Struct gapi_grpc::google::iam::admin::v1::iam_client::IamClient

pub struct IamClient<T> { /* fields omitted */ }

Creates and manages Identity and Access Management (IAM) resources.

You can use this service to work with all of the following resources:

• Service accounts, which identify an application or a virtual machine (VM) instance rather than a person
• Service account keys, which service accounts use to authenticate with Google APIs
• IAM policies for service accounts, which specify the roles that a member has for the service account
• IAM custom roles, which help you limit the number of permissions that you grant to members

In addition, you can use this service to complete the following tasks, among others:

• Test whether a service account can use specific permissions
• Check which roles you can grant for a specific resource
• Lint, or validate, condition expressions in an IAM policy

Implementations

impl IamClient<Channel>

pub async fn connect<D>(dst: D) -> Result<Self, Error> where
    D: TryInto<Endpoint>,
    D::Error: Into<StdError>, 

Attempt to create a new client by connecting to a given endpoint.

impl<T> IamClient<T> where
    T: GrpcService<BoxBody>,
    T::ResponseBody: Body + HttpBody + Send + 'static,
    T::Error: Into<StdError>,
    <T::ResponseBody as HttpBody>::Error: Into<StdError> + Send, 

pub fn new(inner: T) -> Self

pub fn with_interceptor(inner: T, interceptor: impl Into<Interceptor>) -> Self

pub async fn list_service_accounts(
    &mut self,
    request: impl IntoRequest<ListServiceAccountsRequest>
) -> Result<Response<ListServiceAccountsResponse>, Status>

Lists every [ServiceAccount][google.iam.admin.v1.ServiceAccount] that belongs to a specific project.

pub async fn get_service_account(
    &mut self,
    request: impl IntoRequest<GetServiceAccountRequest>
) -> Result<Response<ServiceAccount>, Status>

Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

pub async fn create_service_account(
    &mut self,
    request: impl IntoRequest<CreateServiceAccountRequest>
) -> Result<Response<ServiceAccount>, Status>

Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

pub async fn update_service_account(
    &mut self,
    request: impl IntoRequest<ServiceAccount>
) -> Result<Response<ServiceAccount>, Status>

Note: We are in the process of deprecating this method. Use [PatchServiceAccount][google.iam.admin.v1.IAM.PatchServiceAccount] instead.

Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

You can update only the display_name and description fields.

pub async fn patch_service_account(
    &mut self,
    request: impl IntoRequest<PatchServiceAccountRequest>
) -> Result<Response<ServiceAccount>, Status>

Patches a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

pub async fn delete_service_account(
    &mut self,
    request: impl IntoRequest<DeleteServiceAccountRequest>
) -> Result<Response<()>, Status>

Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] instead.

If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount] to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

pub async fn undelete_service_account(
    &mut self,
    request: impl IntoRequest<UndeleteServiceAccountRequest>
) -> Result<Response<UndeleteServiceAccountResponse>, Status>

Restores a deleted [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Important: It is not always possible to restore a deleted service account. Use this method only as a last resort.

After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.

pub async fn enable_service_account(
    &mut self,
    request: impl IntoRequest<EnableServiceAccountRequest>
) -> Result<Response<()>, Status>

Enables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] that was disabled by [DisableServiceAccount][google.iam.admin.v1.IAM.DisableServiceAccount].

If the service account is already enabled, then this method has no effect.

If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.

pub async fn disable_service_account(
    &mut self,
    request: impl IntoRequest<DisableServiceAccountRequest>
) -> Result<Response<()>, Status>

Disables a [ServiceAccount][google.iam.admin.v1.ServiceAccount] immediately.

If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail.

To re-enable the service account, use [EnableServiceAccount][google.iam.admin.v1.IAM.EnableServiceAccount]. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens.

To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with [DeleteServiceAccount][google.iam.admin.v1.IAM.DeleteServiceAccount].

pub async fn list_service_account_keys(
    &mut self,
    request: impl IntoRequest<ListServiceAccountKeysRequest>
) -> Result<Response<ListServiceAccountKeysResponse>, Status>

Lists every [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] for a service account.

pub async fn get_service_account_key(
    &mut self,
    request: impl IntoRequest<GetServiceAccountKeyRequest>
) -> Result<Response<ServiceAccountKey>, Status>

Gets a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

pub async fn create_service_account_key(
    &mut self,
    request: impl IntoRequest<CreateServiceAccountKeyRequest>
) -> Result<Response<ServiceAccountKey>, Status>

Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].

pub async fn upload_service_account_key(
    &mut self,
    request: impl IntoRequest<UploadServiceAccountKeyRequest>
) -> Result<Response<ServiceAccountKey>, Status>

Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey], using a public key that you provide.

pub async fn delete_service_account_key(
    &mut self,
    request: impl IntoRequest<DeleteServiceAccountKeyRequest>
) -> Result<Response<()>, Status>

Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

pub async fn sign_blob(
    &mut self,
    request: impl IntoRequest<SignBlobRequest>
) -> Result<Response<SignBlobResponse>, Status>

Note: This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a blob using the system-managed private key for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

pub async fn sign_jwt(
    &mut self,
    request: impl IntoRequest<SignJwtRequest>
) -> Result<Response<SignJwtResponse>, Status>

Note: This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a JSON Web Token (JWT) using the system-managed private key for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

pub async fn get_iam_policy(
    &mut self,
    request: impl IntoRequest<GetIamPolicyRequest>
) -> Result<Response<Policy>, Status>

Gets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. This IAM policy specifies which members have access to the service account.

This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API’s projects.getIamPolicy method.

pub async fn set_iam_policy(
    &mut self,
    request: impl IntoRequest<SetIamPolicyRequest>
) -> Result<Response<Policy>, Status>

Sets the IAM policy that is attached to a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

Use this method to grant or revoke access to the service account. For example, you could grant a member the ability to impersonate the service account.

This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps:

1. Call the resource’s getIamPolicy method to get its current IAM policy.
2. Edit the policy so that it binds the service account to an IAM role for the resource.
3. Call the resource’s setIamPolicy method to update its IAM policy.

For detailed instructions, see Granting roles to a service account for specific resources.

pub async fn test_iam_permissions(
    &mut self,
    request: impl IntoRequest<TestIamPermissionsRequest>
) -> Result<Response<TestIamPermissionsResponse>, Status>

Tests whether the caller has the specified permissions on a [ServiceAccount][google.iam.admin.v1.ServiceAccount].

pub async fn query_grantable_roles(
    &mut self,
    request: impl IntoRequest<QueryGrantableRolesRequest>
) -> Result<Response<QueryGrantableRolesResponse>, Status>

Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.

pub async fn list_roles(
    &mut self,
    request: impl IntoRequest<ListRolesRequest>
) -> Result<Response<ListRolesResponse>, Status>

Lists every predefined [Role][google.iam.admin.v1.Role] that IAM supports, or every custom role that is defined for an organization or project.

pub async fn get_role(
    &mut self,
    request: impl IntoRequest<GetRoleRequest>
) -> Result<Response<Role>, Status>

Gets the definition of a [Role][google.iam.admin.v1.Role].

pub async fn create_role(
    &mut self,
    request: impl IntoRequest<CreateRoleRequest>
) -> Result<Response<Role>, Status>

Creates a new custom [Role][google.iam.admin.v1.Role].

pub async fn update_role(
    &mut self,
    request: impl IntoRequest<UpdateRoleRequest>
) -> Result<Response<Role>, Status>

Updates the definition of a custom [Role][google.iam.admin.v1.Role].

pub async fn delete_role(
    &mut self,
    request: impl IntoRequest<DeleteRoleRequest>
) -> Result<Response<Role>, Status>

Deletes a custom [Role][google.iam.admin.v1.Role].

When you delete a custom role, the following changes occur immediately:

• You cannot bind a member to the custom role in an IAM [Policy][google.iam.v1.Policy].
• Existing bindings to the custom role are not changed, but they have no effect.
• By default, the response from [ListRoles][google.iam.admin.v1.IAM.ListRoles] does not include the custom role.

You have 7 days to undelete the custom role. After 7 days, the following changes occur:

• The custom role is permanently deleted and cannot be recovered.
• If an IAM policy contains a binding to the custom role, the binding is permanently removed.

pub async fn undelete_role(
    &mut self,
    request: impl IntoRequest<UndeleteRoleRequest>
) -> Result<Response<Role>, Status>

Undeletes a custom [Role][google.iam.admin.v1.Role].

pub async fn query_testable_permissions(
    &mut self,
    request: impl IntoRequest<QueryTestablePermissionsRequest>
) -> Result<Response<QueryTestablePermissionsResponse>, Status>

Lists every permission that you can test on a resource. A permission is testable if you can check whether a member has that permission on the resource.

pub async fn query_auditable_services(
    &mut self,
    request: impl IntoRequest<QueryAuditableServicesRequest>
) -> Result<Response<QueryAuditableServicesResponse>, Status>

Returns a list of services that allow you to opt into audit logs that are not generated by default.

To learn more about audit logs, see the Logging documentation.

pub async fn lint_policy(
    &mut self,
    request: impl IntoRequest<LintPolicyRequest>
) -> Result<Response<LintPolicyResponse>, Status>

Lints, or validates, an IAM policy. Currently checks the [google.iam.v1.Binding.condition][google.iam.v1.Binding.condition] field, which contains a condition expression for a role binding.

Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy.

Trait Implementations

impl<T: Clone> Clone for IamClient<T>

fn clone(&self) -> Self

Returns a copy of the value.

pub fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl<T> Debug for IamClient<T>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.