SignBlobResponse {
94115}
95116
96117message SignJwtRequest {
97- // The resource name of the service account for which the credentials
118+ // Required. The resource name of the service account for which the credentials
98119 // are requested, in the following format:
99- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
100- string name = 1 ;
120+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
121+ // character is required; replacing it with a project ID is invalid.
122+ string name = 1 [
123+ (google.api.field_behavior ) = REQUIRED ,
124+ (google.api.resource_reference ) = {
125+ type : "iam.googleapis.com/ServiceAccount"
126+ }
127+ ];
101128
102129 // The sequence of service accounts in a delegation chain. Each service
103130 // account must be granted the `roles/iam.serviceAccountTokenCreator` role
@@ -107,11 +134,12 @@ message SignJwtRequest {
107134 // request.
108135 //
109136 // The delegates must have the following format:
110- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
137+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
138+ // character is required; replacing it with a project ID is invalid.
111139 repeated string delegates = 3 ;
112140
113- // The JWT payload to sign: a JSON object that contains a JWT Claims Set.
114- string payload = 5 ;
141+ // Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.
142+ string payload = 5 [ (google.api .field_behavior ) = REQUIRED ] ;
115143}
116144
117145message SignJwtResponse {
@@ -123,10 +151,16 @@ message SignJwtResponse {
123151}
124152
125153message GenerateIdTokenRequest {
126- // The resource name of the service account for which the credentials
154+ // Required. The resource name of the service account for which the credentials
127155 // are requested, in the following format:
128- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
129- string name = 1 ;
156+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
157+ // character is required; replacing it with a project ID is invalid.
158+ string name = 1 [
159+ (google.api.field_behavior ) = REQUIRED ,
160+ (google.api.resource_reference ) = {
161+ type : "iam.googleapis.com/ServiceAccount"
162+ }
163+ ];
130164
131165 // The sequence of service accounts in a delegation chain. Each service
132166 // account must be granted the `roles/iam.serviceAccountTokenCreator` role
@@ -136,12 +170,13 @@ message GenerateIdTokenRequest {
136170 // request.
137171 //
138172 // The delegates must have the following format:
139- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
173+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
174+ // character is required; replacing it with a project ID is invalid.
140175 repeated string delegates = 2 ;
141176
142- // The audience for the token, such as the API or account that this token
177+ // Required. The audience for the token, such as the API or account that this token
143178 // grants access to.
144- string audience = 3 ;
179+ string audience = 3 [ (google.api .field_behavior ) = REQUIRED ] ;
145180
146181 // Include the service account email in the token. If set to `true`, the
147182 // token will contain `email` and `email_verified` claims.