IAMClient class

Creates and manages Identity and Access Management (IAM) resources.

You can use this service to work with all of the following resources:

  • Service accounts, which identify an application or a virtual machine (VM) instance rather than a person
  • Service account keys, which service accounts use to authenticate with Google APIs
  • IAM policies for service accounts, which specify the roles that a principal has for the service account
  • IAM custom roles, which help you limit the number of permissions that you grant to principals

In addition, you can use this service to complete the following tasks, among others:

  • Test whether a service account can use specific permissions
  • Check which roles you can grant for a specific resource
  • Lint, or validate, condition expressions in an IAM policy

When you read data from the IAM API, each read is eventually consistent. In other words, if you write data with the IAM API, then immediately read that data, the read operation might return an older version of the data. To deal with this behavior, your application can retry the request with truncated exponential backoff.

In contrast, writing data to the IAM API is sequentially consistent. In other words, write operations are always processed in the order in which they were received.
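The read-after-write behavior described above can be handled with a small retry helper. This is an added example, not code from this package: `readWithBackoff`, its parameters, and the stand-in reader in `main` are hypothetical names, and the delay and deadline values are illustrative assumptions.

```dart
import 'dart:async';
import 'dart:math';

/// Repeats [read] until [isFresh] accepts the result, waiting with truncated
/// exponential backoff plus jitter between attempts. (Hypothetical helper.)
Future<T> readWithBackoff<T>(
  Future<T> Function() read, {
  required bool Function(T value) isFresh,
  bool Function(Object error)? isRetryable,
  Duration initialDelay = const Duration(milliseconds: 500),
  Duration maxDelay = const Duration(seconds: 32),
  Duration deadline = const Duration(minutes: 2),
  Random? random,
}) async {
  final rng = random ?? Random();
  final elapsed = Stopwatch()..start();
  var delay = initialDelay;
  while (true) {
    try {
      final value = await read();
      if (isFresh(value)) return value; // the write is now visible
    } catch (e) {
      // Only errors the caller marks as transient are retried, for example
      // "not found" for a resource that was created a moment ago.
      if (isRetryable == null || !isRetryable(e)) rethrow;
    }
    if (elapsed.elapsed + delay > deadline) {
      throw TimeoutException('read did not converge', deadline);
    }
    // Jitter keeps concurrent clients from retrying in lockstep.
    final jitter = Duration(milliseconds: rng.nextInt(delay.inMilliseconds + 1));
    await Future<void>.delayed(delay + jitter);
    // Double the delay, truncated at maxDelay.
    delay = delay * 2 > maxDelay ? maxDelay : delay * 2;
  }
}

Future<void> main() async {
  // Constructed stand-in for a read issued right after a write: the first two
  // calls return the old value, as an eventually consistent read might.
  // With IAMClient, `read` would be e.g. () => client.getServiceAccount(request).
  var calls = 0;
  Future<String> staleThenFresh() async =>
      ++calls < 3 ? 'old-name' : 'new-name';

  final name = await readWithBackoff(staleThenFresh,
      isFresh: (v) => v == 'new-name',
      initialDelay: const Duration(milliseconds: 10));
  print('$name after $calls reads'); // reader converges on the third call
}
```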

Annotations
  • @GrpcServiceName.new('google.iam.admin.v1.IAM')

Constructors

IAMClient(ClientChannel channel, {CallOptions? options, Iterable<ClientInterceptor>? interceptors})

Properties

hashCode → int
The hash code for this object.
no setter, inherited
runtimeType → Type
A representation of the runtime type of the object.
no setter, inherited

Methods

$createCall<Q, R>(ClientMethod<Q, R> method, Stream<Q> requests, {CallOptions? options}) → ClientCall<Q, R>
inherited
$createStreamingCall<Q, R>(ClientMethod<Q, R> method, Stream<Q> requests, {CallOptions? options}) → ResponseStream<R>
inherited
$createUnaryCall<Q, R>(ClientMethod<Q, R> method, Q request, {CallOptions? options}) → ResponseFuture<R>
inherited
createRole(CreateRoleRequest request, {CallOptions? options}) → ResponseFuture<Role>
Creates a new custom google.iam.admin.v1.Role.
createServiceAccount(CreateServiceAccountRequest request, {CallOptions? options}) → ResponseFuture<ServiceAccount>
Creates a google.iam.admin.v1.ServiceAccount.
createServiceAccountKey(CreateServiceAccountKeyRequest request, {CallOptions? options}) → ResponseFuture<ServiceAccountKey>
Creates a google.iam.admin.v1.ServiceAccountKey.
deleteRole(DeleteRoleRequest request, {CallOptions? options}) → ResponseFuture<Role>
Deletes a custom google.iam.admin.v1.Role.
deleteServiceAccount(DeleteServiceAccountRequest request, {CallOptions? options}) → ResponseFuture<Empty>
Deletes a google.iam.admin.v1.ServiceAccount.
deleteServiceAccountKey(DeleteServiceAccountKeyRequest request, {CallOptions? options}) → ResponseFuture<Empty>
Deletes a google.iam.admin.v1.ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.
disableServiceAccount(DisableServiceAccountRequest request, {CallOptions? options}) → ResponseFuture<Empty>
Disables a google.iam.admin.v1.ServiceAccount immediately.
disableServiceAccountKey(DisableServiceAccountKeyRequest request, {CallOptions? options}) → ResponseFuture<Empty>
Disable a google.iam.admin.v1.ServiceAccountKey. A disabled service account key can be re-enabled with google.iam.admin.v1.IAM.EnableServiceAccountKey.
enableServiceAccount(EnableServiceAccountRequest request, {CallOptions? options}) → ResponseFuture<Empty>
Enables a google.iam.admin.v1.ServiceAccount that was disabled by google.iam.admin.v1.IAM.DisableServiceAccount.
enableServiceAccountKey(EnableServiceAccountKeyRequest request, {CallOptions? options}) → ResponseFuture<Empty>
Enable a google.iam.admin.v1.ServiceAccountKey.
getIamPolicy(GetIamPolicyRequest request, {CallOptions? options}) → ResponseFuture<Policy>
Gets the IAM policy that is attached to a google.iam.admin.v1.ServiceAccount. This IAM policy specifies which principals have access to the service account.
getRole(GetRoleRequest request, {CallOptions? options}) → ResponseFuture<Role>
Gets the definition of a google.iam.admin.v1.Role.
getServiceAccount(GetServiceAccountRequest request, {CallOptions? options}) → ResponseFuture<ServiceAccount>
Gets a google.iam.admin.v1.ServiceAccount.
getServiceAccountKey(GetServiceAccountKeyRequest request, {CallOptions? options}) → ResponseFuture<ServiceAccountKey>
Gets a google.iam.admin.v1.ServiceAccountKey.
lintPolicy(LintPolicyRequest request, {CallOptions? options}) → ResponseFuture<LintPolicyResponse>
Lints, or validates, an IAM policy. Currently checks the google.iam.v1.Binding.condition field, which contains a condition expression for a role binding.
listRoles(ListRolesRequest request, {CallOptions? options}) → ResponseFuture<ListRolesResponse>
Lists every predefined google.iam.admin.v1.Role that IAM supports, or every custom role that is defined for an organization or project.
listServiceAccountKeys(ListServiceAccountKeysRequest request, {CallOptions? options}) → ResponseFuture<ListServiceAccountKeysResponse>
Lists every google.iam.admin.v1.ServiceAccountKey for a service account.
listServiceAccounts(ListServiceAccountsRequest request, {CallOptions? options}) → ResponseFuture<ListServiceAccountsResponse>
Lists every google.iam.admin.v1.ServiceAccount that belongs to a specific project.
noSuchMethod(Invocation invocation) → dynamic
Invoked when a nonexistent method or property is accessed.
inherited
patchServiceAccount(PatchServiceAccountRequest request, {CallOptions? options}) → ResponseFuture<ServiceAccount>
Patches a google.iam.admin.v1.ServiceAccount.
queryAuditableServices(QueryAuditableServicesRequest request, {CallOptions? options}) → ResponseFuture<QueryAuditableServicesResponse>
Returns a list of services that allow you to opt into audit logs that are not generated by default.
queryGrantableRoles(QueryGrantableRolesRequest request, {CallOptions? options}) → ResponseFuture<QueryGrantableRolesResponse>
Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.
queryTestablePermissions(QueryTestablePermissionsRequest request, {CallOptions? options}) → ResponseFuture<QueryTestablePermissionsResponse>
Lists every permission that you can test on a resource. A permission is testable if you can check whether a principal has that permission on the resource.
setIamPolicy(SetIamPolicyRequest request, {CallOptions? options}) → ResponseFuture<Policy>
Sets the IAM policy that is attached to a google.iam.admin.v1.ServiceAccount.
signBlob(SignBlobRequest request, {CallOptions? options}) → ResponseFuture<SignBlobResponse>
Note: This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.
signJwt(SignJwtRequest request, {CallOptions? options}) → ResponseFuture<SignJwtResponse>
Note: This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.
testIamPermissions(TestIamPermissionsRequest request, {CallOptions? options}) → ResponseFuture<TestIamPermissionsResponse>
Tests whether the caller has the specified permissions on a google.iam.admin.v1.ServiceAccount.
toString() → String
A string representation of this object.
inherited
undeleteRole(UndeleteRoleRequest request, {CallOptions? options}) → ResponseFuture<Role>
Undeletes a custom google.iam.admin.v1.Role.
undeleteServiceAccount(UndeleteServiceAccountRequest request, {CallOptions? options}) → ResponseFuture<UndeleteServiceAccountResponse>
Restores a deleted google.iam.admin.v1.ServiceAccount.
updateRole(UpdateRoleRequest request, {CallOptions? options}) → ResponseFuture<Role>
Updates the definition of a custom google.iam.admin.v1.Role.
updateServiceAccount(ServiceAccount request, {CallOptions? options}) → ResponseFuture<ServiceAccount>
Note: We are in the process of deprecating this method. Use google.iam.admin.v1.IAM.PatchServiceAccount instead.
uploadServiceAccountKey(UploadServiceAccountKeyRequest request, {CallOptions? options}) → ResponseFuture<ServiceAccountKey>
Uploads the public key portion of a key pair that you manage, and associates the public key with a google.iam.admin.v1.ServiceAccount.

Operators

operator ==(Object other) → bool
The equality operator.
inherited

Constants

defaultHost → const String
The hostname for this service.
oauthScopes → const List<String>
OAuth scopes needed for the client.