// Copyright 2018 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; package google.iam.credentials.v1; import "google/protobuf/duration.proto"; import "google/protobuf/timestamp.proto"; option cc_enable_arenas = true; option go_package = "google.golang.org/genproto/googleapis/iam/credentials/v1;credentials"; option java_multiple_files = true; option java_outer_classname = "IAMCredentialsCommonProto"; option java_package = "com.google.cloud.iam.credentials.v1"; message GenerateAccessTokenRequest { // The resource name of the service account for which the credentials // are requested, in the following format: // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. string name = 1; // The sequence of service accounts in a delegation chain. Each service // account must be granted the `roles/iam.serviceAccountTokenCreator` role // on its next service account in the chain. The last service account in the // chain must be granted the `roles/iam.serviceAccountTokenCreator` role // on the service account that is specified in the `name` field of the // request. // // The delegates must have the following format: // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}` repeated string delegates = 2; // Code to identify the scopes to be included in the OAuth 2.0 access token. // See https://developers.google.com/identity/protocols/googlescopes for more // information. // At least one value required. repeated string scope = 4; // The desired lifetime duration of the access token in seconds. // Must be set to a value less than or equal to 3600 (1 hour). If a value is // not specified, the token's lifetime will be set to a default value of one // hour. google.protobuf.Duration lifetime = 7; } message GenerateAccessTokenResponse { // The OAuth 2.0 access token. string access_token = 1; // Token expiration time. // The expiration time is always set. google.protobuf.Timestamp expire_time = 3; } message SignBlobRequest { // The resource name of the service account for which the credentials // are requested, in the following format: // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. string name = 1; // The sequence of service accounts in a delegation chain. Each service // account must be granted the `roles/iam.serviceAccountTokenCreator` role // on its next service account in the chain. The last service account in the // chain must be granted the `roles/iam.serviceAccountTokenCreator` role // on the service account that is specified in the `name` field of the // request. // // The delegates must have the following format: // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}` repeated string delegates = 3; // The bytes to sign. bytes payload = 5; } message SignBlobResponse { // The ID of the key used to sign the blob. string key_id = 1; // The signed blob. bytes signed_blob = 4; } message SignJwtRequest { // The resource name of the service account for which the credentials // are requested, in the following format: // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. string name = 1; // The sequence of service accounts in a delegation chain. Each service // account must be granted the `roles/iam.serviceAccountTokenCreator` role // on its next service account in the chain. The last service account in the // chain must be granted the `roles/iam.serviceAccountTokenCreator` role // on the service account that is specified in the `name` field of the // request. // // The delegates must have the following format: // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}` repeated string delegates = 3; // The JWT payload to sign: a JSON object that contains a JWT Claims Set. string payload = 5; } message SignJwtResponse { // The ID of the key used to sign the JWT. string key_id = 1; // The signed JWT. string signed_jwt = 2; } message GenerateIdTokenRequest { // The resource name of the service account for which the credentials // are requested, in the following format: // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. string name = 1; // The sequence of service accounts in a delegation chain. Each service // account must be granted the `roles/iam.serviceAccountTokenCreator` role // on its next service account in the chain. The last service account in the // chain must be granted the `roles/iam.serviceAccountTokenCreator` role // on the service account that is specified in the `name` field of the // request. // // The delegates must have the following format: // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}` repeated string delegates = 2; // The audience for the token, such as the API or account that this token // grants access to. string audience = 3; // Include the service account email in the token. If set to `true`, the // token will contain `email` and `email_verified` claims. bool include_email = 4; } message GenerateIdTokenResponse { // The OpenId Connect ID token. string token = 1; } message GenerateIdentityBindingAccessTokenRequest { // The resource name of the service account for which the credentials // are requested, in the following format: // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. string name = 1; // Code to identify the scopes to be included in the OAuth 2.0 access token. // See https://developers.google.com/identity/protocols/googlescopes for more // information. // At least one value required. repeated string scope = 2; // Required. Input token. // Must be in JWT format according to // RFC7523 (https://tools.ietf.org/html/rfc7523) // and must have 'kid' field in the header. // Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon). // Mandatory payload fields (along the lines of RFC 7523, section 3): // - iss: issuer of the token. Must provide a discovery document at // $iss/.well-known/openid-configuration . The document needs to be // formatted according to section 4.2 of the OpenID Connect Discovery // 1.0 specification. // - iat: Issue time in seconds since epoch. Must be in the past. // - exp: Expiration time in seconds since epoch. Must be less than 48 hours // after iat. We recommend to create tokens that last shorter than 6 // hours to improve security unless business reasons mandate longer // expiration times. Shorter token lifetimes are generally more secure // since tokens that have been exfiltrated by attackers can be used for // a shorter time. you can configure the maximum lifetime of the // incoming token in the configuration of the mapper. // The resulting Google token will expire within an hour or at "exp", // whichever is earlier. // - sub: JWT subject, identity asserted in the JWT. // - aud: Configured in the mapper policy. By default the service account // email. // // Claims from the incoming token can be transferred into the output token // accoding to the mapper configuration. The outgoing claim size is limited. // Outgoing claims size must be less than 4kB serialized as JSON without // whitespace. // // Example header: // { // "alg": "RS256", // "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8" // } // Example payload: // { // "iss": "https://accounts.google.com", // "iat": 1517963104, // "exp": 1517966704, // "aud": "https://iamcredentials.googleapis.com/", // "sub": "113475438248934895348", // "my_claims": { // "additional_claim": "value" // } // } string jwt = 3; } message GenerateIdentityBindingAccessTokenResponse { // The OAuth 2.0 access token. string access_token = 1; // Token expiration time. // The expiration time is always set. google.protobuf.Timestamp expire_time = 2; }