| author | benj <benj@rse8.com> | 2022-12-30 15:57:36 -0800 |
|---|---|---|
| committer | benj <benj@rse8.com> | 2022-12-30 15:57:36 -0800 |
| commit | 8ca3433b2a4a82723e00e64b1e5aff0b1bed95b3 (patch) | |
| tree | 1ff85fd9fbd94a5559f9dbac755973fd58b31f28 /crates/secd/proto/google/iam/admin | |
| parent | f0ea9ecd17b03605d747044874a26e1bd52c0ee1 (diff) | |
impl authZ write and check (depends on spicedb for now)
Diffstat (limited to 'crates/secd/proto/google/iam/admin')
| -rw-r--r-- | crates/secd/proto/google/iam/admin/v1/iam.proto | 1087 |
1 files changed, 1087 insertions, 0 deletions
diff --git a/crates/secd/proto/google/iam/admin/v1/iam.proto b/crates/secd/proto/google/iam/admin/v1/iam.proto
new file mode 100644
index 0000000..804162a
--- /dev/null
+++ b/crates/secd/proto/google/iam/admin/v1/iam.proto
@@ -0,0 +1,1087 @@
+// Copyright 2019 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.iam.admin.v1;
+
+import "google/api/annotations.proto";
+import "google/api/client.proto";
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
+import "google/iam/v1/iam_policy.proto";
+import "google/iam/v1/policy.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+
+option cc_enable_arenas = true;
+option go_package = "google.golang.org/genproto/googleapis/iam/admin/v1;admin";
+option java_multiple_files = true;
+option java_outer_classname = "IamProto";
+option java_package = "com.google.iam.admin.v1";
+
+// Creates and manages service account objects.
+//
+// Service account is an account that belongs to your project instead
+// of to an individual end user. It is used to authenticate calls
+// to a Google API.
+//
+// To create a service account, specify the `project_id` and `account_id`
+// for the account. The `account_id` is unique within the project, and used
+// to generate the service account email address and a stable
+// `unique_id`.
+//
+// All other methods can identify accounts using the format
+// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
+// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
+// the account. The `ACCOUNT` value can be the `email` address or the
+// `unique_id` of the service account.
+service IAM {
+ option (google.api.default_host) = "iam.googleapis.com";
+ option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
+
+ // Lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project.
+ rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse) {
+ option (google.api.http) = {
+ get: "/v1/{name=projects/*}/serviceAccounts"
+ };
+ option (google.api.method_signature) = "name";
+ }
+
+ // Gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+ rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount) {
+ option (google.api.http) = {
+ get: "/v1/{name=projects/*/serviceAccounts/*}"
+ };
+ option (google.api.method_signature) = "name";
+ }
+
+ // Creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]
+ // and returns it.
+ rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount) {
+ option (google.api.http) = {
+ post: "/v1/{name=projects/*}/serviceAccounts"
+ body: "*"
+ };
+ option (google.api.method_signature) = "name,account_id,service_account";
+ }
+
+ // Updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+ //
+ // Currently, only the following fields are updatable:
+ // `display_name` and `description`.
+ rpc UpdateServiceAccount(ServiceAccount) returns (ServiceAccount) {
+ option (google.api.http) = {
+ put: "/v1/{name=projects/*/serviceAccounts/*}"
+ body: "*"
+ };
+ }
+
+ // Deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+ rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (google.protobuf.Empty) {
+ option (google.api.http) = {
+ delete: "/v1/{name=projects/*/serviceAccounts/*}"
+ };
+ option (google.api.method_signature) = "name";
+ }
+
+ // Lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey].
+ rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse) { + option (google.api.http) = { + get: "/v1/{name=projects/*/serviceAccounts/*}/keys" + }; + option (google.api.method_signature) = "name,key_types"; + } + + // Gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] + // by key id. + rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey) { + option (google.api.http) = { + get: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" + }; + option (google.api.method_signature) = "name,public_key_type"; + } + + // Creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey] + // and returns it. + rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey) { + option (google.api.http) = { + post: "/v1/{name=projects/*/serviceAccounts/*}/keys" + body: "*" + }; + option (google.api.method_signature) = "name,private_key_type,key_algorithm"; + } + + // Deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]. + rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (google.protobuf.Empty) { + option (google.api.http) = { + delete: "/v1/{name=projects/*/serviceAccounts/*/keys/*}" + }; + option (google.api.method_signature) = "name"; + } + + // Signs a blob using a service account's system-managed private key. + rpc SignBlob(SignBlobRequest) returns (SignBlobResponse) { + option (google.api.http) = { + post: "/v1/{name=projects/*/serviceAccounts/*}:signBlob" + body: "*" + }; + option (google.api.method_signature) = "name,bytes_to_sign"; + } + + // Signs a JWT using a service account's system-managed private key. + // + // If no expiry time (`exp`) is provided in the `SignJwtRequest`, IAM sets an + // an expiry time of one hour by default. If you request an expiry time of + // more than one hour, the request will fail. 
+ rpc SignJwt(SignJwtRequest) returns (SignJwtResponse) { + option (google.api.http) = { + post: "/v1/{name=projects/*/serviceAccounts/*}:signJwt" + body: "*" + }; + option (google.api.method_signature) = "name,payload"; + } + + // Returns the Cloud IAM access control policy for a + // [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + // + // Note: Service accounts are both + // [resources and + // identities](/iam/docs/service-accounts#service_account_permissions). This + // method treats the service account as a resource. It returns the Cloud IAM + // policy that reflects what members have access to the service account. + // + // This method does not return what resources the service account has access + // to. To see if a service account has access to a resource, call the + // `getIamPolicy` method on the target resource. For example, to view grants + // for a project, call the + // [projects.getIamPolicy](/resource-manager/reference/rest/v1/projects/getIamPolicy) + // method. + rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { + post: "/v1/{resource=projects/*/serviceAccounts/*}:getIamPolicy" + }; + option (google.api.method_signature) = "resource"; + } + + // Sets the Cloud IAM access control policy for a + // [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + // + // Note: Service accounts are both + // [resources and + // identities](/iam/docs/service-accounts#service_account_permissions). This + // method treats the service account as a resource. Use it to grant members + // access to the service account, such as when they need to impersonate it. + // + // This method does not grant the service account access to other resources, + // such as projects. To grant a service account access to resources, include + // the service account in the Cloud IAM policy for the desired resource, then + // call the appropriate `setIamPolicy` method on the target resource. 
For + // example, to grant a service account access to a project, call the + // [projects.setIamPolicy](/resource-manager/reference/rest/v1/projects/setIamPolicy) + // method. + rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { + post: "/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy" + body: "*" + }; + option (google.api.method_signature) = "resource,policy"; + } + + // Tests the specified permissions against the IAM access control policy + // for a [ServiceAccount][google.iam.admin.v1.ServiceAccount]. + rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) { + option (google.api.http) = { + post: "/v1/{resource=projects/*/serviceAccounts/*}:testIamPermissions" + body: "*" + }; + option (google.api.method_signature) = "resource,permissions"; + } + + // Queries roles that can be granted on a particular resource. + // A role is grantable if it can be used as the role in a binding for a policy + // for that resource. + rpc QueryGrantableRoles(QueryGrantableRolesRequest) returns (QueryGrantableRolesResponse) { + option (google.api.http) = { + post: "/v1/roles:queryGrantableRoles" + body: "*" + }; + option (google.api.method_signature) = "full_resource_name"; + } + + // Lists the Roles defined on a resource. + rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) { + option (google.api.http) = { + get: "/v1/roles" + additional_bindings { + get: "/v1/{parent=organizations/*}/roles" + } + additional_bindings { + get: "/v1/{parent=projects/*}/roles" + } + }; + } + + // Gets a Role definition. + rpc GetRole(GetRoleRequest) returns (Role) { + option (google.api.http) = { + get: "/v1/{name=roles/*}" + additional_bindings { + get: "/v1/{name=organizations/*/roles/*}" + } + additional_bindings { + get: "/v1/{name=projects/*/roles/*}" + } + }; + } + + // Creates a new Role. 
+ rpc CreateRole(CreateRoleRequest) returns (Role) { + option (google.api.http) = { + post: "/v1/{parent=organizations/*}/roles" + body: "*" + additional_bindings { + post: "/v1/{parent=projects/*}/roles" + body: "*" + } + }; + } + + // Updates a Role definition. + rpc UpdateRole(UpdateRoleRequest) returns (Role) { + option (google.api.http) = { + patch: "/v1/{name=organizations/*/roles/*}" + body: "role" + additional_bindings { + patch: "/v1/{name=projects/*/roles/*}" + body: "role" + } + }; + } + + // Soft deletes a role. The role is suspended and cannot be used to create new + // IAM Policy Bindings. + // The Role will not be included in `ListRoles()` unless `show_deleted` is set + // in the `ListRolesRequest`. The Role contains the deleted boolean set. + // Existing Bindings remains, but are inactive. The Role can be undeleted + // within 7 days. After 7 days the Role is deleted and all Bindings associated + // with the role are removed. + rpc DeleteRole(DeleteRoleRequest) returns (Role) { + option (google.api.http) = { + delete: "/v1/{name=organizations/*/roles/*}" + additional_bindings { + delete: "/v1/{name=projects/*/roles/*}" + } + }; + } + + // Undelete a Role, bringing it back in its previous state. + rpc UndeleteRole(UndeleteRoleRequest) returns (Role) { + option (google.api.http) = { + post: "/v1/{name=organizations/*/roles/*}:undelete" + body: "*" + additional_bindings { + post: "/v1/{name=projects/*/roles/*}:undelete" + body: "*" + } + }; + } + + // Lists the permissions testable on a resource. + // A permission is testable if it can be tested for an identity on a resource. + rpc QueryTestablePermissions(QueryTestablePermissionsRequest) returns (QueryTestablePermissionsResponse) { + option (google.api.http) = { + post: "/v1/permissions:queryTestablePermissions" + body: "*" + }; + } +} + +// A service account in the Identity and Access Management API. 
+// +// To create a service account, specify the `project_id` and the `account_id` +// for the account. The `account_id` is unique within the project, and is used +// to generate the service account email address and a stable +// `unique_id`. +// +// If the account already exists, the account's resource name is returned +// in the format of projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. The caller +// can use the name in other methods to access the account. +// +// All other methods can identify the service account using the format +// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. +// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from +// the account. The `ACCOUNT` value can be the `email` address or the +// `unique_id` of the service account. +message ServiceAccount { + option (google.api.resource) = { + type: "iam.googleapis.com/ServiceAccount" + pattern: "projects/{project}/serviceAccounts/{service_account}" + }; + + // The resource name of the service account in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. + // + // Requests using `-` as a wildcard for the `PROJECT_ID` will infer the + // project from the `account` and the `ACCOUNT` value can be the `email` + // address or the `unique_id` of the service account. + // + // In responses the resource name will always be in the format + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. + string name = 1; + + // @OutputOnly The id of the project that owns the service account. + string project_id = 2; + + // @OutputOnly The unique and stable id of the service account. + string unique_id = 4; + + // @OutputOnly The email address of the service account. + string email = 5; + + // Optional. A user-specified name for the service account. + // Must be less than or equal to 100 UTF-8 bytes. + string display_name = 6; + + // Optional. Note: `etag` is an inoperable legacy field that is only returned + // for backwards compatibility. 
+ bytes etag = 7; + + // @OutputOnly. The OAuth2 client id for the service account. + // This is used in conjunction with the OAuth2 clientconfig API to make + // three legged OAuth2 (3LO) flows to access the data of Google users. + string oauth2_client_id = 9; +} + +// The service account create request. +message CreateServiceAccountRequest { + // Required. The resource name of the project associated with the service + // accounts, such as `projects/my-project-123`. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudresourcemanager.googleapis.com/Project" + } + ]; + + // Required. The account id that is used to generate the service account + // email address and a stable unique id. It is unique within a project, + // must be 6-30 characters long, and match the regular expression + // `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035. + string account_id = 2 [(google.api.field_behavior) = REQUIRED]; + + // The [ServiceAccount][google.iam.admin.v1.ServiceAccount] resource to + // create. Currently, only the following values are user assignable: + // `display_name` and `description`. + ServiceAccount service_account = 3; +} + +// The service account list request. +message ListServiceAccountsRequest { + // Required. The resource name of the project associated with the service + // accounts, such as `projects/my-project-123`. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudresourcemanager.googleapis.com/Project" + } + ]; + + // Optional limit on the number of service accounts to include in the + // response. Further accounts can subsequently be obtained by including the + // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token] + // in a subsequent request. 
+ int32 page_size = 2; + + // Optional pagination token returned in an earlier + // [ListServiceAccountsResponse.next_page_token][google.iam.admin.v1.ListServiceAccountsResponse.next_page_token]. + string page_token = 3; +} + +// The service account list response. +message ListServiceAccountsResponse { + // The list of matching service accounts. + repeated ServiceAccount accounts = 1; + + // To retrieve the next page of results, set + // [ListServiceAccountsRequest.page_token][google.iam.admin.v1.ListServiceAccountsRequest.page_token] + // to this value. + string next_page_token = 2; +} + +// The service account get request. +message GetServiceAccountRequest { + // Required. The resource name of the service account in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. + // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/ServiceAccount" + } + ]; +} + +// The service account delete request. +message DeleteServiceAccountRequest { + // Required. The resource name of the service account in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. + // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/ServiceAccount" + } + ]; +} + +// The service account keys list request. +message ListServiceAccountKeysRequest { + // `KeyType` filters to selectively retrieve certain varieties + // of keys. + enum KeyType { + // Unspecified key type. 
The presence of this in the + // message will immediately result in an error. + KEY_TYPE_UNSPECIFIED = 0; + + // User-managed keys (managed and rotated by the user). + USER_MANAGED = 1; + + // System-managed keys (managed and rotated by Google). + SYSTEM_MANAGED = 2; + } + + // Required. The resource name of the service account in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. + // + // Using `-` as a wildcard for the `PROJECT_ID`, will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/ServiceAccount" + } + ]; + + // Filters the types of keys the user wants to include in the list + // response. Duplicate key types are not allowed. If no key type + // is provided, all keys are returned. + repeated KeyType key_types = 2; +} + +// The service account keys list response. +message ListServiceAccountKeysResponse { + // The public keys for the service account. + repeated ServiceAccountKey keys = 1; +} + +// The service account key get by id request. +message GetServiceAccountKeyRequest { + // Required. The resource name of the service account key in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. + // + // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/Key" + } + ]; + + // The output format of the public key requested. + // X509_PEM is the default output format. + ServiceAccountPublicKeyType public_key_type = 2; +} + +// Represents a service account key. 
+// +// A service account has two sets of key-pairs: user-managed, and +// system-managed. +// +// User-managed key-pairs can be created and deleted by users. Users are +// responsible for rotating these keys periodically to ensure security of +// their service accounts. Users retain the private key of these key-pairs, +// and Google retains ONLY the public key. +// +// System-managed keys are automatically rotated by Google, and are used for +// signing for a maximum of two weeks. The rotation process is probabilistic, +// and usage of the new key will gradually ramp up and down over the key's +// lifetime. We recommend caching the public key set for a service account for +// no more than 24 hours to ensure you have access to the latest keys. +// +// Public keys for all service accounts are also published at the OAuth2 +// Service Account API. +message ServiceAccountKey { + option (google.api.resource) = { + type: "iam.googleapis.com/Key" + pattern: "projects/{project}/serviceAccounts/{service_account}/keys/{key}" + }; + + // The resource name of the service account key in the following format + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. + string name = 1; + + // The output format for the private key. + // Only provided in `CreateServiceAccountKey` responses, not + // in `GetServiceAccountKey` or `ListServiceAccountKey` responses. + // + // Google never exposes system-managed private keys, and never retains + // user-managed private keys. + ServiceAccountPrivateKeyType private_key_type = 2; + + // Specifies the algorithm (and possibly key size) for the key. + ServiceAccountKeyAlgorithm key_algorithm = 8; + + // The private key data. Only provided in `CreateServiceAccountKey` + // responses. Make sure to keep the private key data secure because it + // allows for the assertion of the service account identity. 
+ // When base64 decoded, the private key data can be used to authenticate with + // Google API client libraries and with + // <a href="/sdk/gcloud/reference/auth/activate-service-account">gcloud + // auth activate-service-account</a>. + bytes private_key_data = 3; + + // The public key data. Only provided in `GetServiceAccountKey` responses. + bytes public_key_data = 7; + + // The key can be used after this timestamp. + google.protobuf.Timestamp valid_after_time = 4; + + // The key can be used before this timestamp. + // For system-managed key pairs, this timestamp is the end time for the + // private key signing operation. The public key could still be used + // for verification for a few hours after this time. + google.protobuf.Timestamp valid_before_time = 5; +} + +// The service account key create request. +message CreateServiceAccountKeyRequest { + // Required. The resource name of the service account in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. + // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/ServiceAccount" + } + ]; + + // The output format of the private key. The default value is + // `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File + // format. + ServiceAccountPrivateKeyType private_key_type = 2; + + // Which type of key and algorithm to use for the key. + // The default is currently a 2K RSA key. However this may change in the + // future. + ServiceAccountKeyAlgorithm key_algorithm = 3; +} + +// The service account key delete request. +message DeleteServiceAccountKeyRequest { + // Required. The resource name of the service account key in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`. 
+ // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/Key" + } + ]; +} + +// The service account sign blob request. +message SignBlobRequest { + // Required. The resource name of the service account in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. + // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/ServiceAccount" + } + ]; + + // Required. The bytes to sign. + bytes bytes_to_sign = 2 [(google.api.field_behavior) = REQUIRED]; +} + +// The service account sign blob response. +message SignBlobResponse { + // The id of the key used to sign the blob. + string key_id = 1; + + // The signed blob. + bytes signature = 2; +} + +// The service account sign JWT request. +message SignJwtRequest { + // Required. The resource name of the service account in the following format: + // `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. + // Using `-` as a wildcard for the `PROJECT_ID` will infer the project from + // the account. The `ACCOUNT` value can be the `email` address or the + // `unique_id` of the service account. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "iam.googleapis.com/ServiceAccount" + } + ]; + + // Required. The JWT payload to sign, a JSON JWT Claim set. + string payload = 2 [(google.api.field_behavior) = REQUIRED]; +} + +// The service account sign JWT response. +message SignJwtResponse { + // The id of the key used to sign the JWT. 
+ string key_id = 1; + + // The signed JWT. + string signed_jwt = 2; +} + +// A role in the Identity and Access Management API. +message Role { + // A stage representing a role's lifecycle phase. + enum RoleLaunchStage { + // The user has indicated this role is currently in an Alpha phase. If this + // launch stage is selected, the `stage` field will not be included when + // requesting the definition for a given role. + ALPHA = 0; + + // The user has indicated this role is currently in a Beta phase. + BETA = 1; + + // The user has indicated this role is generally available. + GA = 2; + + // The user has indicated this role is being deprecated. + DEPRECATED = 4; + + // This role is disabled and will not contribute permissions to any members + // it is granted to in policies. + DISABLED = 5; + + // The user has indicated this role is currently in an EAP phase. + EAP = 6; + } + + // The name of the role. + // + // When Role is used in CreateRole, the role name must not be set. + // + // When Role is used in output and other input such as UpdateRole, the role + // name is the complete path, e.g., roles/logging.viewer for predefined roles + // and organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles. + string name = 1; + + // Optional. A human-readable title for the role. Typically this + // is limited to 100 UTF-8 bytes. + string title = 2; + + // Optional. A human-readable description for the role. + string description = 3; + + // The names of the permissions this role grants when bound in an IAM policy. + repeated string included_permissions = 7; + + // The current launch stage of the role. If the `ALPHA` launch stage has been + // selected for a role, the `stage` field will not be included in the + // returned definition for the role. + RoleLaunchStage stage = 8; + + // Used to perform a consistent read-modify-write. + bytes etag = 9; + + // The current deleted state of the role. This field is read only. 
+ // It will be ignored in calls to CreateRole and UpdateRole. + bool deleted = 11; +} + +// The grantable role query request. +message QueryGrantableRolesRequest { + // Required. The full resource name to query from the list of grantable roles. + // + // The name follows the Google Cloud Platform resource format. + // For example, a Cloud Platform project with id `my-project` will be named + // `//cloudresourcemanager.googleapis.com/projects/my-project`. + string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED]; + + RoleView view = 2; + + // Optional limit on the number of roles to include in the response. + int32 page_size = 3; + + // Optional pagination token returned in an earlier + // QueryGrantableRolesResponse. + string page_token = 4; +} + +// The grantable role query response. +message QueryGrantableRolesResponse { + // The list of matching roles. + repeated Role roles = 1; + + // To retrieve the next page of results, set + // `QueryGrantableRolesRequest.page_token` to this value. + string next_page_token = 2; +} + +// The request to get all roles defined under a resource. +message ListRolesRequest { + // The `parent` parameter's value depends on the target resource for the + // request, namely + // [`roles`](/iam/reference/rest/v1/roles), + // [`projects`](/iam/reference/rest/v1/projects.roles), or + // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each + // resource type's `parent` value format is described below: + // + // * [`roles.list()`](/iam/reference/rest/v1/roles/list): An empty string. + // This method doesn't require a resource; it simply returns all + // [predefined roles](/iam/docs/understanding-roles#predefined_roles) in + // Cloud IAM. Example request URL: + // `https://iam.googleapis.com/v1/roles` + // + // * [`projects.roles.list()`](/iam/reference/rest/v1/projects.roles/list): + // `projects/{PROJECT_ID}`. This method lists all project-level + // [custom roles](/iam/docs/understanding-custom-roles). 
+ // Example request URL: + // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` + // + // * [`organizations.roles.list()`](/iam/reference/rest/v1/organizations.roles/list): + // `organizations/{ORGANIZATION_ID}`. This method lists all + // organization-level [custom roles](/iam/docs/understanding-custom-roles). + // Example request URL: + // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles` + // + // Note: Wildcard (*) values are invalid; you must specify a complete project + // ID or organization ID. + string parent = 1 [(google.api.resource_reference).type = "*"]; + + // Optional limit on the number of roles to include in the response. + int32 page_size = 2; + + // Optional pagination token returned in an earlier ListRolesResponse. + string page_token = 3; + + // Optional view for the returned Role objects. When `FULL` is specified, + // the `includedPermissions` field is returned, which includes a list of all + // permissions in the role. The default value is `BASIC`, which does not + // return the `includedPermissions` field. + RoleView view = 4; + + // Include Roles that have been deleted. + bool show_deleted = 6; +} + +// The response containing the roles defined under a resource. +message ListRolesResponse { + // The Roles defined on this resource. + repeated Role roles = 1; + + // To retrieve the next page of results, set + // `ListRolesRequest.page_token` to this value. + string next_page_token = 2; +} + +// The request to get the definition of an existing role. +message GetRoleRequest { + // The `name` parameter's value depends on the target resource for the + // request, namely + // [`roles`](/iam/reference/rest/v1/roles), + // [`projects`](/iam/reference/rest/v1/projects.roles), or + // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each + // resource type's `name` value format is described below: + // + // * [`roles.get()`](/iam/reference/rest/v1/roles/get): `roles/{ROLE_NAME}`. 
+ // This method returns results from all
+ // [predefined roles](/iam/docs/understanding-roles#predefined_roles) in
+ // Cloud IAM. Example request URL:
+ // `https://iam.googleapis.com/v1/roles/{ROLE_NAME}`
+ //
+ // * [`projects.roles.get()`](/iam/reference/rest/v1/projects.roles/get):
+ // `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only
+ // [custom roles](/iam/docs/understanding-custom-roles) that have been
+ // created at the project level. Example request URL:
+ // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
+ //
+ // * [`organizations.roles.get()`](/iam/reference/rest/v1/organizations.roles/get):
+ // `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
+ // returns only [custom roles](/iam/docs/understanding-custom-roles) that
+ // have been created at the organization level. Example request URL:
+ // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
+ //
+ // Note: Wildcard (*) values are invalid; you must specify a complete project
+ // ID or organization ID.
+ string name = 1 [(google.api.resource_reference).type = "*"];
+}
+
+// The request to create a new role.
+message CreateRoleRequest {
+ // The `parent` parameter's value depends on the target resource for the
+ // request, namely
+ // [`projects`](/iam/reference/rest/v1/projects.roles) or
+ // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
+ // resource type's `parent` value format is described below:
+ //
+ // * [`projects.roles.create()`](/iam/reference/rest/v1/projects.roles/create):
+ // `projects/{PROJECT_ID}`. This method creates project-level
+ // [custom roles](/iam/docs/understanding-custom-roles).
+ // Example request URL:
+ // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles`
+ //
+ // * [`organizations.roles.create()`](/iam/reference/rest/v1/organizations.roles/create):
+ // `organizations/{ORGANIZATION_ID}`. 
This method creates organization-level
+ // [custom roles](/iam/docs/understanding-custom-roles). Example request
+ // URL:
+ // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles`
+ //
+ // Note: Wildcard (*) values are invalid; you must specify a complete project
+ // ID or organization ID.
+ string parent = 1 [(google.api.resource_reference).type = "*"];
+
+ // The role ID to use for this role.
+ string role_id = 2;
+
+ // The Role resource to create.
+ Role role = 3;
+}
+
+// The request to update a role.
+message UpdateRoleRequest {
+ // The `name` parameter's value depends on the target resource for the
+ // request, namely
+ // [`projects`](/iam/reference/rest/v1/projects.roles) or
+ // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
+ // resource type's `name` value format is described below:
+ //
+ // * [`projects.roles.patch()`](/iam/reference/rest/v1/projects.roles/patch):
+ // `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only
+ // [custom roles](/iam/docs/understanding-custom-roles) that have been
+ // created at the project level. Example request URL:
+ // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
+ //
+ // * [`organizations.roles.patch()`](/iam/reference/rest/v1/organizations.roles/patch):
+ // `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
+ // updates only [custom roles](/iam/docs/understanding-custom-roles) that
+ // have been created at the organization level. Example request URL:
+ // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
+ //
+ // Note: Wildcard (*) values are invalid; you must specify a complete project
+ // ID or organization ID.
+ string name = 1 [(google.api.resource_reference).type = "*"];
+
+ // The updated role.
+ Role role = 2;
+
+ // A mask describing which fields in the Role have changed. 
+ google.protobuf.FieldMask update_mask = 3;
+}
+
+// The request to delete an existing role.
+message DeleteRoleRequest {
+ // The `name` parameter's value depends on the target resource for the
+ // request, namely
+ // [`projects`](/iam/reference/rest/v1/projects.roles) or
+ // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
+ // resource type's `name` value format is described below:
+ //
+ // * [`projects.roles.delete()`](/iam/reference/rest/v1/projects.roles/delete):
+ // `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only
+ // [custom roles](/iam/docs/understanding-custom-roles) that have been
+ // created at the project level. Example request URL:
+ // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
+ //
+ // * [`organizations.roles.delete()`](/iam/reference/rest/v1/organizations.roles/delete):
+ // `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
+ // deletes only [custom roles](/iam/docs/understanding-custom-roles) that
+ // have been created at the organization level. Example request URL:
+ // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
+ //
+ // Note: Wildcard (*) values are invalid; you must specify a complete project
+ // ID or organization ID.
+ string name = 1 [(google.api.resource_reference).type = "*"];
+
+ // Used to perform a consistent read-modify-write.
+ bytes etag = 2;
+}
+
+// The request to undelete an existing role.
+message UndeleteRoleRequest {
+ // The `name` parameter's value depends on the target resource for the
+ // request, namely
+ // [`projects`](/iam/reference/rest/v1/projects.roles) or
+ // [`organizations`](/iam/reference/rest/v1/organizations.roles). Each
+ // resource type's `name` value format is described below:
+ //
+ // * [`projects.roles.undelete()`](/iam/reference/rest/v1/projects.roles/undelete):
+ // `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. 
This method undeletes
+ // only [custom roles](/iam/docs/understanding-custom-roles) that have been
+ // created at the project level. Example request URL:
+ // `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`
+ //
+ // * [`organizations.roles.undelete()`](/iam/reference/rest/v1/organizations.roles/undelete):
+ // `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method
+ // undeletes only [custom roles](/iam/docs/understanding-custom-roles) that
+ // have been created at the organization level. Example request URL:
+ // `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`
+ //
+ // Note: Wildcard (*) values are invalid; you must specify a complete project
+ // ID or organization ID.
+ string name = 1 [(google.api.resource_reference).type = "*"];
+
+ // Used to perform a consistent read-modify-write.
+ bytes etag = 2;
+}
+
+// A permission which can be included by a role.
+message Permission {
+ // A stage representing a permission's lifecycle phase.
+ enum PermissionLaunchStage {
+ // The permission is currently in an alpha phase.
+ ALPHA = 0;
+
+ // The permission is currently in a beta phase.
+ BETA = 1;
+
+ // The permission is generally available.
+ GA = 2;
+
+ // The permission is being deprecated.
+ DEPRECATED = 3;
+ }
+
+ // The state of the permission with regards to custom roles.
+ enum CustomRolesSupportLevel {
+ // Permission is fully supported for custom role use.
+ SUPPORTED = 0;
+
+ // Permission is being tested to check custom role compatibility.
+ TESTING = 1;
+
+ // Permission is not supported for custom role use.
+ NOT_SUPPORTED = 2;
+ }
+
+ // The name of this Permission.
+ string name = 1;
+
+ // The title of this Permission.
+ string title = 2;
+
+ // A brief description of what this Permission is used for.
+ // This permission can ONLY be used in predefined roles.
+ string description = 3;
+
+ // This permission can ONLY be used in predefined roles. 
+ bool only_in_predefined_roles = 4;
+
+ // The current launch stage of the permission.
+ PermissionLaunchStage stage = 5;
+
+ // The current custom role support level.
+ CustomRolesSupportLevel custom_roles_support_level = 6;
+}
+
+// A request to get permissions which can be tested on a resource.
+message QueryTestablePermissionsRequest {
+ // Required. The full resource name to query from the list of testable
+ // permissions.
+ //
+ // The name follows the Google Cloud Platform resource format.
+ // For example, a Cloud Platform project with id `my-project` will be named
+ // `//cloudresourcemanager.googleapis.com/projects/my-project`.
+ string full_resource_name = 1;
+
+ // Optional limit on the number of permissions to include in the response.
+ int32 page_size = 2;
+
+ // Optional pagination token returned in an earlier
+ // QueryTestablePermissionsRequest.
+ string page_token = 3;
+}
+
+// The response containing permissions which can be tested on a resource.
+message QueryTestablePermissionsResponse {
+ // The Permissions testable on the requested resource.
+ repeated Permission permissions = 1;
+
+ // To retrieve the next page of results, set
+ // `QueryTestableRolesRequest.page_token` to this value.
+ string next_page_token = 2;
+}
+
+// Supported key algorithms.
+enum ServiceAccountKeyAlgorithm {
+ // An unspecified key algorithm.
+ KEY_ALG_UNSPECIFIED = 0;
+
+ // 1k RSA Key.
+ KEY_ALG_RSA_1024 = 1;
+
+ // 2k RSA Key.
+ KEY_ALG_RSA_2048 = 2;
+}
+
+// Supported private key output formats.
+enum ServiceAccountPrivateKeyType {
+ // Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`.
+ TYPE_UNSPECIFIED = 0;
+
+ // PKCS12 format.
+ // The password for the PKCS12 file is `notasecret`.
+ // For more information, see https://tools.ietf.org/html/rfc7292.
+ TYPE_PKCS12_FILE = 1;
+
+ // Google Credentials File format.
+ TYPE_GOOGLE_CREDENTIALS_FILE = 2;
+}
+
+// Supported public key output formats.
+enum ServiceAccountPublicKeyType {
+ // Unspecified. 
Returns nothing here.
+ TYPE_NONE = 0;
+
+ // X509 PEM format.
+ TYPE_X509_PEM_FILE = 1;
+
+ // Raw public key.
+ TYPE_RAW_PUBLIC_KEY = 2;
+}
+
+// A view for Role objects.
+enum RoleView {
+ // Omits the `included_permissions` field.
+ // This is the default value.
+ BASIC = 0;
+
+ // Returns all fields.
+ FULL = 1;
+} |
