You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
224 lines
8.3 KiB
224 lines
8.3 KiB
6 years ago
|
// Copyright 2018 Google LLC
|
||
|
//
|
||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
// you may not use this file except in compliance with the License.
|
||
|
// You may obtain a copy of the License at
|
||
|
//
|
||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||
|
//
|
||
|
// Unless required by applicable law or agreed to in writing, software
|
||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
// See the License for the specific language governing permissions and
|
||
|
// limitations under the License.
|
||
|
|
||
|
syntax = "proto3";
|
||
|
|
||
|
package google.iam.credentials.v1;
|
||
|
|
||
|
import "google/protobuf/duration.proto";
|
||
|
import "google/protobuf/timestamp.proto";
|
||
|
|
||
|
option cc_enable_arenas = true;
|
||
|
option go_package = "google.golang.org/genproto/googleapis/iam/credentials/v1;credentials";
|
||
|
option java_multiple_files = true;
|
||
|
option java_outer_classname = "IAMCredentialsCommonProto";
|
||
|
option java_package = "com.google.cloud.iam.credentials.v1";
|
||
|
|
||
|
message GenerateAccessTokenRequest {
|
||
|
// The resource name of the service account for which the credentials
|
||
|
// are requested, in the following format:
|
||
|
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
|
||
|
string name = 1;
|
||
|
|
||
|
// The sequence of service accounts in a delegation chain. Each service
|
||
|
// account must be granted the `roles/iam.serviceAccountTokenCreator` role
|
||
|
// on its next service account in the chain. The last service account in the
|
||
|
// chain must be granted the `roles/iam.serviceAccountTokenCreator` role
|
||
|
// on the service account that is specified in the `name` field of the
|
||
|
// request.
|
||
|
//
|
||
|
// The delegates must have the following format:
|
||
|
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
|
||
|
repeated string delegates = 2;
|
||
|
|
||
|
// Code to identify the scopes to be included in the OAuth 2.0 access token.
|
||
|
// See https://developers.google.com/identity/protocols/googlescopes for more
|
||
|
// information.
|
||
|
// At least one value required.
|
||
|
repeated string scope = 4;
|
||
|
|
||
|
// The desired lifetime duration of the access token in seconds.
|
||
|
// Must be set to a value less than or equal to 3600 (1 hour). If a value is
|
||
|
// not specified, the token's lifetime will be set to a default value of one
|
||
|
// hour.
|
||
|
google.protobuf.Duration lifetime = 7;
|
||
|
}
|
||
|
|
||
|
message GenerateAccessTokenResponse {
|
||
|
// The OAuth 2.0 access token.
|
||
|
string access_token = 1;
|
||
|
|
||
|
// Token expiration time.
|
||
|
// The expiration time is always set.
|
||
|
google.protobuf.Timestamp expire_time = 3;
|
||
|
}
|
||
|
|
||
|
message SignBlobRequest {
|
||
|
// The resource name of the service account for which the credentials
|
||
|
// are requested, in the following format:
|
||
|
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
|
||
|
string name = 1;
|
||
|
|
||
|
// The sequence of service accounts in a delegation chain. Each service
|
||
|
// account must be granted the `roles/iam.serviceAccountTokenCreator` role
|
||
|
// on its next service account in the chain. The last service account in the
|
||
|
// chain must be granted the `roles/iam.serviceAccountTokenCreator` role
|
||
|
// on the service account that is specified in the `name` field of the
|
||
|
// request.
|
||
|
//
|
||
|
// The delegates must have the following format:
|
||
|
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
|
||
|
repeated string delegates = 3;
|
||
|
|
||
|
// The bytes to sign.
|
||
|
bytes payload = 5;
|
||
|
}
|
||
|
|
||
|
message SignBlobResponse {
|
||
|
// The ID of the key used to sign the blob.
|
||
|
string key_id = 1;
|
||
|
|
||
|
// The signed blob.
|
||
|
bytes signed_blob = 4;
|
||
|
}
|
||
|
|
||
|
message SignJwtRequest {
|
||
|
// The resource name of the service account for which the credentials
|
||
|
// are requested, in the following format:
|
||
|
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
|
||
|
string name = 1;
|
||
|
|
||
|
// The sequence of service accounts in a delegation chain. Each service
|
||
|
// account must be granted the `roles/iam.serviceAccountTokenCreator` role
|
||
|
// on its next service account in the chain. The last service account in the
|
||
|
// chain must be granted the `roles/iam.serviceAccountTokenCreator` role
|
||
|
// on the service account that is specified in the `name` field of the
|
||
|
// request.
|
||
|
//
|
||
|
// The delegates must have the following format:
|
||
|
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
|
||
|
repeated string delegates = 3;
|
||
|
|
||
|
// The JWT payload to sign: a JSON object that contains a JWT Claims Set.
|
||
|
string payload = 5;
|
||
|
}
|
||
|
|
||
|
message SignJwtResponse {
|
||
|
// The ID of the key used to sign the JWT.
|
||
|
string key_id = 1;
|
||
|
|
||
|
// The signed JWT.
|
||
|
string signed_jwt = 2;
|
||
|
}
|
||
|
|
||
|
message GenerateIdTokenRequest {
|
||
|
// The resource name of the service account for which the credentials
|
||
|
// are requested, in the following format:
|
||
|
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
|
||
|
string name = 1;
|
||
|
|
||
|
// The sequence of service accounts in a delegation chain. Each service
|
||
|
// account must be granted the `roles/iam.serviceAccountTokenCreator` role
|
||
|
// on its next service account in the chain. The last service account in the
|
||
|
// chain must be granted the `roles/iam.serviceAccountTokenCreator` role
|
||
|
// on the service account that is specified in the `name` field of the
|
||
|
// request.
|
||
|
//
|
||
|
// The delegates must have the following format:
|
||
|
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
|
||
|
repeated string delegates = 2;
|
||
|
|
||
|
// The audience for the token, such as the API or account that this token
|
||
|
// grants access to.
|
||
|
string audience = 3;
|
||
|
|
||
|
// Include the service account email in the token. If set to `true`, the
|
||
|
// token will contain `email` and `email_verified` claims.
|
||
|
bool include_email = 4;
|
||
|
}
|
||
|
|
||
|
message GenerateIdTokenResponse {
|
||
|
// The OpenId Connect ID token.
|
||
|
string token = 1;
|
||
|
}
|
||
|
|
||
|
message GenerateIdentityBindingAccessTokenRequest {
|
||
|
// The resource name of the service account for which the credentials
|
||
|
// are requested, in the following format:
|
||
|
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
|
||
|
string name = 1;
|
||
|
|
||
|
// Code to identify the scopes to be included in the OAuth 2.0 access token.
|
||
|
// See https://developers.google.com/identity/protocols/googlescopes for more
|
||
|
// information.
|
||
|
// At least one value required.
|
||
|
repeated string scope = 2;
|
||
|
|
||
|
// Required. Input token.
|
||
|
// Must be in JWT format according to
|
||
|
// RFC7523 (https://tools.ietf.org/html/rfc7523)
|
||
|
// and must have 'kid' field in the header.
|
||
|
// Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
|
||
|
// Mandatory payload fields (along the lines of RFC 7523, section 3):
|
||
|
// - iss: issuer of the token. Must provide a discovery document at
|
||
|
// $iss/.well-known/openid-configuration . The document needs to be
|
||
|
// formatted according to section 4.2 of the OpenID Connect Discovery
|
||
|
// 1.0 specification.
|
||
|
// - iat: Issue time in seconds since epoch. Must be in the past.
|
||
|
// - exp: Expiration time in seconds since epoch. Must be less than 48 hours
|
||
|
// after iat. We recommend to create tokens that last shorter than 6
|
||
|
// hours to improve security unless business reasons mandate longer
|
||
|
// expiration times. Shorter token lifetimes are generally more secure
|
||
|
// since tokens that have been exfiltrated by attackers can be used for
|
||
|
// a shorter time. you can configure the maximum lifetime of the
|
||
|
// incoming token in the configuration of the mapper.
|
||
|
// The resulting Google token will expire within an hour or at "exp",
|
||
|
// whichever is earlier.
|
||
|
// - sub: JWT subject, identity asserted in the JWT.
|
||
|
// - aud: Configured in the mapper policy. By default the service account
|
||
|
// email.
|
||
|
//
|
||
|
// Claims from the incoming token can be transferred into the output token
|
||
|
// accoding to the mapper configuration. The outgoing claim size is limited.
|
||
|
// Outgoing claims size must be less than 4kB serialized as JSON without
|
||
|
// whitespace.
|
||
|
//
|
||
|
// Example header:
|
||
|
// {
|
||
|
// "alg": "RS256",
|
||
|
// "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
|
||
|
// }
|
||
|
// Example payload:
|
||
|
// {
|
||
|
// "iss": "https://accounts.google.com",
|
||
|
// "iat": 1517963104,
|
||
|
// "exp": 1517966704,
|
||
|
// "aud": "https://iamcredentials.googleapis.com/",
|
||
|
// "sub": "113475438248934895348",
|
||
|
// "my_claims": {
|
||
|
// "additional_claim": "value"
|
||
|
// }
|
||
|
// }
|
||
|
string jwt = 3;
|
||
|
}
|
||
|
|
||
|
message GenerateIdentityBindingAccessTokenResponse {
|
||
|
// The OAuth 2.0 access token.
|
||
|
string access_token = 1;
|
||
|
|
||
|
// Token expiration time.
|
||
|
// The expiration time is always set.
|
||
|
google.protobuf.Timestamp expire_time = 2;
|
||
|
}
|