google_cloud_iam_admin_v1/client.rs
1// Copyright 2025 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// https://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14//
15// Code generated by sidekick. DO NOT EDIT.
16#![allow(rustdoc::redundant_explicit_links)]
17#![allow(rustdoc::broken_intra_doc_links)]
18
19/// Implements a client for the Identity and Access Management (IAM) API.
20///
21/// # Example
22/// ```
23/// # tokio_test::block_on(async {
24/// # use google_cloud_iam_admin_v1::client::Iam;
25/// let client = Iam::builder().build().await?;
26/// // use `client` to make requests to the Identity and Access Management (IAM) API.
27/// # gax::client_builder::Result::<()>::Ok(()) });
28/// ```
29///
30/// # Service Description
31///
32/// Creates and manages Identity and Access Management (IAM) resources.
33///
34/// You can use this service to work with all of the following resources:
35///
36/// * **Service accounts**, which identify an application or a virtual machine
37/// (VM) instance rather than a person
38/// * **Service account keys**, which service accounts use to authenticate with
39/// Google APIs
40/// * **IAM policies for service accounts**, which specify the roles that a
41/// principal has for the service account
42/// * **IAM custom roles**, which help you limit the number of permissions that
43/// you grant to principals
44///
45/// In addition, you can use this service to complete the following tasks, among
46/// others:
47///
48/// * Test whether a service account can use specific permissions
49/// * Check which roles you can grant for a specific resource
50/// * Lint, or validate, condition expressions in an IAM policy
51///
52/// When you read data from the IAM API, each read is eventually consistent. In
53/// other words, if you write data with the IAM API, then immediately read that
54/// data, the read operation might return an older version of the data. To deal
55/// with this behavior, your application can retry the request with truncated
56/// exponential backoff.
57///
58/// In contrast, writing data to the IAM API is sequentially consistent. In other
59/// words, write operations are always processed in the order in which they were
60/// received.
61///
62/// # Configuration
63///
64/// To configure `Iam` use the `with_*` methods in the type returned
65/// by [builder()][Iam::builder]. The default configuration should
66/// work for most applications. Common configuration changes include
67///
68/// * [with_endpoint()]: by default this client uses the global default endpoint
69/// (`https://iam.googleapis.com`). Applications using regional
70/// endpoints or running in restricted networks (e.g. a network configured
71// with [Private Google Access with VPC Service Controls]) may want to
72/// override this default.
73/// * [with_credentials()]: by default this client uses
74/// [Application Default Credentials]. Applications using custom
75/// authentication may need to override this default.
76///
77/// [with_endpoint()]: super::builder::iam::ClientBuilder::with_endpoint
78/// [with_credentials()]: super::builder::iam::ClientBuilder::credentials
79/// [Private Google Access with VPC Service Controls]: https://cloud.google.com/vpc-service-controls/docs/private-connectivity
80/// [Application Default Credentials]: https://cloud.google.com/docs/authentication#adc
81///
82/// # Pooling and Cloning
83///
84/// `Iam` holds a connection pool internally, it is advised to
85/// create one and the reuse it. You do not need to wrap `Iam` in
86/// an [Rc](std::rc::Rc) or [Arc](std::sync::Arc) to reuse it, because it
87/// already uses an `Arc` internally.
88#[derive(Clone, Debug)]
89pub struct Iam {
90 inner: std::sync::Arc<dyn super::stub::dynamic::Iam>,
91}
92
93impl Iam {
94 /// Returns a builder for [Iam].
95 ///
96 /// ```
97 /// # tokio_test::block_on(async {
98 /// # use google_cloud_iam_admin_v1::client::Iam;
99 /// let client = Iam::builder().build().await?;
100 /// # gax::client_builder::Result::<()>::Ok(()) });
101 /// ```
102 pub fn builder() -> super::builder::iam::ClientBuilder {
103 gax::client_builder::internal::new_builder(super::builder::iam::client::Factory)
104 }
105
106 /// Creates a new client from the provided stub.
107 ///
108 /// The most common case for calling this function is in tests mocking the
109 /// client's behavior.
110 pub fn from_stub<T>(stub: T) -> Self
111 where
112 T: super::stub::Iam + 'static,
113 {
114 Self {
115 inner: std::sync::Arc::new(stub),
116 }
117 }
118
119 pub(crate) async fn new(
120 config: gaxi::options::ClientConfig,
121 ) -> gax::client_builder::Result<Self> {
122 let inner = Self::build_inner(config).await?;
123 Ok(Self { inner })
124 }
125
126 async fn build_inner(
127 conf: gaxi::options::ClientConfig,
128 ) -> gax::client_builder::Result<std::sync::Arc<dyn super::stub::dynamic::Iam>> {
129 if gaxi::options::tracing_enabled(&conf) {
130 return Ok(std::sync::Arc::new(Self::build_with_tracing(conf).await?));
131 }
132 Ok(std::sync::Arc::new(Self::build_transport(conf).await?))
133 }
134
135 async fn build_transport(
136 conf: gaxi::options::ClientConfig,
137 ) -> gax::client_builder::Result<impl super::stub::Iam> {
138 super::transport::Iam::new(conf).await
139 }
140
141 async fn build_with_tracing(
142 conf: gaxi::options::ClientConfig,
143 ) -> gax::client_builder::Result<impl super::stub::Iam> {
144 Self::build_transport(conf)
145 .await
146 .map(super::tracing::Iam::new)
147 }
148
149 /// Lists every [ServiceAccount][google.iam.admin.v1.ServiceAccount] that belongs to a specific project.
150 ///
151 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
152 pub fn list_service_accounts(&self) -> super::builder::iam::ListServiceAccounts {
153 super::builder::iam::ListServiceAccounts::new(self.inner.clone())
154 }
155
156 /// Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
157 ///
158 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
159 pub fn get_service_account(&self) -> super::builder::iam::GetServiceAccount {
160 super::builder::iam::GetServiceAccount::new(self.inner.clone())
161 }
162
163 /// Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
164 ///
165 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
166 pub fn create_service_account(&self) -> super::builder::iam::CreateServiceAccount {
167 super::builder::iam::CreateServiceAccount::new(self.inner.clone())
168 }
169
170 /// **Note:** We are in the process of deprecating this method. Use
171 /// [PatchServiceAccount][google.iam.admin.v1.IAM.PatchServiceAccount] instead.
172 ///
173 /// Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
174 ///
175 /// You can update only the `display_name` field.
176 ///
177 /// [google.iam.admin.v1.IAM.PatchServiceAccount]: crate::client::Iam::patch_service_account
178 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
179 pub fn update_service_account(&self) -> super::builder::iam::UpdateServiceAccount {
180 super::builder::iam::UpdateServiceAccount::new(self.inner.clone())
181 }
182
183 /// Patches a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
184 ///
185 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
186 pub fn patch_service_account(&self) -> super::builder::iam::PatchServiceAccount {
187 super::builder::iam::PatchServiceAccount::new(self.inner.clone())
188 }
189
190 /// Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
191 ///
192 /// **Warning:** After you delete a service account, you might not be able to
193 /// undelete it. If you know that you need to re-enable the service account in
194 /// the future, use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] instead.
195 ///
196 /// If you delete a service account, IAM permanently removes the service
197 /// account 30 days later. Google Cloud cannot recover the service account
198 /// after it is permanently removed, even if you file a support request.
199 ///
200 /// To help avoid unplanned outages, we recommend that you disable the service
201 /// account before you delete it. Use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] to disable the
202 /// service account, then wait at least 24 hours and watch for unintended
203 /// consequences. If there are no unintended consequences, you can delete the
204 /// service account.
205 ///
206 /// [google.iam.admin.v1.IAM.DisableServiceAccount]: crate::client::Iam::disable_service_account
207 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
208 pub fn delete_service_account(&self) -> super::builder::iam::DeleteServiceAccount {
209 super::builder::iam::DeleteServiceAccount::new(self.inner.clone())
210 }
211
212 /// Restores a deleted [ServiceAccount][google.iam.admin.v1.ServiceAccount].
213 ///
214 /// **Important:** It is not always possible to restore a deleted service
215 /// account. Use this method only as a last resort.
216 ///
217 /// After you delete a service account, IAM permanently removes the service
218 /// account 30 days later. There is no way to restore a deleted service account
219 /// that has been permanently removed.
220 ///
221 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
222 pub fn undelete_service_account(&self) -> super::builder::iam::UndeleteServiceAccount {
223 super::builder::iam::UndeleteServiceAccount::new(self.inner.clone())
224 }
225
226 /// Enables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] that was disabled by
227 /// [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount].
228 ///
229 /// If the service account is already enabled, then this method has no effect.
230 ///
231 /// If the service account was disabled by other means—for example, if Google
232 /// disabled the service account because it was compromised—you cannot use this
233 /// method to enable the service account.
234 ///
235 /// [google.iam.admin.v1.IAM.DisableServiceAccount]: crate::client::Iam::disable_service_account
236 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
237 pub fn enable_service_account(&self) -> super::builder::iam::EnableServiceAccount {
238 super::builder::iam::EnableServiceAccount::new(self.inner.clone())
239 }
240
241 /// Disables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] immediately.
242 ///
243 /// If an application uses the service account to authenticate, that
244 /// application can no longer call Google APIs or access Google Cloud
245 /// resources. Existing access tokens for the service account are rejected, and
246 /// requests for new access tokens will fail.
247 ///
248 /// To re-enable the service account, use [EnableServiceAccount][google.iam.admin.v1.IAM.EnableServiceAccount]. After you
249 /// re-enable the service account, its existing access tokens will be accepted,
250 /// and you can request new access tokens.
251 ///
252 /// To help avoid unplanned outages, we recommend that you disable the service
253 /// account before you delete it. Use this method to disable the service
254 /// account, then wait at least 24 hours and watch for unintended consequences.
255 /// If there are no unintended consequences, you can delete the service account
256 /// with [DeleteServiceAccount][google.iam.admin.v1.IAM.DeleteServiceAccount].
257 ///
258 /// [google.iam.admin.v1.IAM.DeleteServiceAccount]: crate::client::Iam::delete_service_account
259 /// [google.iam.admin.v1.IAM.EnableServiceAccount]: crate::client::Iam::enable_service_account
260 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
261 pub fn disable_service_account(&self) -> super::builder::iam::DisableServiceAccount {
262 super::builder::iam::DisableServiceAccount::new(self.inner.clone())
263 }
264
265 /// Lists every [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] for a service account.
266 ///
267 /// [google.iam.admin.v1.ServiceAccountKey]: crate::model::ServiceAccountKey
268 pub fn list_service_account_keys(&self) -> super::builder::iam::ListServiceAccountKeys {
269 super::builder::iam::ListServiceAccountKeys::new(self.inner.clone())
270 }
271
272 /// Gets a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
273 ///
274 /// [google.iam.admin.v1.ServiceAccountKey]: crate::model::ServiceAccountKey
275 pub fn get_service_account_key(&self) -> super::builder::iam::GetServiceAccountKey {
276 super::builder::iam::GetServiceAccountKey::new(self.inner.clone())
277 }
278
279 /// Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
280 ///
281 /// [google.iam.admin.v1.ServiceAccountKey]: crate::model::ServiceAccountKey
282 pub fn create_service_account_key(&self) -> super::builder::iam::CreateServiceAccountKey {
283 super::builder::iam::CreateServiceAccountKey::new(self.inner.clone())
284 }
285
286 /// Uploads the public key portion of a key pair that you manage, and
287 /// associates the public key with a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
288 ///
289 /// After you upload the public key, you can use the private key from the key
290 /// pair as a service account key.
291 ///
292 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
293 pub fn upload_service_account_key(&self) -> super::builder::iam::UploadServiceAccountKey {
294 super::builder::iam::UploadServiceAccountKey::new(self.inner.clone())
295 }
296
297 /// Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. Deleting a service account key does not
298 /// revoke short-lived credentials that have been issued based on the service
299 /// account key.
300 ///
301 /// [google.iam.admin.v1.ServiceAccountKey]: crate::model::ServiceAccountKey
302 pub fn delete_service_account_key(&self) -> super::builder::iam::DeleteServiceAccountKey {
303 super::builder::iam::DeleteServiceAccountKey::new(self.inner.clone())
304 }
305
306 /// Disable a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. A disabled service account key can be
307 /// re-enabled with [EnableServiceAccountKey][google.iam.admin.v1.IAM.EnableServiceAccountKey].
308 ///
309 /// [google.iam.admin.v1.IAM.EnableServiceAccountKey]: crate::client::Iam::enable_service_account_key
310 /// [google.iam.admin.v1.ServiceAccountKey]: crate::model::ServiceAccountKey
311 pub fn disable_service_account_key(&self) -> super::builder::iam::DisableServiceAccountKey {
312 super::builder::iam::DisableServiceAccountKey::new(self.inner.clone())
313 }
314
315 /// Enable a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
316 ///
317 /// [google.iam.admin.v1.ServiceAccountKey]: crate::model::ServiceAccountKey
318 pub fn enable_service_account_key(&self) -> super::builder::iam::EnableServiceAccountKey {
319 super::builder::iam::EnableServiceAccountKey::new(self.inner.clone())
320 }
321
322 /// **Note:** This method is deprecated. Use the
323 /// [`signBlob`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signBlob)
324 /// method in the IAM Service Account Credentials API instead. If you currently
325 /// use this method, see the [migration
326 /// guide](https://cloud.google.com/iam/help/credentials/migrate-api) for
327 /// instructions.
328 ///
329 /// Signs a blob using the system-managed private key for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
330 ///
331 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
332 #[deprecated]
333 pub fn sign_blob(&self) -> super::builder::iam::SignBlob {
334 super::builder::iam::SignBlob::new(self.inner.clone())
335 }
336
337 /// **Note:** This method is deprecated. Use the
338 /// [`signJwt`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signJwt)
339 /// method in the IAM Service Account Credentials API instead. If you currently
340 /// use this method, see the [migration
341 /// guide](https://cloud.google.com/iam/help/credentials/migrate-api) for
342 /// instructions.
343 ///
344 /// Signs a JSON Web Token (JWT) using the system-managed private key for a
345 /// [ServiceAccount][google.iam.admin.v1.ServiceAccount].
346 ///
347 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
348 #[deprecated]
349 pub fn sign_jwt(&self) -> super::builder::iam::SignJwt {
350 super::builder::iam::SignJwt::new(self.inner.clone())
351 }
352
353 /// Gets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. This IAM
354 /// policy specifies which principals have access to the service account.
355 ///
356 /// This method does not tell you whether the service account has been granted
357 /// any roles on other resources. To check whether a service account has role
358 /// grants on a resource, use the `getIamPolicy` method for that resource. For
359 /// example, to view the role grants for a project, call the Resource Manager
360 /// API's
361 /// [`projects.getIamPolicy`](https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy)
362 /// method.
363 ///
364 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
365 pub fn get_iam_policy(&self) -> super::builder::iam::GetIamPolicy {
366 super::builder::iam::GetIamPolicy::new(self.inner.clone())
367 }
368
369 /// Sets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
370 ///
371 /// Use this method to grant or revoke access to the service account. For
372 /// example, you could grant a principal the ability to impersonate the service
373 /// account.
374 ///
375 /// This method does not enable the service account to access other resources.
376 /// To grant roles to a service account on a resource, follow these steps:
377 ///
378 /// 1. Call the resource's `getIamPolicy` method to get its current IAM policy.
379 /// 1. Edit the policy so that it binds the service account to an IAM role for
380 /// the resource.
381 /// 1. Call the resource's `setIamPolicy` method to update its IAM policy.
382 ///
383 /// For detailed instructions, see
384 /// [Manage access to project, folders, and
385 /// organizations](https://cloud.google.com/iam/help/service-accounts/granting-access-to-service-accounts)
386 /// or [Manage access to other
387 /// resources](https://cloud.google.com/iam/help/access/manage-other-resources).
388 ///
389 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
390 pub fn set_iam_policy(&self) -> super::builder::iam::SetIamPolicy {
391 super::builder::iam::SetIamPolicy::new(self.inner.clone())
392 }
393
394 /// Tests whether the caller has the specified permissions on a
395 /// [ServiceAccount][google.iam.admin.v1.ServiceAccount].
396 ///
397 /// [google.iam.admin.v1.ServiceAccount]: crate::model::ServiceAccount
398 pub fn test_iam_permissions(&self) -> super::builder::iam::TestIamPermissions {
399 super::builder::iam::TestIamPermissions::new(self.inner.clone())
400 }
401
402 /// Lists roles that can be granted on a Google Cloud resource. A role is
403 /// grantable if the IAM policy for the resource can contain bindings to the
404 /// role.
405 pub fn query_grantable_roles(&self) -> super::builder::iam::QueryGrantableRoles {
406 super::builder::iam::QueryGrantableRoles::new(self.inner.clone())
407 }
408
409 /// Lists every predefined [Role][google.iam.admin.v1.Role] that IAM supports, or every custom role
410 /// that is defined for an organization or project.
411 ///
412 /// [google.iam.admin.v1.Role]: crate::model::Role
413 pub fn list_roles(&self) -> super::builder::iam::ListRoles {
414 super::builder::iam::ListRoles::new(self.inner.clone())
415 }
416
417 /// Gets the definition of a [Role][google.iam.admin.v1.Role].
418 ///
419 /// [google.iam.admin.v1.Role]: crate::model::Role
420 pub fn get_role(&self) -> super::builder::iam::GetRole {
421 super::builder::iam::GetRole::new(self.inner.clone())
422 }
423
424 /// Creates a new custom [Role][google.iam.admin.v1.Role].
425 ///
426 /// [google.iam.admin.v1.Role]: crate::model::Role
427 pub fn create_role(&self) -> super::builder::iam::CreateRole {
428 super::builder::iam::CreateRole::new(self.inner.clone())
429 }
430
431 /// Updates the definition of a custom [Role][google.iam.admin.v1.Role].
432 ///
433 /// [google.iam.admin.v1.Role]: crate::model::Role
434 pub fn update_role(&self) -> super::builder::iam::UpdateRole {
435 super::builder::iam::UpdateRole::new(self.inner.clone())
436 }
437
438 /// Deletes a custom [Role][google.iam.admin.v1.Role].
439 ///
440 /// When you delete a custom role, the following changes occur immediately:
441 ///
442 /// * You cannot bind a principal to the custom role in an IAM
443 /// [Policy][google.iam.v1.Policy].
444 /// * Existing bindings to the custom role are not changed, but they have no
445 /// effect.
446 /// * By default, the response from [ListRoles][google.iam.admin.v1.IAM.ListRoles] does not include the custom
447 /// role.
448 ///
449 /// You have 7 days to undelete the custom role. After 7 days, the following
450 /// changes occur:
451 ///
452 /// * The custom role is permanently deleted and cannot be recovered.
453 /// * If an IAM policy contains a binding to the custom role, the binding is
454 /// permanently removed.
455 ///
456 /// [google.iam.admin.v1.IAM.ListRoles]: crate::client::Iam::list_roles
457 /// [google.iam.admin.v1.Role]: crate::model::Role
458 /// [google.iam.v1.Policy]: iam_v1::model::Policy
459 pub fn delete_role(&self) -> super::builder::iam::DeleteRole {
460 super::builder::iam::DeleteRole::new(self.inner.clone())
461 }
462
463 /// Undeletes a custom [Role][google.iam.admin.v1.Role].
464 ///
465 /// [google.iam.admin.v1.Role]: crate::model::Role
466 pub fn undelete_role(&self) -> super::builder::iam::UndeleteRole {
467 super::builder::iam::UndeleteRole::new(self.inner.clone())
468 }
469
470 /// Lists every permission that you can test on a resource. A permission is
471 /// testable if you can check whether a principal has that permission on the
472 /// resource.
473 pub fn query_testable_permissions(&self) -> super::builder::iam::QueryTestablePermissions {
474 super::builder::iam::QueryTestablePermissions::new(self.inner.clone())
475 }
476
477 /// Returns a list of services that allow you to opt into audit logs that are
478 /// not generated by default.
479 ///
480 /// To learn more about audit logs, see the [Logging
481 /// documentation](https://cloud.google.com/logging/docs/audit).
482 pub fn query_auditable_services(&self) -> super::builder::iam::QueryAuditableServices {
483 super::builder::iam::QueryAuditableServices::new(self.inner.clone())
484 }
485
486 /// Lints, or validates, an IAM policy. Currently checks the
487 /// [google.iam.v1.Binding.condition][google.iam.v1.Binding.condition] field, which contains a condition
488 /// expression for a role binding.
489 ///
490 /// Successful calls to this method always return an HTTP `200 OK` status code,
491 /// even if the linter detects an issue in the IAM policy.
492 ///
493 /// [google.iam.v1.Binding.condition]: iam_v1::model::Binding::condition
494 pub fn lint_policy(&self) -> super::builder::iam::LintPolicy {
495 super::builder::iam::LintPolicy::new(self.inner.clone())
496 }
497}