<?php
/*
 * Copyright 2014 Google Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy of
 * the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations under
 * the License.
 */

namespace Google\Service\Iam\Resource;

use Google\Service\Iam\CreateServiceAccountRequest;
use Google\Service\Iam\DisableServiceAccountRequest;
use Google\Service\Iam\EnableServiceAccountRequest;
use Google\Service\Iam\IamEmpty;
use Google\Service\Iam\ListServiceAccountsResponse;
use Google\Service\Iam\PatchServiceAccountRequest;
use Google\Service\Iam\Policy;
use Google\Service\Iam\ServiceAccount;
use Google\Service\Iam\SetIamPolicyRequest;
use Google\Service\Iam\SignBlobRequest;
use Google\Service\Iam\SignBlobResponse;
use Google\Service\Iam\SignJwtRequest;
use Google\Service\Iam\SignJwtResponse;
use Google\Service\Iam\TestIamPermissionsRequest;
use Google\Service\Iam\TestIamPermissionsResponse;
use Google\Service\Iam\UndeleteServiceAccountRequest;
use Google\Service\Iam\UndeleteServiceAccountResponse;

/**
 * The "serviceAccounts" collection of methods.
 * Typical usage is:
 *  <code>
 *   $iamService = new Google\Service\Iam(...);
 *   $serviceAccounts = $iamService->serviceAccounts;
 *  </code>
 *
 * Every method here builds a single parameter array and passes it to the
 * inherited call(). `$optParams` is merged last with array_merge(), so a
 * `name`, `resource` or `postBody` key inside `$optParams` replaces the
 * positional argument of the same name. Build `$optParams` from known keys
 * rather than forwarding request-derived arrays unchanged.
 */
class ProjectsServiceAccounts extends \Google\Service\Resource
{
  /**
   * Creates a ServiceAccount. (serviceAccounts.create)
   *
   * @param string $name Required. The resource name of the project associated
   * with the service accounts, such as `projects/my-project-123`.
   * @param CreateServiceAccountRequest $postBody
   * @param array $optParams Optional parameters.
   * @return ServiceAccount
   */
  public function create($name, CreateServiceAccountRequest $postBody, $optParams = [])
  {
    $request = array_merge(['name' => $name, 'postBody' => $postBody], $optParams);

    return $this->call('create', [$request], ServiceAccount::class);
  }

  /**
   * Deletes a ServiceAccount. (serviceAccounts.delete)
   *
   * **Warning:** After you delete a service account, you might not be able to
   * undelete it. If you know that you need to re-enable the service account in
   * the future, use DisableServiceAccount instead. If you delete a service
   * account, IAM permanently removes the service account 30 days later. Google
   * Cloud cannot recover the service account after it is permanently removed,
   * even if you file a support request.
   *
   * To help avoid unplanned outages, we recommend that you disable the service
   * account before you delete it. Use DisableServiceAccount to disable the
   * service account, then wait at least 24 hours and watch for unintended
   * consequences. If there are no unintended consequences, you can delete the
   * service account.
   *
   * @param string $name Required. The resource name of the service account in the
   * following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using
   * `-` as a wildcard for the `PROJECT_ID` will infer the project from the
   * account. The `ACCOUNT` value can be the `email` address or the `unique_id` of
   * the service account.
   * @param array $optParams Optional parameters.
   * @return IamEmpty
   */
  public function delete($name, $optParams = [])
  {
    $request = array_merge(['name' => $name], $optParams);

    return $this->call('delete', [$request], IamEmpty::class);
  }

  /**
   * Disables a ServiceAccount immediately. (serviceAccounts.disable)
   *
   * If an application uses the service account to authenticate, that
   * application can no longer call Google APIs or access Google Cloud
   * resources. Existing access tokens for the service account are rejected, and
   * requests for new access tokens will fail.
   *
   * To re-enable the service account, use EnableServiceAccount. After you
   * re-enable the service account, its existing access tokens will be accepted,
   * and you can request new access tokens.
   *
   * To help avoid unplanned outages, we recommend that you disable the service
   * account before you delete it. Use this method to disable the service
   * account, then wait at least 24 hours and watch for unintended consequences.
   * If there are no unintended consequences, you can delete the service account
   * with DeleteServiceAccount.
   *
   * @param string $name The resource name of the service account in the following
   * format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a
   * wildcard for the `PROJECT_ID` will infer the project from the account. The
   * `ACCOUNT` value can be the `email` address or the `unique_id` of the service
   * account.
   * @param DisableServiceAccountRequest $postBody
   * @param array $optParams Optional parameters.
   * @return IamEmpty
   */
  public function disable($name, DisableServiceAccountRequest $postBody, $optParams = [])
  {
    $request = array_merge(['name' => $name, 'postBody' => $postBody], $optParams);

    return $this->call('disable', [$request], IamEmpty::class);
  }

  /**
   * Enables a ServiceAccount that was disabled by DisableServiceAccount.
   * (serviceAccounts.enable)
   *
   * If the service account is already enabled, then this method has no effect.
   * If the service account was disabled by other means—for example, if Google
   * disabled the service account because it was compromised—you cannot use this
   * method to enable the service account.
   *
   * @param string $name The resource name of the service account in the following
   * format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a
   * wildcard for the `PROJECT_ID` will infer the project from the account. The
   * `ACCOUNT` value can be the `email` address or the `unique_id` of the service
   * account.
   * @param EnableServiceAccountRequest $postBody
   * @param array $optParams Optional parameters.
   * @return IamEmpty
   */
  public function enable($name, EnableServiceAccountRequest $postBody, $optParams = [])
  {
    $request = array_merge(['name' => $name, 'postBody' => $postBody], $optParams);

    return $this->call('enable', [$request], IamEmpty::class);
  }

  /**
   * Gets a ServiceAccount. (serviceAccounts.get)
   *
   * @param string $name Required. The resource name of the service account in the
   * following format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using
   * `-` as a wildcard for the `PROJECT_ID` will infer the project from the
   * account. The `ACCOUNT` value can be the `email` address or the `unique_id` of
   * the service account.
   * @param array $optParams Optional parameters.
   * @return ServiceAccount
   */
  public function get($name, $optParams = [])
  {
    $request = array_merge(['name' => $name], $optParams);

    return $this->call('get', [$request], ServiceAccount::class);
  }

  /**
   * Gets the IAM policy that is attached to a ServiceAccount.
   * (serviceAccounts.getIamPolicy)
   *
   * This IAM policy specifies which principals have access to the service
   * account. This method does not tell you whether the service account has been
   * granted any roles on other resources. To check whether a service account
   * has role grants on a resource, use the `getIamPolicy` method for that
   * resource. For example, to view the role grants for a project, call the
   * Resource Manager API's
   * [`projects.getIamPolicy`](https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy)
   * method.
   *
   * @param string $resource REQUIRED: The resource for which the policy is being
   * requested. See the operation documentation for the appropriate value for this
   * field.
   * @param array $optParams Optional parameters.
   *
   * @opt_param int options.requestedPolicyVersion Optional. The maximum policy
   * version that will be used to format the policy. Valid values are 0, 1, and 3.
   * Requests specifying an invalid value will be rejected. Requests for policies
   * with any conditional role bindings must specify version 3. Policies with no
   * conditional role bindings may specify any valid value or leave the field
   * unset. The policy in the response might use the policy version that you
   * specified, or it might use a lower policy version. For example, if you
   * specify version 3, but the policy has no conditional role bindings, the
   * response uses version 1. To learn which resources support conditions in their
   * IAM policies, see the [IAM
   * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
   * @return Policy
   */
  public function getIamPolicy($resource, $optParams = [])
  {
    $request = array_merge(['resource' => $resource], $optParams);

    return $this->call('getIamPolicy', [$request], Policy::class);
  }

  /**
   * Lists every ServiceAccount that belongs to a specific project.
   * (serviceAccounts.listProjectsServiceAccounts)
   *
   * @param string $name Required. The resource name of the project associated
   * with the service accounts, such as `projects/my-project-123`.
   * @param array $optParams Optional parameters.
   *
   * @opt_param int pageSize Optional limit on the number of service accounts to
   * include in the response. Further accounts can subsequently be obtained by
   * including the ListServiceAccountsResponse.next_page_token in a subsequent
   * request. The default is 20, and the maximum is 100.
   * @opt_param string pageToken Optional pagination token returned in an earlier
   * ListServiceAccountsResponse.next_page_token.
   * @return ListServiceAccountsResponse
   */
  public function listProjectsServiceAccounts($name, $optParams = [])
  {
    $request = array_merge(['name' => $name], $optParams);

    // The remote method is named "list"; only the PHP method carries the longer name.
    return $this->call('list', [$request], ListServiceAccountsResponse::class);
  }

  /**
   * Patches a ServiceAccount. (serviceAccounts.patch)
   *
   * @param string $name The resource name of the service account. Use one of the
   * following formats:
   *  - `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
   *  - `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
   * As an alternative, you can use the `-` wildcard character instead of the
   * project ID:
   *  - `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
   *  - `projects/-/serviceAccounts/{UNIQUE_ID}`
   * When possible, avoid using the `-` wildcard character, because it can cause
   * response messages to contain misleading error codes. For example, if you try
   * to get the service account `projects/-/serviceAccounts/fake@example.com`,
   * which does not exist, the response contains an HTTP `403 Forbidden` error
   * instead of a `404 Not Found` error.
   * @param PatchServiceAccountRequest $postBody
   * @param array $optParams Optional parameters.
   * @return ServiceAccount
   */
  public function patch($name, PatchServiceAccountRequest $postBody, $optParams = [])
  {
    $request = array_merge(['name' => $name, 'postBody' => $postBody], $optParams);

    return $this->call('patch', [$request], ServiceAccount::class);
  }

  /**
   * Sets the IAM policy that is attached to a ServiceAccount.
   * (serviceAccounts.setIamPolicy)
   *
   * Use this method to grant or revoke access to the service account. For
   * example, you could grant a principal the ability to impersonate the service
   * account. This method does not enable the service account to access other
   * resources. To grant roles to a service account on a resource, follow these
   * steps:
   *  1. Call the resource's `getIamPolicy` method to get its current IAM policy.
   *  2. Edit the policy so that it binds the service account to an IAM role for
   *     the resource.
   *  3. Call the resource's `setIamPolicy` method to update its IAM policy.
   * For detailed instructions, see [Manage access to project, folders, and
   * organizations](https://cloud.google.com/iam/help/service-accounts/granting-access-to-service-accounts)
   * or [Manage access to other
   * resources](https://cloud.google.com/iam/help/access/manage-other-resources).
   *
   * A principal that can impersonate the service account can act with whatever
   * access the account holds, so a binding added here deserves the same review
   * and audit attention as a direct role grant.
   * NOTE(review): the request carries a Policy object; presumably it should be
   * built from a fresh getIamPolicy() result so existing bindings are not lost —
   * confirm against the SetIamPolicyRequest documentation.
   *
   * @param string $resource REQUIRED: The resource for which the policy is being
   * specified. See the operation documentation for the appropriate value for this
   * field.
   * @param SetIamPolicyRequest $postBody
   * @param array $optParams Optional parameters.
   * @return Policy
   */
  public function setIamPolicy($resource, SetIamPolicyRequest $postBody, $optParams = [])
  {
    $request = array_merge(['resource' => $resource, 'postBody' => $postBody], $optParams);

    return $this->call('setIamPolicy', [$request], Policy::class);
  }

  /**
   * Signs a blob using the system-managed private key for a ServiceAccount.
   * (serviceAccounts.signBlob)
   *
   * **Note:** This method is deprecated. Use the
   * [`signBlob`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signBlob)
   * method in the IAM Service Account Credentials API instead. If you currently
   * use this method, see the
   * [migration guide](https://cloud.google.com/iam/help/credentials/migrate-api)
   * for instructions.
   *
   * The signature is made with the account's own key, so the permission to call
   * this method should be held only by principals that are meant to act as the
   * service account.
   *
   * @deprecated Use the `signBlob` method of the IAM Service Account Credentials
   * API.
   *
   * @param string $name Required. Deprecated. [Migrate to Service Account
   * Credentials API](https://cloud.google.com/iam/help/credentials/migrate-api).
   * The resource name of the service account in the following format:
   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a wildcard
   * for the `PROJECT_ID` will infer the project from the account. The `ACCOUNT`
   * value can be the `email` address or the `unique_id` of the service account.
   * @param SignBlobRequest $postBody
   * @param array $optParams Optional parameters.
   * @return SignBlobResponse
   */
  public function signBlob($name, SignBlobRequest $postBody, $optParams = [])
  {
    $request = array_merge(['name' => $name, 'postBody' => $postBody], $optParams);

    return $this->call('signBlob', [$request], SignBlobResponse::class);
  }

  /**
   * Signs a JSON Web Token (JWT) using the system-managed private key for a
   * ServiceAccount. (serviceAccounts.signJwt)
   *
   * **Note:** This method is deprecated. Use the
   * [`signJwt`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signJwt)
   * method in the IAM Service Account Credentials API instead. If you currently
   * use this method, see the
   * [migration guide](https://cloud.google.com/iam/help/credentials/migrate-api)
   * for instructions.
   *
   * The token is signed with the account's own key, so the permission to call
   * this method should be held only by principals that are meant to act as the
   * service account.
   *
   * @deprecated Use the `signJwt` method of the IAM Service Account Credentials
   * API.
   *
   * @param string $name Required. Deprecated. [Migrate to Service Account
   * Credentials API](https://cloud.google.com/iam/help/credentials/migrate-api).
   * The resource name of the service account in the following format:
   * `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. Using `-` as a wildcard
   * for the `PROJECT_ID` will infer the project from the account. The `ACCOUNT`
   * value can be the `email` address or the `unique_id` of the service account.
   * @param SignJwtRequest $postBody
   * @param array $optParams Optional parameters.
   * @return SignJwtResponse
   */
  public function signJwt($name, SignJwtRequest $postBody, $optParams = [])
  {
    $request = array_merge(['name' => $name, 'postBody' => $postBody], $optParams);

    return $this->call('signJwt', [$request], SignJwtResponse::class);
  }

  /**
   * Tests whether the caller has the specified permissions on a ServiceAccount.
   * (serviceAccounts.testIamPermissions)
   *
   * @param string $resource REQUIRED: The resource for which the policy detail is
   * being requested. See the operation documentation for the appropriate value
   * for this field.
   * @param TestIamPermissionsRequest $postBody
   * @param array $optParams Optional parameters.
   * @return TestIamPermissionsResponse
   */
  public function testIamPermissions($resource, TestIamPermissionsRequest $postBody, $optParams = [])
  {
    $request = array_merge(['resource' => $resource, 'postBody' => $postBody], $optParams);

    return $this->call('testIamPermissions', [$request], TestIamPermissionsResponse::class);
  }

  /**
   * Restores a deleted ServiceAccount. (serviceAccounts.undelete)
   *
   * **Important:** It is not always possible to restore a deleted service
   * account. Use this method only as a last resort. After you delete a service
   * account, IAM permanently removes the service account 30 days later. There
   * is no way to restore a deleted service account that has been permanently
   * removed.
   *
   * @param string $name The resource name of the service account in the following
   * format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT_UNIQUE_ID}`. Using
   * `-` as a wildcard for the `PROJECT_ID` will infer the project from the
   * account.
   * @param UndeleteServiceAccountRequest $postBody
   * @param array $optParams Optional parameters.
   * @return UndeleteServiceAccountResponse
   */
  public function undelete($name, UndeleteServiceAccountRequest $postBody, $optParams = [])
  {
    $request = array_merge(['name' => $name, 'postBody' => $postBody], $optParams);

    return $this->call('undelete', [$request], UndeleteServiceAccountResponse::class);
  }

  /**
   * Updates a ServiceAccount. You can update only the `display_name` field.
   * (serviceAccounts.update)
   *
   * **Note:** We are in the process of deprecating this method. Use
   * PatchServiceAccount instead.
   *
   * @param string $name The resource name of the service account. Use one of the
   * following formats:
   *  - `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}`
   *  - `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`
   * As an alternative, you can use the `-` wildcard character instead of the
   * project ID:
   *  - `projects/-/serviceAccounts/{EMAIL_ADDRESS}`
   *  - `projects/-/serviceAccounts/{UNIQUE_ID}`
   * When possible, avoid using the `-` wildcard character, because it can cause
   * response messages to contain misleading error codes. For example, if you try
   * to get the service account `projects/-/serviceAccounts/fake@example.com`,
   * which does not exist, the response contains an HTTP `403 Forbidden` error
   * instead of a `404 Not Found` error.
   * @param ServiceAccount $postBody
   * @param array $optParams Optional parameters.
   * @return ServiceAccount
   */
  public function update($name, ServiceAccount $postBody, $optParams = [])
  {
    $request = array_merge(['name' => $name, 'postBody' => $postBody], $optParams);

    return $this->call('update', [$request], ServiceAccount::class);
  }
}

// Adding a class alias for backwards compatibility with the previous class name.
class_alias(ProjectsServiceAccounts::class, 'Google_Service_Iam_Resource_ProjectsServiceAccounts');