1<?php
2/*
3 * Copyright 2014 Google Inc.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
6 * use this file except in compliance with the License. You may obtain a copy of
7 * the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
13 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
14 * License for the specific language governing permissions and limitations under
15 * the License.
16 */
17
18namespace Google\Service\Iam\Resource;
19
20use Google\Service\Iam\CreateServiceAccountRequest;
21use Google\Service\Iam\DisableServiceAccountRequest;
22use Google\Service\Iam\EnableServiceAccountRequest;
23use Google\Service\Iam\IamEmpty;
24use Google\Service\Iam\ListServiceAccountsResponse;
25use Google\Service\Iam\PatchServiceAccountRequest;
26use Google\Service\Iam\Policy;
27use Google\Service\Iam\ServiceAccount;
28use Google\Service\Iam\SetIamPolicyRequest;
29use Google\Service\Iam\SignBlobRequest;
30use Google\Service\Iam\SignBlobResponse;
31use Google\Service\Iam\SignJwtRequest;
32use Google\Service\Iam\SignJwtResponse;
33use Google\Service\Iam\TestIamPermissionsRequest;
34use Google\Service\Iam\TestIamPermissionsResponse;
35use Google\Service\Iam\UndeleteServiceAccountRequest;
36use Google\Service\Iam\UndeleteServiceAccountResponse;
37
/**
 * Resource wrapper for the "serviceAccounts" collection of methods.
 *
 * Every public method packs its positional arguments into a parameter map,
 * merges the caller's optional parameters on top of it, and passes the result
 * to $this->call() together with the API method name and the class expected in
 * the response.
 *
 * Typical usage is:
 *  <code>
 *   $iamService = new Google\Service\Iam(...);
 *   $serviceAccounts = $iamService->serviceAccounts;
 *  </code>
 *
 * NOTE(review): $optParams is merged after the positional values, and
 * array_merge() lets a later string key win. An entry keyed 'name', 'resource'
 * or 'postBody' in $optParams therefore replaces the positional argument.
 * Build $optParams from a fixed set of keys instead of passing a
 * request-derived array straight through; this matters most for setIamPolicy,
 * delete and the two signing methods.
 */
class ProjectsServiceAccounts extends \Google\Service\Resource
{
  /**
   * Creates a ServiceAccount. (serviceAccounts.create)
   *
   * @param string $name Required. The resource name of the project associated
   * with the service accounts, such as `projects/my-project-123`.
   * @param CreateServiceAccountRequest $postBody Sent under the `postBody` key.
   * @param array $optParams Optional parameters.
   * @return ServiceAccount
   */
  public function create($name, CreateServiceAccountRequest $postBody, $optParams = [])
  {
    return $this->call(
      'create',
      [array_merge(['name' => $name, 'postBody' => $postBody], $optParams)],
      ServiceAccount::class
    );
  }

  /**
   * Deletes a ServiceAccount. (serviceAccounts.delete)
   *
   * **Warning:** After you delete a service account, you might not be able to
   * undelete it. If you know that you need to re-enable the service account in
   * the future, use DisableServiceAccount instead. If you delete a service
   * account, IAM permanently removes it 30 days later, and Google Cloud cannot
   * recover it after it is permanently removed, even if you file a support
   * request.
   *
   * To help avoid unplanned outages, disable the service account before you
   * delete it: use DisableServiceAccount, then wait at least 24 hours and watch
   * for unintended consequences. If there are none, you can delete the service
   * account.
   *
   * @param string $name Required. The resource name of the service account in the
   * following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using
   * `-` as a wildcard for the `PROJECT_ID` will infer the project from the
   * account. The `ACCOUNT` value can be the `email` address or the `unique_id` of
   * the service account.
   * @param array $optParams Optional parameters.
   * @return IamEmpty
   */
  public function delete($name, $optParams = [])
  {
    return $this->call(
      'delete',
      [array_merge(['name' => $name], $optParams)],
      IamEmpty::class
    );
  }

  /**
   * Disables a ServiceAccount immediately. (serviceAccounts.disable)
   *
   * If an application uses the service account to authenticate, that
   * application can no longer call Google APIs or access Google Cloud
   * resources. Existing access tokens for the service account are rejected, and
   * requests for new access tokens will fail.
   *
   * To re-enable the service account, use EnableServiceAccount. After you
   * re-enable it, its existing access tokens will be accepted, and you can
   * request new access tokens.
   *
   * To help avoid unplanned outages, disable the service account before you
   * delete it: use this method, then wait at least 24 hours and watch for
   * unintended consequences. If there are none, you can delete the service
   * account with DeleteServiceAccount.
   *
   * NOTE(review): because existing access tokens are accepted again once the
   * account is re-enabled, disabling contains a suspected misuse but does not
   * by itself retire tokens that were already issued.
   *
   * @param string $name The resource name of the service account in the following
   * format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a
   * wildcard for the `PROJECT_ID` will infer the project from the account. The
   * `ACCOUNT` value can be the `email` address or the `unique_id` of the service
   * account.
   * @param DisableServiceAccountRequest $postBody Sent under the `postBody` key.
   * @param array $optParams Optional parameters.
   * @return IamEmpty
   */
  public function disable($name, DisableServiceAccountRequest $postBody, $optParams = [])
  {
    return $this->call(
      'disable',
      [array_merge(['name' => $name, 'postBody' => $postBody], $optParams)],
      IamEmpty::class
    );
  }

  /**
   * Enables a ServiceAccount that was disabled by DisableServiceAccount.
   * (serviceAccounts.enable)
   *
   * If the service account is already enabled, this method has no effect. If
   * the service account was disabled by other means (for example, if Google
   * disabled the service account because it was compromised), you cannot use
   * this method to enable it.
   *
   * @param string $name The resource name of the service account in the following
   * format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a
   * wildcard for the `PROJECT_ID` will infer the project from the account. The
   * `ACCOUNT` value can be the `email` address or the `unique_id` of the service
   * account.
   * @param EnableServiceAccountRequest $postBody Sent under the `postBody` key.
   * @param array $optParams Optional parameters.
   * @return IamEmpty
   */
  public function enable($name, EnableServiceAccountRequest $postBody, $optParams = [])
  {
    return $this->call(
      'enable',
      [array_merge(['name' => $name, 'postBody' => $postBody], $optParams)],
      IamEmpty::class
    );
  }

  /**
   * Gets a ServiceAccount. (serviceAccounts.get)
   *
   * @param string $name Required. The resource name of the service account in the
   * following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using
   * `-` as a wildcard for the `PROJECT_ID` will infer the project from the
   * account. The `ACCOUNT` value can be the `email` address or the `unique_id` of
   * the service account.
   * @param array $optParams Optional parameters.
   * @return ServiceAccount
   */
  public function get($name, $optParams = [])
  {
    return $this->call(
      'get',
      [array_merge(['name' => $name], $optParams)],
      ServiceAccount::class
    );
  }

  /**
   * Gets the IAM policy that is attached to a ServiceAccount.
   * (serviceAccounts.getIamPolicy)
   *
   * This IAM policy specifies which principals have access to the service
   * account. It does not tell you whether the service account has been granted
   * any roles on other resources. To check whether a service account has role
   * grants on a resource, use the `getIamPolicy` method for that resource. For
   * example, to view the role grants for a project, call the Resource Manager
   * API's [`projects.getIamPolicy`](https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy)
   * method.
   *
   * @param string $resource REQUIRED: The resource for which the policy is being
   * requested. See the operation documentation for the appropriate value for this
   * field.
   * @param array $optParams Optional parameters.
   *
   * @opt_param int options.requestedPolicyVersion Optional. The maximum policy
   * version that will be used to format the policy. Valid values are 0, 1, and 3.
   * Requests specifying an invalid value will be rejected. Requests for policies
   * with any conditional role bindings must specify version 3. Policies with no
   * conditional role bindings may specify any valid value or leave the field
   * unset. The policy in the response might use the policy version that you
   * specified, or it might use a lower policy version. For example, if you
   * specify version 3, but the policy has no conditional role bindings, the
   * response uses version 1. To learn which resources support conditions in their
   * IAM policies, see the [IAM
   * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
   * @return Policy
   */
  public function getIamPolicy($resource, $optParams = [])
  {
    return $this->call(
      'getIamPolicy',
      [array_merge(['resource' => $resource], $optParams)],
      Policy::class
    );
  }

  /**
   * Lists every ServiceAccount that belongs to a specific project.
   * (serviceAccounts.listProjectsServiceAccounts)
   *
   * The request is dispatched under the API method name `list`.
   *
   * @param string $name Required. The resource name of the project associated
   * with the service accounts, such as `projects/my-project-123`.
   * @param array $optParams Optional parameters.
   *
   * @opt_param int pageSize Optional limit on the number of service accounts to
   * include in the response. Further accounts can subsequently be obtained by
   * including the ListServiceAccountsResponse.next_page_token in a subsequent
   * request. The default is 20, and the maximum is 100.
   * @opt_param string pageToken Optional pagination token returned in an earlier
   * ListServiceAccountsResponse.next_page_token.
   * @return ListServiceAccountsResponse
   */
  public function listProjectsServiceAccounts($name, $optParams = [])
  {
    return $this->call(
      'list',
      [array_merge(['name' => $name], $optParams)],
      ListServiceAccountsResponse::class
    );
  }

  /**
   * Patches a ServiceAccount. (serviceAccounts.patch)
   *
   * @param string $name The resource name of the service account. Use one of the
   * following formats:
   * * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
   * * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
   * As an alternative, you can use the `-` wildcard character instead of the
   * project ID:
   * * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
   * * `projects/-/serviceAccounts/{UNIQUE_ID}`
   * When possible, avoid using the `-` wildcard character, because it can cause
   * response messages to contain misleading error codes. For example, if you try
   * to get the service account `projects/-/serviceAccounts/fake@example.com`,
   * which does not exist, the response contains an HTTP `403 Forbidden` error
   * instead of a `404 Not Found` error.
   * @param PatchServiceAccountRequest $postBody Sent under the `postBody` key.
   * @param array $optParams Optional parameters.
   * @return ServiceAccount
   */
  public function patch($name, PatchServiceAccountRequest $postBody, $optParams = [])
  {
    return $this->call(
      'patch',
      [array_merge(['name' => $name, 'postBody' => $postBody], $optParams)],
      ServiceAccount::class
    );
  }

  /**
   * Sets the IAM policy that is attached to a ServiceAccount.
   * (serviceAccounts.setIamPolicy)
   *
   * Use this method to grant or revoke access to the service account. For
   * example, you could grant a principal the ability to impersonate the service
   * account.
   *
   * This method does not enable the service account to access other resources.
   * To grant roles to a service account on a resource, follow these steps:
   * 1. Call the resource's `getIamPolicy` method to get its current IAM policy.
   * 2. Edit the policy so that it binds the service account to an IAM role for
   *    the resource.
   * 3. Call the resource's `setIamPolicy` method to update its IAM policy.
   *
   * For detailed instructions, see [Manage access to project, folders, and
   * organizations](https://cloud.google.com/iam/help/service-accounts/granting-access-to-service-accounts)
   * or [Manage access to other
   * resources](https://cloud.google.com/iam/help/access/manage-other-resources).
   *
   * NOTE(review): a binding that lets a principal impersonate the account
   * deserves the same scrutiny as the roles the account itself holds.
   * Presumably the submitted policy replaces the attached one, so read the
   * current policy with getIamPolicy and edit that copy - confirm against the
   * API reference.
   *
   * @param string $resource REQUIRED: The resource for which the policy is being
   * specified. See the operation documentation for the appropriate value for this
   * field.
   * @param SetIamPolicyRequest $postBody Sent under the `postBody` key.
   * @param array $optParams Optional parameters.
   * @return Policy
   */
  public function setIamPolicy($resource, SetIamPolicyRequest $postBody, $optParams = [])
  {
    return $this->call(
      'setIamPolicy',
      [array_merge(['resource' => $resource, 'postBody' => $postBody], $optParams)],
      Policy::class
    );
  }

  /**
   * Signs a blob using the system-managed private key for a ServiceAccount.
   * (serviceAccounts.signBlob)
   *
   * **Note:** This method is deprecated. Use the
   * [`signBlob`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signBlob)
   * method in the IAM Service Account Credentials API instead. If you currently
   * use this method, see the
   * [migration guide](https://cloud.google.com/iam/help/credentials/migrate-api)
   * for instructions.
   *
   * NOTE(review): a caller allowed to use this method obtains signatures made
   * with the account's key, so grant that ability as narrowly as the ability
   * to act as the account.
   *
   * @deprecated Use the `signBlob` method of the IAM Service Account
   * Credentials API.
   *
   * @param string $name Required. Deprecated. [Migrate to Service Account
   * Credentials API](https://cloud.google.com/iam/help/credentials/migrate-api).
   * The resource name of the service account in the following format:
   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a wildcard
   * for the `PROJECT_ID` will infer the project from the account. The `ACCOUNT`
   * value can be the `email` address or the `unique_id` of the service account.
   * @param SignBlobRequest $postBody Sent under the `postBody` key.
   * @param array $optParams Optional parameters.
   * @return SignBlobResponse
   */
  public function signBlob($name, SignBlobRequest $postBody, $optParams = [])
  {
    return $this->call(
      'signBlob',
      [array_merge(['name' => $name, 'postBody' => $postBody], $optParams)],
      SignBlobResponse::class
    );
  }

  /**
   * Signs a JSON Web Token (JWT) using the system-managed private key for a
   * ServiceAccount. (serviceAccounts.signJwt)
   *
   * **Note:** This method is deprecated. Use the
   * [`signJwt`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signJwt)
   * method in the IAM Service Account Credentials API instead. If you currently
   * use this method, see the
   * [migration guide](https://cloud.google.com/iam/help/credentials/migrate-api)
   * for instructions.
   *
   * NOTE(review): a caller allowed to use this method obtains tokens signed
   * with the account's key, so grant that ability as narrowly as the ability
   * to act as the account.
   *
   * @deprecated Use the `signJwt` method of the IAM Service Account
   * Credentials API.
   *
   * @param string $name Required. Deprecated. [Migrate to Service Account
   * Credentials API](https://cloud.google.com/iam/help/credentials/migrate-api).
   * The resource name of the service account in the following format:
   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a wildcard
   * for the `PROJECT_ID` will infer the project from the account. The `ACCOUNT`
   * value can be the `email` address or the `unique_id` of the service account.
   * @param SignJwtRequest $postBody Sent under the `postBody` key.
   * @param array $optParams Optional parameters.
   * @return SignJwtResponse
   */
  public function signJwt($name, SignJwtRequest $postBody, $optParams = [])
  {
    return $this->call(
      'signJwt',
      [array_merge(['name' => $name, 'postBody' => $postBody], $optParams)],
      SignJwtResponse::class
    );
  }

  /**
   * Tests whether the caller has the specified permissions on a ServiceAccount.
   * (serviceAccounts.testIamPermissions)
   *
   * @param string $resource REQUIRED: The resource for which the policy detail is
   * being requested. See the operation documentation for the appropriate value
   * for this field.
   * @param TestIamPermissionsRequest $postBody Sent under the `postBody` key.
   * @param array $optParams Optional parameters.
   * @return TestIamPermissionsResponse
   */
  public function testIamPermissions($resource, TestIamPermissionsRequest $postBody, $optParams = [])
  {
    return $this->call(
      'testIamPermissions',
      [array_merge(['resource' => $resource, 'postBody' => $postBody], $optParams)],
      TestIamPermissionsResponse::class
    );
  }

  /**
   * Restores a deleted ServiceAccount. (serviceAccounts.undelete)
   *
   * **Important:** It is not always possible to restore a deleted service
   * account. Use this method only as a last resort. After you delete a service
   * account, IAM permanently removes it 30 days later. There is no way to
   * restore a deleted service account that has been permanently removed.
   *
   * @param string $name The resource name of the service account in the following
   * format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT_UNIQUE_ID}`. Using
   * `-` as a wildcard for the `PROJECT_ID` will infer the project from the
   * account.
   * @param UndeleteServiceAccountRequest $postBody Sent under the `postBody` key.
   * @param array $optParams Optional parameters.
   * @return UndeleteServiceAccountResponse
   */
  public function undelete($name, UndeleteServiceAccountRequest $postBody, $optParams = [])
  {
    return $this->call(
      'undelete',
      [array_merge(['name' => $name, 'postBody' => $postBody], $optParams)],
      UndeleteServiceAccountResponse::class
    );
  }

  /**
   * Updates a ServiceAccount. You can update only the `display_name` field.
   * (serviceAccounts.update)
   *
   * **Note:** We are in the process of deprecating this method. Use
   * PatchServiceAccount instead.
   *
   * @param string $name The resource name of the service account. Use one of the
   * following formats:
   * * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
   * * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
   * As an alternative, you can use the `-` wildcard character instead of the
   * project ID:
   * * `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
   * * `projects/-/serviceAccounts/{UNIQUE_ID}`
   * When possible, avoid using the `-` wildcard character, because it can cause
   * response messages to contain misleading error codes. For example, if you try
   * to get the service account `projects/-/serviceAccounts/fake@example.com`,
   * which does not exist, the response contains an HTTP `403 Forbidden` error
   * instead of a `404 Not Found` error.
   * @param ServiceAccount $postBody Sent under the `postBody` key.
   * @param array $optParams Optional parameters.
   * @return ServiceAccount
   */
  public function update($name, ServiceAccount $postBody, $optParams = [])
  {
    return $this->call(
      'update',
      [array_merge(['name' => $name, 'postBody' => $postBody], $optParams)],
      ServiceAccount::class
    );
  }
}
382
// Register the previous underscore-style class name as an alias of this class
// so that code written against the old name keeps resolving.
class_alias(
  ProjectsServiceAccounts::class,
  'Google_Service_Iam_Resource_ProjectsServiceAccounts'
);
385