Iam

google_cloud_iam_admin_v1::client

Struct Iam 

Source 
pub struct Iam { /* private fields */ }
Expand description

Implements a client for the Identity and Access Management (IAM) API.

§Example

let client = Iam::builder().build().await?;
// use `client` to make requests to the Identity and Access Management (IAM) API.

§Service Description

Creates and manages Identity and Access Management (IAM) resources.

You can use this service to work with all of the following resources:

  • Service accounts, which identify an application or a virtual machine (VM) instance rather than a person
  • Service account keys, which service accounts use to authenticate with Google APIs
  • IAM policies for service accounts, which specify the roles that a principal has for the service account
  • IAM custom roles, which help you limit the number of permissions that you grant to principals

In addition, you can use this service to complete the following tasks, among others:

  • Test whether a service account can use specific permissions
  • Check which roles you can grant for a specific resource
  • Lint, or validate, condition expressions in an IAM policy

When you read data from the IAM API, each read is eventually consistent. In other words, if you write data with the IAM API, then immediately read that data, the read operation might return an older version of the data. To deal with this behavior, your application can retry the request with truncated exponential backoff.

In contrast, writing data to the IAM API is sequentially consistent. In other words, write operations are always processed in the order in which they were received.

§Configuration

To configure Iam use the with_* methods in the type returned by builder(). The default configuration should work for most applications. Common configuration changes include

  • with_endpoint(): by default this client uses the global default endpoint (https://iam.googleapis.com). Applications using regional endpoints or running in restricted networks (e.g. a network configured override this default.
  • with_credentials(): by default this client uses Application Default Credentials. Applications using custom authentication may need to override this default.

§Pooling and Cloning

Iam holds a connection pool internally, it is advised to create one and the reuse it. You do not need to wrap Iam in an Rc or Arc to reuse it, because it already uses an Arc internally.

Implementations§

Source§

impl Iam

Source

pub fn builder() -> ClientBuilder

Returns a builder for Iam.

let client = Iam::builder().build().await?;
Source

pub fn from_stub<T>(stub: T) -> Self
where T: Iam + 'static,

Creates a new client from the provided stub.

The most common case for calling this function is in tests mocking the client’s behavior.

Source

pub fn list_service_accounts(&self) -> ListServiceAccounts

Lists every ServiceAccount that belongs to a specific project.

Source

pub fn get_service_account(&self) -> GetServiceAccount

Gets a ServiceAccount.

Source

pub fn create_service_account(&self) -> CreateServiceAccount

Creates a ServiceAccount.

Source

pub fn update_service_account(&self) -> UpdateServiceAccount

Note: We are in the process of deprecating this method. Use PatchServiceAccount instead.

Updates a ServiceAccount.

You can update only the display_name field.

Source

pub fn patch_service_account(&self) -> PatchServiceAccount

Patches a ServiceAccount.

Source

pub fn delete_service_account(&self) -> DeleteServiceAccount

Deletes a ServiceAccount.

Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead.

If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

Source

pub fn undelete_service_account(&self) -> UndeleteServiceAccount

Restores a deleted ServiceAccount.

Important: It is not always possible to restore a deleted service account. Use this method only as a last resort.

After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.

Source

pub fn enable_service_account(&self) -> EnableServiceAccount

Enables a ServiceAccount that was disabled by DisableServiceAccount.

If the service account is already enabled, then this method has no effect.

If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.

Source

pub fn disable_service_account(&self) -> DisableServiceAccount

Disables a ServiceAccount immediately.

If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail.

To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount.

Source

pub fn list_service_account_keys(&self) -> ListServiceAccountKeys

Lists every ServiceAccountKey for a service account.

Source

pub fn get_service_account_key(&self) -> GetServiceAccountKey

Gets a ServiceAccountKey.

Source

pub fn create_service_account_key(&self) -> CreateServiceAccountKey

Creates a ServiceAccountKey.

Source

pub fn upload_service_account_key(&self) -> UploadServiceAccountKey

Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount.

After you upload the public key, you can use the private key from the key pair as a service account key.

Source

pub fn delete_service_account_key(&self) -> DeleteServiceAccountKey

Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

Source

pub fn disable_service_account_key(&self) -> DisableServiceAccountKey

Disable a ServiceAccountKey. A disabled service account key can be re-enabled with EnableServiceAccountKey.

Source

pub fn enable_service_account_key(&self) -> EnableServiceAccountKey

Enable a ServiceAccountKey.

Source

pub fn sign_blob(&self) -> SignBlob

👎Deprecated

Note: This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a blob using the system-managed private key for a ServiceAccount.

Source

pub fn sign_jwt(&self) -> SignJwt

👎Deprecated

Note: This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.

Source

pub fn get_iam_policy(&self) -> GetIamPolicy

Gets the IAM policy that is attached to a ServiceAccount. This IAM policy specifies which principals have access to the service account.

This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API’s projects.getIamPolicy method.

Source

pub fn set_iam_policy(&self) -> SetIamPolicy

Sets the IAM policy that is attached to a ServiceAccount.

Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account.

This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:

  1. Call the resource’s getIamPolicy method to get its current IAM policy.
  2. Edit the policy so that it binds the service account to an IAM role for the resource.
  3. Call the resource’s setIamPolicy method to update its IAM policy.

For detailed instructions, see Manage access to project, folders, and organizations or Manage access to other resources.

Source

pub fn test_iam_permissions(&self) -> TestIamPermissions

Tests whether the caller has the specified permissions on a ServiceAccount.

Source

pub fn query_grantable_roles(&self) -> QueryGrantableRoles

Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.

Source

pub fn list_roles(&self) -> ListRoles

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

Source

pub fn get_role(&self) -> GetRole

Gets the definition of a Role.

Source

pub fn create_role(&self) -> CreateRole

Creates a new custom Role.

Source

pub fn update_role(&self) -> UpdateRole

Updates the definition of a custom Role.

Source

pub fn delete_role(&self) -> DeleteRole

Deletes a custom Role.

When you delete a custom role, the following changes occur immediately:

  • You cannot bind a principal to the custom role in an IAM Policy.
  • Existing bindings to the custom role are not changed, but they have no effect.
  • By default, the response from ListRoles does not include the custom role.

You have 7 days to undelete the custom role. After 7 days, the following changes occur:

  • The custom role is permanently deleted and cannot be recovered.
  • If an IAM policy contains a binding to the custom role, the binding is permanently removed.
Source

pub fn undelete_role(&self) -> UndeleteRole

Undeletes a custom Role.

Source

pub fn query_testable_permissions(&self) -> QueryTestablePermissions

Lists every permission that you can test on a resource. A permission is testable if you can check whether a principal has that permission on the resource.

Source

pub fn query_auditable_services(&self) -> QueryAuditableServices

Returns a list of services that allow you to opt into audit logs that are not generated by default.

To learn more about audit logs, see the Logging documentation.

Source

pub fn lint_policy(&self) -> LintPolicy

Lints, or validates, an IAM policy. Currently checks the google.iam.v1.Binding.condition field, which contains a condition expression for a role binding.

Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy.

Trait Implementations§

Source§

impl Clone for Iam

Source§

fn clone(&self) -> Iam

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for Iam

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

§

impl Freeze for Iam

§

impl !RefUnwindSafe for Iam

§

impl Send for Iam

§

impl Sync for Iam

§

impl Unpin for Iam

§

impl !UnwindSafe for Iam

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

impl<T> ErasedDestructor for T
where T: 'static,