1<html><body> 2<style> 3 4body, h1, h2, h3, div, span, p, pre, a { 5 margin: 0; 6 padding: 0; 7 border: 0; 8 font-weight: inherit; 9 font-style: inherit; 10 font-size: 100%; 11 font-family: inherit; 12 vertical-align: baseline; 13} 14 15body { 16 font-size: 13px; 17 padding: 1em; 18} 19 20h1 { 21 font-size: 26px; 22 margin-bottom: 1em; 23} 24 25h2 { 26 font-size: 24px; 27 margin-bottom: 1em; 28} 29 30h3 { 31 font-size: 20px; 32 margin-bottom: 1em; 33 margin-top: 1em; 34} 35 36pre, code { 37 line-height: 1.5; 38 font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; 39} 40 41pre { 42 margin-top: 0.5em; 43} 44 45h1, h2, h3, p { 46 font-family: Arial, sans serif; 47} 48 49h1, h2, h3 { 50 border-bottom: solid #CCC 1px; 51} 52 53.toc_element { 54 margin-top: 0.5em; 55} 56 57.firstline { 58 margin-left: 2 em; 59} 60 61.method { 62 margin-top: 1em; 63 border: solid 1px #CCC; 64 padding: 1em; 65 background: #EEE; 66} 67 68.details { 69 font-weight: bold; 70 font-size: 14px; 71} 72 73</style> 74 75<h1><a href="iamcredentials_v1.html">IAM Service Account Credentials API</a> . <a href="iamcredentials_v1.projects.html">projects</a> . <a href="iamcredentials_v1.projects.serviceAccounts.html">serviceAccounts</a></h1> 76<h2>Instance Methods</h2> 77<p class="toc_element"> 78 <code><a href="#close">close()</a></code></p> 79<p class="firstline">Close httplib2 connections.</p> 80<p class="toc_element"> 81 <code><a href="#generateAccessToken">generateAccessToken(name, body=None, x__xgafv=None)</a></code></p> 82<p class="firstline">Generates an OAuth 2.0 access token for a service account.</p> 83<p class="toc_element"> 84 <code><a href="#generateIdToken">generateIdToken(name, body=None, x__xgafv=None)</a></code></p> 85<p class="firstline">Generates an OpenID Connect ID token for a service account.</p> 86<p class="toc_element"> 87 <code><a href="#signBlob">signBlob(name, body=None, x__xgafv=None)</a></code></p> 88<p class="firstline">Signs a blob using a service account's system-managed private key.</p> 89<p class="toc_element"> 90 <code><a href="#signJwt">signJwt(name, body=None, x__xgafv=None)</a></code></p> 91<p class="firstline">Signs a JWT using a service account's system-managed private key.</p> 92<h3>Method Details</h3> 93<div class="method"> 94 <code class="details" id="close">close()</code> 95 <pre>Close httplib2 connections.</pre> 96</div> 97 98<div class="method"> 99 <code class="details" id="generateAccessToken">generateAccessToken(name, body=None, x__xgafv=None)</code> 100 <pre>Generates an OAuth 2.0 access token for a service account. 101 102Args: 103 name: string, Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. (required) 104 body: object, The request body. 105 The object takes the form of: 106 107{ 108 "delegates": [ # The sequence of service accounts in a delegation chain. This field is required for [delegated requests](https://cloud.google.com/iam/help/credentials/delegated-request). For [direct requests](https://cloud.google.com/iam/help/credentials/direct-request), which are more common, do not specify this field. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. 109 "A String", 110 ], 111 "lifetime": "A String", # The desired lifetime duration of the access token in seconds. By default, the maximum allowed value is 1 hour. To set a lifetime of up to 12 hours, you can add the service account as an allowed value in an Organization Policy that enforces the `constraints/iam.allowServiceAccountCredentialLifetimeExtension` constraint. See detailed instructions at https://cloud.google.com/iam/help/credentials/lifetime If a value is not specified, the token's lifetime will be set to a default value of 1 hour. 112 "scope": [ # Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value required. 113 "A String", 114 ], 115} 116 117 x__xgafv: string, V1 error format. 118 Allowed values 119 1 - v1 error format 120 2 - v2 error format 121 122Returns: 123 An object of the form: 124 125 { 126 "accessToken": "A String", # The OAuth 2.0 access token. 127 "expireTime": "A String", # Token expiration time. The expiration time is always set. 128}</pre> 129</div> 130 131<div class="method"> 132 <code class="details" id="generateIdToken">generateIdToken(name, body=None, x__xgafv=None)</code> 133 <pre>Generates an OpenID Connect ID token for a service account. 134 135Args: 136 name: string, Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. (required) 137 body: object, The request body. 138 The object takes the form of: 139 140{ 141 "audience": "A String", # Required. The audience for the token, such as the API or account that this token grants access to. 142 "delegates": [ # The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. 143 "A String", 144 ], 145 "includeEmail": True or False, # Include the service account email in the token. If set to `true`, the token will contain `email` and `email_verified` claims. 146} 147 148 x__xgafv: string, V1 error format. 149 Allowed values 150 1 - v1 error format 151 2 - v2 error format 152 153Returns: 154 An object of the form: 155 156 { 157 "token": "A String", # The OpenId Connect ID token. 158}</pre> 159</div> 160 161<div class="method"> 162 <code class="details" id="signBlob">signBlob(name, body=None, x__xgafv=None)</code> 163 <pre>Signs a blob using a service account's system-managed private key. 164 165Args: 166 name: string, Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. (required) 167 body: object, The request body. 168 The object takes the form of: 169 170{ 171 "delegates": [ # The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. 172 "A String", 173 ], 174 "payload": "A String", # Required. The bytes to sign. 175} 176 177 x__xgafv: string, V1 error format. 178 Allowed values 179 1 - v1 error format 180 2 - v2 error format 181 182Returns: 183 An object of the form: 184 185 { 186 "keyId": "A String", # The ID of the key used to sign the blob. The key used for signing will remain valid for at least 12 hours after the blob is signed. To verify the signature, you can retrieve the public key in several formats from the following endpoints: - RSA public key wrapped in an X.509 v3 certificate: `https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}` - Raw key in JSON format: `https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}` - JSON Web Key (JWK): `https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}` 187 "signedBlob": "A String", # The signature for the blob. Does not include the original blob. After the key pair referenced by the `key_id` response field expires, Google no longer exposes the public key that can be used to verify the blob. As a result, the receiver can no longer verify the signature. 188}</pre> 189</div> 190 191<div class="method"> 192 <code class="details" id="signJwt">signJwt(name, body=None, x__xgafv=None)</code> 193 <pre>Signs a JWT using a service account's system-managed private key. 194 195Args: 196 name: string, Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. (required) 197 body: object, The request body. 198 The object takes the form of: 199 200{ 201 "delegates": [ # The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. 202 "A String", 203 ], 204 "payload": "A String", # Required. The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. For example: `{"sub": "[email protected]", "iat": 313435}` If the JWT Claims Set contains an expiration time (`exp`) claim, it must be an integer timestamp that is not in the past and no more than 12 hours in the future. 205} 206 207 x__xgafv: string, V1 error format. 208 Allowed values 209 1 - v1 error format 210 2 - v2 error format 211 212Returns: 213 An object of the form: 214 215 { 216 "keyId": "A String", # The ID of the key used to sign the JWT. The key used for signing will remain valid for at least 12 hours after the JWT is signed. To verify the signature, you can retrieve the public key in several formats from the following endpoints: - RSA public key wrapped in an X.509 v3 certificate: `https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}` - Raw key in JSON format: `https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}` - JSON Web Key (JWK): `https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}` 217 "signedJwt": "A String", # The signed JWT. Contains the automatically generated header; the client-supplied payload; and the signature, which is generated using the key referenced by the `kid` field in the header. After the key pair referenced by the `key_id` response field expires, Google no longer exposes the public key that can be used to verify the JWT. As a result, the receiver can no longer verify the signature. 218}</pre> 219</div> 220 221</body></html>