iam library
IAM service accounts + Workload Identity Federation pools. Per-resource
IAM members live alongside their owning service barrel (e.g.
pubsub.dart exports GooglePubsubTopicIamMember).
Classes
- GoogleIamWorkloadIdentityPool
- Factory wrapper for google_iam_workload_identity_pool (provider hashicorp/google ~> 7.0).
- GoogleIamWorkloadIdentityPoolProvider
- Factory wrapper for google_iam_workload_identity_pool_provider.
- GoogleProjectIamCustomRole
- Factory wrapper for google_project_iam_custom_role.
- GoogleProjectIamMember
- Factory wrapper for google_project_iam_member.
- GoogleServiceAccount
- Factory wrapper for google_service_account (provider hashicorp/google ~> 7.0).
- GoogleServiceAccountIamMember
- Factory wrapper for google_service_account_iam_member.
- GoogleServiceAccountKey
- Factory wrapper for google_service_account_key.
- IamWorkloadIdentityPoolProviderAwsTrust
- AWS trust configuration.
- IamWorkloadIdentityPoolProviderOidcTrust
- OIDC trust configuration (generic OIDC / GitHub Actions).
- IamWorkloadIdentityPoolProviderSamlTrust
- SAML 2.0 trust configuration.
- IamWorkloadIdentityPoolProviderTrustSource
- Trust binding for GoogleIamWorkloadIdentityPoolProvider. Sealed so the provider's exactly_one_of across oidc/aws/saml/x509 is exhaustive at the type level.
- IamWorkloadIdentityPoolProviderX509PemCertificate
- PEM certificate entry for X.509 federation trust stores.
- IamWorkloadIdentityPoolProviderX509Trust
- X.509 certificate trust configuration.
- IamWorkloadIdentityPoolProviderX509TrustStore
- Trust store for IamWorkloadIdentityPoolProviderX509Trust.
Enums
- CustomRoleStage
- Lifecycle stage for GoogleProjectIamCustomRole.stage. Mirrors the stage field exposed by the IAM API: alpha/beta/ga are grantable; deprecated/disabled keep the role visible but reject new bindings.
- KeyAlgorithm
- Signing algorithm for GoogleServiceAccountKey.keyAlgorithm. GCP supports RSA-1024 (legacy) and RSA-2048 (default); unspecified lets the API pick.
- PrivateKeyType
- Output format for the emitted private key (GoogleServiceAccountKey.privateKeyType). googleCredentialsFile (the default) returns a JSON credentials file matching what gcloud iam service-accounts keys create emits; pkcs12File returns a PKCS#12 keystore for systems that consume that format.
- PublicKeyType
- Output format for the public key half (GoogleServiceAccountKey.publicKeyType). x509PemFile is the most portable choice; rawPublicKey returns just the key material.
- WorkloadIdentityPoolMode
- Operating mode for a workload identity pool.