Account Trait

API Service: AccountApi

Method	Request Type	Response Type	Description
GetAccount	GetAccountRequest	Account
ListAccounts	ListAccountsRequest	ListAccountsResponse
CreateAccount	CreateAccountRequest	Account
UpdateAccount	UpdateAccountRequest	Account
UpdateAccountPassword	UpdateAccountPasswordRequest	UpdateAccountPasswordResponse	Updates the password for a user account. If the new_password does not comply with the password policy, the request will fail with INVALID_ARGUMENT. If the old_password is supplied and does not match the current password, the request will fail with FAILED_PRECONDITION.
RotateAccountClientSecret	RotateAccountClientSecretRequest	RotateAccountClientSecretResponse	Generates and returns a new client_secret for a service account. The new client_secret will only be returned once, and cannot be retrieved later. Optionally keeps the previous client_secret valid for a period of time, to allow for zero-downtime rotation. At most two secrets are valid at any one time for a service account - if an even older secret is still within the rotation grace period, it is immediately invalidated.
DeleteAccount	DeleteAccountRequest	DeleteAccountResponse
GetRole	GetRoleRequest	Role
ListRoles	ListRolesRequest	ListRolesResponse
CreateRole	CreateRoleRequest	Role
UpdateRole	UpdateRoleRequest	Role
DeleteRole	DeleteRoleRequest	DeleteRoleResponse
GetRoleAssignment	GetRoleAssignmentRequest	RoleAssignment
ListRoleAssignments	ListRoleAssignmentsRequest	ListRoleAssignmentsResponse
CreateRoleAssignment	CreateRoleAssignmentRequest	RoleAssignment
DeleteRoleAssignment	DeleteRoleAssignmentRequest	DeleteRoleAssignmentResponse

Info Service: AccountInfo

Method	Request Type	Response Type	Description
GetPermission	GetPermissionRequest	Permission
ListPermissions	ListPermissionsRequest	ListPermissionsResponse
GetAccountLimits	GetAccountLimitsRequest	AccountLimits

GetAccountRequest

Field Name	Type	Description
name	string	The name of the node where the account is located. Optional - if absent, the node you are connected to is assumed.
id	string

CreateAccountRequest

Field Name	Type	Description
name	string	The name of the node to create the account on. Optional - if absent, the node you are connected to is assumed.
account	Account	The account to create.
password	string	For user accounts, the initial password to set. If absent, the account will be created without a password. The password must then be set with UpdateAccountPassword before the account can be used. Follows the same rules as UpdateAccountPassword.new_password.

ListAccountsRequest

Field Name	Type	Description
name	string	The name of the node to list accounts for. Optional - if absent, the node you are connected to is assumed.
page_size	int32	The maximum number of accounts to return in a single response. If there are more results available, the response will contain a next_page_token to get them.
page_token	string	Token from previous ListAccounts response, to get the next page of results.

ListAccountsResponse

Field Name	Type	Description
accounts	repeated Account
next_page_token	string	Opaque value which can be provided to ListAccounts to get the next page of results. Absent if there are no more results.
total_size	int32	The total number of accounts available matching the request. May be inaccurate if the number of matching accounts changes between the first and last pages being fetched.

UpdateAccountRequest

Field Name	Type	Description
name	string	The name of the node where the account is located. Optional - if absent, the node you are connected to is assumed.
account	Account	The updated account data. The account to update is identified by account.id, which must be present.
update_mask	google.protobuf.FieldMask

UpdateAccountPasswordRequest

Field Name	Type	Description
name	string	The name of the node where the account is located. Optional - if absent, the node you are connected to is assumed.
id	string	The id of the account to update the password for.
new_password	string	The new password to set. The password must be between 10 and 72 characters long. Leading and trailing whitespace is stripped.
old_password	string	The old password to verify. Required unless you have 'account:admin' permission.

UpdateAccountPasswordResponse

No fields defined.

RotateAccountClientSecretRequest

Field Name	Type	Description
name	string	The name of the node where the account is located.
id	string	The id of the account to update the service credentials for. Must be a service account.
previous_secret_expire_time	google.protobuf.Timestamp	If present, the previous client_secret will remain valid for authentication until this time. If absent, the previous client_secret is immediately invalidated.

RotateAccountClientSecretResponse

Field Name	Type	Description
client_secret	string	The new client_secret for the account.

DeleteAccountRequest

Field Name	Type	Description
name	string	The name of the node where the account is located. Optional - if absent, the node you are connected to is assumed.
id	string	The id of the account to delete.
allow_missing	bool	If true, no error will be returned if the account does not exist.

DeleteAccountResponse

No fields defined.

GetRoleRequest

Field Name	Type	Description
name	string	The name of the node where the role is located. Optional - if absent, the node you are connected to is assumed.
id	string	The id of the role to get.

ListRolesRequest

Field Name	Type	Description
name	string	The name of the node to list roles for.
page_size	int32	The maximum number of roles to return in a single response. If there are more results available, the response will contain a next_page_token to get them.
page_token	string	Token from previous ListRoles response, to get the next page of results.

ListRolesResponse

Field Name	Type	Description
roles	repeated Role
next_page_token	string	Opaque value which can be provided to ListRoles to get the next page of results. Absent if there are no more results.
total_size	int32	The total number of roles available matching the request. May be inaccurate if the number of matching roles changes between the first and last pages being fetched.

CreateRoleRequest

Field Name	Type	Description
name	string	The name of the node where the role is located.
role	Role	The role to create.

UpdateRoleRequest

Field Name	Type	Description
name	string	The name of the node where the role is located. Optional - if absent, the node you are connected to is assumed.
role	Role	The updated role data. The role to update is identified by role.id, which must be present.
update_mask	google.protobuf.FieldMask

DeleteRoleRequest

Field Name	Type	Description
name	string	The name of the node where the role is located. Optional - if absent, the node you are connected to is assumed.
id	string	The id of the role to delete.
allow_missing	bool	If true, no error will be returned if the role does not exist.

DeleteRoleResponse

No fields defined.

GetRoleAssignmentRequest

Field Name	Type	Description
name	string	The name of the node where the role assignment is located. Optional - if absent, the node you are connected to is assumed.
id	string	The id of the role assignment to get.

ListRoleAssignmentsRequest

Field Name	Type	Description
name	string	The name of the node to list role assignments for.
page_size	int32	The maximum number of role assignments to return in a single response. If there are more results available, the response will contain a next_page_token to get them.
page_token	string	Token from previous ListRoleAssignments response, to get the next page of results.
filter	string	Expression to limit the RoleAssignments returned. If absent, all RoleAssignments are returned. Supported syntax: 'account_id = <id>' - return only RoleAssignments for the specified account 'role_id = <id>' - return only RoleAssignments for the specified role If a page_token is supplied, the filter must be the same as the filter used to get the page_token.

ListRoleAssignmentsResponse

Field Name	Type	Description
role_assignments	repeated RoleAssignment
next_page_token	string	Opaque value which can be provided to ListRoleAssignments to get the next page of results. Absent if there are no more results.
total_size	int32	The total number of role assignments available matching the request. May be inaccurate if the number of matching role assignments changes between the first and last pages being fetched.

CreateRoleAssignmentRequest

Field Name	Type	Description
name	string	The name of the node where the role assignment is located. Optional - if absent, the node you are connected to is assumed.
role_assignment	RoleAssignment	The role assignment to create.

DeleteRoleAssignmentRequest

Field Name	Type	Description
name	string	The name of the node where the role assignment is located. Optional - if absent, the node you are connected to is assumed.
id	string	The id of the role assignment to delete.
allow_missing	bool	If true, no error will be returned if the role assignment does not exist.

DeleteRoleAssignmentResponse

No fields defined.

GetPermissionRequest

Field Name	Type	Description
name	string	The name of the node where the permission is located. Optional - if absent, the node you are connected to is assumed.
id	string	The id of the permission to get.

ListPermissionsRequest

Field Name	Type	Description
name	string	The name of the node to list permissions for.
page_size	int32	The maximum number of permissions to return in a single response. If there are more results available, the response will contain a next_page_token to get them.
page_token	string	Token from previous ListPermissions response, to get the next page of results.

ListPermissionsResponse

Field Name	Type	Description
permissions	repeated Permission
next_page_token	string	Opaque value which can be provided to ListPermissions to get the next page of results. Absent if there are no more results.
total_size	int32	The total number of permissions available matching the request.

GetAccountLimitsRequest

Field Name	Type	Description
name	string	The name of the node. Defaults to the node you are connected to.

Account

Field Name	Type	Description
id	string	Unique identifier for this account. Consistent for the life of the account. Generated automatically on account creation. For service accounts, this is the OAuth2 Client ID for authenticating.
create_time	google.protobuf.Timestamp	The time this account was created. Output only.
type	Account.Type	Describes which type of account this is, which changes how authentication is handled. Required for account creation. Immutable.
display_name	string	A human-readable name for this account, for display purposes. Required.
description	string	A longer human-readable description of this account. Optional.
user_details	UserAccount
service_details	ServiceAccount

Account.Type

Name	Number	Description
ACCOUNT_TYPE_UNSPECIFIED	0
USER_ACCOUNT	1
SERVICE_ACCOUNT	2

UserAccount

Field Name	Type	Description
username	string	Used for username/password login. A valid username is between 3 and 100 characters. ASCII alphanumerics, and the following special characters are allowed: .-_@
has_password	bool	Output only. True if a password is set for this account.

ServiceAccount

Field Name	Type	Description
client_id	string	The OAuth2 Client ID to use when authenticating against this service account.
client_secret	string	The OAuth2 Client Secret to use when authenticating against this service account. This field is only populated in the response from CreateAccount and RotateAccountServiceCredentials. The secret is not stored in the system and cannot be retrieved later.
previous_secret_expire_time	google.protobuf.Timestamp	Output only. If present, then the client_secret has been recently rotated, and the previous secret value is still valid until this time.

Role

A Role is a named collection of permissions.

Roles are assigned to accounts using RoleAssignments.

Field Name	Type	Description
id	string	Unique identifier for this role assigned by the system.
display_name	string	Short human-readable name for this role, for display purposes. Required. Must be unique.
description	string	Longer human-readable description of this role, for display purposes. Optional.
permission_ids	repeated string	The permissions granted by this role.
legacy_role_name	string	Output only. Optional. For roles which map to hardcoded roles in the legacy authentication system. Legacy roles cannot be used in scoped RoleAssignments.
protected	bool	Output only. If true, this role is necessary for the system to function, and cannot be modified or deleted.

RoleAssignment

A RoleAssignment is an assignment of a Role to an Account. It is a sub-resource of the Account.

Field Name	Type	Description
id	string	Unique identifier for this role assignment assigned by the system.
account_id	string	The account this role assignment is associated with.
role_id	string	The role this assignment grants.
scope	RoleAssignment.Scope	The scope of the role assignment. If present, the permissions in the role are only granted for the resources in the scope. Otherwise, the permissions in the role apply to all resources.

RoleAssignment.Scope

Field Name	Type	Description
resource_type	RoleAssignment.ResourceType
resource	string

RoleAssignment.ResourceType

Name	Number	Description
RESOURCE_TYPE_UNSPECIFIED	0
NAMED_RESOURCE	1	Matches a single resource with the specified Smart Core name.
NAMED_RESOURCE_PATH_PREFIX	2	Matches resources whose Smart Core name starts with the specified prefix, separated from an optional suffix by a '/'. Example: Scope { resource_type: NAMED_RESOURCE_PATH_PREFIX resource: "foo/bar" } Matches resources with Smart Core names: - foo/bar - foo/bar/baz Does not match: - foo/barbaz
NODE	3	Matches resources advertised by the Smart Core node with the given name.
SUBSYSTEM	4	Matches resources whose advertised metadata subsystem property matches the specified value.
ZONE	5	Matches resources whose advertised metadata zone property matches the specified value.

Permission

A permission is a named action that can be granted to a role. The set of valid permissions is determined statically by the system, and cannot be modified at runtime.

Field Name	Type	Description
id	string	Unique identifier for this permission. Will remain stable for the lifetime of the system.
display_name	string
description	string

AccountLimits

Field Name	Type	Description
username	AccountLimits.Field
password	AccountLimits.Field
display_name	AccountLimits.Field
description	AccountLimits.Field

AccountLimits.Field

Field Name	Type	Description
min_length	int32
max_length	int32