| <html><body> |
| <style> |
| |
| body, h1, h2, h3, div, span, p, pre, a { |
| margin: 0; |
| padding: 0; |
| border: 0; |
| font-weight: inherit; |
| font-style: inherit; |
| font-size: 100%; |
| font-family: inherit; |
| vertical-align: baseline; |
| } |
| |
| body { |
| font-size: 13px; |
| padding: 1em; |
| } |
| |
| h1 { |
| font-size: 26px; |
| margin-bottom: 1em; |
| } |
| |
| h2 { |
| font-size: 24px; |
| margin-bottom: 1em; |
| } |
| |
| h3 { |
| font-size: 20px; |
| margin-bottom: 1em; |
| margin-top: 1em; |
| } |
| |
| pre, code { |
| line-height: 1.5; |
| font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| } |
| |
| pre { |
| margin-top: 0.5em; |
| } |
| |
| h1, h2, h3, p { |
| font-family: Arial, sans serif; |
| } |
| |
| h1, h2, h3 { |
| border-bottom: solid #CCC 1px; |
| } |
| |
| .toc_element { |
| margin-top: 0.5em; |
| } |
| |
| .firstline { |
| margin-left: 2 em; |
| } |
| |
| .method { |
| margin-top: 1em; |
| border: solid 1px #CCC; |
| padding: 1em; |
| background: #EEE; |
| } |
| |
| .details { |
| font-weight: bold; |
| font-size: 14px; |
| } |
| |
| </style> |
| |
| <h1><a href="iamcredentials_v1.html">IAM Service Account Credentials API</a> . <a href="iamcredentials_v1.projects.html">projects</a> . <a href="iamcredentials_v1.projects.serviceAccounts.html">serviceAccounts</a></h1> |
| <h2>Instance Methods</h2> |
| <p class="toc_element"> |
| <code><a href="#generateAccessToken">generateAccessToken(name, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Generates an OAuth 2.0 access token for a service account.</p> |
| <p class="toc_element"> |
| <code><a href="#generateIdToken">generateIdToken(name, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Generates an OpenID Connect ID token for a service account.</p> |
| <p class="toc_element"> |
| <code><a href="#signBlob">signBlob(name, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Signs a blob using a service account's system-managed private key.</p> |
| <p class="toc_element"> |
| <code><a href="#signJwt">signJwt(name, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Signs a JWT using a service account's system-managed private key.</p> |
| <h3>Method Details</h3> |
| <div class="method"> |
| <code class="details" id="generateAccessToken">generateAccessToken(name, body=None, x__xgafv=None)</code> |
| <pre>Generates an OAuth 2.0 access token for a service account. |
| |
| Args: |
| name: string, Required. The resource name of the service account for which the credentials |
| are requested, in the following format: |
| `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard |
| character is required; replacing it with a project ID is invalid. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { |
| "delegates": [ # The sequence of service accounts in a delegation chain. Each service |
| # account must be granted the `roles/iam.serviceAccountTokenCreator` role |
| # on its next service account in the chain. The last service account in the |
| # chain must be granted the `roles/iam.serviceAccountTokenCreator` role |
| # on the service account that is specified in the `name` field of the |
| # request. |
| # |
| # The delegates must have the following format: |
| # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard |
| # character is required; replacing it with a project ID is invalid. |
| "A String", |
| ], |
| "scope": [ # Required. Code to identify the scopes to be included in the OAuth 2.0 access token. |
| # See https://developers.google.com/identity/protocols/googlescopes for more |
| # information. |
| # At least one value required. |
| "A String", |
| ], |
| "lifetime": "A String", # The desired lifetime duration of the access token in seconds. |
| # Must be set to a value less than or equal to 3600 (1 hour). If a value is |
| # not specified, the token's lifetime will be set to a default value of one |
| # hour. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { |
| "expireTime": "A String", # Token expiration time. |
| # The expiration time is always set. |
| "accessToken": "A String", # The OAuth 2.0 access token. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="generateIdToken">generateIdToken(name, body=None, x__xgafv=None)</code> |
| <pre>Generates an OpenID Connect ID token for a service account. |
| |
| Args: |
| name: string, Required. The resource name of the service account for which the credentials |
| are requested, in the following format: |
| `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard |
| character is required; replacing it with a project ID is invalid. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { |
| "audience": "A String", # Required. The audience for the token, such as the API or account that this token |
| # grants access to. |
| "includeEmail": True or False, # Include the service account email in the token. If set to `true`, the |
| # token will contain `email` and `email_verified` claims. |
| "delegates": [ # The sequence of service accounts in a delegation chain. Each service |
| # account must be granted the `roles/iam.serviceAccountTokenCreator` role |
| # on its next service account in the chain. The last service account in the |
| # chain must be granted the `roles/iam.serviceAccountTokenCreator` role |
| # on the service account that is specified in the `name` field of the |
| # request. |
| # |
| # The delegates must have the following format: |
| # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard |
| # character is required; replacing it with a project ID is invalid. |
| "A String", |
| ], |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { |
| "token": "A String", # The OpenId Connect ID token. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="signBlob">signBlob(name, body=None, x__xgafv=None)</code> |
| <pre>Signs a blob using a service account's system-managed private key. |
| |
| Args: |
| name: string, Required. The resource name of the service account for which the credentials |
| are requested, in the following format: |
| `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard |
| character is required; replacing it with a project ID is invalid. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { |
| "payload": "A String", # Required. The bytes to sign. |
| "delegates": [ # The sequence of service accounts in a delegation chain. Each service |
| # account must be granted the `roles/iam.serviceAccountTokenCreator` role |
| # on its next service account in the chain. The last service account in the |
| # chain must be granted the `roles/iam.serviceAccountTokenCreator` role |
| # on the service account that is specified in the `name` field of the |
| # request. |
| # |
| # The delegates must have the following format: |
| # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard |
| # character is required; replacing it with a project ID is invalid. |
| "A String", |
| ], |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { |
| "keyId": "A String", # The ID of the key used to sign the blob. The key used for signing will |
| # remain valid for at least 12 hours after the blob is signed. To verify the |
| # signature, you can retrieve the public key in several formats from the |
| # following endpoints: |
| # |
| # - RSA public key wrapped in an X.509 v3 certificate: |
| # `https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}` |
| # - Raw key in JSON format: |
| # `https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}` |
| # - JSON Web Key (JWK): |
| # `https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}` |
| "signedBlob": "A String", # The signature for the blob. Does not include the original blob. |
| # |
| # After the key pair referenced by the `key_id` response field expires, |
| # Google no longer exposes the public key that can be used to verify the |
| # blob. As a result, the receiver can no longer verify the signature. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="signJwt">signJwt(name, body=None, x__xgafv=None)</code> |
| <pre>Signs a JWT using a service account's system-managed private key. |
| |
| Args: |
| name: string, Required. The resource name of the service account for which the credentials |
| are requested, in the following format: |
| `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard |
| character is required; replacing it with a project ID is invalid. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { |
| "payload": "A String", # Required. The JWT payload to sign. Must be a serialized JSON object that contains a |
| # JWT Claims Set. For example: `{"sub": "user@example.com", "iat": 313435}` |
| # |
| # If the JWT Claims Set contains an expiration time (`exp`) claim, it must be |
| # an integer timestamp that is not in the past and no more than 12 hours in |
| # the future. |
| "delegates": [ # The sequence of service accounts in a delegation chain. Each service |
| # account must be granted the `roles/iam.serviceAccountTokenCreator` role |
| # on its next service account in the chain. The last service account in the |
| # chain must be granted the `roles/iam.serviceAccountTokenCreator` role |
| # on the service account that is specified in the `name` field of the |
| # request. |
| # |
| # The delegates must have the following format: |
| # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard |
| # character is required; replacing it with a project ID is invalid. |
| "A String", |
| ], |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { |
| "keyId": "A String", # The ID of the key used to sign the JWT. The key used for signing will |
| # remain valid for at least 12 hours after the JWT is signed. To verify the |
| # signature, you can retrieve the public key in several formats from the |
| # following endpoints: |
| # |
| # - RSA public key wrapped in an X.509 v3 certificate: |
| # `https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}` |
| # - Raw key in JSON format: |
| # `https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}` |
| # - JSON Web Key (JWK): |
| # `https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}` |
| "signedJwt": "A String", # The signed JWT. Contains the automatically generated header; the |
| # client-supplied payload; and the signature, which is generated using the |
| # key referenced by the `kid` field in the header. |
| # |
| # After the key pair referenced by the `key_id` response field expires, |
| # Google no longer exposes the public key that can be used to verify the JWT. |
| # As a result, the receiver can no longer verify the signature. |
| }</pre> |
| </div> |
| |
| </body></html> |
