Understanding the iam.edgelq.com service APIv1, in proto package ntt.iam.v1.

Service iam.edgelq.com in version v1, proto package ntt.iam.v1

Here is the list of resources supported in IAM service APIv1:

AttestationDomain Resource

Name patterns:

  • projects/{project}/attestationDomains/{attestation_domain}

Parent resources:

This section covers the methods and messages to interact with AttestationDomain resource.

AttestationDomain Methods

Here is the list of AttestationDomain resource methods:

GetAttestationDomain Method

GetAttestationDomain

rpc GetAttestationDomain(GetAttestationDomainRequest) returns (AttestationDomain)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.get

The equivalent REST API is:

GET /v1/{name=projects/*/attestationDomains/*} 

BatchGetAttestationDomains Method

BatchGetAttestationDomains

rpc BatchGetAttestationDomains(BatchGetAttestationDomainsRequest) returns (BatchGetAttestationDomainsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.batchGet

The equivalent REST API is:

GET /v1/attestationDomains:batchGet 

ListAttestationDomains Method

ListAttestationDomains

rpc ListAttestationDomains(ListAttestationDomainsRequest) returns (ListAttestationDomainsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.list

The equivalent REST API is:

GET /v1/{parent=projects/*}/attestationDomains 

WatchAttestationDomain Method

WatchAttestationDomain

rpc WatchAttestationDomain(WatchAttestationDomainRequest) returns (WatchAttestationDomainResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.watch

The equivalent REST API is:

POST /v1/{name=projects/*/attestationDomains/*}:watch 

WatchAttestationDomains Method

WatchAttestationDomains

rpc WatchAttestationDomains(WatchAttestationDomainsRequest) returns (WatchAttestationDomainsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.watch

The equivalent REST API is:

POST /v1/{parent=projects/*}/attestationDomains:watch 

CreateAttestationDomain Method

CreateAttestationDomain

rpc CreateAttestationDomain(CreateAttestationDomainRequest) returns (AttestationDomain)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.create

The equivalent REST API is:

POST /v1/{parent=projects/*}/attestationDomains (BODY: attestation_domain)

UpdateAttestationDomain Method

UpdateAttestationDomain

rpc UpdateAttestationDomain(UpdateAttestationDomainRequest) returns (AttestationDomain)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.update

The equivalent REST API is:

PUT /v1/{attestation_domain.name=projects/*/attestationDomains/*} (BODY: attestation_domain)

DeleteAttestationDomain Method

DeleteAttestationDomain

rpc DeleteAttestationDomain(DeleteAttestationDomainRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.delete

The equivalent REST API is:

DELETE /v1/{name=projects/*/attestationDomains/*} 

Verify Method

Verify

rpc Verify(VerifyRequest) returns (VerifyResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.verify

The equivalent REST API is:

POST /v1/{ask_for_challenge.attestation_domain=projects/*/attestationDomains/*}:verify 

AttestationDomain Messages

Here is the list of AttestationDomain resource messages:

AttestationDomain Message

Name Type Description
name string (name of AttestationDomain) Name of AttestationDomain When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9\-]{0,28}[a-z0-9]
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
display_name string Display name
insecure_skip_manufacturer_ekcert_verification bool If false (default), attestation verifier SHALL check CA certificate chain up to the TPM chip manufacturer’s CA (defined in manufacturer_ca_issuers). This step is necessary to prove that the attestation request comes from a genuine TPM device, and not a TPM emulator. If true, attestation verifier SHALL skip EKcert verification - !!INSECURE!! Without this check, any keys may come from a simulated TPM on the device. An attacker may therefore forge any key they want. Therefore, this option should only be changed for development purposes.
policies repeated AttestationDomain.Policy Attestees wanting to attest under this attestation domain SHALL fulfill requirements of at least one of attestation policies defined in this list. Policies are checked in the order they appear on this list.
enrollment_list repeated AttestationDomain.EnrolledKey Attestation policy may require the attestee’s pubkey to be present on enrollment_list.

AttestationDomain.Policy Message

Policy defines a singular attestation policy, that should match a homogenous class of device (i.e. hardware and firmware configuration) in the fleet.

Name Type Description
manufacturer_root_ca_certs_pem string List of acceptable manufacturers’ root CA certs (in PEM format). To obtain such a cert, run something like:
    tpm2_getekcertificate -o cert.bin
    openssl x509 -inform der -in cert.bin -noout -text
  Then manually download the certificate specified in Authority Information Access (AIA). Repeat the above openssl command on the newly downloaded file (change the value of the -in argument). Continue this until you reach a certificate which does not have AIA. It’s the root certificate. Convert it to PEM like so:
    openssl x509 -inform der -in root.crt -out root.pem
  Still, we need to encode newlines:
    awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' root.pem
  Then paste the output here. Note: multiple PEM certificates may be included here by simple means of concatenation.
require_enrollment bool If true, the attestee’s pubkey SHALL be present on this AttestationDomain’s enrollment list, otherwise fail the attestation.
verify_event_log bool If true, the verifier SHALL parse, replay and verify the TPM event log provided by the attestee, otherwise fail the attestation. Note that requiring verification of the event log does not provide additional security. See https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md#event-type-and-verification-footguns
expected_pcrs repeated PCR List of expected PCR values. All PCRs on this list SHALL match exactly the PCRs provided by the attestee, otherwise the attestation SHALL be failed. The verifier SHALL perform sanity checks: PCR index/digest pairs are unique and the size of the list is sane (TODO). They can be read from TPM by running something like tpm2_pcrread.
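
The procedure in the manufacturer_root_ca_certs_pem description can be scripted. The following is an added example, not part of the original reference or the EdgeLQ code base: it walks AIA links from an EK certificate to the root, checks each signature on the way, and produces the newline-escaped PEM that the awk command prints. The certificate chain, the ca.example URLs and all function names are constructed for illustration, and the download step is replaced by a map lookup so the code runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// WalkToRoot follows AIA "CA Issuers" links until it reaches a certificate
// without AIA. fetch stands in for the manual download and returns DER bytes.
func WalkToRoot(ekDER []byte, fetch func(url string) ([]byte, error), maxDepth int) (*x509.Certificate, error) {
	cur, err := x509.ParseCertificate(ekDER)
	if err != nil {
		return nil, err
	}
	for depth := 0; len(cur.IssuingCertificateURL) > 0; depth++ {
		if depth >= maxDepth {
			return nil, fmt.Errorf("AIA chain longer than %d links (possible loop)", maxDepth)
		}
		der, err := fetch(cur.IssuingCertificateURL[0])
		if err != nil {
			return nil, err
		}
		parent, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("parsing issuer of %q: %w", cur.Subject.CommonName, err)
		}
		// AIA downloads are unauthenticated, so verify every link.
		if err := cur.CheckSignatureFrom(parent); err != nil {
			return nil, fmt.Errorf("%q was not issued by %q: %w", cur.Subject.CommonName, parent.Subject.CommonName, err)
		}
		cur = parent
	}
	if err := cur.CheckSignatureFrom(cur); err != nil {
		return nil, fmt.Errorf("chain end %q is not self-signed: %w", cur.Subject.CommonName, err)
	}
	return cur, nil
}

// EscapedPEM returns one line in which every PEM line ends in a literal "\n".
func EscapedPEM(cert *x509.Certificate) string {
	text := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}))
	var b strings.Builder
	for _, line := range strings.Split(text, "\n") {
		if line != "" {
			b.WriteString(line + `\n`)
		}
	}
	return b.String()
}

// issue creates a constructed certificate; a nil parent means self-signed.
func issue(cn string, aia []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, IssuingCertificateURL: aia,
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SampleChain builds a constructed EK -> intermediate -> root chain and a URL store.
func SampleChain() (ekDER []byte, store map[string][]byte) {
	root, rootKey := issue("Constructed TPM Root CA", nil, true, nil, nil)
	mid, midKey := issue("Constructed TPM Intermediate CA", []string{"http://ca.example/root.crt"}, true, root, rootKey)
	ek, _ := issue("Constructed EK", []string{"http://ca.example/mid.crt"}, false, mid, midKey)
	return ek.Raw, map[string][]byte{"http://ca.example/root.crt": root.Raw, "http://ca.example/mid.crt": mid.Raw}
}

func main() {
	ek, store := SampleChain()
	root, err := WalkToRoot(ek, func(u string) ([]byte, error) { return store[u], nil }, 8)
	if err != nil {
		panic(err)
	}
	fmt.Println(root.Subject.CommonName, EscapedPEM(root))
}
```

The signature checks only show that the downloaded chain is internally consistent; whether the resulting root really belongs to the TPM manufacturer still has to be confirmed out of band before it is pasted into a policy.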

AttestationDomain.EnrolledKey Message

EnrolledKey defines an enrolled key.

Name Type Description
pubkey_pem string PEM encoded EK pubkey. It can be read from TPM by running something like tpm2_createek -G rsa -u ek.pub -c key.ctx -f pem.
comment string User’s comments for this entry

GetAttestationDomainRequest Message

A request message of the GetAttestationDomain method.

Name Type Description
name string (name of AttestationDomain) Name of ntt.iam.v1.AttestationDomain
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetAttestationDomainsRequest Message

A request message of the BatchGetAttestationDomains method.

Name Type Description
names repeated string (name of AttestationDomain) Names of AttestationDomains
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetAttestationDomainsResponse Message

A response message of the BatchGetAttestationDomains method.

Name Type Description
attestation_domains repeated AttestationDomain found AttestationDomains
missing repeated string (name of AttestationDomain) list of not found AttestationDomains

ListAttestationDomainsRequest Message

A request message of the ListAttestationDomains method.

Name Type Description
parent string (parent name of AttestationDomain) Parent name of ntt.iam.v1.AttestationDomain
page_size int32 Requested page size. Server may return fewer AttestationDomains than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of AttestationDomain) A token identifying a page of results the server should return. Typically, this is the value of ListAttestationDomainsResponse.next_page_token.
order_by string (orderBy of AttestationDomain) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of AttestationDomain) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListAttestationDomainsResponse Message

A response message of the ListAttestationDomains method.

Name Type Description
attestation_domains repeated AttestationDomain The list of AttestationDomains
prev_page_token string (cursor of AttestationDomain) A token to retrieve previous page of results. Pass this value in the ListAttestationDomainsRequest.page_token.
next_page_token string (cursor of AttestationDomain) A token to retrieve next page of results. Pass this value in the ListAttestationDomainsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total AttestationDomains across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchAttestationDomainRequest Message

A request message of the WatchAttestationDomain method.

Name Type Description
name string (name of AttestationDomain) Name of ntt.iam.v1.AttestationDomain
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchAttestationDomainResponse Message

A response message of the WatchAttestationDomain method.

Name Type Description
change AttestationDomainChange

WatchAttestationDomainsRequest Message

A request message of the WatchAttestationDomains method.

Name Type Description
type WatchType Type of a watch. Identifies how server streams data to a client, which fields in a request are allowed and which fields in response are relevant.
parent string (parent name of AttestationDomain) Parent name of ntt.iam.v1.AttestationDomain
page_size int32 Requested page size. Server may return fewer AttestationDomains than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of AttestationDomain) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of AttestationDomain) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of AttestationDomain) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view Changes to AttestationDomain that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask Changes to AttestationDomain that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchAttestationDomainsResponse Message

A response message of the WatchAttestationDomains method.

Name Type Description
attestation_domain_changes repeated AttestationDomainChange Changes of AttestationDomains
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that client should, at this moment, contain a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of request). All AttestationDomains will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left to 0.
page_token_change WatchAttestationDomainsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information how many resources should client have in its state so far (response message without any changes, but with snapshot_size field specified). If client has different value than the one sent by the server, then it should be treated by a client as an error and should reconnect. If value is smaller than 0, then client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful those kinds of errors are handled by the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of internal issue server may send response message with this flag. It indicates that client should drop all changes from recent responses where is_current is false only! If last message had is_current set to true, client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful those kinds of errors are handled by the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of internal issue server may send response message with this flag. After receiving, client should clear whole state (drop all changes received so far) as server will send new snapshot (AttestationDomains will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful those kinds of errors are handled by the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
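
The is_current, snapshot_size, is_soft_reset and is_hard_reset rules above amount to a small client-side state machine for a stateless watch. The following is an added example, not code from the EdgeLQ project: Change and WatchResponse are simplified stand-ins for the real messages, the Removed flag is an assumed change kind, and the sample stream is constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Change and WatchResponse are simplified stand-ins (assumptions) for the real messages.
type Change struct {
	Name    string
	Removed bool // assumed change kind; false covers Added/Current/Modified
}

type WatchResponse struct {
	Changes      []Change
	IsCurrent    bool
	ResumeToken  string
	SnapshotSize int64 // below 0 means unpopulated
	IsSoftReset  bool
	IsHardReset  bool
}

// WatchState is the client-side view built from a stateless watch stream.
type WatchState struct {
	resources   map[string]bool
	pending     []Change // chunks received since the last is_current=true
	ResumeToken string
}

// Apply consumes one response; an error means the client must reconnect.
func (s *WatchState) Apply(r WatchResponse) error {
	switch {
	case r.IsHardReset: // drop everything, resume token included
		s.resources, s.pending, s.ResumeToken = map[string]bool{}, nil, ""
		return nil
	case r.IsSoftReset: // drop only uncommitted chunks; resume token stays valid
		s.pending = nil
		return nil
	case len(r.Changes) == 0 && !r.IsCurrent && r.SnapshotSize >= 0:
		if got := int64(len(s.resources)); got != r.SnapshotSize {
			return fmt.Errorf("snapshot_size mismatch: have %d, server reports %d", got, r.SnapshotSize)
		}
		return nil
	}
	s.pending = append(s.pending, r.Changes...)
	if !r.IsCurrent {
		return nil // more chunks of this changeset will follow
	}
	for _, c := range s.pending { // last chunk: commit the whole changeset
		if c.Removed {
			delete(s.resources, c.Name)
		} else {
			s.resources[c.Name] = true
		}
	}
	s.pending, s.ResumeToken = nil, r.ResumeToken
	return nil
}

// Names returns the committed resource names in sorted order.
func (s *WatchState) Names() []string {
	out := make([]string, 0, len(s.resources))
	for n := range s.resources {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// chunk builds a constructed response that carries changes and no snapshot_size.
func chunk(isCurrent bool, token string, names ...string) WatchResponse {
	r := WatchResponse{IsCurrent: isCurrent, ResumeToken: token, SnapshotSize: -1}
	for _, n := range names {
		r.Changes = append(r.Changes, Change{Name: n})
	}
	return r
}

// Replay feeds a stream into a fresh state, stopping at the first error.
func Replay(stream []WatchResponse) (*WatchState, error) {
	s := &WatchState{resources: map[string]bool{}}
	for _, r := range stream {
		if err := s.Apply(r); err != nil {
			return s, err
		}
	}
	return s, nil
}

func main() {
	s, err := Replay([]WatchResponse{
		chunk(false, "", "ad-a", "ad-b"), chunk(true, "t1", "ad-c"), // chunked snapshot
		chunk(false, "", "ad-x"), {IsSoftReset: true, SnapshotSize: -1}, // abandoned changeset
		{SnapshotSize: 3}, // consistency probe
	})
	fmt.Println(s.Names(), s.ResumeToken, err)
}
```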

WatchAttestationDomainsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of AttestationDomain) New token to retrieve previous page of results.
next_page_token string (cursor of AttestationDomain) New token to retrieve next page of results.

CreateAttestationDomainRequest Message

A request message of the CreateAttestationDomain method.

Name Type Description
parent string (parent name of AttestationDomain) Parent name of ntt.iam.v1.AttestationDomain
attestation_domain AttestationDomain AttestationDomain resource body
response_mask CreateAttestationDomainRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateAttestationDomainRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateAttestationDomainRequest Message

A request message of the UpdateAttestationDomain method.

Name Type Description
attestation_domain AttestationDomain AttestationDomain resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateAttestationDomainRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateAttestationDomainRequest.ResponseMask reduce message response size.

UpdateAttestationDomainRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state AttestationDomain Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateAttestationDomainRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteAttestationDomainRequest Message

A request message of the DeleteAttestationDomain method.

Name Type Description
name string (name of AttestationDomain) Name of ntt.iam.v1.AttestationDomain

VerifyRequest Message

Request message for method [Verify][ntt.iam.v1.Verify]

Name Type Description
ask_for_challenge VerifyRequest.AskForChallenge
challenge_response VerifyRequest.ChallengeResponse

VerifyRequest.AskForChallenge Message

Name Type Description
subject string This will be used to set “sub” claim for attestation token. This “sub” should be compared to “sub” of JWT access token during validation. “Sub” comparison ties both tokens together and protects against theft/reuse of one of them by another service account.
attestation_domain string (name of AttestationDomain) attestation domain ref
tpm_version TpmVersion
ekpub bytes PKIX encoded EK public
ekcert bytes ASN.1 DER encoded EK certificate.
ekcerturl string For Intel TPMs, Intel hosts certificates at a public URL derived from the Public key. Clients or servers can perform an HTTP GET to this URL, and use ParseEKCertificate on the response body.
akpub bytes TPMT_PUBLIC (TPM 2.0) or TPM_PUBKEY (TPM 1.2). See https://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf and https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
creation_data bytes TPMS_CREATION_DATA
attest bytes TPMS_ATTEST
signature bytes TPMT_SIGNATURE
challenge_format VerifyRequest.AskForChallenge.ChallengeFormat ChallengeFormat defines the method of generating identity activation challenge by the Verifier (server). It should affect the interpretation of the ChallengeResponse fields cred_encrypted_by_ekpub and secret_encrypted_by_cred. Attestor (client) is responsible for choosing the right format depending on TPM version and the presence of TrouSerS daemon.

VerifyRequest.ChallengeResponse Message

Name Type Description
ak_activation_decrypted_secret bytes
quotes repeated VerifyRequest.ChallengeResponse.Quote
pcrs repeated PCR
eventlog bytes Binary contents of /sys/kernel/security/tpm0/binary_bios_measurements

VerifyRequest.ChallengeResponse.Quote Message

Name Type Description
quote bytes TPMS_ATTEST (TSS_VALIDATION.Data or TSS_VALIDATION.rgbData) This contains PCR selection information for which the signature was calculated and other required data, like nonce.
signature bytes TSS_VALIDATION.ValidationData or TSS_VALIDATION.rgbValidationData

VerifyResponse Message

Response message for method [Verify][ntt.iam.v1.Verify]

Name Type Description
challenge VerifyResponse.Challenge
attestation_successful VerifyResponse.AttestationSuccessful

VerifyResponse.Challenge Message

Name Type Description
platform_attestation_nonce bytes Platform attestation
cred_encrypted_by_ekpub bytes AK Identity Activation
secret_encrypted_by_cred bytes

VerifyResponse.AttestationSuccessful Message

Name Type Description
attestation_token string

Condition Resource

Condition Resource represents additional that is not built-in into the role. It can be attached to role grant or RoleBinding (applies to all grants then).

Name patterns:

  • conditions/{condition}
  • projects/{project}/conditions/{condition}
  • organizations/{organization}/conditions/{condition}
  • services/{service}/conditions/{condition}

Parent resources:

This section covers the methods and messages to interact with Condition resource.

Condition Methods

Here is the list of Condition resource methods:

GetCondition Method

GetCondition

rpc GetCondition(GetConditionRequest) returns (Condition)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.get

The equivalent REST API is:

GET /v1/{name=conditions/*} 
GET /v1/{name=projects/*/conditions/*} 
GET /v1/{name=organizations/*/conditions/*} 
GET /v1/{name=services/*/conditions/*} 

BatchGetConditions Method

BatchGetConditions

rpc BatchGetConditions(BatchGetConditionsRequest) returns (BatchGetConditionsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.batchGet

The equivalent REST API is:

GET /v1/conditions:batchGet 

ListConditions Method

ListConditions

rpc ListConditions(ListConditionsRequest) returns (ListConditionsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.list

The equivalent REST API is:

GET /v1/conditions 
GET /v1/{parent=projects/*}/conditions 
GET /v1/{parent=organizations/*}/conditions 
GET /v1/{parent=services/*}/conditions 

WatchCondition Method

WatchCondition

rpc WatchCondition(WatchConditionRequest) returns (WatchConditionResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.watch

The equivalent REST API is:

POST /v1/{name=conditions/*}:watch 
POST /v1/{name=projects/*/conditions/*}:watch 
POST /v1/{name=organizations/*/conditions/*}:watch 
POST /v1/{name=services/*/conditions/*}:watch 

WatchConditions Method

WatchConditions

rpc WatchConditions(WatchConditionsRequest) returns (WatchConditionsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.watch

The equivalent REST API is:

POST /v1/conditions:watch 
POST /v1/{parent=projects/*}/conditions:watch 
POST /v1/{parent=organizations/*}/conditions:watch 
POST /v1/{parent=services/*}/conditions:watch 

CreateCondition Method

CreateCondition

rpc CreateCondition(CreateConditionRequest) returns (Condition)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.create

The equivalent REST API is:

POST /v1/conditions (BODY: condition)
POST /v1/{parent=projects/*}/conditions 
POST /v1/{parent=organizations/*}/conditions 
POST /v1/{parent=services/*}/conditions 

UpdateCondition Method

UpdateCondition

rpc UpdateCondition(UpdateConditionRequest) returns (Condition)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.update

The equivalent REST API is:

PUT /v1/{condition.name=conditions/*} (BODY: condition)
PUT /v1/{condition.name=projects/*/conditions/*} 
PUT /v1/{condition.name=organizations/*/conditions/*} 
PUT /v1/{condition.name=services/*/conditions/*} 

DeleteCondition Method

DeleteCondition

rpc DeleteCondition(DeleteConditionRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.delete

The equivalent REST API is:

DELETE /v1/{name=conditions/*} 
DELETE /v1/{name=projects/*/conditions/*} 
DELETE /v1/{name=organizations/*/conditions/*} 
DELETE /v1/{name=services/*/conditions/*} 

Condition Messages

Here is the list of Condition resource messages:

Condition Message

Name Type Description
name string (name of Condition) Name of Condition When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9\-]{0,28}[a-z0-9]
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
display_name string Display Name
description string Description
ip_condition Condition.IpCondition
attestation_condition Condition.AttestationCondition
expression string Condition expression in Google CEL syntax, e.g. resource.name == "projects/xyz/instances/abc" Accessible parameters:
parameter_declarations repeated Condition.ParameterDeclaration Typed parameters declarations. When binding a Condition passed parameters must correspond to declarations. DEPRECATED: Along with expression, CEL conditions are gone.

Condition.ParameterDeclaration Message

Parameter Declarations used

Name Type Description
key string Parameter Key - must be unique within condition. Defined parameter variables are accessible in condition expression via parameters.<key>, e.g. parameters.projectId
type Condition.ParameterType Parameter value type

Condition.IpCondition Message

IpCondition presents list of allowed/disallowed source IP addresses.

Name Type Description
allowed_cidrs repeated string Allowed IP cidrs in v4 or v6 format. If specified, at least one must be satisfied during execution.
disabled_cidrs repeated string Disallowed IP cidrs in v4 or v6 format. If specified, client IP must not be in any specified range.
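
How the two lists combine is easy to get wrong for mixed IPv4/IPv6 input. The following is an added example, not the service's own evaluation code: it applies both rules as stated above, so a match in disabled_cidrs always denies, and it normalises IPv4-mapped IPv6 addresses before matching. Treating a condition with both lists empty as permitting, and failing closed on a malformed CIDR, are assumptions; the addresses are constructed samples.

```go
package main

import (
	"fmt"
	"net/netip"
)

// IpCondition mirrors the two fields of Condition.IpCondition.
type IpCondition struct {
	AllowedCidrs  []string
	DisabledCidrs []string
}

// matchAny reports whether addr falls in any CIDR; a malformed CIDR is an error.
func matchAny(addr netip.Addr, cidrs []string) (bool, error) {
	hit := false
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return false, fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		if p.Contains(addr) {
			hit = true
		}
	}
	return hit, nil
}

// Permits evaluates the condition for one client IP and fails closed on errors.
func (c IpCondition) Permits(clientIP string) (bool, error) {
	addr, err := netip.ParseAddr(clientIP)
	if err != nil {
		return false, fmt.Errorf("invalid client IP %q: %w", clientIP, err)
	}
	// Normalise so that ::ffff:10.9.1.1 is tested as 10.9.1.1 and a zone
	// suffix cannot make Prefix.Contains miss a disabled range.
	addr = addr.Unmap().WithZone("")
	denied, err := matchAny(addr, c.DisabledCidrs)
	if err != nil || denied {
		return false, err
	}
	if len(c.AllowedCidrs) == 0 {
		return true, nil // assumption: no allow list means no allow restriction
	}
	return matchAny(addr, c.AllowedCidrs)
}

func main() {
	c := IpCondition{
		AllowedCidrs:  []string{"10.0.0.0/8", "2001:db8::/32"}, // constructed sample
		DisabledCidrs: []string{"10.9.0.0/16"},
	}
	for _, ip := range []string{"10.1.2.3", "10.9.1.1", "::ffff:10.9.1.1", "192.0.2.1"} {
		ok, err := c.Permits(ip)
		fmt.Println(ip, ok, err)
	}
}
```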

Condition.AttestationCondition Message

AttestationCondition requires that associated roles/grants are authorized only if caller attaches proper attestation token next to authorization one.

Name Type Description
domain string (reference to AttestationDomain) Domain name that must be present in attestation token.
except_permissions repeated string (reference to Permission) List of permissions excepted from this condition. By default, it contains:
  • services/iam.edgelq.com/permissions/attestationDomains.get
  • services/iam.edgelq.com/permissions/attestationDomains.verify
  • services/iam.edgelq.com/permissions/serviceAccounts.get
  • services/iam.edgelq.com/permissions/serviceAccountKeys.get
  • services/devices.edgelq.com/permissions/devices.list
  • services/devices.edgelq.com/permissions/provisioningPolicies.list
  • services/devices.edgelq.com/permissions/provisioningPolicies.provisionDeviceViaPolicy
  • services/devices.edgelq.com/permissions/provisioningPolicies.requestProvisioningApproval
  Those are necessary to obtain attestation token in the first place.

GetConditionRequest Message

A request message of the GetCondition method.

Name Type Description
name string (name of Condition) Name of ntt.iam.v1.Condition
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetConditionsRequest Message

A request message of the BatchGetConditions method.

Name Type Description
names repeated string (name of Condition) Names of Conditions
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetConditionsResponse Message

A response message of the BatchGetConditions method.

Name Type Description
conditions repeated Condition found Conditions
missing repeated string (name of Condition) list of not found Conditions

ListConditionsRequest Message

A request message of the ListConditions method.

Name Type Description
parent string (parent name of Condition) Parent name of ntt.iam.v1.Condition
page_size int32 Requested page size. Server may return fewer Conditions than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Condition) A token identifying a page of results the server should return. Typically, this is the value of ListConditionsResponse.next_page_token.
order_by string (orderBy of Condition) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Condition) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListConditionsResponse Message

A response message of the ListConditions method.

Name Type Description
conditions repeated Condition The list of Conditions
prev_page_token string (cursor of Condition) A token to retrieve previous page of results. Pass this value in the ListConditionsRequest.page_token.
next_page_token string (cursor of Condition) A token to retrieve next page of results. Pass this value in the ListConditionsRequest.page_token.
current_offset int32 Current offset from the first page or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Conditions across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchConditionRequest Message

A request message of the WatchCondition method.

Name Type Description
name string (name of Condition) Name of ntt.iam.v1.Condition
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchConditionResponse Message

A response message of the WatchCondition method.

Name Type Description
change ConditionChange

WatchConditionsRequest Message

A request message of the WatchConditions method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in response are relevant.
parent string (parent name of Condition) Parent name of ntt.iam.v1.Condition
page_size int32 Requested page size. Server may return fewer Conditions than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of Condition) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of Condition) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of Condition) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view Changes to Condition that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask Changes to Condition that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchConditionsResponse Message

A response message of the WatchConditions method.

Name Type Description
condition_changes repeated ConditionChange Changes of Conditions
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of the request). All Conditions will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchConditionsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information about how many resources the client should have in its state so far (response message without any changes, but with snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat it as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent together with the is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far) as the server will send a new snapshot (Conditions will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.

WatchConditionsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of Condition) New token to retrieve previous page of results.
next_page_token string (cursor of Condition) New token to retrieve next page of results.

CreateConditionRequest Message

A request message of the CreateCondition method.

Name Type Description
parent string (parent name of Condition) Parent name of ntt.iam.v1.Condition
condition Condition Condition resource body
response_mask CreateConditionRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateConditionRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateConditionRequest Message

A request message of the UpdateCondition method.

Name Type Description
condition Condition Condition resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateConditionRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateConditionRequest.ResponseMask reduce message response size.

UpdateConditionRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state Condition Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateConditionRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteConditionRequest Message

A request message of the DeleteCondition method.

Name Type Description
name string (name of Condition) Name of ntt.iam.v1.Condition

Condition Enumerations

Here is the list of Condition resource enumerations:

Condition.ParameterType Enumeration

Parameter Type.

Name Description
TYPE_UNSPECIFIED
STRING
INT64
DOUBLE
BOOL
STRING_ARRAY
INT64_ARRAY
DOUBLE_ARRAY
BOOL_ARRAY
OBJECT

Group Resource


Name patterns:

  • groups/{group}
  • projects/{project}/groups/{group}
  • organizations/{organization}/groups/{group}
  • services/{service}/groups/{group}

Parent resources:

This section covers the methods and messages to interact with Group resource.

Group Methods

Here is the list of Group resource methods:

GetGroup Method

GetGroup

rpc GetGroup(GetGroupRequest) returns (Group)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.get

The equivalent REST API is:

GET /v1/{name=groups/*} 
GET /v1/{name=projects/*/groups/*} 
GET /v1/{name=organizations/*/groups/*} 
GET /v1/{name=services/*/groups/*} 

BatchGetGroups Method

BatchGetGroups

rpc BatchGetGroups(BatchGetGroupsRequest) returns (BatchGetGroupsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.batchGet

The equivalent REST API is:

GET /v1/groups:batchGet 

ListGroups Method

ListGroups

rpc ListGroups(ListGroupsRequest) returns (ListGroupsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.list

The equivalent REST API is:

GET /v1/groups 
GET /v1/{parent=projects/*}/groups 
GET /v1/{parent=organizations/*}/groups 
GET /v1/{parent=services/*}/groups 

WatchGroup Method

WatchGroup

rpc WatchGroup(WatchGroupRequest) returns (WatchGroupResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.watch

The equivalent REST API is:

POST /v1/{name=groups/*}:watch 
POST /v1/{name=projects/*/groups/*}:watch 
POST /v1/{name=organizations/*/groups/*}:watch 
POST /v1/{name=services/*/groups/*}:watch 

WatchGroups Method

WatchGroups

rpc WatchGroups(WatchGroupsRequest) returns (WatchGroupsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.watch

The equivalent REST API is:

POST /v1/groups:watch 
POST /v1/{parent=projects/*}/groups:watch 
POST /v1/{parent=organizations/*}/groups:watch 
POST /v1/{parent=services/*}/groups:watch 

CreateGroup Method

CreateGroup

rpc CreateGroup(CreateGroupRequest) returns (Group)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.create

The equivalent REST API is:

POST /v1/groups (BODY: group)
POST /v1/{parent=projects/*}/groups 
POST /v1/{parent=organizations/*}/groups 
POST /v1/{parent=services/*}/groups 

UpdateGroup Method

UpdateGroup

rpc UpdateGroup(UpdateGroupRequest) returns (Group)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.update

The equivalent REST API is:

PUT /v1/{group.name=groups/*} (BODY: group)
PUT /v1/{group.name=projects/*/groups/*} 
PUT /v1/{group.name=organizations/*/groups/*} 
PUT /v1/{group.name=services/*/groups/*} 

DeleteGroup Method

DeleteGroup

rpc DeleteGroup(DeleteGroupRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.delete

The equivalent REST API is:

DELETE /v1/{name=groups/*} 
DELETE /v1/{name=projects/*/groups/*} 
DELETE /v1/{name=organizations/*/groups/*} 
DELETE /v1/{name=services/*/groups/*} 

Group Messages

Here is the list of Group resource messages:

Group Message

Name Type Description
name string (name of Group) Name of Group When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9\-]{0,28}[a-z0-9]
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
display_name string Display Name
description string Optional. Description of the Group
email string Unique email address for this [Group]. Generated based on its [name][ntt.iam.v1alpha2.Group.name] with the following rules:
  1. System group: {group_id}@groups.iam.edgelq.com
  2. Organization group: {group_id}@{organization_id}.groups.iam.edgelq.com
  3. Project group: {group_id}@{project_id}.groups.iam.edgelq.com
This email can be used in [RoleBindings][ntt.iam.v1alpha2.RoleBinding.member] field. Note: Currently there is way to assign custom domain for [Organization] or [Project].

GetGroupRequest Message

A request message of the GetGroup method.

Name Type Description
name string (name of Group) Name of ntt.iam.v1.Group
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetGroupsRequest Message

A request message of the BatchGetGroups method.

Name Type Description
names repeated string (name of Group) Names of Groups
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetGroupsResponse Message

A response message of the BatchGetGroups method.

Name Type Description
groups repeated Group found Groups
missing repeated string (name of Group) list of not found Groups

ListGroupsRequest Message

A request message of the ListGroups method.

Name Type Description
parent string (parent name of Group) Parent name of ntt.iam.v1.Group
page_size int32 Requested page size. Server may return fewer Groups than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Group) A token identifying a page of results the server should return. Typically, this is the value of ListGroupsResponse.next_page_token.
order_by string (orderBy of Group) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Group) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListGroupsResponse Message

A response message of the ListGroups method.

Name Type Description
groups repeated Group The list of Groups
prev_page_token string (cursor of Group) A token to retrieve previous page of results. Pass this value in the ListGroupsRequest.page_token.
next_page_token string (cursor of Group) A token to retrieve next page of results. Pass this value in the ListGroupsRequest.page_token.
current_offset int32 Current offset from the first page or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Groups across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchGroupRequest Message

A request message of the WatchGroup method.

Name Type Description
name string (name of Group) Name of ntt.iam.v1.Group
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchGroupResponse Message

A response message of the WatchGroup method.

Name Type Description
change GroupChange

WatchGroupsRequest Message

A request message of the WatchGroups method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in response are relevant.
parent string (parent name of Group) Parent name of ntt.iam.v1.Group
page_size int32 Requested page size. Server may return fewer Groups than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of Group) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of Group) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of Group) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view Changes to Group that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask Changes to Group that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchGroupsResponse Message

A response message of the WatchGroups method.

Name Type Description
group_changes repeated GroupChange Changes of Groups
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of the request). All Groups will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchGroupsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information about how many resources the client should have in its state so far (response message without any changes, but with snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat it as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent together with the is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far) as the server will send a new snapshot (Groups will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
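
The chunking and reset rules in the WatchConditionsResponse and WatchGroupsResponse tables, written out as client-side state handling for a stateless watch. This is an added Python example, not EdgeLQ client code. Responses are modelled as plain dicts; the shape of a single change, the kinds "modified" and "removed", and comparing snapshot_size against committed resources only are assumptions, and the sample stream is constructed.

```python
"""Client-side state for a stateless WatchGroups / WatchConditions stream.

Responses are plain dicts keyed by the field names in the response tables.
The shape of one change ({"kind", "name", "resource"}) and the kinds
"modified" and "removed" are assumptions made for this example.
"""


class ResyncRequired(Exception):
    """Local state disagrees with the server's snapshot_size: reconnect."""


class StatelessWatchState:
    def __init__(self, changes_field="group_changes"):
        self.changes_field = changes_field  # or "condition_changes"
        self.resources = {}        # committed view: resource name -> body
        self.pending = []          # changes from chunks with is_current false
        self.resume_token = None   # only delivered on is_current chunks
        self.in_sync = False       # True after the first is_current chunk

    def apply(self, resp):
        # Reset flags and snapshot_size never accompany is_current or each
        # other, so every branch handles one kind of message and returns.
        if resp.get("is_hard_reset"):
            # A new snapshot follows; cached state and token are discarded.
            self.resources.clear()
            self.pending.clear()
            self.resume_token = None
            self.in_sync = False
            return
        if resp.get("is_soft_reset"):
            # Only uncommitted chunks are dropped; the resume token stays valid.
            self.pending.clear()
            return
        changes = resp.get(self.changes_field, [])
        if changes or resp.get("is_current"):
            self.pending.extend(changes)
            if resp.get("is_current"):
                self._commit(resp.get("resume_token"))
            return
        size = resp.get("snapshot_size", -1)  # negative means unpopulated
        if size >= 0 and size != len(self.resources):
            # Assumption: the count refers to committed resources.
            raise ResyncRequired(f"server={size} local={len(self.resources)}")

    def _commit(self, token):
        # Chunks become visible only together, on the is_current message, so a
        # consumer of IAM data never acts on half of a changeset.
        for change in self.pending:
            if change["kind"] == "removed":
                self.resources.pop(change["name"], None)
            else:  # "added", "current", "modified"
                self.resources[change["name"]] = change["resource"]
        self.pending.clear()
        self.in_sync = True
        if token:
            self.resume_token = token


def change(kind, group_id, display_name=None):
    name = f"projects/demo/groups/{group_id}"
    return {"kind": kind, "name": name,
            "resource": {"display_name": display_name}}


# Constructed sample stream (not captured from a real server).
SAMPLE_STREAM = [
    {"group_changes": [change("current", "ops", "Ops")], "is_current": False},
    {"group_changes": [change("current", "dev", "Dev")], "is_current": True,
     "resume_token": "tok-1"},
    {"snapshot_size": 2},
    {"group_changes": [change("removed", "ops")], "is_current": False},
    {"is_soft_reset": True},  # the pending removal of "ops" is dropped
    {"group_changes": [change("modified", "dev", "Developers")],
     "is_current": True, "resume_token": "tok-2"},
]


def replay(stream, state=None):
    """Feed responses in order and return the resulting state."""
    if state is None:
        state = StatelessWatchState()
    for resp in stream:
        state.apply(resp)
    return state


if __name__ == "__main__":
    final = replay(SAMPLE_STREAM)
    print(sorted(final.resources), final.resume_token, final.in_sync)
```

A consumer that caches Groups or Conditions for authorization decisions should read `resources` only while `in_sync` is true, and reconnect on `ResyncRequired`.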

WatchGroupsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of Group) New token to retrieve previous page of results.
next_page_token string (cursor of Group) New token to retrieve next page of results.

CreateGroupRequest Message

A request message of the CreateGroup method.

Name Type Description
parent string (parent name of Group) Parent name of ntt.iam.v1.Group
group Group Group resource body
response_mask CreateGroupRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateGroupRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateGroupRequest Message

A request message of the UpdateGroup method.

Name Type Description
group Group Group resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateGroupRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateGroupRequest.ResponseMask reduce message response size.

UpdateGroupRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state Group Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateGroupRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteGroupRequest Message

A request message of the DeleteGroup method.

Name Type Description
name string (name of Group) Name of ntt.iam.v1.Group

GroupMember Resource


Name patterns:

  • groups/{group}/groupMembers/{group_member}
  • projects/{project}/groups/{group}/groupMembers/{group_member}
  • organizations/{organization}/groups/{group}/groupMembers/{group_member}
  • services/{service}/groups/{group}/groupMembers/{group_member}

Parent resources:

This section covers the methods and messages to interact with GroupMember resource.

GroupMember Methods

Here is the list of GroupMember resource methods:

GetGroupMember Method

GetGroupMember

rpc GetGroupMember(GetGroupMemberRequest) returns (GroupMember)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.get

The equivalent REST API is:

GET /v1/{name=groups/*/groupMembers/*} 
GET /v1/{name=projects/*/groups/*/groupMembers/*} 
GET /v1/{name=organizations/*/groups/*/groupMembers/*} 
GET /v1/{name=services/*/groups/*/groupMembers/*} 

BatchGetGroupMembers Method

BatchGetGroupMembers

rpc BatchGetGroupMembers(BatchGetGroupMembersRequest) returns (BatchGetGroupMembersResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.batchGet

The equivalent REST API is:

GET /v1/groupMembers:batchGet 

ListGroupMembers Method

ListGroupMembers

rpc ListGroupMembers(ListGroupMembersRequest) returns (ListGroupMembersResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.list

The equivalent REST API is:

GET /v1/{parent=groups/*}/groupMembers 
GET /v1/{parent=projects/*/groups/*}/groupMembers 
GET /v1/{parent=organizations/*/groups/*}/groupMembers 
GET /v1/{parent=services/*/groups/*}/groupMembers 

WatchGroupMember Method

WatchGroupMember

rpc WatchGroupMember(WatchGroupMemberRequest) returns (WatchGroupMemberResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.watch

The equivalent REST API is:

POST /v1/{name=groups/*/groupMembers/*}:watch 
POST /v1/{name=projects/*/groups/*/groupMembers/*}:watch 
POST /v1/{name=organizations/*/groups/*/groupMembers/*}:watch 
POST /v1/{name=services/*/groups/*/groupMembers/*}:watch 

WatchGroupMembers Method

WatchGroupMembers

rpc WatchGroupMembers(WatchGroupMembersRequest) returns (WatchGroupMembersResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.watch

The equivalent REST API is:

POST /v1/{parent=groups/*}/groupMembers:watch 
POST /v1/{parent=projects/*/groups/*}/groupMembers:watch 
POST /v1/{parent=organizations/*/groups/*}/groupMembers:watch 
POST /v1/{parent=services/*/groups/*}/groupMembers:watch 

CreateGroupMember Method

CreateGroupMember

rpc CreateGroupMember(CreateGroupMemberRequest) returns (GroupMember)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.create

The equivalent REST API is:

POST /v1/{parent=groups/*}/groupMembers (BODY: group_member)
POST /v1/{parent=projects/*/groups/*}/groupMembers 
POST /v1/{parent=organizations/*/groups/*}/groupMembers 
POST /v1/{parent=services/*/groups/*}/groupMembers 

UpdateGroupMember Method

UpdateGroupMember

rpc UpdateGroupMember(UpdateGroupMemberRequest) returns (GroupMember)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.update

The equivalent REST API is:

PUT /v1/{group_member.name=groups/*/groupMembers/*} (BODY: group_member)
PUT /v1/{group_member.name=projects/*/groups/*/groupMembers/*} 
PUT /v1/{group_member.name=organizations/*/groups/*/groupMembers/*} 
PUT /v1/{group_member.name=services/*/groups/*/groupMembers/*} 

DeleteGroupMember Method

DeleteGroupMember

rpc DeleteGroupMember(DeleteGroupMemberRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.delete

The equivalent REST API is:

DELETE /v1/{name=groups/*/groupMembers/*} 
DELETE /v1/{name=projects/*/groups/*/groupMembers/*} 
DELETE /v1/{name=organizations/*/groups/*/groupMembers/*} 
DELETE /v1/{name=services/*/groups/*/groupMembers/*} 

ListGroupMembersWithMembers Method

ListGroupMembersWithMembers

rpc ListGroupMembersWithMembers(ListGroupMembersWithMembersRequest) returns (ListGroupMembersWithMembersResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.listGroupMembersWithMembers

The equivalent REST API is:

POST /v1/{parent=groups/*}/groupMembers:listGroupMembersWithMembers 
POST /v1/{parent=projects/*/groups/*}/groupMembers:listGroupMembersWithMembers 
POST /v1/{parent=organizations/*/groups/*}/groupMembers:listGroupMembersWithMembers 
POST /v1/{parent=services/*/groups/*}/groupMembers:listGroupMembersWithMembers 

GroupMember Messages

Here is the list of GroupMember resource messages:

GroupMember Message

Name Type Description
name string (name of GroupMember) Name of GroupMember. When creating a new instance, this field is optional; if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9\-]{0,28}[a-z0-9]
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
member string Format of the string is one of: “allUsers” (anyone), “allAuthenticatedUsers” (anyone logged in), “user:admin.super@example.com”, “serviceAccount:device_agent@watchdog.serviceaccounts.iam.edgelq.com”, “group:nice.group@example.com”.
parent_member string Internal field used by the IAM controller to know the member ID (email) of the group this member belongs to.
min_ancestry_members repeated string Internal field used by the IAM controller to know common ancestors if this group member is actually a copy from another group, which can happen if a group is a member of another group. The list contains member IDs of other groups. The last element always points to the group which made the actual copy and is responsible for deletion when needed. If a particular group member is copied multiple times (which can also happen if a group is an indirect member via multiple memberships), then this field contains only the common ancestors. The purpose of this field is to indicate the owner (last item in the list) and to break cycles (previous elements). The list is always empty if this group member is a DIRECT member of this group, and the controller cannot modify it.
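A pre-flight check for a GroupMember body before it is sent to CreateGroupMember, added here as an example (not EdgeLQ code): it applies the name shapes from the REST paths, the last-segment regex and the member formats listed above, and reports the two wildcard values so a reviewer sees them. The function name, the finding strings and the loose address check are assumptions; the server remains the authority on validation.

```python
import re

# Last-ID-segment rule quoted from the GroupMember "name" field description.
ID_SEGMENT = re.compile(r"[a-z][a-z0-9\-]{0,28}[a-z0-9]")

# Resource name shapes taken from the REST paths of the GroupMember methods:
# groups/*/groupMembers/* with an optional projects|organizations|services parent.
NAME_PATTERN = re.compile(
    r"(?:(?:projects|organizations|services)/[^/]+/)?"
    r"groups/[^/]+/groupMembers/(?P<id>[^/]+)"
)

# Wildcard members and their meaning as given in the "member" field description.
WILDCARD_MEMBERS = {"allUsers": "anyone", "allAuthenticatedUsers": "anyone logged in"}
MEMBER_KINDS = ("user", "serviceAccount", "group")
# Assumption: a loose address shape (something@something), not a full e-mail grammar.
ADDRESS = re.compile(r"[^@\s:]+@[^@\s:]+")


def check_group_member(name, member):
    """Return a list of findings; an empty list means the body looks well-formed."""
    findings = []
    if name:  # name is optional on create; the server generates one when absent
        match = NAME_PATTERN.fullmatch(name)
        if match is None:
            findings.append("name: not a GroupMember name pattern")
        elif ID_SEGMENT.fullmatch(match.group("id")) is None:
            # The regex needs at least two characters, lower case only.
            findings.append("name: last ID segment violates the documented regex")
    if member in WILDCARD_MEMBERS:
        findings.append("member: wildcard %s (%s)" % (member, WILDCARD_MEMBERS[member]))
    else:
        kind, sep, address = member.partition(":")
        if not sep or kind not in MEMBER_KINDS or ADDRESS.fullmatch(address) is None:
            findings.append("member: not one of the documented formats")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in [
        ("projects/p1/groups/ops/groupMembers/alice-1", "user:alice@example.com"),
        ("", "allUsers"),
        ("groups/g/groupMembers/a", "group:nice.group@example.com"),
    ]:
        print(sample, "->", check_group_member(*sample))
```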

GetGroupMemberRequest Message

A request message of the GetGroupMember method.

Name Type Description
name string (name of GroupMember) Name of ntt.iam.v1.GroupMember
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetGroupMembersRequest Message

A request message of the BatchGetGroupMembers method.

Name Type Description
names repeated string (name of GroupMember) Names of GroupMembers
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetGroupMembersResponse Message

A response message of the BatchGetGroupMembers method.

Name Type Description
group_members repeated GroupMember found GroupMembers
missing repeated string (name of GroupMember) list of not found GroupMembers

ListGroupMembersRequest Message

A request message of the ListGroupMembers method.

Name Type Description
parent string (parent name of GroupMember) Parent name of ntt.iam.v1.GroupMember
page_size int32 Requested page size. Server may return fewer GroupMembers than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of GroupMember) A token identifying a page of results the server should return. Typically, this is the value of ListGroupMembersResponse.next_page_token.
order_by string (orderBy of GroupMember) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of GroupMember) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListGroupMembersResponse Message

A response message of the ListGroupMembers method.

Name Type Description
group_members repeated GroupMember The list of GroupMembers
prev_page_token string (cursor of GroupMember) A token to retrieve previous page of results. Pass this value in the ListGroupMembersRequest.page_token.
next_page_token string (cursor of GroupMember) A token to retrieve next page of results. Pass this value in the ListGroupMembersRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested, or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total GroupMembers across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchGroupMemberRequest Message

A request message of the WatchGroupMember method.

Name Type Description
name string (name of GroupMember) Name of ntt.iam.v1.GroupMember
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchGroupMemberResponse Message

A response message of the WatchGroupMember method.

Name Type Description
change GroupMemberChange

WatchGroupMembersRequest Message

A request message of the WatchGroupMembers method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in a response are relevant.
parent string (parent name of GroupMember) Parent name of ntt.iam.v1.GroupMember
page_size int32 Requested page size. Server may return fewer GroupMembers than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of GroupMember) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of GroupMember) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in time from which we want to start getting updates. This field can be populated only for stateless watch type and if the resume token is not known yet. If specified, the initial snapshot will NOT be provided. It is assumed the client can obtain it using separate means. Watch responses will contain resume tokens, which should be used to resume a broken connection.
filter string (filter of GroupMember) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to GroupMember that don’t affect any of the masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to GroupMember that don’t affect any of the masked fields won’t be sent back.
max_chunk_size int32 Maximum number of changes in each response message. The query result response is divided on the server side into chunks of the specified size to limit the memory footprint of each message. Responses will hold information on whether more elements will follow for the actual change. If unspecified, server will pick an appropriate default.

WatchGroupMembersResponse Message

A response message of the WatchGroupMembers method.

Name Type Description
group_member_changes repeated GroupMemberChange Changes of GroupMembers
is_current bool If the request specified max_chunk_size (or this limit was enforced because stateless watch was chosen), then responses with a “full changeset” will be divided into chunks. The client should keep receiving messages and, once is_current has value true, combine this latest message with all previous ones where is_current is false. If this is the first is_current in the whole watch stream, then the client should, at this moment, hold a snapshot of the current situation (or, more accurately, a snapshot of the situation at the moment of the request). All GroupMembers will be of type Added/Current (depending on the watch_type specified in the request). Further responses will be incremental; however, messages may still be chunked and the is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchGroupMembersResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 The server may occasionally send information on how many resources the client should have in its state so far (a response message without any changes, but with the snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat it as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent together with the is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. A resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far), as the server will send a new snapshot (GroupMembers will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
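The client-side bookkeeping these fields call for on a stateless watch, as an added example (not EdgeLQ client code): chunks are buffered until is_current, soft and hard resets are honoured, and a snapshot_size mismatch forces a reconnect, so a local membership cache is never read from a half-applied changeset. WatchMemberAssignmentsResponse documents the same is_current, resume_token and snapshot_size semantics. Responses are modelled as plain dicts; the change layout ("type", "name", "group_member"), the "modified"/"removed" type names, the class and function names, and treating a missing snapshot_size key as unpopulated are assumptions.

```python
class ResyncRequired(Exception):
    """Local state disagrees with the server; drop the stream and reconnect."""


class GroupMemberWatchState:
    """Client-side state for a stateless WatchGroupMembers stream."""

    def __init__(self):
        self.members = {}          # committed: resource name -> GroupMember dict
        self.pending = []          # changes from chunks where is_current was false
        self.resume_token = None   # last token received with is_current == true
        self.has_snapshot = False  # true once the first is_current chunk is applied

    def handle(self, resp):
        """Process one response dict and return what was done with it."""
        if resp.get("is_hard_reset"):
            # Clear everything, tokens included; a new snapshot will follow.
            self.members.clear()
            self.pending.clear()
            self.resume_token = None
            self.has_snapshot = False
            return "hard_reset"
        if resp.get("is_soft_reset"):
            # Only uncommitted chunks are dropped; the resume token stays valid.
            self.pending.clear()
            return "soft_reset"
        changes = resp.get("group_member_changes", [])
        size = resp.get("snapshot_size", -1)  # assumption: missing key == unpopulated
        if size >= 0 and not changes:
            if size != len(self.members):
                raise ResyncRequired("have %d, server says %d" % (len(self.members), size))
            return "snapshot_ok"
        self.pending.extend(changes)
        if not resp.get("is_current"):
            return "buffered"
        for change in self.pending:
            self._apply(change)
        self.pending.clear()
        if resp.get("resume_token"):
            self.resume_token = resp["resume_token"]
        self.has_snapshot = True
        return "applied"

    def _apply(self, change):
        if change["type"] == "removed":
            self.members.pop(change["name"], None)
        else:  # "added", "current" or "modified"
            self.members[change["name"]] = change["group_member"]


def change(kind, name, member=None):
    """Constructed stand-in for GroupMemberChange (its layout is an assumption)."""
    return {"type": kind, "name": name, "group_member": {"name": name, "member": member}}


A = "groups/ops/groupMembers/a1"
B = "groups/ops/groupMembers/b1"
C = "groups/ops/groupMembers/c1"

# Constructed stream: chunked snapshot, size check, soft reset, update, bad size.
SAMPLE_STREAM = [
    {"group_member_changes": [change("added", A, "user:a@example.com"),
                              change("added", B, "user:b@example.com")], "is_current": False},
    {"group_member_changes": [change("added", C, "group:c@example.com")],
     "is_current": True, "resume_token": "tok-1"},
    {"snapshot_size": 3},
    {"group_member_changes": [change("removed", A)], "is_current": False},
    {"is_soft_reset": True},
    {"group_member_changes": [change("removed", A)], "is_current": False},
    {"group_member_changes": [change("modified", B, "user:b2@example.com")],
     "is_current": True, "resume_token": "tok-2"},
    {"snapshot_size": 5},
]


def replay(responses):
    """Feed responses into a fresh state; stop at the first required resync."""
    state, outcomes = GroupMemberWatchState(), []
    for resp in responses:
        try:
            outcomes.append(state.handle(resp))
        except ResyncRequired:
            outcomes.append("resync")
            break
    return state, outcomes


if __name__ == "__main__":
    final, log = replay(SAMPLE_STREAM)
    print(log, sorted(final.members), final.resume_token)
```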

WatchGroupMembersResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of GroupMember) New token to retrieve previous page of results.
next_page_token string (cursor of GroupMember) New token to retrieve next page of results.

CreateGroupMemberRequest Message

A request message of the CreateGroupMember method.

Name Type Description
parent string (parent name of GroupMember) Parent name of ntt.iam.v1.GroupMember
group_member GroupMember GroupMember resource body
response_mask CreateGroupMemberRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateGroupMemberRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateGroupMemberRequest Message

A request message of the UpdateGroupMember method.

Name Type Description
group_member GroupMember GroupMember resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateGroupMemberRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then the server will fetch the existing resource, compare it with the one stored in the cas field (after applying the field mask) and proceed with the update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateGroupMemberRequest.ResponseMask Reduces message response size.

UpdateGroupMemberRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state GroupMember Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateGroupMemberRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteGroupMemberRequest Message

A request message of the DeleteGroupMember method.

Name Type Description
name string (name of GroupMember) Name of ntt.iam.v1.GroupMember

ListGroupMembersWithMembersRequest Message

A request message of the ListGroupMembersWithMembers method.

Name Type Description
parent string (parent name of GroupMember) Parent name of ntt.iam.v1.GroupMember
page_size int32 Requested page size. Server may return fewer GroupMembers than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of GroupMember) A token identifying a page of results the server should return. Typically, this is the value of ListGroupMembersWithMembersResponse.next_page_token.
order_by string (orderBy of GroupMember) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of GroupMember) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask and user_mask.
members_masks MembersMasks Defines field masks applied to member resources (Users, Service accounts, Groups).
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListGroupMembersWithMembersResponse Message

A response message of the ListGroupMembersWithMembers method.

Name Type Description
group_members repeated GroupMember The list of GroupMembers
matching_members repeated MembersInfo List of matching members per each received group member.
prev_page_token string (cursor of GroupMember) A token to retrieve previous page of results. Pass this value in the ListGroupMembersWithMembersRequest.page_token.
next_page_token string (cursor of GroupMember) A token to retrieve next page of results. Pass this value in the ListGroupMembersWithMembersRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested, or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total GroupMembers across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

MemberAssignment Resource

MemberAssignment is an internal resource, not for end users. It tracks REGIONAL RoleBindings per combination of scope/member for organization and project RoleBindings.

If multiple RoleBindings point to the same project/org and member, they all share a single MemberAssignment.

MemberAssignments are managed by the IAM Server; they are created/updated/deleted in TX when a RoleBinding is created/updated/deleted. A MemberAssignment shares the same region as its RoleBinding, otherwise tx-level synchronization would not be possible.

For example: we create RoleBinding { project = “X”, member = “M”, role = “r1”}. This creates MemberAssignment { scope = “projects/x”, member = “M” }. If another RoleBinding with the same project and member is created, no additional MemberAssignment is created. When the last RoleBinding per scope/member is deleted, the MemberAssignment is deleted.

Not all RoleBindings have MemberAssignment instances, however. We track only organization and project RoleBindings! Therefore, system and service RoleBindings don’t get their own MemberAssignment. However, there is a caveat…

When, let’s say, a project enables Service “S”, and we create a RoleBinding WHERE: {project = “X”, member = “M”, role = “r1”, metadata.services.allowedServices CONTAINS “S”}, then a special MemberAssignment is created with params { scope = “services/S”, member = “M” }, in addition to the { scope = “projects/x”, member = “M” } mentioned previously. We create these service MemberAssignments only for 3rd party services (non-core EdgeLQ), so we know whether a User/ServiceAccount is an eligible user of some service.

The main task of MemberAssignment is to track the participation of all users/service accounts in projects/organizations. We use it for things like ListMyProjects and ListMyOrganizations. We also use those special service MemberAssignment instances to track who is using a Service by proxy of a Project/Organization! With this we can forbid/allow specific users using a particular service.

System RoleBindings are managed only by EdgeLQ admins for internal cases, and we don’t need this tracking.
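The lifecycle described above, modelled as a small reference-counting index (an added example, not the IAM Server's implementation): RoleBindings on a project or organization share one MemberAssignment per scope/member, third-party services named in the binding add a services/... assignment, and the assignment disappears with the last RoleBinding. The class, method and dict key names are assumptions; `allowed_services` stands in for metadata.services.allowedServices, the caller supplies which services count as third-party, and counting service assignments the same way as project ones is assumed.

```python
class MemberAssignmentModel:
    """Toy model of MemberAssignment bookkeeping driven by RoleBinding changes."""

    def __init__(self, third_party_services):
        # Assumption: the caller knows which services are non-core (3rd party).
        self.third_party = set(third_party_services)
        self.refs = {}  # (scope, member) -> number of RoleBindings that need it

    def _keys(self, rb):
        scope, member = rb["scope"], rb["member"]
        if not scope.startswith(("projects/", "organizations/")):
            return []  # system and service RoleBindings are not tracked
        keys = [(scope, member)]
        for service in sorted(set(rb.get("allowed_services", ()))):
            if service in self.third_party:
                keys.append(("services/" + service, member))
        return keys

    def create_role_binding(self, rb):
        """Return the MemberAssignments newly created by this RoleBinding."""
        created = []
        for key in self._keys(rb):
            self.refs[key] = self.refs.get(key, 0) + 1
            if self.refs[key] == 1:
                created.append(key)
        return created

    def delete_role_binding(self, rb):
        """Return the MemberAssignments deleted because rb was the last user."""
        deleted = []
        for key in self._keys(rb):
            self.refs[key] -= 1
            if self.refs[key] == 0:
                del self.refs[key]
                deleted.append(key)
        return deleted

    def my_scopes(self, member, prefix):
        """Scopes a member participates in, e.g. prefix 'projects/' for ListMyProjects."""
        return sorted(s for (s, m) in self.refs if m == member and s.startswith(prefix))

    def service_users(self, service):
        """Members eligible to use a third-party service via a project/organization."""
        return sorted(m for (s, m) in self.refs if s == "services/" + service)


# Constructed sample RoleBindings, following the example in the text.
M = "user:m@example.com"
RB1 = {"scope": "projects/x", "member": M, "role": "r1"}
RB2 = {"scope": "projects/x", "member": M, "role": "r2"}
RB3 = {"scope": "projects/x", "member": M, "role": "r3", "allowed_services": ["S", "core"]}
RB_SERVICE = {"scope": "services/S", "member": M, "role": "r4"}


def demo():
    model = MemberAssignmentModel(third_party_services={"S"})
    steps = [
        model.create_role_binding(RB1),         # first binding creates the assignment
        model.create_role_binding(RB2),         # same scope/member: nothing new
        model.create_role_binding(RB3),         # adds the services/S assignment
        model.create_role_binding(RB_SERVICE),  # service RoleBinding: not tracked
        model.delete_role_binding(RB1),
        model.delete_role_binding(RB2),
    ]
    return model, steps


if __name__ == "__main__":
    index, log = demo()
    print(log, index.my_scopes(M, "projects/"), index.service_users("S"))
```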

Name patterns:

  • regions/{region}/memberAssignments/{member_assignment}

This section covers the methods and messages to interact with MemberAssignment resource.

MemberAssignment Methods

Here is the list of MemberAssignment resource methods:

GetMemberAssignment Method

GetMemberAssignment

rpc GetMemberAssignment(GetMemberAssignmentRequest) returns (MemberAssignment)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/memberAssignments.get

The equivalent REST API is:

GET /v1/{name=regions/*/memberAssignments/*} 

BatchGetMemberAssignments Method

BatchGetMemberAssignments

rpc BatchGetMemberAssignments(BatchGetMemberAssignmentsRequest) returns (BatchGetMemberAssignmentsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/memberAssignments.batchGet

The equivalent REST API is:

GET /v1/memberAssignments:batchGet 

ListMemberAssignments Method

ListMemberAssignments

rpc ListMemberAssignments(ListMemberAssignmentsRequest) returns (ListMemberAssignmentsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/memberAssignments.list

The equivalent REST API is:

GET /v1/{parent=regions/*}/memberAssignments 

WatchMemberAssignment Method

WatchMemberAssignment

rpc WatchMemberAssignment(WatchMemberAssignmentRequest) returns (WatchMemberAssignmentResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/memberAssignments.watch

The equivalent REST API is:

POST /v1/{name=regions/*/memberAssignments/*}:watch 

WatchMemberAssignments Method

WatchMemberAssignments

rpc WatchMemberAssignments(WatchMemberAssignmentsRequest) returns (WatchMemberAssignmentsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/memberAssignments.watch

The equivalent REST API is:

POST /v1/{parent=regions/*}/memberAssignments:watch 

UpdateMemberAssignment Method

UpdateMemberAssignment

rpc UpdateMemberAssignment(UpdateMemberAssignmentRequest) returns (MemberAssignment)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/memberAssignments.update

The equivalent REST API is:

PUT /v1/{member_assignment.name=regions/*/memberAssignments/*} (BODY: member_assignment)

DeleteMemberAssignment Method

DeleteMemberAssignment

rpc DeleteMemberAssignment(DeleteMemberAssignmentRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/memberAssignments.delete

The equivalent REST API is:

DELETE /v1/{name=regions/*/memberAssignments/*} 

SearchMemberAssignments Method

SearchMemberAssignments

rpc SearchMemberAssignments(SearchMemberAssignmentsRequest) returns (SearchMemberAssignmentsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/memberAssignments.search

The equivalent REST API is:

GET /v1/{parent=regions/*}/memberAssignments:search 

MemberAssignment Messages

Here is the list of MemberAssignment resource messages:

MemberAssignment Message

Name Type Description
name string (name of MemberAssignment) Name of MemberAssignment. First letter is source indicator (p, o, s for project, org, service). Then we have proper scope identifier (projectId etc), then member identifier (like user:$EMAIL).
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
scope string (parent name of RoleBinding) Points to Organization/Project of RoleBindings, OR service for those special MemberAssignments. It is already part of the name, but we track it in a field for filtering purposes.
scope_title string Populated for organization/project scopes. Skipped for service ones.
parent_organization string (name of Organization) Populated for organization/project scopes. Skipped for service ones.
scope_metadata Meta It has PARTIAL metadata inherited from scope (labels, annotations, tags). Populated for organization/project scopes. Skipped for service ones.
multi_region_control_region string Populated for organization/project scopes. Skipped for service ones. Contains multi_region_policy.default_control_region
multi_region_enabled_regions repeated string Populated for organization/project scopes. Skipped for service ones. Contains multi_region_policy.enabled_regions
scope_services repeated string (name of Service) Populated for organization/project scopes. Skipped for service ones. Contains allowed or enabled services.
business_tier BusinessTier Populated for organization/project scopes. Skipped for service ones.
member string Member pointed to by the RoleBinding. Part of the name, but we also need it for filtering purposes.
member_region string Region ID holding member resource (User, ServiceAccount…)
ctrl_status MemberAssignment.WorkStatus

MemberAssignment.WorkStatus Message

Name Type Description
pending bool If the controller has some work on this resource.
pending_deletion bool If this resource should be deleted.

GetMemberAssignmentRequest Message

A request message of the GetMemberAssignment method.

Name Type Description
name string (name of MemberAssignment) Name of ntt.iam.v1.MemberAssignment
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetMemberAssignmentsRequest Message

A request message of the BatchGetMemberAssignments method.

Name Type Description
names repeated string (name of MemberAssignment) Names of MemberAssignments
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetMemberAssignmentsResponse Message

A response message of the BatchGetMemberAssignments method.

Name Type Description
member_assignments repeated MemberAssignment found MemberAssignments
missing repeated string (name of MemberAssignment) list of not found MemberAssignments

ListMemberAssignmentsRequest Message

A request message of the ListMemberAssignments method.

Name Type Description
parent string (parent name of MemberAssignment) Parent name of ntt.iam.v1.MemberAssignment
page_size int32 Requested page size. Server may return fewer MemberAssignments than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of MemberAssignment) A token identifying a page of results the server should return. Typically, this is the value of ListMemberAssignmentsResponse.next_page_token.
order_by string (orderBy of MemberAssignment) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of MemberAssignment) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListMemberAssignmentsResponse Message

A response message of the ListMemberAssignments method.

Name Type Description
member_assignments repeated MemberAssignment The list of MemberAssignments
prev_page_token string (cursor of MemberAssignment) A token to retrieve previous page of results. Pass this value in the ListMemberAssignmentsRequest.page_token.
next_page_token string (cursor of MemberAssignment) A token to retrieve next page of results. Pass this value in the ListMemberAssignmentsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested, or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total MemberAssignments across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchMemberAssignmentRequest Message

A request message of the WatchMemberAssignment method.

Name Type Description
name string (name of MemberAssignment) Name of ntt.iam.v1.MemberAssignment
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchMemberAssignmentResponse Message

A response message of the WatchMemberAssignment method.

Name Type Description
change MemberAssignmentChange

WatchMemberAssignmentsRequest Message

A request message of the WatchMemberAssignments method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in a response are relevant.
parent string (parent name of MemberAssignment) Parent name of ntt.iam.v1.MemberAssignment
page_size int32 Requested page size. Server may return fewer MemberAssignments than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of MemberAssignment) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of MemberAssignment) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in time from which we want to start getting updates. This field can be populated only for stateless watch type and if the resume token is not known yet. If specified, the initial snapshot will NOT be provided. It is assumed the client can obtain it using separate means. Watch responses will contain resume tokens, which should be used to resume a broken connection.
filter string (filter of MemberAssignment) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to MemberAssignment that don’t affect any of the masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to MemberAssignment that don’t affect any of the masked fields won’t be sent back.
max_chunk_size int32 Maximum number of changes in each response message. The query result response is divided on the server side into chunks of the specified size to limit the memory footprint of each message. Responses will hold information on whether more elements will follow for the actual change. If unspecified, server will pick an appropriate default.

WatchMemberAssignmentsResponse Message

A response message of the WatchMemberAssignments method.

Name Type Description
member_assignment_changes repeated MemberAssignmentChange Changes of MemberAssignments
is_current bool If the request specified max_chunk_size (or this limit was enforced because stateless watch was chosen), then responses with a “full changeset” will be divided into chunks. The client should keep receiving messages and, once is_current has value true, combine this most recent message with all previous ones where is_current is false. If this is the first is_current in the whole watch stream, then the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of the request). All MemberAssignments will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however, messages may still be chunked and the is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchMemberAssignmentsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information about how many resources the client should have in its state so far (a response message without any changes, but with the snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat it as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent together with the is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. The resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far), as the server will send a new snapshot (MemberAssignments will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.

WatchMemberAssignmentsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of MemberAssignment) New token to retrieve previous page of results.
next_page_token string (cursor of MemberAssignment) New token to retrieve next page of results.

UpdateMemberAssignmentRequest Message

A request message of the UpdateMemberAssignment method.

Name Type Description
member_assignment MemberAssignment MemberAssignment resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateMemberAssignmentRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then the server will fetch the existing resource, compare it with the one stored in the cas field (after applying the field mask) and proceed with the update if and only if they match. Otherwise RPC error Aborted will be returned.
response_mask UpdateMemberAssignmentRequest.ResponseMask Optional masking applied to response object to reduce message response size.

UpdateMemberAssignmentRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state MemberAssignment Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateMemberAssignmentRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteMemberAssignmentRequest Message

A request message of the DeleteMemberAssignment method.

Name Type Description
name string (name of MemberAssignment) Name of ntt.iam.v1.MemberAssignment

SearchMemberAssignmentsRequest Message

A request message of the SearchMemberAssignments method.

Name Type Description
parent string (parent name of MemberAssignment) Parent name of ntt.iam.v1.MemberAssignment
page_size int32 Requested page size. Server may return fewer MemberAssignments than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of MemberAssignment) A token identifying a page of results the server should return. Typically, this is the value of SearchMemberAssignmentsResponse.next_page_token.
order_by string (orderBy of MemberAssignment) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of MemberAssignment) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
phrase string Optional search phrase used to further filter results.

SearchMemberAssignmentsResponse Message

A response message of the SearchMemberAssignments method.

Name Type Description
member_assignments repeated MemberAssignment The list of MemberAssignments
prev_page_token string (cursor of MemberAssignment) A token to retrieve previous page of results. Pass this value in the SearchMemberAssignmentsRequest.page_token.
next_page_token string (cursor of MemberAssignment) A token to retrieve next page of results. Pass this value in the SearchMemberAssignmentsRequest.page_token.
current_offset int32 Current offset from the first page (0 if no page tokens were given). Page index can be computed from offset and limit provided in a request
total_results_count int32 Number of total MemberAssignments across all pages.

Organization Resource

Name patterns:

  • organizations/{organization}

This section covers the methods and messages to interact with Organization resource.

Organization Methods

Here is the list of Organization resource methods:

GetOrganization Method

GetOrganization

rpc GetOrganization(GetOrganizationRequest) returns (Organization)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.get

The equivalent REST API is:

GET /v1/{name=organizations/*} 

BatchGetOrganizations Method

BatchGetOrganizations

rpc BatchGetOrganizations(BatchGetOrganizationsRequest) returns (BatchGetOrganizationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.batchGet

The equivalent REST API is:

GET /v1/organizations:batchGet 

ListOrganizations Method

ListOrganizations

rpc ListOrganizations(ListOrganizationsRequest) returns (ListOrganizationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.list

The equivalent REST API is:

GET /v1/organizations 

WatchOrganization Method

WatchOrganization

rpc WatchOrganization(WatchOrganizationRequest) returns (WatchOrganizationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.watch

The equivalent REST API is:

POST /v1/{name=organizations/*}:watch 

WatchOrganizations Method

WatchOrganizations

rpc WatchOrganizations(WatchOrganizationsRequest) returns (WatchOrganizationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.watch

The equivalent REST API is:

POST /v1/organizations:watch 

CreateOrganization Method

CreateOrganization

rpc CreateOrganization(CreateOrganizationRequest) returns (Organization)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.create

The equivalent REST API is:

POST /v1/organizations (BODY: organization)

UpdateOrganization Method

UpdateOrganization

rpc UpdateOrganization(UpdateOrganizationRequest) returns (Organization)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.update

The equivalent REST API is:

PUT /v1/{organization.name=organizations/*} (BODY: organization)

DeleteOrganization Method

DeleteOrganization

rpc DeleteOrganization(DeleteOrganizationRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.delete

The equivalent REST API is:

DELETE /v1/{name=organizations/*} 

SearchOrganizations Method

SearchOrganizations

rpc SearchOrganizations(SearchOrganizationsRequest) returns (SearchOrganizationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.search

The equivalent REST API is:

GET /v1/organizations:search 

ListMyOrganizations Method

ListMyOrganizations

rpc ListMyOrganizations(ListMyOrganizationsRequest) returns (ListMyOrganizationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.listMy

The equivalent REST API is:

POST /v1/organizations:listMy 

SearchMyOrganizations Method

SearchMyOrganizations

rpc SearchMyOrganizations(SearchMyOrganizationsRequest) returns (SearchMyOrganizationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.searchMy

The equivalent REST API is:

POST /v1/organizations:searchMy 

Organization Messages

Here is the list of Organization resource messages:

Organization Message

Name Type Description
name string (name of Organization) Name of Organization. When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9\-]{0,28}[a-z0-9]
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
title string Official Name of Organization
description string Optional. Description of Organization.
parent_organization string (reference to Organization) Parent organization
multi_region_policy MultiRegionPolicy Multi region policy for child resources
allowed_services repeated string (reference to Service) Allowed services for child organizations and projects. This field is checked only for non-core edgelq services.
business_tier BusinessTier Business tier applicable for all allowed services. This value defines: * Default business tier for child projects (if not defined on creation) * Default business tier to this organization.
service_tiers repeated ServiceBusinessTier Overwrites business_tier for each service - it may also override value for a core EdgeLQ service.
root_organization string (name of Organization) Top parent (internal)
ancestry_path repeated string (name of Organization) Full ancestry path (internal)
service_errors map<string, ServiceErrors> Service errors reported for this organization by category
services_generation int64 Internal field for services meta information synchronization

GetOrganizationRequest Message

A request message of the GetOrganization method.

Name Type Description
name string (name of Organization) Name of ntt.iam.v1.Organization
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetOrganizationsRequest Message

A request message of the BatchGetOrganizations method.

Name Type Description
names repeated string (name of Organization) Names of Organizations
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetOrganizationsResponse Message

A response message of the BatchGetOrganizations method.

Name Type Description
organizations repeated Organization found Organizations
missing repeated string (name of Organization) list of not found Organizations

ListOrganizationsRequest Message

A request message of the ListOrganizations method.

Name Type Description
page_size int32 Requested page size. Server may return fewer Organizations than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Organization) A token identifying a page of results the server should return. Typically, this is the value of ListOrganizationsResponse.next_page_token.
order_by string (orderBy of Organization) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Organization) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListOrganizationsResponse Message

A response message of the ListOrganizations method.

Name Type Description
organizations repeated Organization The list of Organizations
prev_page_token string (cursor of Organization) A token to retrieve previous page of results. Pass this value in the ListOrganizationsRequest.page_token.
next_page_token string (cursor of Organization) A token to retrieve next page of results. Pass this value in the ListOrganizationsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Organizations across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchOrganizationRequest Message

A request message of the WatchOrganization method.

Name Type Description
name string (name of Organization) Name of ntt.iam.v1.Organization
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchOrganizationResponse Message

A response message of the WatchOrganization method.

Name Type Description
change OrganizationChange

WatchOrganizationsRequest Message

A request message of the WatchOrganizations method.

Name Type Description
type WatchType Type of a watch. Identifies how server stream data to a client, which fields in a request are allowed and which fields in response are relevant.
page_size int32 Requested page size. Server may return fewer Organizations than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of Organization) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of Organization) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of Organization) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to Organization that don’t affect any of the masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to Organization that don’t affect any of the masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchOrganizationsResponse Message

A response message of the WatchOrganizations method.

Name Type Description
organization_changes repeated OrganizationChange Changes of Organizations
is_current bool If the request specified max_chunk_size (or this limit was enforced because stateless watch was chosen), then responses with a “full changeset” will be divided into chunks. The client should keep receiving messages and, once is_current has value true, combine this most recent message with all previous ones where is_current is false. If this is the first is_current in the whole watch stream, then the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of the request). All Organizations will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however, messages may still be chunked and the is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchOrganizationsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information about how many resources the client should have in its state so far (a response message without any changes, but with the snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat it as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent together with the is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. The resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far), as the server will send a new snapshot (Organizations will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
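The chunking and reset rules in the table above, worked through as a client-side state machine that never acts on a partial changeset. This is an added example, not EdgeLQ SDK code: `Change`, `Watcher`, `Handle` and `SampleStream` are hypothetical names, the message sequence is constructed, and comparing snapshot_size against the committed view is an assumption. The same logic applies to WatchMemberAssignmentsResponse, which documents identical fields.

```go
package main

import (
	"errors"
	"fmt"
)

// Change is a simplified, hypothetical stand-in for OrganizationChange,
// whose real layout is not shown in this section.
type Change struct {
	Removed bool   // false covers the Added/Current/Modified kinds
	Name    string // e.g. "organizations/a" (constructed)
}

// WatchResponse mirrors the WatchOrganizationsResponse fields documented above.
type WatchResponse struct {
	Changes      []Change
	IsCurrent    bool
	ResumeToken  string
	SnapshotSize int64 // negative means "unpopulated", as the table states
	IsSoftReset  bool
	IsHardReset  bool
}

var ErrSnapshotMismatch = errors.New("snapshot_size mismatch, reconnect")

// Watcher keeps the committed view separate from chunks still in flight.
type Watcher struct {
	State       map[string]bool // committed resource names
	Pending     []Change        // chunks received with is_current=false
	ResumeToken string
}

func NewWatcher() *Watcher { return &Watcher{State: map[string]bool{}} }

// Handle applies one stateless-watch response to the local view.
func (w *Watcher) Handle(r WatchResponse) error {
	switch {
	case r.IsHardReset:
		// Whole state and any resume token are invalid; a new snapshot follows.
		w.State, w.Pending, w.ResumeToken = map[string]bool{}, nil, ""
		return nil
	case r.IsSoftReset:
		// Only uncommitted chunks are dropped; the resume token stays valid.
		w.Pending = nil
		return nil
	case !r.IsCurrent && len(r.Changes) == 0 && r.SnapshotSize >= 0:
		// Consistency probe. Assumption: compared with the committed view.
		if int64(len(w.State)) != r.SnapshotSize {
			return fmt.Errorf("%w: have %d, server reports %d",
				ErrSnapshotMismatch, len(w.State), r.SnapshotSize)
		}
		return nil
	}
	w.Pending = append(w.Pending, r.Changes...)
	if !r.IsCurrent {
		return nil // more chunks of this changeset are still coming
	}
	// Last chunk: commit everything buffered since the previous is_current.
	for _, c := range w.Pending {
		if c.Removed {
			delete(w.State, c.Name)
		} else {
			w.State[c.Name] = true
		}
	}
	w.Pending = nil
	if r.ResumeToken != "" {
		w.ResumeToken = r.ResumeToken
	}
	return nil
}

// SampleStream is a constructed message sequence, not captured traffic.
func SampleStream() []WatchResponse {
	up := func(n string) []Change { return []Change{{Name: n}} }
	rm := func(n string) []Change { return []Change{{Removed: true, Name: n}} }
	return []WatchResponse{
		// 0-1: initial snapshot split into two chunks
		{Changes: up("organizations/a"), SnapshotSize: -1},
		{Changes: up("organizations/b"), IsCurrent: true, ResumeToken: "t1", SnapshotSize: -1},
		// 2: probe that matches the committed view
		{SnapshotSize: 2},
		// 3-4: a partial changeset that the server then withdraws
		{Changes: rm("organizations/a"), SnapshotSize: -1},
		{IsSoftReset: true, SnapshotSize: -1},
		// 5: the same change resent as a complete changeset
		{Changes: rm("organizations/a"), IsCurrent: true, ResumeToken: "t2", SnapshotSize: -1},
		// 6: probe that disagrees with the committed view
		{SnapshotSize: 5},
		// 7: hard reset
		{IsHardReset: true, SnapshotSize: -1},
	}
}

func main() {
	w := NewWatcher()
	for i, m := range SampleStream() {
		err := w.Handle(m)
		fmt.Printf("msg %d: committed=%d pending=%d token=%q err=%v\n",
			i, len(w.State), len(w.Pending), w.ResumeToken, err)
	}
}
```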

WatchOrganizationsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of Organization) New token to retrieve previous page of results.
next_page_token string (cursor of Organization) New token to retrieve next page of results.

CreateOrganizationRequest Message

A request message of the CreateOrganization method.

Name Type Description
organization Organization Organization resource body
response_mask CreateOrganizationRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateOrganizationRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateOrganizationRequest Message

A request message of the UpdateOrganization method.

Name Type Description
organization Organization Organization resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateOrganizationRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then the server will fetch the existing resource, compare it with the one stored in the cas field (after applying the field mask) and proceed with the update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateOrganizationRequest.ResponseMask reduce message response size.

UpdateOrganizationRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state Organization Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.
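Why the cas field matters for an IAM resource: without it, an update built from a stale read can silently restore an entry that another administrator just removed from allowed_services. The added example below is not EdgeLQ code; it models only the compare-then-update rule described for UpdateOrganizationRequest, and `FakeServer`, `Org`, `StaleWrite` and the service names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Org is a cut-down, hypothetical model of the Organization message.
type Org struct {
	Title           string
	AllowedServices []string
}

// Field renders one field path as a comparable string.
func Field(o Org, path string) string {
	switch path {
	case "title":
		return o.Title
	case "allowed_services":
		return strings.Join(o.AllowedServices, ",")
	}
	return ""
}

// CAS and UpdateRequest mirror the documented request fields.
type CAS struct {
	ConditionalState Org
	FieldMask        []string
}

type UpdateRequest struct {
	Organization Org
	UpdateMask   []string
	Cas          *CAS
}

var ErrAborted = errors.New("rpc error: code = Aborted (cas state mismatch)")

// FakeServer imitates only the compare-then-update rule described above.
type FakeServer struct{ stored Org }

// Get returns a copy so callers cannot alias the stored slice.
func (s *FakeServer) Get() Org {
	o := s.stored
	o.AllowedServices = append([]string(nil), s.stored.AllowedServices...)
	return o
}

func (s *FakeServer) Update(req UpdateRequest) error {
	if req.Cas != nil {
		// Compare stored and conditional state on the masked paths only.
		for _, p := range req.Cas.FieldMask {
			if Field(s.stored, p) != Field(req.Cas.ConditionalState, p) {
				return ErrAborted
			}
		}
	}
	for _, p := range req.UpdateMask {
		switch p {
		case "title":
			s.stored.Title = req.Organization.Title
		case "allowed_services":
			s.stored.AllowedServices = append([]string(nil), req.Organization.AllowedServices...)
		}
	}
	return nil
}

// addService sends one update that appends svc to the list seen in base.
func addService(s *FakeServer, base Org, svc string, useCAS bool) error {
	want := append(append([]string(nil), base.AllowedServices...), svc)
	req := UpdateRequest{
		Organization: Org{AllowedServices: want},
		UpdateMask:   []string{"allowed_services"},
	}
	if useCAS {
		req.Cas = &CAS{ConditionalState: base, FieldMask: []string{"allowed_services"}}
	}
	return s.Update(req)
}

// StaleWrite replays a constructed race: admin B reads, admin A removes
// services/x.example, then B adds services/z.example from the stale read.
func StaleWrite(useCAS bool) (final Org, retried bool, err error) {
	srv := &FakeServer{stored: Org{Title: "Acme",
		AllowedServices: []string{"services/x.example", "services/y.example"}}}
	stale := srv.Get()
	_ = srv.Update(UpdateRequest{
		Organization: Org{AllowedServices: []string{"services/y.example"}},
		UpdateMask:   []string{"allowed_services"},
	})
	err = addService(srv, stale, "services/z.example", useCAS)
	if errors.Is(err, ErrAborted) {
		// Re-read and rebuild the change on top of the current state.
		retried = true
		err = addService(srv, srv.Get(), "services/z.example", useCAS)
	}
	return srv.Get(), retried, err
}

func main() {
	for _, useCAS := range []bool{false, true} {
		o, retried, err := StaleWrite(useCAS)
		fmt.Printf("cas=%v retried=%v err=%v allowed_services=%s\n",
			useCAS, retried, err, Field(o, "allowed_services"))
	}
}
```

Without cas the removed service is back in the stored list; with cas the stale write is rejected and the retry carries only the intended addition.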

UpdateOrganizationRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteOrganizationRequest Message

A request message of the DeleteOrganization method.

Name Type Description
name string (name of Organization) Name of ntt.iam.v1.Organization

SearchOrganizationsRequest Message

A request message of the SearchOrganizations method.

Name Type Description
page_size int32 Requested page size. Server may return fewer Organizations than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Organization) A token identifying a page of results the server should return. Typically, this is the value of SearchOrganizationsResponse.next_page_token.
order_by string (orderBy of Organization) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Organization) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
phrase string Optional search phrase used to further filter results.

SearchOrganizationsResponse Message

A response message of the SearchOrganizations method.

Name Type Description
organizations repeated Organization The list of Organizations
prev_page_token string (cursor of Organization) A token to retrieve previous page of results. Pass this value in the SearchOrganizationsRequest.page_token.
next_page_token string (cursor of Organization) A token to retrieve next page of results. Pass this value in the SearchOrganizationsRequest.page_token.
current_offset int32 Current offset from the first page (0 if no page tokens were given). Page index can be computed from offset and limit provided in a request
total_results_count int32 Number of total Organizations across all pages.

ListMyOrganizationsRequest Message

Request message for method ListMyOrganizations

Name Type Description
page_size int32 Requested page size. Server may return fewer Organizations than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Organization) A token identifying a page of results the server should return. Typically, this is the value of ListOrganizationsResponse.next_page_token.
order_by string (orderBy of Organization) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Organization) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A FieldMask used to filter response fields. When present, only requested fields will be present in each response item. Omitting field_mask results will cause response items to contain all present fields.
include_paging_info bool

ListMyOrganizationsResponse Message

Response message for method ListMyOrganizations

Name Type Description
organizations repeated Organization The list of Organizations
prev_page_token string (cursor of Organization) A token to retrieve previous page of results. Pass this value in the ListOrganizationsRequest.page_token.
next_page_token string (cursor of Organization) A token to retrieve next page of results. Pass this value in the ListOrganizationsRequest.page_token.
total_count int32
cursor_offset int32

SearchMyOrganizationsRequest Message

Request message for method SearchMyOrganizations

Name Type Description
page_size int32 Requested page size. Server may return fewer Organizations than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Organization) A token identifying a page of results the server should return. Typically, this is the value of SearchOrganizationsResponse.next_page_token.
order_by string (orderBy of Organization) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Organization) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A FieldMask used to filter response fields. When present, only requested fields will be present in each response item. Omitting field_mask results will cause response items to contain all present fields.
include_paging_info bool
phrase string

SearchMyOrganizationsResponse Message

Response message for method SearchMyOrganizations

Name Type Description
organizations repeated Organization The list of Organizations
prev_page_token string (cursor of Organization) A token to retrieve previous page of results. Pass this value in the SearchOrganizationsRequest.page_token.
next_page_token string (cursor of Organization) A token to retrieve next page of results. Pass this value in the SearchOrganizationsRequest.page_token.
total_count int32
cursor_offset int32

OrganizationInvitation Resource

Name patterns:

  • organizations/{organization}/organizationInvitations/{organization_invitation}

Parent resources:

This section covers the methods and messages to interact with OrganizationInvitation resource.

OrganizationInvitation Methods

Here is the list of OrganizationInvitation resource methods:

GetOrganizationInvitation Method

GetOrganizationInvitation

rpc GetOrganizationInvitation(GetOrganizationInvitationRequest) returns (OrganizationInvitation)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.get

The equivalent REST API is:

GET /v1/{name=organizations/*/organizationInvitations/*} 

BatchGetOrganizationInvitations Method

BatchGetOrganizationInvitations

rpc BatchGetOrganizationInvitations(BatchGetOrganizationInvitationsRequest) returns (BatchGetOrganizationInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.batchGet

The equivalent REST API is:

GET /v1/organizationInvitations:batchGet 

ListOrganizationInvitations Method

ListOrganizationInvitations

rpc ListOrganizationInvitations(ListOrganizationInvitationsRequest) returns (ListOrganizationInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.list

The equivalent REST API is:

GET /v1/{parent=organizations/*}/organizationInvitations 

WatchOrganizationInvitation Method

WatchOrganizationInvitation

rpc WatchOrganizationInvitation(WatchOrganizationInvitationRequest) returns (WatchOrganizationInvitationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.watch

The equivalent REST API is:

POST /v1/{name=organizations/*/organizationInvitations/*}:watch 

WatchOrganizationInvitations Method

WatchOrganizationInvitations

rpc WatchOrganizationInvitations(WatchOrganizationInvitationsRequest) returns (WatchOrganizationInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.watch

The equivalent REST API is:

POST /v1/{parent=organizations/*}/organizationInvitations:watch 

CreateOrganizationInvitation Method

CreateOrganizationInvitation

rpc CreateOrganizationInvitation(CreateOrganizationInvitationRequest) returns (OrganizationInvitation)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.create

The equivalent REST API is:

POST /v1/{parent=organizations/*}/organizationInvitations (BODY: organization_invitation)

UpdateOrganizationInvitation Method

UpdateOrganizationInvitation

rpc UpdateOrganizationInvitation(UpdateOrganizationInvitationRequest) returns (OrganizationInvitation)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.update

The equivalent REST API is:

PUT /v1/{organization_invitation.name=organizations/*/organizationInvitations/*} (BODY: organization_invitation)

DeleteOrganizationInvitation Method

DeleteOrganizationInvitation

rpc DeleteOrganizationInvitation(DeleteOrganizationInvitationRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.delete

The equivalent REST API is:

DELETE /v1/{name=organizations/*/organizationInvitations/*} 

AcceptOrganizationInvitation Method

AcceptOrganizationInvitation

rpc AcceptOrganizationInvitation(AcceptOrganizationInvitationRequest) returns (AcceptOrganizationInvitationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.accept

The equivalent REST API is:

POST /v1/{name=organizations/*/organizationInvitations/*}:accept 

DeclineOrganizationInvitation Method

DeclineOrganizationInvitation

rpc DeclineOrganizationInvitation(DeclineOrganizationInvitationRequest) returns (DeclineOrganizationInvitationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.decline

The equivalent REST API is:

POST /v1/{name=organizations/*/organizationInvitations/*}:decline 

ListMyOrganizationInvitations Method

ListMyOrganizationInvitations

rpc ListMyOrganizationInvitations(ListMyOrganizationInvitationsRequest) returns (ListMyOrganizationInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.listMy

The equivalent REST API is:

POST /v1/{parent=organizations/*}/organizationInvitations:listMy 

OrganizationInvitation Messages

Here is the list of OrganizationInvitation resource messages:

OrganizationInvitation Message

Name Type Description
name string (name of OrganizationInvitation) Name of OrganizationInvitation. When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9\-]{0,28}[a-z0-9]
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
invitation Invitation

GetOrganizationInvitationRequest Message

A request message of the GetOrganizationInvitation method.

Name Type Description
name string (name of OrganizationInvitation) Name of ntt.iam.v1.OrganizationInvitation
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetOrganizationInvitationsRequest Message

A request message of the BatchGetOrganizationInvitations method.

Name Type Description
names repeated string (name of OrganizationInvitation) Names of OrganizationInvitations
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetOrganizationInvitationsResponse Message

A response message of the BatchGetOrganizationInvitations method.

Name Type Description
organization_invitations repeated OrganizationInvitation found OrganizationInvitations
missing repeated string (name of OrganizationInvitation) list of not found OrganizationInvitations

ListOrganizationInvitationsRequest Message

A request message of the ListOrganizationInvitations method.

Name Type Description
parent string (parent name of OrganizationInvitation) Parent name of ntt.iam.v1.OrganizationInvitation
page_size int32 Requested page size. Server may return fewer OrganizationInvitations than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of OrganizationInvitation) A token identifying a page of results the server should return. Typically, this is the value of ListOrganizationInvitationsResponse.next_page_token.
order_by string (orderBy of OrganizationInvitation) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of OrganizationInvitation) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListOrganizationInvitationsResponse Message

A response message of the ListOrganizationInvitations method.

Name Type Description
organization_invitations repeated OrganizationInvitation The list of OrganizationInvitations
prev_page_token string (cursor of OrganizationInvitation) A token to retrieve previous page of results. Pass this value in the ListOrganizationInvitationsRequest.page_token.
next_page_token string (cursor of OrganizationInvitation) A token to retrieve next page of results. Pass this value in the ListOrganizationInvitationsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total OrganizationInvitations across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchOrganizationInvitationRequest Message

A request message of the WatchOrganizationInvitation method.

Name Type Description
name string (name of OrganizationInvitation) Name of ntt.iam.v1.OrganizationInvitation
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchOrganizationInvitationResponse Message

A response message of the WatchOrganizationInvitation method.

Name Type Description
change OrganizationInvitationChange

WatchOrganizationInvitationsRequest Message

A request message of the WatchOrganizationInvitations method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in the response are relevant.
parent string (parent name of OrganizationInvitation) Parent name of ntt.iam.v1.OrganizationInvitation
page_size int32 Requested page size. Server may return fewer OrganizationInvitations than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of OrganizationInvitation) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of OrganizationInvitation) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of OrganizationInvitation) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to OrganizationInvitation that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to OrganizationInvitation that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchOrganizationInvitationsResponse Message

A response message of the WatchOrganizationInvitations method.

Name Type Description
organization_invitation_changes repeated OrganizationInvitationChange Changes of OrganizationInvitations
is_current bool If the request specified max_chunk_size (or this limit was enforced because stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. The client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of the request). All OrganizationInvitations will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchOrganizationInvitationsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 The server may occasionally send information on how many resources the client should have in its state so far (a response message without any changes, but with the snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat it as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent together with the is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. A resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far) as the server will send a new snapshot (OrganizationInvitations will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.

WatchOrganizationInvitationsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of OrganizationInvitation) New token to retrieve previous page of results.
next_page_token string (cursor of OrganizationInvitation) New token to retrieve next page of results.

CreateOrganizationInvitationRequest Message

A request message of the CreateOrganizationInvitation method.

Name Type Description
parent string (parent name of OrganizationInvitation) Parent name of ntt.iam.v1.OrganizationInvitation
organization_invitation OrganizationInvitation OrganizationInvitation resource body
response_mask CreateOrganizationInvitationRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateOrganizationInvitationRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateOrganizationInvitationRequest Message

A request message of the UpdateOrganizationInvitation method.

Name Type Description
organization_invitation OrganizationInvitation OrganizationInvitation resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateOrganizationInvitationRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update only and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateOrganizationInvitationRequest.ResponseMask Reduces message response size.

UpdateOrganizationInvitationRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state OrganizationInvitation Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateOrganizationInvitationRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteOrganizationInvitationRequest Message

A request message of the DeleteOrganizationInvitation method.

Name Type Description
name string (name of OrganizationInvitation) Name of ntt.iam.v1.OrganizationInvitation

AcceptOrganizationInvitationRequest Message

Request message for method [AcceptOrganizationInvitation][ntt.iam.v1.AcceptOrganizationInvitation]

Name Type Description
name string (name of OrganizationInvitation) name of ntt.iam.v1.OrganizationInvitation

AcceptOrganizationInvitationResponse Message

Response message for method [AcceptOrganizationInvitation][ntt.iam.v1.AcceptOrganizationInvitation]

Name Type Description
none none none

DeclineOrganizationInvitationRequest Message

Request message for method [DeclineOrganizationInvitation][ntt.iam.v1.DeclineOrganizationInvitation]

Name Type Description
name string (name of OrganizationInvitation) name of ntt.iam.v1.OrganizationInvitation
filter string (filter of ProjectInvitation) Additional filter for invitations, e.g. state = “PENDING”

DeclineOrganizationInvitationResponse Message

Response message for method [DeclineOrganizationInvitation][ntt.iam.v1.DeclineOrganizationInvitation]

Name Type Description
none none none

ListMyOrganizationInvitationsRequest Message

Request message for method [ListMyOrganizationInvitations][ntt.iam.v1.ListMyOrganizationInvitations]

Name Type Description
parent string (parent name of OrganizationInvitation) Parent name of ntt.iam.v1.OrganizationInvitation
filter string (filter of OrganizationInvitation) Additional filter for invitations, e.g. state = “PENDING”

ListMyOrganizationInvitationsResponse Message

Response message for method [ListMyOrganizationInvitations][ntt.iam.v1.ListMyOrganizationInvitations]

Name Type Description
organization_invitations repeated OrganizationInvitation The list of OrganizationInvitations

Permission Resource


Name patterns:

  • services/{service}/permissions/{permission}

Parent resources:

This section covers the methods and messages to interact with Permission resource.

Permission Methods

Here is the list of Permission resource methods:

GetPermission Method

GetPermission

rpc GetPermission(GetPermissionRequest) returns (Permission)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.get

The equivalent REST API is:

GET /v1/{name=services/*/permissions/*} 

BatchGetPermissions Method

BatchGetPermissions

rpc BatchGetPermissions(BatchGetPermissionsRequest) returns (BatchGetPermissionsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.batchGet

The equivalent REST API is:

GET /v1/permissions:batchGet 

ListPermissions Method

ListPermissions

rpc ListPermissions(ListPermissionsRequest) returns (ListPermissionsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.list

The equivalent REST API is:

GET /v1/{parent=services/*}/permissions 

WatchPermission Method

WatchPermission

rpc WatchPermission(WatchPermissionRequest) returns (WatchPermissionResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.watch

The equivalent REST API is:

POST /v1/{name=services/*/permissions/*}:watch 

WatchPermissions Method

WatchPermissions

rpc WatchPermissions(WatchPermissionsRequest) returns (WatchPermissionsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.watch

The equivalent REST API is:

POST /v1/{parent=services/*}/permissions:watch 

CreatePermission Method

CreatePermission

rpc CreatePermission(CreatePermissionRequest) returns (Permission)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.create

The equivalent REST API is:

POST /v1/{parent=services/*}/permissions (BODY: permission)

UpdatePermission Method

UpdatePermission

rpc UpdatePermission(UpdatePermissionRequest) returns (Permission)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.update

The equivalent REST API is:

PUT /v1/{permission.name=services/*/permissions/*} (BODY: permission)

DeletePermission Method

DeletePermission

rpc DeletePermission(DeletePermissionRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.delete

The equivalent REST API is:

DELETE /v1/{name=services/*/permissions/*} 

Permission Messages

Here is the list of Permission resource messages:

Permission Message

Name Type Description
name string (name of Permission) Name of Permission
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
title string Title
description string Description

GetPermissionRequest Message

A request message of the GetPermission method.

Name Type Description
name string (name of Permission) Name of ntt.iam.v1.Permission
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetPermissionsRequest Message

A request message of the BatchGetPermissions method.

Name Type Description
names repeated string (name of Permission) Names of Permissions
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetPermissionsResponse Message

A response message of the BatchGetPermissions method.

Name Type Description
permissions repeated Permission found Permissions
missing repeated string (name of Permission) list of not found Permissions

ListPermissionsRequest Message

A request message of the ListPermissions method.

Name Type Description
parent string (parent name of Permission) Parent name of ntt.iam.v1.Permission
page_size int32 Requested page size. Server may return fewer Permissions than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Permission) A token identifying a page of results the server should return. Typically, this is the value of ListPermissionsResponse.next_page_token.
order_by string (orderBy of Permission) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Permission) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListPermissionsResponse Message

A response message of the ListPermissions method.

Name Type Description
permissions repeated Permission The list of Permissions
prev_page_token string (cursor of Permission) A token to retrieve previous page of results. Pass this value in the ListPermissionsRequest.page_token.
next_page_token string (cursor of Permission) A token to retrieve next page of results. Pass this value in the ListPermissionsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Permissions across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchPermissionRequest Message

A request message of the WatchPermission method.

Name Type Description
name string (name of Permission) Name of ntt.iam.v1.Permission
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchPermissionResponse Message

A response message of the WatchPermission method.

Name Type Description
change PermissionChange

WatchPermissionsRequest Message

A request message of the WatchPermissions method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in the response are relevant.
parent string (parent name of Permission) Parent name of ntt.iam.v1.Permission
page_size int32 Requested page size. Server may return fewer Permissions than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of Permission) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of Permission) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of Permission) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to Permission that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to Permission that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchPermissionsResponse Message

A response message of the WatchPermissions method.

Name Type Description
permission_changes repeated PermissionChange Changes of Permissions
is_current bool If the request specified max_chunk_size (or this limit was enforced because stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. The client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of the request). All Permissions will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchPermissionsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 The server may occasionally send information on how many resources the client should have in its state so far (a response message without any changes, but with the snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat it as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent together with the is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. A resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far) as the server will send a new snapshot (Permissions will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.

WatchPermissionsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of Permission) New token to retrieve previous page of results.
next_page_token string (cursor of Permission) New token to retrieve next page of results.

CreatePermissionRequest Message

A request message of the CreatePermission method.

Name Type Description
parent string (parent name of Permission) Parent name of ntt.iam.v1.Permission
permission Permission Permission resource body
response_mask CreatePermissionRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreatePermissionRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdatePermissionRequest Message

A request message of the UpdatePermission method.

Name Type Description
permission Permission Permission resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdatePermissionRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then the server will fetch the existing resource, compare it with the one stored in the cas field (after applying the field mask) and proceed with the update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdatePermissionRequest.ResponseMask reduce message response size.

UpdatePermissionRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state Permission Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdatePermissionRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeletePermissionRequest Message

A request message of the DeletePermission method.

Name Type Description
name string (name of Permission) Name of ntt.iam.v1.Permission

Project Resource

Name patterns:

  • projects/{project}

This section covers the methods and messages to interact with Project resource.

Project Methods

Here is the list of Project resource methods:

GetProject Method

GetProject

rpc GetProject(GetProjectRequest) returns (Project)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.get

The equivalent REST API is:

GET /v1/{name=projects/*} 

BatchGetProjects Method

BatchGetProjects

rpc BatchGetProjects(BatchGetProjectsRequest) returns (BatchGetProjectsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.batchGet

The equivalent REST API is:

GET /v1/projects:batchGet 

ListProjects Method

ListProjects

rpc ListProjects(ListProjectsRequest) returns (ListProjectsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.list

The equivalent REST API is:

GET /v1/projects 

WatchProject Method

WatchProject

rpc WatchProject(WatchProjectRequest) returns (WatchProjectResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.watch

The equivalent REST API is:

POST /v1/{name=projects/*}:watch 

WatchProjects Method

WatchProjects

rpc WatchProjects(WatchProjectsRequest) returns (WatchProjectsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.watch

The equivalent REST API is:

POST /v1/projects:watch 

CreateProject Method

CreateProject

rpc CreateProject(CreateProjectRequest) returns (Project)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.create

The equivalent REST API is:

POST /v1/projects (BODY: project)

UpdateProject Method

UpdateProject

rpc UpdateProject(UpdateProjectRequest) returns (Project)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.update

The equivalent REST API is:

PUT /v1/{project.name=projects/*} (BODY: project)

DeleteProject Method

DeleteProject

rpc DeleteProject(DeleteProjectRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.delete

The equivalent REST API is:

DELETE /v1/{name=projects/*} 

SearchProjects Method

SearchProjects

rpc SearchProjects(SearchProjectsRequest) returns (SearchProjectsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.search

The equivalent REST API is:

GET /v1/projects:search 

ListMyProjects Method

ListMyProjects

rpc ListMyProjects(ListMyProjectsRequest) returns (ListMyProjectsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.listMy

The equivalent REST API is:

POST /v1/projects:listMy 

SearchMyProjects Method

SearchMyProjects

rpc SearchMyProjects(SearchMyProjectsRequest) returns (SearchMyProjectsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.searchMy

The equivalent REST API is:

POST /v1/projects:searchMy 

ListMyServiceProjects Method

ListMyServiceProjects

rpc ListMyServiceProjects(ListMyServiceProjectsRequest) returns (ListMyServiceProjectsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.listMyServiceProjects

The equivalent REST API is:

POST /v1/projects:listMyServiceProjects 

SetupServiceProject Method

SetupServiceProject

rpc SetupServiceProject(SetupServiceProjectRequest) returns (Project)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.setupServiceProject

The equivalent REST API is:

POST /v1/projects:setupServiceProject 

ReserveServiceName Method

ReserveServiceName

rpc ReserveServiceName(ReserveServiceNameRequest) returns (ReserveServiceNameResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.reserveServiceName

The equivalent REST API is:

POST /v1/{name=projects/*}:reserveServiceName 

DeleteServiceReservation Method

DeleteServiceReservation

rpc DeleteServiceReservation(DeleteServiceReservationRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.deleteServiceReservation

The equivalent REST API is:

POST /v1/{name=projects/*}:deleteServiceReservation 

ListServiceReservations Method

ListServiceReservations

rpc ListServiceReservations(ListServiceReservationsRequest) returns (ListServiceReservationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.listServiceReservations

The equivalent REST API is:

POST /v1/{name=projects/*}:listServiceReservations 

ListProjectServices Method

ListProjectServices

rpc ListProjectServices(ListProjectServicesRequest) returns (ListProjectServicesResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.listProjectServices

The equivalent REST API is:

POST /v1/{name=projects/*}:listProjectServices 

Project Messages

Here is the list of Project resource messages:

Project Message

Name Type Description
name string (name of Project) Name of Project. When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9\-]{0,28}[a-z0-9]
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
title string Title
description string Description
parent_organization string (reference to Organization) Parent organization
multi_region_policy MultiRegionPolicy Multi region policy
enabled_services repeated string (reference to Service) Enabled services. This field is checked only for non-core edgelq services.
business_tier BusinessTier Default business tier for core EdgeLQ services and all enabled services.
service_tiers repeated ServiceBusinessTier Overwrites business_tier for each service - it may also override value for a core EdgeLQ service.
root_organization string (name of Organization) Top parent
ancestry_path repeated string (name of Organization) Full ancestry path
service_errors map<string, ServiceErrors> Service errors reported for this project
services_generation int64 Internal field for services meta information synchronization

GetProjectRequest Message

A request message of the GetProject method.

Name Type Description
name string (name of Project) Name of ntt.iam.v1.Project
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetProjectsRequest Message

A request message of the BatchGetProjects method.

Name Type Description
names repeated string (name of Project) Names of Projects
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetProjectsResponse Message

A response message of the BatchGetProjects method.

Name Type Description
projects repeated Project found Projects
missing repeated string (name of Project) list of not found Projects

ListProjectsRequest Message

A request message of the ListProjects method.

Name Type Description
page_size int32 Requested page size. Server may return fewer Projects than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Project) A token identifying a page of results the server should return. Typically, this is the value of ListProjectsResponse.next_page_token.
order_by string (orderBy of Project) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Project) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListProjectsResponse Message

A response message of the ListProjects method.

Name Type Description
projects repeated Project The list of Projects
prev_page_token string (cursor of Project) A token to retrieve previous page of results. Pass this value in the ListProjectsRequest.page_token.
next_page_token string (cursor of Project) A token to retrieve next page of results. Pass this value in the ListProjectsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Projects across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchProjectRequest Message

A request message of the WatchProject method.

Name Type Description
name string (name of Project) Name of ntt.iam.v1.Project
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchProjectResponse Message

A response message of the WatchProject method.

Name Type Description
change ProjectChange

WatchProjectsRequest Message

A request message of the WatchProjects method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in the response are relevant.
page_size int32 Requested page size. Server may return fewer Projects than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of Project) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of Project) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume a broken connection.
filter string (filter of Project) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to Project that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to Project that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchProjectsResponse Message

A response message of the WatchProjects method.

Name Type Description
project_changes repeated ProjectChange Changes of Projects
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of the request). All Projects will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchProjectsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information on how many resources the client should have in its state so far (a response message without any changes, but with the snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat it as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far) as the server will send a new snapshot (Projects will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
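
The chunking, size-check and reset rules in the WatchProjectsResponse table (identical to those of WatchPermissionsResponse), written out as a client-side reducer for a stateless watch that also rejects field combinations the table says are never sent together. This is an added example, not EdgeLQ code: Change and WatchResponse are hypothetical local stand-ins for the real messages, the change kinds "modified" and "removed" are assumed, and the replayed stream is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class WatchProtocolError(Exception):
    """The stream broke a documented rule; the caller should reconnect."""


@dataclass
class Change:
    # Hypothetical stand-in for ProjectChange (its layout is not shown here).
    kind: str                      # assumed: "added", "current", "modified", "removed"
    name: str                      # e.g. "projects/demo-a"
    project: Optional[dict] = None


@dataclass
class WatchResponse:
    # Field names follow the WatchProjectsResponse table.
    project_changes: List[Change] = field(default_factory=list)
    is_current: bool = False
    resume_token: str = ""
    snapshot_size: int = -1        # negative means "unpopulated"
    is_soft_reset: bool = False
    is_hard_reset: bool = False


class StatelessWatchState:
    def __init__(self) -> None:
        self.projects: Dict[str, dict] = {}    # committed view
        self.pending: List[Change] = []        # chunks seen with is_current=false
        self.resume_token: Optional[str] = None

    def _validate(self, r: WatchResponse) -> None:
        exclusive = [r.is_current, r.is_soft_reset, r.is_hard_reset, r.snapshot_size >= 0]
        if sum(exclusive) > 1:
            raise WatchProtocolError("mutually exclusive fields sent together")
        if r.resume_token and not r.is_current:
            raise WatchProtocolError("resume_token outside the last chunk")
        if r.snapshot_size >= 0 and r.project_changes:
            raise WatchProtocolError("snapshot_size message carried changes")

    def apply(self, r: WatchResponse) -> str:
        self._validate(r)
        # Assumption: reset messages are pure signals; any changes on them are ignored.
        if r.is_hard_reset:
            self.projects.clear()
            self.pending.clear()
            self.resume_token = None           # old tokens must be discarded
            return "hard_reset"
        if r.is_soft_reset:
            self.pending.clear()               # committed view and token stay valid
            return "soft_reset"
        if r.snapshot_size >= 0:
            if r.snapshot_size != len(self.projects):
                raise WatchProtocolError("snapshot_size mismatch")
            return "size_ok"
        self.pending.extend(r.project_changes)
        if not r.is_current:
            return "buffered"
        merged = dict(self.projects)           # commit the whole changeset or nothing
        for c in self.pending:
            if c.kind in ("added", "current", "modified"):
                merged[c.name] = c.project or {}
            elif c.kind == "removed":
                merged.pop(c.name, None)
            else:
                raise WatchProtocolError(f"unknown change kind {c.kind!r}")
        self.projects = merged
        self.pending.clear()
        if r.resume_token:
            self.resume_token = r.resume_token
        return "committed"


def run_demo() -> dict:
    """Replay a constructed stream and report what the reducer did."""
    state = StatelessWatchState()
    stream = [
        WatchResponse([Change("current", "projects/demo-a", {"title": "A"}),
                       Change("current", "projects/demo-b", {"title": "B"})]),
        WatchResponse([Change("current", "projects/demo-c", {"title": "C"})],
                      is_current=True, resume_token="tok-1"),
        WatchResponse(snapshot_size=3),
        WatchResponse([Change("removed", "projects/demo-a")]),  # dropped by the soft reset
        WatchResponse(is_soft_reset=True),
        WatchResponse([Change("modified", "projects/demo-b", {"title": "B2"})],
                      is_current=True, resume_token="tok-2"),
        WatchResponse(snapshot_size=5),                         # client holds 3
    ]
    steps = []
    for r in stream:
        try:
            steps.append(state.apply(r))
        except WatchProtocolError:
            steps.append("error")
    return {"steps": steps, "names": sorted(state.projects),
            "title_b": state.projects["projects/demo-b"]["title"],
            "token": state.resume_token}


if __name__ == "__main__":
    print(run_demo())
```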

WatchProjectsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of Project) New token to retrieve previous page of results.
next_page_token string (cursor of Project) New token to retrieve next page of results.

CreateProjectRequest Message

A request message of the CreateProject method.

Name Type Description
project Project Project resource body
response_mask CreateProjectRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateProjectRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateProjectRequest Message

A request message of the UpdateProject method.

Name Type Description
project Project Project resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateProjectRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then the server will fetch the existing resource, compare it with the one stored in the cas field (after applying the field mask) and proceed with the update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateProjectRequest.ResponseMask reduce message response size.

UpdateProjectRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state Project Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateProjectRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteProjectRequest Message

A request message of the DeleteProject method.

Name Type Description
name string (name of Project) Name of ntt.iam.v1.Project

SearchProjectsRequest Message

A request message of the SearchProjects method.

Name Type Description
page_size int32 Requested page size. Server may return fewer Projects than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Project) A token identifying a page of results the server should return. Typically, this is the value of SearchProjectsResponse.next_page_token.
order_by string (orderBy of Project) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Project) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
phrase string Optional search phrase used to further filter results.

SearchProjectsResponse Message

A response message of the SearchProjects method.

Name Type Description
projects repeated Project The list of Projects
prev_page_token string (cursor of Project) A token to retrieve previous page of results. Pass this value in the SearchProjectsRequest.page_token.
next_page_token string (cursor of Project) A token to retrieve next page of results. Pass this value in the SearchProjectsRequest.page_token.
current_offset int32 Current offset from the first page (0 if no page tokens were given). Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Projects across all pages.

ListMyProjectsRequest Message

Request message for method [ListMyProjects][ntt.iam.v1.ListMyProjects]

Name Type Description
page_size int32 Requested page size. Server may return fewer Projects than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Project) A token identifying a page of results the server should return. Typically, this is the value of [ListProjectsResponse.next_page_token][ntt.iam.v1.ListMyProjectsResponse.next_page_token]
order_by string (orderBy of Project) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Project) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A FieldMask used to filter response fields. When present, only requested fields will be present in each response item. Omitting field_mask will cause response items to contain all present fields.
include_paging_info bool

ListMyProjectsResponse Message

Response message for method [ListMyProjects][ntt.iam.v1.ListMyProjects]

Name Type Description
projects repeated Project The list of Projects
prev_page_token string (cursor of Project) A token to retrieve previous page of results. Pass this value in the [ListMyProjectsRequest.page_token][ntt.iam.v1.ListMyProjectsRequest.page_token]
next_page_token string (cursor of Project) A token to retrieve next page of results. Pass this value in the [ListMyProjectsRequest.page_token][ntt.iam.v1.ListMyProjectsRequest.page_token]
total_count int32
cursor_offset int32

SearchMyProjectsRequest Message

Request message for method [SearchMyProjects][ntt.iam.v1.SearchMyProjects]

Name Type Description
page_size int32 Requested page size. Server may return fewer Projects than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Project) A token identifying a page of results the server should return. Typically, this is the value of [SearchProjectsResponse.next_page_token][ntt.iam.v1.SearchMyProjectsResponse.next_page_token]
order_by string (orderBy of Project) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Project) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A FieldMask used to filter response fields. When present, only requested fields will be present in each response item. Omitting field_mask will cause response items to contain all present fields.
include_paging_info bool
phrase string

SearchMyProjectsResponse Message

Response message for method [SearchMyProjects][ntt.iam.v1.SearchMyProjects]

Name Type Description
projects repeated Project The list of Projects
prev_page_token string (cursor of Project) A token to retrieve previous page of results. Pass this value in the [SearchMyProjectsRequest.page_token][ntt.iam.v1.SearchMyProjectsRequest.page_token]
next_page_token string (cursor of Project) A token to retrieve next page of results. Pass this value in the [SearchMyProjectsRequest.page_token][ntt.iam.v1.SearchMyProjectsRequest.page_token]
total_count int32
cursor_offset int32

ListMyServiceProjectsRequest Message

Request message for method [ListMyServiceProjects][ntt.iam.v1.ListMyServiceProjects]

Name Type Description
page_size int32 Requested page size. Server may return fewer Projects than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Project) A token identifying a page of results the server should return. Typically, this is the value of [ListProjectsResponse.next_page_token][ntt.iam.v1.ListMyServiceProjectsResponse.next_page_token]
order_by string (orderBy of Project) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Project) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A FieldMask used to filter response fields. When present, only requested fields will be present in each response item. Omitting field_mask will cause response items to contain all present fields.

ListMyServiceProjectsResponse Message

Response message for method [ListMyServiceProjects][ntt.iam.v1.ListMyServiceProjects]

Name Type Description
projects repeated Project The list of Projects
prev_page_token string (cursor of Project) A token to retrieve previous page of results. Pass this value in the [ListMyServiceProjectsRequest.page_token][ntt.iam.v1.ListMyServiceProjectsRequest.page_token]
next_page_token string (cursor of Project) A token to retrieve next page of results. Pass this value in the [ListMyServiceProjectsRequest.page_token][ntt.iam.v1.ListMyServiceProjectsRequest.page_token]

SetupServiceProjectRequest Message

Request message for method [SetupServiceProject][ntt.iam.v1.SetupServiceProject]

Name Type Description
name string (name of Project) Project name - unlike in CreateProject, it is mandatory. Must conform to regex: [a-z][a-z0-9\-]{0,28}[a-z0-9]
title string Project title
parent_organization string (reference to Organization) Optional parent organization
multi_region_policy MultiRegionPolicy Multi region policy - it will have to match with Service regions later on.
default_business_tier BusinessTier Default business tier to apply to a service project - it determines business tier for core edgelq services, influencing assigned limits. By default XSMALL will be set (UNDEFINED is replaced with XSMALL). If limits are not needed at all for core edgelq services, it is recommended to opt out from them using core_edgelq_service_opt_outs param.
core_edgelq_service_opt_outs repeated string (name of Service) Optional list of core edgelq services which are not needed for this service project. As of now, it has effect on devices/applications. If they are added to this list, then no limits are assigned for resources in those services.
description string Project Description

ReserveServiceNameRequest Message

Request message for method [ReserveServiceName][ntt.iam.v1.ReserveServiceName]

Name Type Description
name string (name of Project) Name of the service project where reservation should be made.
service string (name of Service) Service name to reserve
admin_account string (name of ServiceAccount) Service account name that will be an admin for this Service. If it does not exist, it will be created. If it exists, this service account will have the right to create the reserved service.
admin_key ServiceAccountKey Optional admin account key - must be skipped if admin_account already exists and has key already known by user. If provided, then new ServiceAccountKey will be created. If public key was provided in request, then server will use it. Otherwise it will generate private/public pair and provide both in response. If key already exists and admin_key was provided, AlreadyExists will be returned.
admin_account_project_role string (name of Role) Optional Role admin_account will have in the service project. When service is eventually created, admin_account will have full ownership of the Service. However, it won't be able to access Service Project freely - by default a minimal role is assigned, which allows it to send usage metrics (for example). In some cases it may be necessary for admin_account to have larger access to the service project, for example for devices management.

ReserveServiceNameResponse Message

Response message for method [ReserveServiceName][ntt.iam.v1.ReserveServiceName]

Name Type Description
ntt_admin_credentials ServiceAccount Service account admin credentials are provided if admin_key was populated in the request object. It will have private key data if public key was not provided in the request admin_key. JSON representation of this object must be saved by the caller as ntt-credentials.json file - it will be required during actual application deployment. If user generated private/public pair themselves (and provided the public key in the request object), before saving the JSON user will need to populate the private key string themselves in the final file. In case of lost credentials, user will need to send DeleteServiceAccountKey and CreateServiceAccountKey requests for admin ServiceAccount - and craft new credentials.

DeleteServiceReservationRequest Message

Request message for method [DeleteServiceReservation][ntt.iam.v1.DeleteServiceReservation]

Name Type Description
name string (name of Project) Name of the service project where reservation exists
service string (name of Service) Service name to remove from reserved

ListServiceReservationsRequest Message

Request message for method [ListServiceReservations][ntt.iam.v1.ListServiceReservations]

Name Type Description
name string (name of Project) Name of the Service Project for which we want to see reservations.

ListServiceReservationsResponse Message

Response message for method [ListServiceReservations][ntt.iam.v1.ListServiceReservations]

Name Type Description
reservations repeated ListServiceReservationsResponse.Reservation List of reserved services with corresponding admin accounts

ListServiceReservationsResponse.Reservation Message

Name Type Description
service string (name of Service) Reserved service name allowed to be created by admin account
admin_account string (name of ServiceAccount) Service account name that will be an admin for this Service.

ListProjectServicesRequest Message

Request message for method [ListProjectServices][ntt.iam.v1.ListProjectServices]

Name Type Description
name string (name of Project) Name of the Service Project for which we want to see services.

ListProjectServicesResponse Message

Response message for method [ListProjectServices][ntt.iam.v1.ListProjectServices]

Name Type Description
services repeated Service List of services

ProjectInvitation Resource

Name patterns:

  • projects/{project}/projectInvitations/{project_invitation}

Parent resources:

This section covers the methods and messages to interact with ProjectInvitation resource.

ProjectInvitation Methods

Here is the list of ProjectInvitation resource methods:

GetProjectInvitation Method

GetProjectInvitation

rpc GetProjectInvitation(GetProjectInvitationRequest) returns (ProjectInvitation)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.get

The equivalent REST API is:

GET /v1/{name=projects/*/projectInvitations/*} 

BatchGetProjectInvitations Method

BatchGetProjectInvitations

rpc BatchGetProjectInvitations(BatchGetProjectInvitationsRequest) returns (BatchGetProjectInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.batchGet

The equivalent REST API is:

GET /v1/projectInvitations:batchGet 

ListProjectInvitations Method

ListProjectInvitations

rpc ListProjectInvitations(ListProjectInvitationsRequest) returns (ListProjectInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.list

The equivalent REST API is:

GET /v1/{parent=projects/*}/projectInvitations 

WatchProjectInvitation Method

WatchProjectInvitation

rpc WatchProjectInvitation(WatchProjectInvitationRequest) returns (WatchProjectInvitationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.watch

The equivalent REST API is:

POST /v1/{name=projects/*/projectInvitations/*}:watch 

WatchProjectInvitations Method

WatchProjectInvitations

rpc WatchProjectInvitations(WatchProjectInvitationsRequest) returns (WatchProjectInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.watch

The equivalent REST API is:

POST /v1/{parent=projects/*}/projectInvitations:watch 

CreateProjectInvitation Method

CreateProjectInvitation

rpc CreateProjectInvitation(CreateProjectInvitationRequest) returns (ProjectInvitation)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.create

The equivalent REST API is:

POST /v1/{parent=projects/*}/projectInvitations (BODY: project_invitation)

UpdateProjectInvitation Method

UpdateProjectInvitation

rpc UpdateProjectInvitation(UpdateProjectInvitationRequest) returns (ProjectInvitation)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.update

The equivalent REST API is:

PUT /v1/{project_invitation.name=projects/*/projectInvitations/*} (BODY: project_invitation)

DeleteProjectInvitation Method

DeleteProjectInvitation

rpc DeleteProjectInvitation(DeleteProjectInvitationRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.delete

The equivalent REST API is:

DELETE /v1/{name=projects/*/projectInvitations/*} 

AcceptProjectInvitation Method

AcceptProjectInvitation

rpc AcceptProjectInvitation(AcceptProjectInvitationRequest) returns (AcceptProjectInvitationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.accept

The equivalent REST API is:

POST /v1/{name=projects/*/projectInvitations/*}:accept 

DeclineProjectInvitation Method

DeclineProjectInvitation

rpc DeclineProjectInvitation(DeclineProjectInvitationRequest) returns (DeclineProjectInvitationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.decline

The equivalent REST API is:

POST /v1/{name=projects/*/projectInvitations/*}:decline 

ListMyProjectInvitations Method

ListMyProjectInvitations

rpc ListMyProjectInvitations(ListMyProjectInvitationsRequest) returns (ListMyProjectInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.listMy

The equivalent REST API is:

POST /v1/{parent=projects/*}/projectInvitations:listMy 

ResendProjectInvitation Method

ResendProjectInvitation

rpc ResendProjectInvitation(ResendProjectInvitationRequest) returns (ResendProjectInvitationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.resend

The equivalent REST API is:

POST /v1/{name=projects/*/projectInvitations/*}:resend 

ProjectInvitation Messages

Here is the list of ProjectInvitation resource messages:

ProjectInvitation Message

Name Type Description
name string (name of ProjectInvitation) Name of ProjectInvitation. When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9\-]{0,28}[a-z0-9]
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
project_display_name string Project display name (auto-generated). Present here as the user doesn’t yet have permission to fetch the related project.
invitation Invitation

GetProjectInvitationRequest Message

A request message of the GetProjectInvitation method.

Name Type Description
name string (name of ProjectInvitation) Name of ntt.iam.v1.ProjectInvitation
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetProjectInvitationsRequest Message

A request message of the BatchGetProjectInvitations method.

Name Type Description
names repeated string (name of ProjectInvitation) Names of ProjectInvitations
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetProjectInvitationsResponse Message

A response message of the BatchGetProjectInvitations method.

Name Type Description
project_invitations repeated ProjectInvitation found ProjectInvitations
missing repeated string (name of ProjectInvitation) list of not found ProjectInvitations

ListProjectInvitationsRequest Message

A request message of the ListProjectInvitations method.

Name Type Description
parent string (parent name of ProjectInvitation) Parent name of ntt.iam.v1.ProjectInvitation
page_size int32 Requested page size. Server may return fewer ProjectInvitations than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of ProjectInvitation) A token identifying a page of results the server should return. Typically, this is the value of ListProjectInvitationsResponse.next_page_token.
order_by string (orderBy of ProjectInvitation) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of ProjectInvitation) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListProjectInvitationsResponse Message

A response message of the ListProjectInvitations method.

Name Type Description
project_invitations repeated ProjectInvitation The list of ProjectInvitations
prev_page_token string (cursor of ProjectInvitation) A token to retrieve previous page of results. Pass this value in the ListProjectInvitationsRequest.page_token.
next_page_token string (cursor of ProjectInvitation) A token to retrieve next page of results. Pass this value in the ListProjectInvitationsRequest.page_token.
current_offset int32 Current offset from the first page or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total ProjectInvitations across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchProjectInvitationRequest Message

A request message of the WatchProjectInvitation method.

Name Type Description
name string (name of ProjectInvitation) Name of ntt.iam.v1.ProjectInvitation
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchProjectInvitationResponse Message

A response message of the WatchProjectInvitation method.

Name Type Description
change ProjectInvitationChange

WatchProjectInvitationsRequest Message

A request message of the WatchProjectInvitations method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in response are relevant.
parent string (parent name of ProjectInvitation) Parent name of ntt.iam.v1.ProjectInvitation
page_size int32 Requested page size. Server may return fewer ProjectInvitations than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of ProjectInvitation) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of ProjectInvitation) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of ProjectInvitation) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to ProjectInvitation that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to ProjectInvitation that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchProjectInvitationsResponse Message

A response message of the WatchProjectInvitations method.

Name Type Description
project_invitation_changes repeated ProjectInvitationChange Changes of ProjectInvitations
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of the request). All ProjectInvitations will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left to 0.
page_token_change WatchProjectInvitationsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information on how many resources the client should have in its state so far (response message without any changes, but with snapshot_size field specified). If the client has a different value than the one sent by the server, then it should be treated by the client as an error and it should reconnect. If the value is smaller than 0, then the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, these kinds of errors are handled on the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, these kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far) as the server will send a new snapshot (ProjectInvitations will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, these kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
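The chunking and reset rules above, applied on the client side of a stateless watch. This is an added example, not EdgeLQ SDK code: responses are modelled as plain dicts using the field names from the table, while the shape of each change (`type`, `name`, `resource`), the `state` values and the sample stream are constructed for illustration. It assumes snapshot_size is compared against the state committed so far.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PREFIX = "projects/demo/projectInvitations/"  # constructed project name


class SnapshotMismatch(Exception):
    """Local resource count differs from snapshot_size: caller must reconnect."""


@dataclass
class StatelessWatchState:
    """Tracks ProjectInvitations received over one stateless watch stream."""
    committed: Dict[str, dict] = field(default_factory=dict)  # name -> resource
    pending: List[dict] = field(default_factory=list)  # chunks with is_current false
    resume_token: Optional[str] = None

    def apply(self, resp: dict) -> None:
        # Hard reset: clear everything, resume token included. The server
        # follows up with a fresh snapshot.
        if resp.get("is_hard_reset"):
            self.committed.clear()
            self.pending.clear()
            self.resume_token = None
            return
        # Soft reset: drop only chunks not yet closed by is_current = true.
        # Committed state and the last resume token stay valid.
        if resp.get("is_soft_reset"):
            self.pending.clear()
            return
        changes = resp.get("project_invitation_changes", [])
        is_current = bool(resp.get("is_current"))
        size = resp.get("snapshot_size", -1)
        # Size check arrives without changes; a negative value is unpopulated.
        if not changes and not is_current and size >= 0:
            if size != len(self.committed):
                raise SnapshotMismatch(f"server={size} local={len(self.committed)}")
            return
        # Buffer the chunk; commit the whole changeset only on the last chunk.
        self.pending.extend(changes)
        if is_current:
            for change in self.pending:
                self.commit(change)
            self.pending.clear()
            if resp.get("resume_token"):
                self.resume_token = resp["resume_token"]

    def commit(self, change: dict) -> None:
        if change["type"] == "removed":
            self.committed.pop(change["name"], None)
        else:  # added, current, modified
            self.committed[change["name"]] = change["resource"]


def change(kind: str, inv_id: str, **fields) -> dict:
    """Build a constructed change entry (hypothetical simplified shape)."""
    name = PREFIX + inv_id
    return {"type": kind, "name": name, "resource": {"name": name, **fields}}


# Constructed stream: a chunked snapshot, a size check, a changeset that the
# server abandons with a soft reset, then a complete incremental change.
SAMPLE_STREAM = [
    {"project_invitation_changes": [change("added", "inv-a", state="PENDING"),
                                    change("added", "inv-b", state="PENDING")],
     "is_current": False},
    {"project_invitation_changes": [change("added", "inv-c", state="PENDING")],
     "is_current": True, "resume_token": "tok-1"},
    {"snapshot_size": 3},
    {"project_invitation_changes": [change("modified", "inv-a", state="ACCEPTED")],
     "is_current": False},
    {"is_soft_reset": True},
    {"project_invitation_changes": [change("removed", "inv-b")],
     "is_current": True, "resume_token": "tok-2"},
]


def replay(stream: List[dict]) -> StatelessWatchState:
    state = StatelessWatchState()
    for resp in stream:
        state.apply(resp)
    return state


if __name__ == "__main__":
    final = replay(SAMPLE_STREAM)
    print(sorted(final.committed), final.resume_token)
```

Acting on uncommitted chunks is the failure mode to avoid: the modification to inv-a in the sample never takes effect because the server withdrew it before sending is_current.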

WatchProjectInvitationsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of ProjectInvitation) New token to retrieve previous page of results.
next_page_token string (cursor of ProjectInvitation) New token to retrieve next page of results.

CreateProjectInvitationRequest Message

A request message of the CreateProjectInvitation method.

Name Type Description
parent string (parent name of ProjectInvitation) Parent name of ntt.iam.v1.ProjectInvitation
project_invitation ProjectInvitation ProjectInvitation resource body
response_mask CreateProjectInvitationRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateProjectInvitationRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateProjectInvitationRequest Message

A request message of the UpdateProjectInvitation method.

Name Type Description
project_invitation ProjectInvitation ProjectInvitation resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateProjectInvitationRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateProjectInvitationRequest.ResponseMask reduce message response size.

UpdateProjectInvitationRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state ProjectInvitation Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateProjectInvitationRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteProjectInvitationRequest Message

A request message of the DeleteProjectInvitation method.

Name Type Description
name string (name of ProjectInvitation) Name of ntt.iam.v1.ProjectInvitation

AcceptProjectInvitationRequest Message

Request message for method [AcceptProjectInvitation][ntt.iam.v1.AcceptProjectInvitation]

Name Type Description
name string (name of ProjectInvitation) name of ntt.iam.v1.ProjectInvitation

AcceptProjectInvitationResponse Message

Response message for method [AcceptProjectInvitation][ntt.iam.v1.AcceptProjectInvitation]

Name Type Description
none none none

DeclineProjectInvitationRequest Message

Request message for method [DeclineProjectInvitation][ntt.iam.v1.DeclineProjectInvitation]

Name Type Description
name string (name of ProjectInvitation) name of ntt.iam.v1.ProjectInvitation

DeclineProjectInvitationResponse Message

Response message for method [DeclineProjectInvitation][ntt.iam.v1.DeclineProjectInvitation]

Name Type Description
none none none

ListMyProjectInvitationsRequest Message

Request message for method [ListMyProjectInvitations][ntt.iam.v1.ListMyProjectInvitations]

Name Type Description
parent string (parent name of ProjectInvitation) Parent name of ntt.iam.v1.ProjectInvitation
filter string (filter of ProjectInvitation) Additional filter for invitations, e.g. state = “PENDING”

ListMyProjectInvitationsResponse Message

Response message for method [ListMyProjectInvitations][ntt.iam.v1.ListMyProjectInvitations]

Name Type Description
project_invitations repeated ProjectInvitation

ResendProjectInvitationRequest Message

Request message for method [ResendProjectInvitation][ntt.iam.v1.ResendProjectInvitation]

Name Type Description
name string (name of ProjectInvitation) name of ntt.iam.v1.ProjectInvitation

ResendProjectInvitationResponse Message

Response message for method [ResendProjectInvitation][ntt.iam.v1.ResendProjectInvitation]

Name Type Description
project_invitation ProjectInvitation

Role Resource

Name patterns:

  • services/{service}/roles/{role}
  • projects/{project}/roles/{role}
  • organizations/{organization}/roles/{role}

Parent resources:

This section covers the methods and messages to interact with Role resource.

Role Methods

Here is the list of Role resource methods:

GetRole Method

GetRole

rpc GetRole(GetRoleRequest) returns (Role)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.get

The equivalent REST API is:

GET /v1/{name=services/*/roles/*} 
GET /v1/{name=projects/*/roles/*} 
GET /v1/{name=organizations/*/roles/*} 

BatchGetRoles Method

BatchGetRoles

rpc BatchGetRoles(BatchGetRolesRequest) returns (BatchGetRolesResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.batchGet

The equivalent REST API is:

GET /v1/roles:batchGet 

ListRoles Method

ListRoles

rpc ListRoles(ListRolesRequest) returns (ListRolesResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.list

The equivalent REST API is:

GET /v1/{parent=services/*}/roles 
GET /v1/{parent=projects/*}/roles 
GET /v1/{parent=organizations/*}/roles 

WatchRole Method

WatchRole

rpc WatchRole(WatchRoleRequest) returns (WatchRoleResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.watch

The equivalent REST API is:

POST /v1/{name=services/*/roles/*}:watch 
POST /v1/{name=projects/*/roles/*}:watch 
POST /v1/{name=organizations/*/roles/*}:watch 

WatchRoles Method

WatchRoles

rpc WatchRoles(WatchRolesRequest) returns (WatchRolesResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.watch

The equivalent REST API is:

POST /v1/{parent=services/*}/roles:watch 
POST /v1/{parent=projects/*}/roles:watch 
POST /v1/{parent=organizations/*}/roles:watch 

CreateRole Method

CreateRole

rpc CreateRole(CreateRoleRequest) returns (Role)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.create

The equivalent REST API is:

POST /v1/{parent=services/*}/roles (BODY: role)
POST /v1/{parent=projects/*}/roles 
POST /v1/{parent=organizations/*}/roles 

UpdateRole Method

UpdateRole

rpc UpdateRole(UpdateRoleRequest) returns (Role)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.update

The equivalent REST API is:

PUT /v1/{role.name=services/*/roles/*} (BODY: role)
PUT /v1/{role.name=projects/*/roles/*} 
PUT /v1/{role.name=organizations/*/roles/*} 

DeleteRole Method

DeleteRole

rpc DeleteRole(DeleteRoleRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.delete

The equivalent REST API is:

DELETE /v1/{name=services/*/roles/*} 
DELETE /v1/{name=projects/*/roles/*} 
DELETE /v1/{name=organizations/*/roles/*} 

Role Messages

Here is the list of Role resource messages:

Role Message

Name Type Description
name string (name of Role) Name of Role
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
display_name string Display Name
description string Optional description
category Role.Category Category to which Role belongs. It cannot be changed.
scope_params repeated Role.ScopeParamType List of scope params, they are used to evaluate object prefixes in grants and values in their field conditions, if any.
grants repeated Role.Grant List of permissions granted per each object prefix.
owned_objects repeated string List of owned object templates - during binding of a role, each owned object specified in this role is computed against scope params from role binding to evaluate final owned objects. For example, if owned_objects in Role contains value “regions/{region}/devices/{device}”, and RoleBinding specifies region=useast and device=d1, then final owned_object will be regions/useast/devices/d1. Ownership would also include any potential child resources of this device. Note that RoleBinding scope (project, organization, service) will still be prepended before each owned object to form fully qualified name of the owned resource. Owned objects may contain wildcards: ‘-’. As a special case, if owned objects contain a string with only a single character: ‘-’, then it means member of the role binding is considered as full owner of the scope. This field cannot be modified after role creation.
services repeated string (reference to Service) List of services used by this role. It is being detected by the usage of permissions in grants - or if it has owned objects, it contains all services used by parent service.
rb_spec_generation int64 Internal field used by controller to ensure role bindings are in sync with role updates.
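How owned_objects templates expand for one RoleBinding, and which resource names the result covers, as an added example that is not the service's own code. It assumes the ‘-’ wildcard matches exactly one name segment and that ownership is matched segment by segment; rejecting scope param values that contain ‘/’ is this example's own defensive choice, and all function names are hypothetical.

```python
import re
from typing import Dict, List

PARAM = re.compile(r"\{([A-Za-z0-9_]+)\}")
FULL_SCOPE = "-"  # owned_objects entry meaning "full owner of the scope"


def substitute_params(template: str, params: Dict[str, str]) -> str:
    """Replace {param} placeholders; fail closed on missing or odd values."""
    def repl(match):
        key = match.group(1)
        value = params.get(key)
        if not value:
            raise ValueError(f"scope param {key!r} missing in role binding")
        if "/" in value:
            # A value with '/' would change how many segments the template has.
            raise ValueError(f"scope param {key!r} must be a single segment")
        return value
    return PARAM.sub(repl, template)


def resolve_owned_objects(scope: str, templates: List[str],
                          params: Dict[str, str]) -> List[str]:
    """Fully qualified owned-object patterns for one RoleBinding.

    scope is the RoleBinding scope (e.g. "projects/p1"); it is prepended to
    every resolved template.
    """
    resolved = []
    for template in templates:
        if template == FULL_SCOPE:
            resolved.append(scope)  # the member owns the whole scope
        else:
            resolved.append(scope + "/" + substitute_params(template, params))
    return resolved


def owns(owned: List[str], resource_name: str) -> bool:
    """True if resource_name is an owned object or a child of one.

    Comparison is per segment, so "projects/p1" never covers "projects/p10",
    which a plain string prefix test would accept.
    """
    target = resource_name.split("/")
    for pattern in owned:
        parts = pattern.split("/")
        if len(parts) > len(target):
            continue
        if all(p == "-" or p == t for p, t in zip(parts, target)):
            return True
    return False


def grants_full_scope(templates: List[str]) -> bool:
    """Audit helper: does this role make its members full scope owners?"""
    return FULL_SCOPE in templates


if __name__ == "__main__":
    # The case from the owned_objects description above.
    owned = resolve_owned_objects(
        "projects/p1",
        ["regions/{region}/devices/{device}"],
        {"region": "useast", "device": "d1"},
    )
    print(owned)
    print(owns(owned, "projects/p1/regions/useast/devices/d1/children/c1"))
```

Because owned_objects cannot be modified after role creation, a role review is the point at which to flag a bare ‘-’ entry with a check like grants_full_scope.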

Role.ScopeParamType Message

Name Type Description
name string
type Role.ScopeParamType.Type

Role.Grant Message

Name Type Description
sub_scope string Optional prefix that is APPENDED to the scope inherited from RoleBinding (project, organization, service). If not specified, then scope is equal to the one from RoleBinding.
permissions repeated string (reference to Permission) List of applicable permissions for this grant. Not relevant if is_owner is true.
resource_field_conditions repeated Role.Grant.FieldCondition List of resource field conditions. Values for conditions are extracted from assigned RoleBinding (scope params). Resource extraction is as follows: - If request has resource body, then it is used. - If request has resource name, then resource is extracted from database and its fields are used. - If request has filter object applicable for collection requests (like list, collection watch…), then service uses resource field paths and values extracted from filter conditions.
request_field_conditions repeated Role.Grant.FieldCondition List of request field conditions. Values for conditions are extracted from assigned RoleBinding (scope params).
executable_conditions repeated ExecutableCondition List of executable conditions to be applied in order to validate this grant. Note that executable conditions are also specified in RoleBinding, as often it is not possible to define all params in the Role itself, before binding. Final executable conditions, in RoleBinding context, are computed in the following way: - Executable conditions from RoleBinding and Role are matched by condition reference. - Params are merged FROM condition in Role into condition in RoleBinding. It is expected that Role defined “common” params and RoleBinding defines remaining ones.

Role.Grant.FieldCondition Message

Name Type Description
path string
value string

GetRoleRequest Message

A request message of the GetRole method.

Name Type Description
name string (name of Role) Name of ntt.iam.v1.Role
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetRolesRequest Message

A request message of the BatchGetRoles method.

Name Type Description
names repeated string (name of Role) Names of Roles
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetRolesResponse Message

A response message of the BatchGetRoles method.

Name Type Description
roles repeated Role found Roles
missing repeated string (name of Role) list of not found Roles

ListRolesRequest Message

A request message of the ListRoles method.

Name Type Description
parent string (parent name of Role) Parent name of ntt.iam.v1.Role
page_size int32 Requested page size. Server may return fewer Roles than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Role) A token identifying a page of results the server should return. Typically, this is the value of ListRolesResponse.next_page_token.
order_by string (orderBy of Role) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination - list of field paths with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. E.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Role) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListRolesResponse Message

A response message of the ListRoles method.

Name Type Description
roles repeated Role The list of Roles
prev_page_token string (cursor of Role) A token to retrieve previous page of results. Pass this value in the ListRolesRequest.page_token.
next_page_token string (cursor of Role) A token to retrieve next page of results. Pass this value in the ListRolesRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Roles across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchRoleRequest Message

A request message of the WatchRole method.

Name Type Description
name string (name of Role) Name of ntt.iam.v1.Role
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchRoleResponse Message

A response message of the WatchRole method.

Name Type Description
change RoleChange

WatchRolesRequest Message

A request message of the WatchRoles method.

Name Type Description
type WatchType Type of a watch. Identifies how server streams data to a client, which fields in a request are allowed and which fields in response are relevant.
parent string (parent name of Role) Parent name of ntt.iam.v1.Role
page_size int32 Requested page size. Server may return fewer Roles than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of Role) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of Role) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination - can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of Role) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to Role that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to Role that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchRolesResponse Message

A response message of the WatchRoles method.

Name Type Description
role_changes repeated RoleChange Changes of Roles
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of request). All Roles will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchRolesResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information on how many resources the client should have in its state so far (response message without any changes, but with snapshot_size field specified). If client has a different value than the one sent by the server, then the client should treat it as an error and reconnect. If value is smaller than 0, then client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of internal issue server may send response message with this flag. It indicates that client should drop all changes from recent responses where is_current is false only! If last message had is_current set to true, client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of internal issue server may send response message with this flag. After receiving, client should clear whole state (drop all changes received so far) as server will send new snapshot (Roles will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.

WatchRolesResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of Role) New token to retrieve previous page of results.
next_page_token string (cursor of Role) New token to retrieve next page of results.

CreateRoleRequest Message

A request message of the CreateRole method.

Name Type Description
parent string (parent name of Role) Parent name of ntt.iam.v1.Role
role Role Role resource body
response_mask CreateRoleRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateRoleRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateRoleRequest Message

A request message of the UpdateRole method.

Name Type Description
role Role Role resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateRoleRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateRoleRequest.ResponseMask Reduces message response size.

UpdateRoleRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state Role Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateRoleRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteRoleRequest Message

A request message of the DeleteRole method.

Name Type Description
name string (name of Role) Name of ntt.iam.v1.Role

Role Enumerations

Here is the list of Role resource enumerations:

Role.Category Enumeration

Category points to the intended role use. It may restrict how RoleBindings are created.

Name Description
UNDEFINED Undefined, not allowed.
PUBLIC Role is intended for public access. Restricted members: allUsers, allAuthenticatedUsers. No RoleBinding scope restrictions.
INTERNAL Role is for internal purposes, defined by a parent service. There are no restrictions to scope and members.
OWNER Special owner role - reserved to “scope-admin” role in IAM. It is de facto a reserved category for EdgeLQ core services only, but is also a kind of USER type.
SERVICE Role relevant for Service Management, check display name and/or description for more information.
AGENT Role for various edge agents. Restricted to project scope and service account member types. Cannot be assigned to groups.
USER Role relevant for users, provides an access to various actions on organization/project level. Typically should be given to users, but ServiceAccount is also possible. Can be assigned to group members.

Role.ScopeParamType.Type Enumeration

Name Description
UNDEFINED
STRING
ARRAY_OF_STRINGS

RoleBinding Resource


Name patterns:

  • roleBindings/{role_binding}
  • projects/{project}/roleBindings/{role_binding}
  • organizations/{organization}/roleBindings/{role_binding}
  • services/{service}/roleBindings/{role_binding}

Parent resources:

This section covers the methods and messages to interact with RoleBinding resource.

RoleBinding Methods

Here is the list of RoleBinding resource methods:

CheckMyRoleBindings Method

CheckMyRoleBindings

rpc CheckMyRoleBindings(CheckMyRoleBindingsRequest) returns (CheckMyRoleBindingsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.checkMy

The equivalent REST API is:

POST /v1/roleBindings:checkMy (BODY: *)
POST /v1/{parent=projects/*}/roleBindings:checkMy 
POST /v1/{parent=organizations/*}/roleBindings:checkMy 
POST /v1/{parent=services/*}/roleBindings:checkMy 

GetRoleBinding Method

GetRoleBinding

rpc GetRoleBinding(GetRoleBindingRequest) returns (RoleBinding)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.get

The equivalent REST API is:

GET /v1/{name=roleBindings/*} 
GET /v1/{name=projects/*/roleBindings/*} 
GET /v1/{name=organizations/*/roleBindings/*} 
GET /v1/{name=services/*/roleBindings/*} 

BatchGetRoleBindings Method

BatchGetRoleBindings

rpc BatchGetRoleBindings(BatchGetRoleBindingsRequest) returns (BatchGetRoleBindingsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.batchGet

The equivalent REST API is:

GET /v1/roleBindings:batchGet 

ListRoleBindings Method

ListRoleBindings

rpc ListRoleBindings(ListRoleBindingsRequest) returns (ListRoleBindingsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.list

The equivalent REST API is:

GET /v1/roleBindings 
GET /v1/{parent=projects/*}/roleBindings 
GET /v1/{parent=organizations/*}/roleBindings 
GET /v1/{parent=services/*}/roleBindings 

WatchRoleBinding Method

WatchRoleBinding

rpc WatchRoleBinding(WatchRoleBindingRequest) returns (WatchRoleBindingResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.watch

The equivalent REST API is:

POST /v1/{name=roleBindings/*}:watch 
POST /v1/{name=projects/*/roleBindings/*}:watch 
POST /v1/{name=organizations/*/roleBindings/*}:watch 
POST /v1/{name=services/*/roleBindings/*}:watch 

WatchRoleBindings Method

WatchRoleBindings

rpc WatchRoleBindings(WatchRoleBindingsRequest) returns (WatchRoleBindingsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.watch

The equivalent REST API is:

POST /v1/roleBindings:watch 
POST /v1/{parent=projects/*}/roleBindings:watch 
POST /v1/{parent=organizations/*}/roleBindings:watch 
POST /v1/{parent=services/*}/roleBindings:watch 

CreateRoleBinding Method

CreateRoleBinding

rpc CreateRoleBinding(CreateRoleBindingRequest) returns (RoleBinding)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.create

The equivalent REST API is:

POST /v1/roleBindings (BODY: role_binding)
POST /v1/{parent=projects/*}/roleBindings 
POST /v1/{parent=organizations/*}/roleBindings 
POST /v1/{parent=services/*}/roleBindings 

UpdateRoleBinding Method

UpdateRoleBinding

rpc UpdateRoleBinding(UpdateRoleBindingRequest) returns (RoleBinding)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.update

The equivalent REST API is:

PUT /v1/{role_binding.name=roleBindings/*} (BODY: role_binding)
PUT /v1/{role_binding.name=projects/*/roleBindings/*} 
PUT /v1/{role_binding.name=organizations/*/roleBindings/*} 
PUT /v1/{role_binding.name=services/*/roleBindings/*} 

DeleteRoleBinding Method

DeleteRoleBinding

rpc DeleteRoleBinding(DeleteRoleBindingRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.delete

The equivalent REST API is:

DELETE /v1/{name=roleBindings/*} 
DELETE /v1/{name=projects/*/roleBindings/*} 
DELETE /v1/{name=organizations/*/roleBindings/*} 
DELETE /v1/{name=services/*/roleBindings/*} 

ListRoleBindingsWithMembers Method

ListRoleBindingsWithMembers

rpc ListRoleBindingsWithMembers(ListRoleBindingsWithMembersRequest) returns (ListRoleBindingsWithMembersResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.listRoleBindingsWithMembers

The equivalent REST API is:

POST /v1/roleBindings:listRoleBindingsWithMembers 
POST /v1/{parent=projects/*}/roleBindings:listRoleBindingsWithMembers 
POST /v1/{parent=organizations/*}/roleBindings:listRoleBindingsWithMembers 
POST /v1/{parent=services/*}/roleBindings:listRoleBindingsWithMembers 

RoleBinding Messages

Here is the list of RoleBinding resource messages:

RoleBinding Message

Name Type Description
name string (name of RoleBinding) Name of RoleBinding
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
role string (reference to Role) Applied role.
member string Binding members. Format of the string is one of: - “allUsers” (anyone) - “allAuthenticatedUsers” (anyone logged in from handling service point of view) - “user:admin.super@example.com” - “serviceAccount:device_agent@watchdog.serviceaccounts.iam.edgelq.com” - “group:nice.group@example.com” - “domain:example.com” (anyone with exact email domain)
scope_params repeated ScopeParam All scope params defined as required by a role
executable_conditions repeated ExecutableCondition Optional executable conditions to be added to the role binding. They are matched with the executable conditions in role grants by condition reference. If there is a condition defined in RoleBinding, but not in any role grant, then the executable condition is applied to all role grants.
owned_objects repeated string List of owned objects WITHIN role binding scope - for example if role binding is a child of project and owned_objects contains some device, member has all possible permissions for this device in project, regardless of method. In case ownership is for whole role binding scope, it will contain “-” string. This is computed based on a role with wildcard grants.
member_type string Member type: the prefix of member before the ‘:’ rune, for example “user”. If member has no ‘:’ (like allUsers), then it will contain the same value.
category Role.Category Role category, taken from role itself, allows for additional filtering.
ancestry_path repeated RoleBinding.Parent Internal field used by IAM controller to note role binding ancestry path for Group type (RoleBindings inherited from Group)
parent_by_org string (reference to RoleBinding) Internal field used by IAM controller to note parent role binding from Parent Organization type. It is much different compared to “ancestry_path”, we just need direct parent. This is because it is simpler - controller for this inheritance does not need full ancestry path for loop detection. Groups are complicated and it is legal for two groups containing each other as members. But organization ancestry path does not allow loops, so we can afford simple field!
spec_generation int64 Internal field used to synchronize role binding with role. This value increases when the spec in a role changes in a way requiring role binding resynchronization.
has_owned_objects bool Internal field indicating if role binding has owned objects. It is used for filtering, as it’s not possible to filter by len(owned_objects) > 0
disable_for_child_scopes bool If true, then this RoleBinding DOES NOT apply to child entities. TODO: For now IAM Server decides if this RB is not assignable, consider opening this.
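
A pre-flight check for RoleBinding bodies, combining the name patterns, the member string formats and the Role.Category restrictions as the tables on this page read. This is an added example, not code from the EdgeLQ SDK or the IAM server; the Binding struct, the function names and the sample bindings are constructed for illustration, and the PUBLIC rule assumes "Restricted members" means members are limited to the two listed values.

```go
package main

import (
	"fmt"
	"strings"
)

// Binding holds the RoleBinding fields checked here (hypothetical struct).
// Category is the category of the referenced Role, as copied into the binding.
type Binding struct {
	Name     string
	Member   string
	Category string
}

// Scope maps a RoleBinding name onto one of the four documented name patterns.
func Scope(name string) (string, error) {
	seg := strings.Split(name, "/")
	for _, s := range seg {
		if s == "" {
			return "", fmt.Errorf("name %q has an empty segment", name)
		}
	}
	if len(seg) == 2 && seg[0] == "roleBindings" {
		return "system", nil
	}
	if len(seg) == 4 && seg[2] == "roleBindings" {
		switch seg[0] {
		case "projects":
			return "project", nil
		case "organizations":
			return "organization", nil
		case "services":
			return "service", nil
		}
	}
	return "", fmt.Errorf("name %q matches no RoleBinding name pattern", name)
}

// MemberType returns the prefix before ':' (or the whole value when there is
// no ':'), accepting only the formats listed for the member field.
func MemberType(member string) (string, error) {
	typ, id, hasID := strings.Cut(member, ":")
	switch typ {
	case "allUsers", "allAuthenticatedUsers":
		if !hasID {
			return typ, nil
		}
	case "user", "serviceAccount", "group", "domain":
		if hasID && id != "" {
			return typ, nil
		}
	}
	return "", fmt.Errorf("member %q is not in a documented format", member)
}

// Audit returns the findings for one binding; an empty slice means it passes.
func Audit(b Binding) []string {
	var out []string
	scope, err := Scope(b.Name)
	if err != nil {
		out = append(out, err.Error())
	}
	mt, err := MemberType(b.Member)
	if err != nil {
		out = append(out, err.Error())
	}
	switch b.Category {
	case "", "UNDEFINED":
		out = append(out, "category UNDEFINED is not allowed")
	case "PUBLIC":
		if mt != "" && mt != "allUsers" && mt != "allAuthenticatedUsers" {
			out = append(out, "PUBLIC role bound to member type "+mt)
		}
	case "AGENT":
		if scope != "" && scope != "project" {
			out = append(out, "AGENT role bound at "+scope+" scope")
		}
		if mt != "" && mt != "serviceAccount" {
			out = append(out, "AGENT role bound to member type "+mt)
		}
	}
	return out
}

func main() {
	// Constructed sample bindings.
	for _, b := range []Binding{
		{"projects/demo/roleBindings/rb-1", "serviceAccount:device_agent@watchdog.serviceaccounts.iam.edgelq.com", "AGENT"},
		{"organizations/acme/roleBindings/rb-2", "group:nice.group@example.com", "AGENT"},
		{"roleBindings/rb-3", "user:admin.super@example.com", "PUBLIC"},
	} {
		fmt.Println(b.Name, Audit(b))
	}
}
```

Running the same check over the output of ListRoleBindings gives a quick review of existing bindings; the server remains the authority on what it accepts.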

RoleBinding.Parent Message

Provides information about inheritance of this role binding - if it was created from another role binding.

Name Type Description
parent string (reference to RoleBinding) Role bindings which have a group as member have a child for each service account and user in that group. All those role bindings have one common parent pointing at the group role binding
member string Member of the parent role binding

CheckMyRoleBindingsRequest Message

Request message for method [CheckMyRoleBindings][ntt.iam.v1.CheckMyRoleBindings]

Name Type Description
parent string (parent name of RoleBinding) Scope determines where roles should be looked from - it is either system, service, project or organization scope. However, if it contains an organization or project, CheckMyRoles will perform the check on the whole ancestry path (parent organizations).
filter string (filter of RoleBinding) Optional additional filter to apply on role bindings returned. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
custom_field_mask .google.protobuf.FieldMask Custom field mask to apply on role bindings. By default, if none is specified, the following is used: [ “name”, “role”, “scope_params”, “executable_conditions”, “owned_objects” ].

CheckMyRoleBindingsResponse Message

Response message for method [CheckMyRoles][ntt.iam.v1.CheckMyRoles]

Name Type Description
resolvable_grants repeated CheckMyRoleBindingsResponse.ResolvableGrant List of returned role bindings with corresponding grants.

CheckMyRoleBindingsResponse.ResolvableGrant Message

Name Type Description
role_binding RoleBinding Granted RoleBinding for the scope
grants repeated Role.Grant All grants extracted from the Role

GetRoleBindingRequest Message

A request message of the GetRoleBinding method.

Name Type Description
name string (name of RoleBinding) Name of ntt.iam.v1.RoleBinding
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetRoleBindingsRequest Message

A request message of the BatchGetRoleBindings method.

Name Type Description
names repeated string (name of RoleBinding) Names of RoleBindings
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetRoleBindingsResponse Message

A response message of the BatchGetRoleBindings method.

Name Type Description
role_bindings repeated RoleBinding found RoleBindings
missing repeated string (name of RoleBinding) list of not found RoleBindings

ListRoleBindingsRequest Message

A request message of the ListRoleBindings method.

Name Type Description
parent string (parent name of RoleBinding) Parent name of ntt.iam.v1.RoleBinding
page_size int32 Requested page size. Server may return fewer RoleBindings than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of RoleBinding) A token identifying a page of results the server should return. Typically, this is the value of ListRoleBindingsResponse.next_page_token.
order_by string (orderBy of RoleBinding) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination - list of field paths with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. E.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of RoleBinding) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListRoleBindingsResponse Message

A response message of the ListRoleBindings method.

Name Type Description
role_bindings repeated RoleBinding The list of RoleBindings
prev_page_token string (cursor of RoleBinding) A token to retrieve previous page of results. Pass this value in the ListRoleBindingsRequest.page_token.
next_page_token string (cursor of RoleBinding) A token to retrieve next page of results. Pass this value in the ListRoleBindingsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total RoleBindings across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchRoleBindingRequest Message

A request message of the WatchRoleBinding method.

Name Type Description
name string (name of RoleBinding) Name of ntt.iam.v1.RoleBinding
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchRoleBindingResponse Message

A response message of the WatchRoleBinding method.

Name Type Description
change RoleBindingChange

WatchRoleBindingsRequest Message

A request message of the WatchRoleBindings method.

Name Type Description
type WatchType Type of a watch. Identifies how server streams data to a client, which fields in a request are allowed and which fields in response are relevant.
parent string (parent name of RoleBinding) Parent name of ntt.iam.v1.RoleBinding
page_size int32 Requested page size. Server may return fewer RoleBindings than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of RoleBinding) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of RoleBinding) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination - can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of RoleBinding) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to RoleBinding that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to RoleBinding that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchRoleBindingsResponse Message

A response message of the WatchRoleBindings method.

Name Type Description
role_binding_changes repeated RoleBindingChange Changes of RoleBindings
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of request). All RoleBindings will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchRoleBindingsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information on how many resources the client should have in its state so far (response message without any changes, but with snapshot_size field specified). If client has a different value than the one sent by the server, then the client should treat it as an error and reconnect. If value is smaller than 0, then client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of internal issue server may send response message with this flag. It indicates that client should drop all changes from recent responses where is_current is false only! If last message had is_current set to true, client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of internal issue server may send response message with this flag. After receiving, client should clear whole state (drop all changes received so far) as server will send new snapshot (RoleBindings will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
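
The chunking, snapshot_size and reset rules from the WatchRolesResponse and WatchRoleBindingsResponse tables, written as a client-side reducer that never exposes a half-received changeset to whatever consumes the cached bindings. This is an added example, not code from the EdgeLQ SDK; Change and WatchResponse are simplified stand-ins (RoleBindingChange is not defined in this section) and the message stream is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// ChangeKind and Change are simplified stand-ins (assumption) for
// RoleBindingChange, whose definition is not part of this section.
type ChangeKind int

const (
	Added ChangeKind = iota
	Current
	Modified
	Removed
)

type Change struct {
	Kind ChangeKind
	Name string // RoleBinding name
}

// WatchResponse carries the WatchRoleBindingsResponse fields used here.
// SnapshotSize below 0 means "unpopulated", as the field description states.
type WatchResponse struct {
	Changes      []Change
	IsCurrent    bool
	ResumeToken  string
	SnapshotSize int64
	IsSoftReset  bool
	IsHardReset  bool
}

var ErrSnapshotMismatch = errors.New("snapshot_size mismatch: reconnect")

// Cache is the client view of a stateless watch. Only committed entries may
// drive decisions; pending holds chunks of a changeset that is not complete.
type Cache struct {
	committed   map[string]Change
	pending     []Change
	ResumeToken string
}

func NewCache() *Cache { return &Cache{committed: map[string]Change{}} }
func (c *Cache) Len() int { return len(c.committed) }

// Apply processes one response message in stream order.
func (c *Cache) Apply(r WatchResponse) error {
	switch {
	case r.IsHardReset:
		// State and resume token are void; a fresh snapshot follows.
		c.committed, c.pending, c.ResumeToken = map[string]Change{}, nil, ""
		return nil
	case r.IsSoftReset:
		// Drop only what arrived with is_current=false; keep the token.
		c.pending = nil
		return nil
	case len(r.Changes) == 0 && !r.IsCurrent && r.SnapshotSize >= 0:
		// Size check message: no changes, no flags.
		if int64(len(c.committed)) != r.SnapshotSize {
			return ErrSnapshotMismatch
		}
		return nil
	}
	c.pending = append(c.pending, r.Changes...)
	if !r.IsCurrent {
		return nil // changeset incomplete: keep buffering
	}
	for _, ch := range c.pending {
		if ch.Kind == Removed {
			delete(c.committed, ch.Name)
		} else {
			c.committed[ch.Name] = ch
		}
	}
	c.pending = nil
	if r.ResumeToken != "" {
		c.ResumeToken = r.ResumeToken
	}
	return nil
}

func main() {
	const p = "projects/demo/roleBindings/" // constructed sample names
	c := NewCache()
	stream := []WatchResponse{
		{Changes: []Change{{Current, p + "rb-a"}}, SnapshotSize: -1},
		{Changes: []Change{{Current, p + "rb-b"}}, IsCurrent: true, ResumeToken: "tok-1", SnapshotSize: -1},
		{Changes: []Change{{Removed, p + "rb-a"}}, SnapshotSize: -1},
		{IsSoftReset: true, SnapshotSize: -1},
		{Changes: []Change{{Added, p + "rb-c"}}, IsCurrent: true, ResumeToken: "tok-2", SnapshotSize: -1},
		{SnapshotSize: 5},
	}
	for i, r := range stream {
		err := c.Apply(r)
		fmt.Printf("msg %d: committed=%d token=%q err=%v\n", i, c.Len(), c.ResumeToken, err)
	}
}
```

On ErrSnapshotMismatch the caller should close the stream and reconnect, and a consumer that makes access decisions from the cache should stop trusting it until a new snapshot has been committed.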

WatchRoleBindingsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of RoleBinding) New token to retrieve previous page of results.
next_page_token string (cursor of RoleBinding) New token to retrieve next page of results.

CreateRoleBindingRequest Message

A request message of the CreateRoleBinding method.

Name Type Description
parent string (parent name of RoleBinding) Parent name of ntt.iam.v1.RoleBinding
role_binding RoleBinding RoleBinding resource body
response_mask CreateRoleBindingRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateRoleBindingRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateRoleBindingRequest Message

A request message of the UpdateRoleBinding method.

Name Type Description
role_binding RoleBinding RoleBinding resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateRoleBindingRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateRoleBindingRequest.ResponseMask Reduces message response size.

UpdateRoleBindingRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state RoleBinding Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateRoleBindingRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteRoleBindingRequest Message

A request message of the DeleteRoleBinding method.

Name Type Description
name string (name of RoleBinding) Name of ntt.iam.v1.RoleBinding

ListRoleBindingsWithMembersRequest Message

A request message of the ListRoleBindingsWithMembers method.

Name Type Description
parent string (parent name of RoleBinding) Parent name of ntt.iam.v1.RoleBinding
page_size int32 Requested page size. Server may return fewer RoleBindings than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of RoleBinding) A token identifying a page of results the server should return. Typically, this is the value of ListRoleBindingsWithMembersResponse.next_page_token.
order_by string (orderBy of RoleBinding) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of RoleBinding) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask and user_mask.
members_masks MembersMasks Defines field masks applied to member resources (Users, Service accounts, Groups).
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListRoleBindingsWithMembersResponse Message

A response message of the ListRoleBindingsWithMembers method.

Name Type Description
role_bindings repeated RoleBinding The list of RoleBindings
matching_members repeated MembersInfo List of matching members per each received role binding.
prev_page_token string (cursor of RoleBinding) A token to retrieve previous page of results. Pass this value in the ListRoleBindingsWithMembersRequest.page_token.
next_page_token string (cursor of RoleBinding) A token to retrieve next page of results. Pass this value in the ListRoleBindingsWithMembersRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total RoleBindings across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

ServiceAccount Resource


Name patterns:

  • projects/{project}/regions/{region}/serviceAccounts/{service_account}

Parent resources:

This section covers the methods and messages to interact with ServiceAccount resource.

ServiceAccount Methods

Here is the list of ServiceAccount resource methods:

GetServiceAccount Method

GetServiceAccount

rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.get

The equivalent REST API is:

GET /v1/{name=projects/*/regions/*/serviceAccounts/*} 

BatchGetServiceAccounts Method

BatchGetServiceAccounts

rpc BatchGetServiceAccounts(BatchGetServiceAccountsRequest) returns (BatchGetServiceAccountsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.batchGet

The equivalent REST API is:

GET /v1/serviceAccounts:batchGet 

ListServiceAccounts Method

ListServiceAccounts

rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.list

The equivalent REST API is:

GET /v1/{parent=projects/*/regions/*}/serviceAccounts 

WatchServiceAccount Method

WatchServiceAccount

rpc WatchServiceAccount(WatchServiceAccountRequest) returns (WatchServiceAccountResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.watch

The equivalent REST API is:

POST /v1/{name=projects/*/regions/*/serviceAccounts/*}:watch 

WatchServiceAccounts Method

WatchServiceAccounts

rpc WatchServiceAccounts(WatchServiceAccountsRequest) returns (WatchServiceAccountsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.watch

The equivalent REST API is:

POST /v1/{parent=projects/*/regions/*}/serviceAccounts:watch 

CreateServiceAccount Method

CreateServiceAccount

rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.create

The equivalent REST API is:

POST /v1/{parent=projects/*/regions/*}/serviceAccounts (BODY: service_account)

UpdateServiceAccount Method

UpdateServiceAccount

rpc UpdateServiceAccount(UpdateServiceAccountRequest) returns (ServiceAccount)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.update

The equivalent REST API is:

PUT /v1/{service_account.name=projects/*/regions/*/serviceAccounts/*} (BODY: service_account)

DeleteServiceAccount Method

DeleteServiceAccount

rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.delete

The equivalent REST API is:

DELETE /v1/{name=projects/*/regions/*/serviceAccounts/*} 

GetMyAgentShard Method

GetMyAgentShard

rpc GetMyAgentShard(GetMyAgentShardRequest) returns (GetMyAgentShardResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.getMyAgentShard

The equivalent REST API is:

POST /v1/{name=projects/*/regions/*/serviceAccounts/*}:getMyAgentShard 

GetShardEndpoints Method

GetShardEndpoints

rpc GetShardEndpoints(GetShardEndpointsRequest) returns (GetShardEndpointsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.getShardEndpoints

The equivalent REST API is:

POST /v1:getShardEndpoints 

AddRegionalAdminAccountForServices Method

AddRegionalAdminAccountForServices

rpc AddRegionalAdminAccountForServices(AddRegionalAdminAccountForServicesRequest) returns (AddRegionalAdminAccountForServicesResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.addRegionalAdminAccountForServices

The equivalent REST API is:

POST /v1/{parent=projects/*/regions/*}/serviceAccounts:addRegionalAdminAccountForServices 

ServiceAccount Messages

Here is the list of ServiceAccount resource messages:

ServiceAccount Message

Name Type Description
name string (name of ServiceAccount) Name of ServiceAccount. When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9-_]{0,55}[a-z0-9]
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
display_name string Display Name
description string Optional. Description of the account
email string Email
kind ServiceAccount.Kind Agent kind and purpose. Cannot be changed.

GetServiceAccountRequest Message

A request message of the GetServiceAccount method.

Name Type Description
name string (name of ServiceAccount) Name of ntt.iam.v1.ServiceAccount
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetServiceAccountsRequest Message

A request message of the BatchGetServiceAccounts method.

Name Type Description
names repeated string (name of ServiceAccount) Names of ServiceAccounts
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetServiceAccountsResponse Message

A response message of the BatchGetServiceAccounts method.

Name Type Description
service_accounts repeated ServiceAccount found ServiceAccounts
missing repeated string (name of ServiceAccount) list of not found ServiceAccounts

ListServiceAccountsRequest Message

A request message of the ListServiceAccounts method.

Name Type Description
parent string (parent name of ServiceAccount) Parent name of ntt.iam.v1.ServiceAccount
page_size int32 Requested page size. Server may return fewer ServiceAccounts than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of ServiceAccount) A token identifying a page of results the server should return. Typically, this is the value of ListServiceAccountsResponse.next_page_token.
order_by string (orderBy of ServiceAccount) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of ServiceAccount) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListServiceAccountsResponse Message

A response message of the ListServiceAccounts method.

Name Type Description
service_accounts repeated ServiceAccount The list of ServiceAccounts
prev_page_token string (cursor of ServiceAccount) A token to retrieve previous page of results. Pass this value in the ListServiceAccountsRequest.page_token.
next_page_token string (cursor of ServiceAccount) A token to retrieve next page of results. Pass this value in the ListServiceAccountsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total ServiceAccounts across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchServiceAccountRequest Message

A request message of the WatchServiceAccount method.

Name Type Description
name string (name of ServiceAccount) Name of ntt.iam.v1.ServiceAccount
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchServiceAccountResponse Message

A response message of the WatchServiceAccount method.

Name Type Description
change ServiceAccountChange

WatchServiceAccountsRequest Message

A request message of the WatchServiceAccounts method.

Name Type Description
type WatchType Type of a watch. Identifies how server stream data to a client, which fields in a request are allowed and which fields in response are relevant.
parent string (parent name of ServiceAccount) Parent name of ntt.iam.v1.ServiceAccount
page_size int32 Requested page size. Server may return fewer ServiceAccounts than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of ServiceAccount) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of ServiceAccount) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of ServiceAccount) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view Changes to ServiceAccount that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask Changes to ServiceAccount that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchServiceAccountsResponse Message

A response message of the WatchServiceAccounts method.

Name Type Description
service_account_changes repeated ServiceAccountChange Changes of ServiceAccounts
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that client should, at this moment, hold a snapshot of the current situation (or more accurately, snapshot of situation at the moment of request). All ServiceAccounts will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left to 0.
page_token_change WatchServiceAccountsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information on how many resources the client should have in its state so far (response message without any changes, but with snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat this as an error and reconnect. If value is smaller than 0, then client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, server may send response message with this flag. It indicates that client should drop all changes from recent responses where is_current is false only! If last message had is_current set to true, client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, server may send response message with this flag. After receiving it, client should clear whole state (drop all changes received so far) as server will send new snapshot (ServiceAccounts will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
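An added sketch, not taken from the EdgeLQ SDK, of how a client could fold stateless WatchServiceAccounts (or WatchRoleBindings) responses into local state following the is_current, is_soft_reset, is_hard_reset and snapshot_size rules above. Responses are modelled as plain dicts; the change entry shape (type/name/resource), the class and helper names and the sample stream are assumptions of this example.

```python
class SnapshotMismatch(Exception):
    """Local state disagrees with snapshot_size; the caller must reconnect."""


class StatelessWatchState:
    def __init__(self, changes_field="service_account_changes"):
        self.changes_field = changes_field
        self.resources = {}        # committed view: name -> resource
        self.pending = []          # changes from chunks where is_current is false
        self.resume_token = None
        self.has_snapshot = False  # True once the first is_current chunk arrived

    def apply(self, resp):
        """Fold one watch response into the state. Returns True on commit."""
        if resp.get("is_hard_reset"):
            # A new snapshot will follow: drop all state and any resume token.
            self.resources.clear()
            self.pending.clear()
            self.resume_token = None
            self.has_snapshot = False
            return False
        if resp.get("is_soft_reset"):
            # Only uncommitted chunks are dropped; the resume token stays valid.
            self.pending.clear()
            return False

        changes = resp.get(self.changes_field, [])
        is_current = resp.get("is_current", False)
        size = resp.get("snapshot_size", -1)  # values below 0 mean "unpopulated"
        if not changes and not is_current and size >= 0:
            # Assumption: the count is compared against the committed view.
            if size != len(self.resources):
                raise SnapshotMismatch(
                    "server reports %d resources, client holds %d"
                    % (size, len(self.resources)))
            return False

        self.pending.extend(changes)
        if not is_current:
            return False  # keep buffering until the last chunk arrives
        for change in self.pending:
            if change["type"] == "removed":
                self.resources.pop(change["name"], None)
            else:  # added / current / modified all carry the new resource body
                self.resources[change["name"]] = change["resource"]
        self.pending.clear()
        self.has_snapshot = True
        if resp.get("resume_token"):
            self.resume_token = resp["resume_token"]
        return True


def change(kind, name, display_name=None):
    """Build one constructed change entry (hypothetical shape)."""
    entry = {"type": kind, "name": name}
    if kind != "removed":
        entry["resource"] = {"name": name, "display_name": display_name}
    return entry


SA_A = "projects/p1/regions/r1/serviceAccounts/sa-a"
SA_B = "projects/p1/regions/r1/serviceAccounts/sa-b"

# Constructed sample stream, not captured from a real server.
CONSTRUCTED_STREAM = [
    {"service_account_changes": [change("current", SA_A, "a")], "is_current": False},
    {"service_account_changes": [change("current", SA_B, "b")], "is_current": True,
     "resume_token": "tok-1"},
    {"snapshot_size": 2},                    # matches the two committed accounts
    {"service_account_changes": [change("modified", SA_A, "a-renamed")],
     "is_current": False},
    {"is_soft_reset": True},                 # the buffered rename is discarded
    {"service_account_changes": [change("removed", SA_B)], "is_current": True,
     "resume_token": "tok-2"},
]


def replay(stream):
    """Apply every response in order and return the resulting state."""
    state = StatelessWatchState()
    for resp in stream:
        state.apply(resp)
    return state


if __name__ == "__main__":
    final = replay(CONSTRUCTED_STREAM)
    print(sorted(final.resources), final.resume_token)
```

A cache of RoleBindings or ServiceAccounts that skips the reset and snapshot_size checks can keep serving entries the server has already removed, so a SnapshotMismatch should end the stream and force a reconnect rather than be logged and ignored.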

WatchServiceAccountsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of ServiceAccount) New token to retrieve previous page of results.
next_page_token string (cursor of ServiceAccount) New token to retrieve next page of results.

CreateServiceAccountRequest Message

A request message of the CreateServiceAccount method.

Name Type Description
parent string (parent name of ServiceAccount) Parent name of ntt.iam.v1.ServiceAccount
service_account ServiceAccount ServiceAccount resource body
response_mask CreateServiceAccountRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateServiceAccountRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateServiceAccountRequest Message

A request message of the UpdateServiceAccount method.

Name Type Description
service_account ServiceAccount ServiceAccount resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateServiceAccountRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateServiceAccountRequest.ResponseMask Reduces message response size.

UpdateServiceAccountRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state ServiceAccount Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.
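An added sketch (not EdgeLQ code) of the compare-and-swap check described for UpdateRoleBindingRequest.CAS and UpdateServiceAccountRequest.CAS: an in-memory stand-in for the server raises Aborted when the masked fields differ from conditional_state, and the client retries from a fresh read. FakeServiceAccountStore, append_note, the test hook and the top-level-only field mask handling are assumptions of this example.

```python
import copy


class Aborted(Exception):
    """Stands in for the RPC error Aborted."""


def project(resource, paths):
    """Keep only the fields named in a field mask (top-level paths only)."""
    return {path: resource.get(path) for path in paths}


class FakeServiceAccountStore:
    """In-memory stand-in for the server side of UpdateServiceAccount."""

    def __init__(self, resource):
        self._stored = copy.deepcopy(resource)

    def get(self):
        return copy.deepcopy(self._stored)

    def update(self, service_account, update_mask, cas=None):
        if cas is not None:
            paths = cas["field_mask"]
            # Compare stored resource and conditional_state under the CAS mask.
            if project(self._stored, paths) != project(cas["conditional_state"], paths):
                raise Aborted("stored state differs from cas.conditional_state")
        for path in update_mask:
            self._stored[path] = service_account[path]
        return self.get()


def append_note(store, note, before_write=None, max_attempts=3):
    """Read-modify-write guarded by CAS; returns the number of attempts used."""
    for attempt in range(1, max_attempts + 1):
        current = store.get()
        desired = dict(current, description=current["description"] + "; " + note)
        if before_write is not None:
            before_write(attempt)  # test hook: lets a concurrent writer slip in
        try:
            store.update(
                desired,
                update_mask=["description"],
                cas={"conditional_state": current, "field_mask": ["description"]},
            )
            return attempt
        except Aborted:
            continue  # someone else changed the field: re-read and recompute
    raise Aborted("gave up after %d attempts" % max_attempts)


def demo():
    """Constructed scenario: a second writer edits the description mid-update."""
    name = "projects/p1/regions/r1/serviceAccounts/build-agent"
    store = FakeServiceAccountStore(
        {"name": name, "display_name": "build agent", "description": "build agent"})

    def concurrent_writer(attempt):
        if attempt == 1:
            store.update({"description": "build agent (prod)"}, ["description"])

    attempts = append_note(store, "reviewed", before_write=concurrent_writer)
    return attempts, store.get()


if __name__ == "__main__":
    print(demo())
```

Without the cas argument the first write would have replaced "build agent (prod)" with a value computed from the stale read, which is the lost update the conditional check is there to prevent.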

UpdateServiceAccountRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteServiceAccountRequest Message

A request message of the DeleteServiceAccount method.

Name Type Description
name string (name of ServiceAccount) Name of ntt.iam.v1.ServiceAccount

GetMyAgentShardRequest Message

A request message of the GetMyAgentShard method.

Name Type Description
name string (name of ServiceAccount) Name of ntt.iam.v1.ServiceAccount of Agent type

GetMyAgentShardResponse Message

A response message of the GetMyAgentShard method.

Name Type Description
shard_num int64

GetShardEndpointsRequest Message

A request message of the GetShardEndpoints method.

Name Type Description
shard_num int64

GetShardEndpointsResponse Message

A response message of the GetShardEndpoints method.

Name Type Description
endpoints repeated string

AddRegionalAdminAccountForServicesRequest Message

Request message for method [AddRegionalAdminAccountForServices][ntt.iam.v1.AddRegionalAdminAccountForServices]

Name Type Description
parent string (parent name of ServiceAccount) Parent of ServiceAccount containing Service project and Region. If region is not enabled in project, it will be enabled for this request.
services repeated string (name of Service) List of services in which admin account must participate. They must all belong to the project indicated in the parent.
admin_account string (name of ServiceAccount) Regional service account name that will be an admin for this Service. If it does not exist, it will be created.
admin_key ServiceAccountKey Optional admin account key - must be skipped if admin_account already exists and has key already known by user. If provided, then new ServiceAccountKey will be created. If public key was provided in request, then server will use it. Otherwise it will generate private/public pair and provide both in response. If admin_key already exists and is still provided in request, AlreadyExists will be returned.
admin_account_project_role string (name of Role) Optional Role admin_account will have in the service project. When service is eventually created, admin_account will have full ownership of the Service. However, it won't be able to access Service Project freely - by default a minimal role is assigned, which allows it to send usage metrics (for example). In some cases it may be necessary for admin_account to have larger access to the service project, for example for devices management.

AddRegionalAdminAccountForServicesResponse Message

Response message for method [AddRegionalAdminAccountForServices][ntt.iam.v1.AddRegionalAdminAccountForServices]

Name Type Description
ntt_admin_credentials ServiceAccount Service account admin credentials are provided if admin_key was populated in the request object. It will have private key data if public key was not provided in the request admin_key. JSON representation of this object must be saved by the caller as ntt-credentials.json file - it will be required during actual regional application deployment. If user generated private/public pair themselves (and provided public key in request object), before saving JSON user will need to populate private key string themselves in the final file. In case of lost credentials, user will need to send DeleteServiceAccountKey and CreateServiceAccountKey requests for admin ServiceAccount - and craft new credentials.

ServiceAccount Enumerations

Here is the list of ServiceAccount resource enumerations:

ServiceAccount.Kind Enumeration

Kind indicates purpose of the service account.

Name Description
UNSPECIFIED Any purpose
AGENT Agent indicates that ServiceAccount is associated with some single specific resource, like devices.edgelq.com/Device. Agent Service Accounts are automatically sharded and should ideally use dedicated server instances holding their shard. Agent type accounts are allowed to have only RoleBindings in their projects. They cannot have domain role bindings. They can still benefit from AllUsers/AllAuthenticatedUsers role bindings though.

ServiceAccountKey Resource


Name patterns:

  • projects/{project}/regions/{region}/serviceAccounts/{service_account}/serviceAccountKeys/{service_account_key}

Parent resources:

This section covers the methods and messages to interact with ServiceAccountKey resource.

ServiceAccountKey Methods

Here is the list of ServiceAccountKey resource methods:

GetServiceAccountKey Method

GetServiceAccountKey

rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.get

The equivalent REST API is:

GET /v1/{name=projects/*/regions/*/serviceAccounts/*/serviceAccountKeys/*} 

BatchGetServiceAccountKeys Method

BatchGetServiceAccountKeys

rpc BatchGetServiceAccountKeys(BatchGetServiceAccountKeysRequest) returns (BatchGetServiceAccountKeysResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.batchGet

The equivalent REST API is:

GET /v1/serviceAccountKeys:batchGet 

ListServiceAccountKeys Method

ListServiceAccountKeys

rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.list

The equivalent REST API is:

GET /v1/{parent=projects/*/regions/*/serviceAccounts/*}/serviceAccountKeys 

WatchServiceAccountKey Method

WatchServiceAccountKey

rpc WatchServiceAccountKey(WatchServiceAccountKeyRequest) returns (WatchServiceAccountKeyResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.watch

The equivalent REST API is:

POST /v1/{name=projects/*/regions/*/serviceAccounts/*/serviceAccountKeys/*}:watch 

WatchServiceAccountKeys Method

WatchServiceAccountKeys

rpc WatchServiceAccountKeys(WatchServiceAccountKeysRequest) returns (WatchServiceAccountKeysResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.watch

The equivalent REST API is:

POST /v1/{parent=projects/*/regions/*/serviceAccounts/*}/serviceAccountKeys:watch 

CreateServiceAccountKey Method

CreateServiceAccountKey

rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.create

The equivalent REST API is:

POST /v1/{parent=projects/*/regions/*/serviceAccounts/*}/serviceAccountKeys (BODY: service_account_key)

UpdateServiceAccountKey Method

UpdateServiceAccountKey

rpc UpdateServiceAccountKey(UpdateServiceAccountKeyRequest) returns (ServiceAccountKey)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.update

The equivalent REST API is:

PUT /v1/{service_account_key.name=projects/*/regions/*/serviceAccounts/*/serviceAccountKeys/*} (BODY: service_account_key)

DeleteServiceAccountKey Method

DeleteServiceAccountKey

rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.delete

The equivalent REST API is:

DELETE /v1/{name=projects/*/regions/*/serviceAccounts/*/serviceAccountKeys/*} 

ServiceAccountKey Messages

Here is the list of ServiceAccountKey resource messages:

ServiceAccountKey Message

Name Type Description
name string (name of ServiceAccountKey) Name of ServiceAccountKey. When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9\-]{0,28}[a-z0-9]
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
display_name string Display name
description string Optional. Description of the key
public_key_data string Public key contents
private_key_data string The private key of the pair. This field is only provided in CreateServiceAccountKey responses. Private keys are NOT stored on the server.
api_key string API key is set if algorithm is equal to API_KEY and is provided in CreateServiceAccountKey responses. API keys are not stored on the server, so the caller is obliged to remember the value. If it is lost, it is necessary to create a new key. The API key must be used as the token in the authorization header when making a request: Authorization: "Bearer $API_KEY". Example for curl: $ curl -X GET -H "Authorization: Bearer $API_KEY" -s $URL
algorithm ServiceAccountKey.Algorithm The algorithm used to generate the key.
valid_not_before .google.protobuf.Timestamp The key is not valid before this timestamp.
valid_not_after .google.protobuf.Timestamp The key is not valid after this timestamp.

GetServiceAccountKeyRequest Message

A request message of the GetServiceAccountKey method.

Name Type Description
name string (name of ServiceAccountKey) Name of ntt.iam.v1.ServiceAccountKey
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetServiceAccountKeysRequest Message

A request message of the BatchGetServiceAccountKeys method.

Name Type Description
names repeated string (name of ServiceAccountKey) Names of ServiceAccountKeys
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetServiceAccountKeysResponse Message

A response message of the BatchGetServiceAccountKeys method.

Name Type Description
service_account_keys repeated ServiceAccountKey found ServiceAccountKeys
missing repeated string (name of ServiceAccountKey) list of not found ServiceAccountKeys

ListServiceAccountKeysRequest Message

A request message of the ListServiceAccountKeys method.

Name Type Description
parent string (parent name of ServiceAccountKey) Parent name of ntt.iam.v1.ServiceAccountKey
page_size int32 Requested page size. Server may return fewer ServiceAccountKeys than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of ServiceAccountKey) A token identifying a page of results the server should return. Typically, this is the value of ListServiceAccountKeysResponse.next_page_token.
order_by string (orderBy of ServiceAccountKey) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of ServiceAccountKey) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListServiceAccountKeysResponse Message

A response message of the ListServiceAccountKeys method.

Name Type Description
service_account_keys repeated ServiceAccountKey The list of ServiceAccountKeys
prev_page_token string (cursor of ServiceAccountKey) A token to retrieve previous page of results. Pass this value in the ListServiceAccountKeysRequest.page_token.
next_page_token string (cursor of ServiceAccountKey) A token to retrieve next page of results. Pass this value in the ListServiceAccountKeysRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total ServiceAccountKeys across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchServiceAccountKeyRequest Message

A request message of the WatchServiceAccountKey method.

Name Type Description
name string (name of ServiceAccountKey) Name of ntt.iam.v1.ServiceAccountKey
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchServiceAccountKeyResponse Message

A response message of the WatchServiceAccountKey method.

Name Type Description
change ServiceAccountKeyChange

WatchServiceAccountKeysRequest Message

A request message of the WatchServiceAccountKeys method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in a response are relevant.
parent string (parent name of ServiceAccountKey) Parent name of ntt.iam.v1.ServiceAccountKey
page_size int32 Requested page size. Server may return fewer ServiceAccountKeys than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of ServiceAccountKey) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of ServiceAccountKey) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of ServiceAccountKey) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to ServiceAccountKey that don’t affect any of the masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to ServiceAccountKey that don’t affect any of the masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchServiceAccountKeysResponse Message

A response message of the WatchServiceAccountKeys method.

Name Type Description
service_account_key_changes repeated ServiceAccountKeyChange Changes of ServiceAccountKeys
is_current bool If the request specified max_chunk_size (or this limit was enforced because a stateless watch was chosen), then responses with a “full changeset” will be divided into chunks. The client should keep receiving messages and, once is_current has value true, combine this most recent message with all previous ones where is_current is false. If this is the first is_current in the whole watch stream, the client should at this moment hold a snapshot of the current situation (or, more accurately, a snapshot of the situation at the moment of the request). All ServiceAccountKeys will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental; however, messages may still be chunked and the is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchServiceAccountKeysResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 The server may occasionally send information on how many resources the client should have in its state so far (a response message without any changes, but with the snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat this as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent together with the is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. A resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far), as the server will send a new snapshot (ServiceAccountKeys will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.

WatchServiceAccountKeysResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of ServiceAccountKey) New token to retrieve previous page of results.
next_page_token string (cursor of ServiceAccountKey) New token to retrieve next page of results.

CreateServiceAccountKeyRequest Message

A request message of the CreateServiceAccountKey method.

Name Type Description
parent string (parent name of ServiceAccountKey) Parent name of ntt.iam.v1.ServiceAccountKey
service_account_key ServiceAccountKey ServiceAccountKey resource body
response_mask CreateServiceAccountKeyRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateServiceAccountKeyRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateServiceAccountKeyRequest Message

A request message of the UpdateServiceAccountKey method.

Name Type Description
service_account_key ServiceAccountKey ServiceAccountKey resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateServiceAccountKeyRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then the server will fetch the existing resource, compare it with the one stored in the cas field (after applying field mask) and proceed with the update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateServiceAccountKeyRequest.ResponseMask Reduces message response size.

UpdateServiceAccountKeyRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state ServiceAccountKey Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateServiceAccountKeyRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteServiceAccountKeyRequest Message

A request message of the DeleteServiceAccountKey method.

Name Type Description
name string (name of ServiceAccountKey) Name of ntt.iam.v1.ServiceAccountKey

ServiceAccountKey Enumerations

Here is the list of ServiceAccountKey resource enumerations:

ServiceAccountKey.Algorithm Enumeration

Name Description
KEY_ALGORITHM_UNSPECIFIED
RSA_1024
RSA_2048
RSA_4096
API_KEY
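The ServiceAccountKey fields above (algorithm, valid_not_before, valid_not_after, and the create-only private_key_data / api_key) are enough to run a hygiene check over an inventory of key records. The following is an added example, not code from the EdgeLQ project; it assumes records are JSON objects using the snake_case field names shown on this page, and the resource names, timestamps and placeholder secret are constructed sample data. Flagging RSA_1024 reflects general cryptographic guidance, not a statement made by this page.

```python
from datetime import datetime, timezone

# Assumption: RSA_1024 is treated as weak on general guidance; the page only lists it.
WEAK_ALGORITHMS = {"RSA_1024"}
# Per the page, these fields appear only in CreateServiceAccountKey responses and are
# not stored on the server. Finding them in a saved record means a secret was persisted.
SECRET_FIELDS = ("private_key_data", "api_key")


def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2025-01-01T00:00:00Z; None if unset."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_key(key, now):
    """Return a list of findings for one ServiceAccountKey record."""
    findings = []
    if key.get("algorithm") in WEAK_ALGORITHMS:
        findings.append("weak-algorithm")
    not_before = parse_ts(key.get("valid_not_before"))
    not_after = parse_ts(key.get("valid_not_after"))
    if not_after is None:
        findings.append("no-expiry")          # key never ages out on its own
    elif not_after < now:
        findings.append("expired")            # candidate for DeleteServiceAccountKey
    if not_before is not None and not_before > now:
        findings.append("not-yet-valid")
    if any(key.get(name) for name in SECRET_FIELDS):
        findings.append("secret-material-present")
    return findings


def audit_keys(keys, now):
    """Map key name -> findings, listing only keys that have at least one finding."""
    report = {}
    for key in keys:
        findings = audit_key(key, now)
        if findings:
            report[key["name"]] = findings
    return report


# Constructed sample inventory (not real resources).
PREFIX = "projects/demo/regions/r1/serviceAccounts/ci/serviceAccountKeys/"
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"name": PREFIX + "k-legacy", "algorithm": "RSA_1024",
     "valid_not_before": "2020-01-01T00:00:00Z"},
    {"name": PREFIX + "k-rotated", "algorithm": "RSA_2048",
     "valid_not_before": "2024-01-01T00:00:00Z",
     "valid_not_after": "2025-01-01T00:00:00Z"},
    {"name": PREFIX + "k-good", "algorithm": "RSA_4096",
     "valid_not_before": "2025-01-01T00:00:00Z",
     "valid_not_after": "2025-12-31T00:00:00Z"},
    {"name": PREFIX + "k-saved", "algorithm": "API_KEY",
     "valid_not_after": "2026-01-01T00:00:00Z",
     "api_key": "<constructed-placeholder>"},
    {"name": PREFIX + "k-future", "algorithm": "RSA_2048",
     "valid_not_before": "2025-07-01T00:00:00Z",
     "valid_not_after": "2026-07-01T00:00:00Z"},
]

if __name__ == "__main__":
    for name, findings in audit_keys(SAMPLE_KEYS, NOW).items():
        print(name, findings)
```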

User Resource

Name patterns:

  • users/{user}

This section covers the methods and messages to interact with User resource.

User Methods

Here is the list of User resource methods:

GetUser Method

GetUser

rpc GetUser(GetUserRequest) returns (User)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.get

The equivalent REST API is:

GET /v1/{name=users/*} 

BatchGetUsers Method

BatchGetUsers

rpc BatchGetUsers(BatchGetUsersRequest) returns (BatchGetUsersResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.batchGet

The equivalent REST API is:

GET /v1/users:batchGet 

ListUsers Method

ListUsers

rpc ListUsers(ListUsersRequest) returns (ListUsersResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.list

The equivalent REST API is:

GET /v1/users 

WatchUser Method

WatchUser

rpc WatchUser(WatchUserRequest) returns (WatchUserResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.watch

The equivalent REST API is:

POST /v1/{name=users/*}:watch 

WatchUsers Method

WatchUsers

rpc WatchUsers(WatchUsersRequest) returns (WatchUsersResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.watch

The equivalent REST API is:

POST /v1/users:watch 

CreateUser Method

CreateUser

rpc CreateUser(CreateUserRequest) returns (User)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.create

The equivalent REST API is:

POST /v1/users (BODY: user)

UpdateUser Method

UpdateUser

rpc UpdateUser(UpdateUserRequest) returns (User)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.update

The equivalent REST API is:

PUT /v1/{user.name=users/*} (BODY: user)

DeleteUser Method

DeleteUser

rpc DeleteUser(DeleteUserRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.delete

The equivalent REST API is:

DELETE /v1/{name=users/*} 

GetUserByEmail Method

GetUserByEmail

rpc GetUserByEmail(GetUserByEmailRequest) returns (User)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.getByEmail

The equivalent REST API is:

POST /v1:getByEmail 

BatchGetUsersByEmail Method

BatchGetUsersByEmail

rpc BatchGetUsersByEmail(BatchGetUsersByEmailRequest) returns (BatchGetUsersByEmailResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.batchGetByEmail

The equivalent REST API is:

POST /v1/users:batchGetByEmail 

GetMySettings Method

GetMySettings

rpc GetMySettings(GetMySettingsRequest) returns (GetMySettingsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.getMySettings

The equivalent REST API is:

POST /v1/users:getMySettings 

SetMySettings Method

SetMySettings

rpc SetMySettings(SetMySettingsRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.setMySettings

The equivalent REST API is:

POST /v1/users:setMySettings 

RefreshUserFromIdToken Method

RefreshUserFromIdToken

rpc RefreshUserFromIdToken(RefreshUserFromIdTokenRequest) returns (RefreshUserFromIdTokenResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.refreshUserFromIdToken

The equivalent REST API is:

POST /v1/users:refreshUserFromIdToken 

ResendVerificationEmail Method

ResendVerificationEmail

rpc ResendVerificationEmail(ResendVerificationEmailRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.resendVerificationEmail

The equivalent REST API is:

POST /v1/users:resendVerificationEmail 

IsUserVerified Method

IsUserVerified

rpc IsUserVerified(IsUserVerifiedRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.isUserVerified

The equivalent REST API is:

POST /v1/users:isUserVerified 

ResetMFAIfRecoveryKeyUsed Method

ResetMFAIfRecoveryKeyUsed

rpc ResetMFAIfRecoveryKeyUsed(ResetMFAIfRecoveryKeyUsedRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.resetMFAIfRecoveryKeyUsed

The equivalent REST API is:

POST /v1/users:resetMFAIfRecoveryKeyUsed 

SetUsersNameInAuth0 Method

SetUsersNameInAuth0

rpc SetUsersNameInAuth0(SetUsersNameInAuth0Request) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.setUsersNameInAuth0

The equivalent REST API is:

POST /v1/users:setUsersNameInAuth0 

DeleteUsersByCriteria Method

DeleteUsersByCriteria

rpc DeleteUsersByCriteria(DeleteUsersByCriteriaRequest) returns (DeleteUsersByCriteriaResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.deleteUsersByCriteria

The equivalent REST API is:

POST /v1:deleteUsersByCriteria 

User Messages

Here is the list of User resource messages:

User Message

Name Type Description
name string (name of User) Name of User. When creating a new instance, this field is optional and, if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9\-]{0,28}[a-z0-9]
metadata Meta Metadata is an object with information like create, update and delete time (for async deleted resources), has user labels/annotations, sharding information, multi-region syncing information and may have non-schema owners (useful for taking ownership of resources belonging to lower level services by higher ones).
full_name string Full Name
email string Email
email_verified bool Is email verified
auth_info User.AuthInfo
settings map<string, string> User settings and preferences
refreshed_time .google.protobuf.Timestamp
ctrl_status User.WorkStatus Internal status used by controller.

User.AuthInfo Message

Name Type Description
provider string auth provider
id string auth provider id

User.WorkStatus Message

Name Type Description
pending bool if controller has some work on this resource

GetUserRequest Message

A request message of the GetUser method.

Name Type Description
name string (name of User) Name of ntt.iam.v1.User
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetUsersRequest Message

A request message of the BatchGetUsers method.

Name Type Description
names repeated string (name of User) Names of Users
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetUsersResponse Message

A response message of the BatchGetUsers method.

Name Type Description
users repeated User found Users
missing repeated string (name of User) list of not found Users

ListUsersRequest Message

A request message of the ListUsers method.

Name Type Description
page_size int32 Requested page size. Server may return fewer Users than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of User) A token identifying a page of results the server should return. Typically, this is the value of ListUsersResponse.next_page_token.
order_by string (orderBy of User) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of User) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListUsersResponse Message

A response message of the ListUsers method.

Name Type Description
users repeated User The list of Users
prev_page_token string (cursor of User) A token to retrieve previous page of results. Pass this value in the ListUsersRequest.page_token.
next_page_token string (cursor of User) A token to retrieve next page of results. Pass this value in the ListUsersRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Users across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchUserRequest Message

A request message of the WatchUser method.

Name Type Description
name string (name of User) Name of ntt.iam.v1.User
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchUserResponse Message

A response message of the WatchUser method.

Name Type Description
change UserChange

WatchUsersRequest Message

A request message of the WatchUsers method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in a response are relevant.
page_size int32 Requested page size. Server may return fewer Users than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of User) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of User) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of User) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to User that don’t affect any of the masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to User that don’t affect any of the masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchUsersResponse Message

A response message of the WatchUsers method.

Name Type Description
user_changes repeated UserChange Changes of Users
is_current bool If the request specified max_chunk_size (or this limit was enforced because a stateless watch was chosen), then responses with a “full changeset” will be divided into chunks. The client should keep receiving messages and, once is_current has value true, combine this most recent message with all previous ones where is_current is false. If this is the first is_current in the whole watch stream, the client should at this moment hold a snapshot of the current situation (or, more accurately, a snapshot of the situation at the moment of the request). All Users will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental; however, messages may still be chunked and the is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchUsersResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 The server may occasionally send information on how many resources the client should have in its state so far (a response message without any changes, but with the snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat this as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent together with the is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. A resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far), as the server will send a new snapshot (Users will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
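The chunking and reset rules described for WatchServiceAccountKeysResponse and WatchUsersResponse (is_current, is_soft_reset, is_hard_reset, snapshot_size, resume_token) amount to a small client-side state machine; getting it wrong leaves a local cache that still trusts a removed key or user. The following is an added example, not code from the EdgeLQ project. It assumes a stateless watch, messages already decoded into dicts with the field names on this page, a missing snapshot_size treated as unpopulated, snapshot_size compared against committed state only, and a simplified, hypothetical change shape ({"type", "name", "resource"}) standing in for ServiceAccountKeyChange / UserChange. All messages are constructed.

```python
from dataclasses import dataclass, field


class SnapshotMismatch(Exception):
    """Local resource count differs from the server's snapshot_size; reconnect."""


@dataclass
class WatchReducer:
    changes_field: str                                  # "service_account_key_changes" or "user_changes"
    resources: dict = field(default_factory=dict)       # committed state: name -> resource
    pending: list = field(default_factory=list)         # changes from chunks with is_current=false
    resume_token: str = ""

    def apply_change(self, change):
        # Hypothetical simplified change shape; the real Change messages are not on this page.
        kind = change["type"]
        if kind in ("added", "current", "modified"):
            self.resources[change["name"]] = change["resource"]
        elif kind == "removed":
            self.resources.pop(change["name"], None)
        else:
            raise ValueError("unknown change type: %r" % kind)

    def handle(self, msg):
        if msg.get("is_hard_reset"):
            # Clear whole state and discard resume tokens; a new snapshot follows.
            self.resources.clear()
            self.pending.clear()
            self.resume_token = ""
            return
        if msg.get("is_soft_reset"):
            # Drop only uncommitted chunks; committed state and resume token stay valid.
            self.pending.clear()
            return
        size = msg.get("snapshot_size", -1)             # assumption: missing means unpopulated
        if size >= 0:
            if size != len(self.resources):
                raise SnapshotMismatch(
                    "server expects %d resources, client holds %d" % (size, len(self.resources)))
            return
        self.pending.extend(msg.get(self.changes_field, []))
        if msg.get("is_current"):
            # Last chunk: commit everything buffered since the previous is_current=true.
            for change in self.pending:
                self.apply_change(change)
            self.pending.clear()
            self.resume_token = msg.get("resume_token", self.resume_token)


def replay(messages, changes_field):
    """Feed a sequence of decoded watch responses through a fresh reducer."""
    reducer = WatchReducer(changes_field)
    for msg in messages:
        reducer.handle(msg)
    return reducer


def added(name):
    return {"type": "added", "name": name, "resource": {"name": name}}


def removed(name):
    return {"type": "removed", "name": name}


# Constructed stream: chunked snapshot, an aborted incremental chunk, a size check, one removal.
F = "service_account_key_changes"
SAMPLE_STREAM = [
    {F: [added("k1"), added("k2")], "is_current": False},
    {F: [added("k3")], "is_current": True, "resume_token": "rt-1"},
    {F: [removed("k1")], "is_current": False},
    {"is_soft_reset": True},
    {"snapshot_size": 3},
    {F: [removed("k2")], "is_current": True, "resume_token": "rt-2"},
]

if __name__ == "__main__":
    r = replay(SAMPLE_STREAM, F)
    print(sorted(r.resources), r.resume_token)
```

On SnapshotMismatch the caller should drop the connection and reconnect, as the snapshot_size description requires.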

WatchUsersResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of User) New token to retrieve previous page of results.
next_page_token string (cursor of User) New token to retrieve next page of results.

CreateUserRequest Message

A request message of the CreateUser method.

Name Type Description
user User User resource body
response_mask CreateUserRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateUserRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateUserRequest Message

A request message of the UpdateUser method.

Name Type Description
user User User resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateUserRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then the server will fetch the existing resource, compare it with the one stored in the cas field (after applying field mask) and proceed with the update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateUserRequest.ResponseMask Reduces message response size.

UpdateUserRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state User Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateUserRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteUserRequest Message

A request message of the DeleteUser method.

Name Type Description
name string (name of User) Name of ntt.iam.v1.User

GetUserByEmailRequest Message

Request message for method [GetUserByEmail][ntt.iam.v1.GetUserByEmail]

Name Type Description
email string reference of ntt.iam.v1.User
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
skip_cache bool If true, server will skip checking if query result is present in its cache

BatchGetUsersByEmailRequest Message

Request message for method [BatchGetUsersByEmail][ntt.iam.v1.BatchGetUsersByEmail]

Name Type Description
emails repeated string Emails of users
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
skip_cache bool If true, server will skip checking if query result is present in its cache

BatchGetUsersByEmailResponse Message

Response message for method [BatchGetUsersByEmail][ntt.iam.v1.BatchGetUsersByEmail]

Name Type Description
users repeated User found Users
missing repeated string list of not found user emails

GetMySettingsRequest Message

Request message for method [GetMySettings][ntt.iam.v1.GetMySettings]

Name Type Description
keys repeated string list of keys to retrieve

GetMySettingsResponse Message

Response message for method [GetMySettings][ntt.iam.v1.GetMySettings]

Name Type Description
settings map<string, string> resulting settings

SetMySettingsRequest Message

Request message for method [SetMySettings][ntt.iam.v1.SetMySettings]

Name Type Description
settings map<string, string> Settings to update. Leave empty value to unset key

RefreshUserFromIdTokenRequest Message

Request message for method [RefreshUserFromIdToken][ntt.iam.v1.RefreshUserFromIdToken]

Name Type Description
id_token string JWT-encoded ID token

RefreshUserFromIdTokenResponse Message

Response message for method [RefreshUserFromIdToken][ntt.iam.v1.RefreshUserFromIdToken]

Name Type Description
none none none

ResendVerificationEmailRequest Message

Request message for method [ResendVerificationEmail][ntt.iam.v1.ResendVerificationEmail]

Name Type Description
client_id string Optional Auth client ID. May be defined per application to customize email template.

IsUserVerifiedRequest Message

Request message for method [IsUserVerified][ntt.iam.v1.IsUserVerified]

Name Type Description
none none none

ResetMFAIfRecoveryKeyUsedRequest Message

Request message for method [ResetMFAIfRecoveryKeyUsed][ntt.iam.v1.ResetMFAIfRecoveryKeyUsed]

Name Type Description
none none none

SetUsersNameInAuth0Request Message

Request message for method [SetUsersNameInAuth0][ntt.iam.v1.SetUsersNameInAuth0]

Name Type Description
none none none

DeleteUsersByCriteriaRequest Message

Request message for method [DeleteUsersByCriteria][ntt.iam.v1.DeleteUsersByCriteria]

Name Type Description
by_email DeleteUsersByCriteriaRequest.UserEmails Delete by email criteria
by_name DeleteUsersByCriteriaRequest.UserNames Delete by name criteria
auth_info_provider string Auth info provider type. Optional. If provided, it must match deleted user instances - field auth_info.provider must exactly match specified value.
auth_info_id_prefix string Auth info ID prefix. Optional. If provided, it must match deleted user instances - field auth_info.id must begin with specified prefix.

DeleteUsersByCriteriaRequest.UserEmails Message

Name Type Description
values repeated string

DeleteUsersByCriteriaRequest.UserNames Message

Name Type Description
values repeated string (name of User)

DeleteUsersByCriteriaResponse Message

Response message for method [DeleteUsersByCriteria][ntt.iam.v1.DeleteUsersByCriteria]

Name Type Description
deleted_users repeated string (name of User) List of deleted user resources

IAM Service Shared Methods and Messages

IAM Service Shared Methods

Here is the list of IAM service shared methods:

GetPrincipal Method

GetPrincipal

rpc GetPrincipal(GetPrincipalRequest) returns (GetPrincipalResponse)

WatchPrincipalUpdates Method

WatchPrincipalUpdates

rpc WatchPrincipalUpdates(WatchPrincipalUpdatesRequest) returns (WatchPrincipalUpdatesResponse)

IAM Service Shared Messages

Here is the list of IAM service shared messages:

Actor Message

Actor is a party performing an action

Name Type Description
user string (reference to User)
service_account string (reference to ServiceAccount)

AttestationDomainChange Message

AttestationDomainChange is used by Watch notification responses to describe a change of a single AttestationDomain. One of Added, Modified, Removed.

Name Type Description
added AttestationDomainChange.Added Added is returned when watched document is added, either created or enters Query view
modified AttestationDomainChange.Modified Modified is returned when watched document is modified
current AttestationDomainChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed AttestationDomainChange.Removed Removed is returned when AttestationDomain is deleted or leaves Query view

AttestationDomainChange.Added Message

AttestationDomain has been added to query view

Name Type Description
attestation_domain AttestationDomain
view_index int32 Integer describing index of added AttestationDomain in resulting query view.

AttestationDomainChange.Current Message

AttestationDomain has been added or modified in a query view. Version used for stateless watching

Name Type Description
attestation_domain AttestationDomain

AttestationDomainChange.Modified Message

AttestationDomain changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of AttestationDomain) Name of modified AttestationDomain
attestation_domain AttestationDomain New version of AttestationDomain or masked difference, depending on mask_changes instrumentation of issued [WatchAttestationDomainRequest] or [WatchAttestationDomainsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified AttestationDomain. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying AttestationDomain new index in resulting query view.

AttestationDomainChange.Removed Message

Removed is returned when AttestationDomain is deleted or leaves Query view

Name Type Description
name string (name of AttestationDomain)
view_index int32 Integer specifying removed AttestationDomain index. Not populated in stateless watch type.

ConditionChange Message

ConditionChange is used by Watch notification responses to describe a change of a single Condition. One of Added, Modified, Removed.

Name Type Description
added ConditionChange.Added Added is returned when watched document is added, either created or enters Query view
modified ConditionChange.Modified Modified is returned when watched document is modified
current ConditionChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed ConditionChange.Removed Removed is returned when Condition is deleted or leaves Query view

ConditionChange.Added Message

Condition has been added to query view

Name Type Description
condition Condition
view_index int32 Integer describing index of added Condition in resulting query view.

ConditionChange.Current Message

Condition has been added or modified in a query view. Version used for stateless watching

Name Type Description
condition Condition

ConditionChange.Modified Message

Condition changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of Condition) Name of modified Condition
condition Condition New version of Condition or masked difference, depending on mask_changes instrumentation of issued [WatchConditionRequest] or [WatchConditionsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified Condition. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying Condition new index in resulting query view.

ConditionChange.Removed Message

Removed is returned when Condition is deleted or leaves Query view

Name Type Description
name string (name of Condition)
view_index int32 Integer specifying removed Condition index. Not populated in stateless watch type.

ExecutableCondition Message

ExecutableCondition represents instantiation of condition with params, in other words: Executable condition, that is used in Role bindings.

Name Type Description
condition string (reference to Condition) Reference to Condition which may also be parameterized
params .google.protobuf.Struct Parameters in string form. Parameters must match [declarations][ntt.iam.v1.Condition.parameter_declarations] TODO: Only used by deprecated CEL conditions.

GetPrincipalRequest Message

Request message for method [GetPrincipal][ntt.iam.v1.GetPrincipal]

Name Type Description
requesting_service string (name of Service) Service asking for given principal - IAM verifies if given principal has any role bindings in requesting service.
principal_key_id string Principal ID, different for users or service accounts
auth_token string User authorization token

GetPrincipalResponse Message

Response message for method [GetPrincipal][ntt.iam.v1.GetPrincipal]

Name Type Description
json_key string Public json key
principal_key_type string Key type
user User User data mapping principal
service_account ServiceAccount Service account mapping principal
anonymous bool Anonymous principal

GroupChange Message

GroupChange is used by Watch notification responses to describe a change of a single Group. One of Added, Modified, Removed.

Name Type Description
added GroupChange.Added Added is returned when watched document is added, either created or enters Query view
modified GroupChange.Modified Modified is returned when watched document is modified
current GroupChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed GroupChange.Removed Removed is returned when Group is deleted or leaves Query view

GroupChange.Added Message

Group has been added to query view

Name Type Description
group Group
view_index int32 Integer describing index of added Group in resulting query view.

GroupChange.Current Message

Group has been added or modified in a query view. Version used for stateless watching

Name Type Description
group Group

GroupChange.Modified Message

Group changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of Group) Name of modified Group
group Group New version of Group or masked difference, depending on mask_changes instrumentation of issued [WatchGroupRequest] or [WatchGroupsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified Group. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying Group new index in resulting query view.

GroupChange.Removed Message

Removed is returned when Group is deleted or leaves Query view

Name Type Description
name string (name of Group)
view_index int32 Integer specifying removed Group index. Not populated in stateless watch type.

GroupMemberChange Message

GroupMemberChange is used by Watch notification responses to describe a change of a single GroupMember. One of Added, Modified, Removed.

Name Type Description
added GroupMemberChange.Added Added is returned when watched document is added, either created or enters Query view
modified GroupMemberChange.Modified Modified is returned when watched document is modified
current GroupMemberChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed GroupMemberChange.Removed Removed is returned when GroupMember is deleted or leaves Query view

GroupMemberChange.Added Message

GroupMember has been added to query view

Name Type Description
group_member GroupMember
view_index int32 Integer describing index of added GroupMember in resulting query view.

GroupMemberChange.Current Message

GroupMember has been added or modified in a query view. Version used for stateless watching

Name Type Description
group_member GroupMember

GroupMemberChange.Modified Message

GroupMember changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of GroupMember) Name of modified GroupMember
group_member GroupMember New version of GroupMember or masked difference, depending on mask_changes instrumentation of issued [WatchGroupMemberRequest] or [WatchGroupMembersRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified GroupMember. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying GroupMember new index in resulting query view.

GroupMemberChange.Removed Message

Removed is returned when GroupMember is deleted or leaves Query view

Name Type Description
name string (name of GroupMember)
view_index int32 Integer specifying removed GroupMember index. Not populated in stateless watch type.

Invitation Message

Common invitation body. It’s used in Project/Organization Invitations

Name Type Description
invitee_email string Invitee Email address
inviter_actor Actor Inviter User
inviter_full_name string Denormalized data - TODO: remove it
inviter_email string Inviter Email
language_code string Invitation ISO language code. Defaults to “en-us” (American English).
binding_roles repeated Invitation.BindingRole List of role bindings for this invitation. They are used for creation of proper RoleBinding resources.
groups repeated string (reference to Group) List of groups where invitee should join after accepting invitation
expiration_date .google.protobuf.Timestamp Expiration date
extras map<string, string> Extra custom fields to further customize invitation experience. Fields should be agreed between sender (usually UI) and documented in the template of email service provider.
state Invitation.State Status of Invitation

Invitation.BindingRole Message

BindingRole is used to create RoleBinding when invitation is accepted.

Name Type Description
role string (reference to Role) Role to be granted
executable_conditions repeated ExecutableCondition List of all applicable condition bindings to be applied when creating RoleBinding.
scope_params repeated ScopeParam List of applicable scope params to be applied when creating RoleBinding.

MemberAssignmentChange Message

MemberAssignmentChange is used by Watch notification responses to describe a change of a single MemberAssignment. One of Added, Modified, Removed.

Name Type Description
added MemberAssignmentChange.Added Added is returned when watched document is added, either created or enters Query view
modified MemberAssignmentChange.Modified Modified is returned when watched document is modified
current MemberAssignmentChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed MemberAssignmentChange.Removed Removed is returned when MemberAssignment is deleted or leaves Query view

MemberAssignmentChange.Added Message

MemberAssignment has been added to query view

Name Type Description
member_assignment MemberAssignment
view_index int32 Integer describing index of added MemberAssignment in resulting query view.

MemberAssignmentChange.Current Message

MemberAssignment has been added or modified in a query view. Version used for stateless watching

Name Type Description
member_assignment MemberAssignment

MemberAssignmentChange.Modified Message

MemberAssignment changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of MemberAssignment) Name of modified MemberAssignment
member_assignment MemberAssignment New version of MemberAssignment or masked difference, depending on mask_changes instrumentation of issued [WatchMemberAssignmentRequest] or [WatchMemberAssignmentsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified MemberAssignment. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying MemberAssignment new index in resulting query view.

MemberAssignmentChange.Removed Message

Removed is returned when MemberAssignment is deleted or leaves Query view

Name Type Description
name string (name of MemberAssignment)
view_index int32 Integer specifying removed MemberAssignment index. Not populated in stateless watch type.

MembersInfo Message

MembersInfo maps Users, ServiceAccounts or Groups to specific member data.

Name Type Description
member string Member identifier - as in format used in RoleBindings/GroupMembers.
users repeated User List of users. May contain more than 1 item, if there are multiple users sharing same email. Array may be empty if member is for service account or group type, or if no user exists with specified email.
service_accounts repeated ServiceAccount List of service accounts. It will be empty if member matches user or group type, or if no matching ServiceAccount was found. Length of this array is from 0 to 1.
groups repeated Group List of groups. It will be empty if member matches user or service account type, or if no matching Group was found. Length of this array is from 0 to 1.

MembersMasks Message

MembersMasks determines what fields should be obtained for matching members to GroupMembers.

Name Type Description
view View View defines list of standard response fields present in member items. Additional fields can be amended by specific field masks.
user_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each member User on top of fields defined by request field view
service_account_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each member ServiceAccount on top of fields defined by request field view
group_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each member Group on top of fields defined by request field view

OrganizationChange Message

OrganizationChange is used by Watch notification responses to describe a change of a single Organization. One of Added, Modified, Removed.

Name Type Description
added OrganizationChange.Added Added is returned when watched document is added, either created or enters Query view
modified OrganizationChange.Modified Modified is returned when watched document is modified
current OrganizationChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed OrganizationChange.Removed Removed is returned when Organization is deleted or leaves Query view

OrganizationChange.Added Message

Organization has been added to query view

Name Type Description
organization Organization
view_index int32 Integer describing index of added Organization in resulting query view.

OrganizationChange.Current Message

Organization has been added or modified in a query view. Version used for stateless watching

Name Type Description
organization Organization

OrganizationChange.Modified Message

Organization changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of Organization) Name of modified Organization
organization Organization New version of Organization or masked difference, depending on mask_changes instrumentation of issued [WatchOrganizationRequest] or [WatchOrganizationsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified Organization. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying Organization new index in resulting query view.

OrganizationChange.Removed Message

Removed is returned when Organization is deleted or leaves Query view

Name Type Description
name string (name of Organization)
view_index int32 Integer specifying removed Organization index. Not populated in stateless watch type.

OrganizationInvitationChange Message

OrganizationInvitationChange is used by Watch notification responses to describe a change of a single OrganizationInvitation. One of Added, Modified, Removed.

Name Type Description
added OrganizationInvitationChange.Added Added is returned when watched document is added, either created or enters Query view
modified OrganizationInvitationChange.Modified Modified is returned when watched document is modified
current OrganizationInvitationChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed OrganizationInvitationChange.Removed Removed is returned when OrganizationInvitation is deleted or leaves Query view

OrganizationInvitationChange.Added Message

OrganizationInvitation has been added to query view

Name Type Description
organization_invitation OrganizationInvitation
view_index int32 Integer describing index of added OrganizationInvitation in resulting query view.

OrganizationInvitationChange.Current Message

OrganizationInvitation has been added or modified in a query view. Version used for stateless watching

Name Type Description
organization_invitation OrganizationInvitation

OrganizationInvitationChange.Modified Message

OrganizationInvitation changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of OrganizationInvitation) Name of modified OrganizationInvitation
organization_invitation OrganizationInvitation New version of OrganizationInvitation or masked difference, depending on mask_changes instrumentation of issued [WatchOrganizationInvitationRequest] or [WatchOrganizationInvitationsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified OrganizationInvitation. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying OrganizationInvitation new index in resulting query view.

OrganizationInvitationChange.Removed Message

Removed is returned when OrganizationInvitation is deleted or leaves Query view

Name Type Description
name string (name of OrganizationInvitation)
view_index int32 Integer specifying removed OrganizationInvitation index. Not populated in stateless watch type.

PCR Message

Name Type Description
index uint32s
digest_hex string Hex-encoded digest string (without 0x prefix, e.g. “DEADBEEF”)
digest_alg DigestAlg
comment string User’s comments for this entry

PermissionChange Message

PermissionChange is used by Watch notification responses to describe a change of a single Permission. One of Added, Modified, Removed.

Name Type Description
added PermissionChange.Added Added is returned when watched document is added, either created or enters Query view
modified PermissionChange.Modified Modified is returned when watched document is modified
current PermissionChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed PermissionChange.Removed Removed is returned when Permission is deleted or leaves Query view

PermissionChange.Added Message

Permission has been added to query view

Name Type Description
permission Permission
view_index int32 Integer describing index of added Permission in resulting query view.

PermissionChange.Current Message

Permission has been added or modified in a query view. Version used for stateless watching

Name Type Description
permission Permission

PermissionChange.Modified Message

Permission changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of Permission) Name of modified Permission
permission Permission New version of Permission or masked difference, depending on mask_changes instrumentation of issued [WatchPermissionRequest] or [WatchPermissionsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified Permission. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying Permission new index in resulting query view.

PermissionChange.Removed Message

Removed is returned when Permission is deleted or leaves Query view

Name Type Description
name string (name of Permission)
view_index int32 Integer specifying removed Permission index. Not populated in stateless watch type.

ProjectChange Message

ProjectChange is used by Watch notification responses to describe a change of a single Project. One of Added, Modified, Removed.

Name Type Description
added ProjectChange.Added Added is returned when watched document is added, either created or enters Query view
modified ProjectChange.Modified Modified is returned when watched document is modified
current ProjectChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed ProjectChange.Removed Removed is returned when Project is deleted or leaves Query view

ProjectChange.Added Message

Project has been added to query view

Name Type Description
project Project
view_index int32 Integer describing index of added Project in resulting query view.

ProjectChange.Current Message

Project has been added or modified in a query view. Version used for stateless watching

Name Type Description
project Project

ProjectChange.Modified Message

Project changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of Project) Name of modified Project
project Project New version of Project or masked difference, depending on mask_changes instrumentation of issued [WatchProjectRequest] or [WatchProjectsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified Project. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying Project new index in resulting query view.

ProjectChange.Removed Message

Removed is returned when Project is deleted or leaves Query view

Name Type Description
name string (name of Project)
view_index int32 Integer specifying removed Project index. Not populated in stateless watch type.

ProjectInvitationChange Message

ProjectInvitationChange is used by Watch notification responses to describe a change of a single ProjectInvitation. One of Added, Modified, Removed.

Name Type Description
added ProjectInvitationChange.Added Added is returned when watched document is added, either created or enters Query view
modified ProjectInvitationChange.Modified Modified is returned when watched document is modified
current ProjectInvitationChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed ProjectInvitationChange.Removed Removed is returned when ProjectInvitation is deleted or leaves Query view

ProjectInvitationChange.Added Message

ProjectInvitation has been added to query view

Name Type Description
project_invitation ProjectInvitation
view_index int32 Integer describing index of added ProjectInvitation in resulting query view.

ProjectInvitationChange.Current Message

ProjectInvitation has been added or modified in a query view. Version used for stateless watching

Name Type Description
project_invitation ProjectInvitation

ProjectInvitationChange.Modified Message

ProjectInvitation changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of ProjectInvitation) Name of modified ProjectInvitation
project_invitation ProjectInvitation New version of ProjectInvitation or masked difference, depending on mask_changes instrumentation of issued [WatchProjectInvitationRequest] or [WatchProjectInvitationsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified ProjectInvitation. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying ProjectInvitation new index in resulting query view.

ProjectInvitationChange.Removed Message

Removed is returned when ProjectInvitation is deleted or leaves Query view

Name Type Description
name string (name of ProjectInvitation)
view_index int32 Integer specifying removed ProjectInvitation index. Not populated in stateless watch type.

RoleBindingChange Message

RoleBindingChange is used by Watch notification responses to describe a change of a single RoleBinding. One of Added, Modified, Removed.

Name Type Description
added RoleBindingChange.Added Added is returned when watched document is added, either created or enters Query view
modified RoleBindingChange.Modified Modified is returned when watched document is modified
current RoleBindingChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed RoleBindingChange.Removed Removed is returned when RoleBinding is deleted or leaves Query view

RoleBindingChange.Added Message

RoleBinding has been added to query view

Name Type Description
role_binding RoleBinding
view_index int32 Integer describing index of added RoleBinding in resulting query view.

RoleBindingChange.Current Message

RoleBinding has been added or modified in a query view. Version used for stateless watching

Name Type Description
role_binding RoleBinding

RoleBindingChange.Modified Message

RoleBinding changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of RoleBinding) Name of modified RoleBinding
role_binding RoleBinding New version of RoleBinding or masked difference, depending on mask_changes instrumentation of issued [WatchRoleBindingRequest] or [WatchRoleBindingsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified RoleBinding. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying RoleBinding new index in resulting query view.

RoleBindingChange.Removed Message

Removed is returned when RoleBinding is deleted or leaves Query view

Name Type Description
name string (name of RoleBinding)
view_index int32 Integer specifying removed RoleBinding index. Not populated in stateless watch type.
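How a client might fold the RoleBindingChange messages above into a local, ordered copy of the query view, as an added example (not EdgeLQ's own client code). `Binding`, `Change` and `ErrDesync` are hypothetical stand-ins; the code assumes `mask_changes` is not set, and that a Modified change means "remove at `previous_view_index`, then insert at `view_index`".

```go
package main

import (
	"errors"
	"fmt"
)

// Binding and Change are hypothetical stand-ins, not the generated EdgeLQ types.
type Binding struct{ Name, Role string }
type Change struct {
	Kind, Name      string // Kind: "added", "modified" or "removed"
	Binding         Binding
	PrevIdx, NewIdx int // previous_view_index, view_index
}

// ErrDesync tells the caller to drop the cached view and restart the watch.
var ErrDesync = errors.New("role binding view out of sync")

// Apply folds one change into a copy of the view (full documents, no field_mask).
func Apply(view []Binding, c Change) ([]Binding, error) {
	if c.Kind != "added" && c.Kind != "modified" && c.Kind != "removed" {
		return view, fmt.Errorf("unknown change kind %q", c.Kind)
	}
	out := append([]Binding(nil), view...)
	if c.Kind != "added" {
		i := c.NewIdx // Removed carries its position in view_index
		if c.Kind == "modified" {
			i = c.PrevIdx
		}
		// Never guess which binding to drop: the name must match the slot.
		if i < 0 || i >= len(out) || out[i].Name != c.Name {
			return view, ErrDesync
		}
		out = append(out[:i], out[i+1:]...)
	}
	if c.Kind != "removed" {
		if c.NewIdx < 0 || c.NewIdx > len(out) {
			return view, ErrDesync
		}
		out = append(out[:c.NewIdx], append([]Binding{c.Binding}, out[c.NewIdx:]...)...)
	}
	return out, nil
}

func main() {
	// Constructed stream: grant viewer, grant admin ahead of it, revoke admin.
	view, _ := Apply(nil, Change{Kind: "added", Binding: Binding{"rb-viewer", "viewer"}})
	view, _ = Apply(view, Change{Kind: "added", Binding: Binding{"rb-admin", "admin"}})
	fmt.Println(Apply(view, Change{Kind: "removed", Name: "rb-admin"}))
}
```

A cache that feeds authorization decisions should treat `ErrDesync` as a reason to stop serving from the cached view until the watch is re-established, so a missed Removed change cannot leave a revoked binding in effect.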

RoleChange Message

RoleChange is used by Watch notification responses to describe a change of a single Role. One of Added, Modified, Removed.

Name Type Description
added RoleChange.Added Added is returned when watched document is added, either created or enters Query view
modified RoleChange.Modified Modified is returned when watched document is modified
current RoleChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed RoleChange.Removed Removed is returned when Role is deleted or leaves Query view

RoleChange.Added Message

Role has been added to query view

Name Type Description
role Role
view_index int32 Integer describing index of added Role in resulting query view.

RoleChange.Current Message

Role has been added or modified in a query view. Version used for stateless watching

Name Type Description
role Role

RoleChange.Modified Message

Role changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of Role) Name of modified Role
role Role New version of Role or masked difference, depending on mask_changes instrumentation of issued [WatchRoleRequest] or [WatchRolesRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified Role. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying Role new index in resulting query view.

RoleChange.Removed Message

Removed is returned when Role is deleted or leaves Query view

Name Type Description
name string (name of Role)
view_index int32 Integer specifying removed Role index. Not populated in stateless watch type.

ScopeParam Message

Name Type Description
name string Name of the variable to be used in conditions/scope values.
string ScopeParam.StringValue Value is a single string
strings ScopeParam.ArrayOfStringsValue List of alternative values.
value_from ScopeParam.FromValue Value is extracted dynamically from pointed object type.

ScopeParam.ArrayOfStringsValue Message

ArrayOfStringsValue represents array of strings value

Name Type Description
values repeated string

ScopeParam.FromValue Message

FromValue represents a value(s) from specific dynamic object.

Name Type Description
source ScopeParam.FromValue.Source Source indicates type of dynamic object from where we take value(s).
path string Path within specified object from which exactly we get value(s).

ScopeParam.StringValue Message

StringValue represents single value

Name Type Description
value string

ServiceAccountChange Message

ServiceAccountChange is used by Watch notification responses to describe a change of a single ServiceAccount. One of Added, Modified, Removed.

Name Type Description
added ServiceAccountChange.Added Added is returned when watched document is added, either created or enters Query view
modified ServiceAccountChange.Modified Modified is returned when watched document is modified
current ServiceAccountChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed ServiceAccountChange.Removed Removed is returned when ServiceAccount is deleted or leaves Query view

ServiceAccountChange.Added Message

ServiceAccount has been added to query view

Name Type Description
service_account ServiceAccount
view_index int32 Integer describing index of added ServiceAccount in resulting query view.

ServiceAccountChange.Current Message

ServiceAccount has been added or modified in a query view. Version used for stateless watching

Name Type Description
service_account ServiceAccount

ServiceAccountChange.Modified Message

ServiceAccount changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of ServiceAccount) Name of modified ServiceAccount
service_account ServiceAccount New version of ServiceAccount or masked difference, depending on mask_changes instrumentation of issued [WatchServiceAccountRequest] or [WatchServiceAccountsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified ServiceAccount. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying ServiceAccount new index in resulting query view.

ServiceAccountChange.Removed Message

Removed is returned when ServiceAccount is deleted or leaves Query view

Name Type Description
name string (name of ServiceAccount)
view_index int32 Integer specifying removed ServiceAccount index. Not populated in stateless watch type.

ServiceAccountKeyChange Message

ServiceAccountKeyChange is used by Watch notification responses to describe a change of a single ServiceAccountKey. One of Added, Modified, Removed.

Name Type Description
added ServiceAccountKeyChange.Added Added is returned when watched document is added, either created or enters Query view
modified ServiceAccountKeyChange.Modified Modified is returned when watched document is modified
current ServiceAccountKeyChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed ServiceAccountKeyChange.Removed Removed is returned when ServiceAccountKey is deleted or leaves Query view

ServiceAccountKeyChange.Added Message

ServiceAccountKey has been added to query view

Name Type Description
service_account_key ServiceAccountKey
view_index int32 Integer describing index of added ServiceAccountKey in resulting query view.

ServiceAccountKeyChange.Current Message

ServiceAccountKey has been added or modified in a query view. Version used for stateless watching

Name Type Description
service_account_key ServiceAccountKey

ServiceAccountKeyChange.Modified Message

ServiceAccountKey changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of ServiceAccountKey) Name of modified ServiceAccountKey
service_account_key ServiceAccountKey New version of ServiceAccountKey or masked difference, depending on mask_changes instrumentation of issued [WatchServiceAccountKeyRequest] or [WatchServiceAccountKeysRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified ServiceAccountKey. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying ServiceAccountKey new index in resulting query view.

ServiceAccountKeyChange.Removed Message

Removed is returned when ServiceAccountKey is deleted or leaves Query view

Name Type Description
name string (name of ServiceAccountKey)
view_index int32 Integer specifying removed ServiceAccountKey index. Not populated in stateless watch type.

ServiceBusinessTier Message

ServiceBusinessTier binds specific service with specific business tier. It may be useful if two services use different tier in one organizational entity (project or organization).

Name Type Description
service string (name of Service) Service
business_tier BusinessTier Entity tier value for given service. It may be also set to UNDEFINED, if this service is not supposed to be used at all for given entity. This way we can opt out from core edgelq services if needed.

ServiceErrors Message

ServiceErrors is generic container wrapping errors with services.

Name Type Description
errors repeated ServiceErrors.Error Errors

ServiceErrors.Error Message

Name Type Description
service string (name of Service) Service for which there are error reports. May be skipped if error is cross-service or is about core EdgeLQ components.
message string Error message

UserChange Message

UserChange is used by Watch notification responses to describe a change of a single User. One of Added, Modified, Removed.

Name Type Description
added UserChange.Added Added is returned when watched document is added, either created or enters Query view
modified UserChange.Modified Modified is returned when watched document is modified
current UserChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed UserChange.Removed Removed is returned when User is deleted or leaves Query view

UserChange.Added Message

User has been added to query view

Name Type Description
user User
view_index int32 Integer describing index of added User in resulting query view.

UserChange.Current Message

User has been added or modified in a query view. Version used for stateless watching

Name Type Description
user User

UserChange.Modified Message

User changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of User) Name of modified User
user User New version of User or masked difference, depending on mask_changes instrumentation of issued [WatchUserRequest] or [WatchUsersRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified User. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying User new index in resulting query view.

UserChange.Removed Message

Removed is returned when User is deleted or leaves Query view

Name Type Description
name string (name of User)
view_index int32 Integer specifying removed User index. Not populated in stateless watch type.

WatchPrincipalUpdatesRequest Message

Request message for method [WatchPrincipalUpdates][ntt.iam.v1.WatchPrincipalUpdates]

Name Type Description
requesting_service string (name of Service)
resume_token string Resume token in case of disconnection

WatchPrincipalUpdatesResponse Message

Response message for method [WatchPrincipalUpdates][ntt.iam.v1.WatchPrincipalUpdates]

Name Type Description
current_principals repeated WatchPrincipalUpdatesResponse.CurrentPrincipal All added or removed principals
removed_principals repeated WatchPrincipalUpdatesResponse.RemovedPrincipal All removed principals
is_current bool Whether list of shadows received by client is in sync
is_reset bool Whether current, pending changes should be reset.
resume_token string Token to resume from.

WatchPrincipalUpdatesResponse.CurrentPrincipal Message

Name Type Description
principal_key_id string
json_key string
principal_key_type string
user User
service_account ServiceAccount

WatchPrincipalUpdatesResponse.RemovedPrincipal Message

Name Type Description
principal_key_id string

IAM Service Shared Enumerations

Here is the list of IAM service shared enumerations:

BusinessTier Enumeration

BusinessTier indicates size of organizational entity (project or organization). Size-type sizes are used in core edgelq services, SKU-types can be used optionally by 3rd party services.

Name Description
UNDEFINED
LARGE
MEDIUM
SMALL
XSMALL
SKU0
SKU1
SKU2
SKU3
SKU4
SKU5
SKU6
SKU7
SKU8
SKU9
SKU10
SKU11
SKU12

DigestAlg Enumeration

Name Description
SHA1
SHA256

Invitation.State Enumeration

Invitation FSM States

Name Description
STATE_UNSPECIFIED
PENDING
ACCEPTED
DECLINED
EXPIRED

ScopeParam.FromValue.Source Enumeration

Source indicates which dynamic object is used to extract value from.

Name Description
UNDEFINED
PRINCIPAL_METADATA Object from which value is taken is metadata. Valid for Service Accounts and user types.
PRINCIPAL_USER Object from which value is taken is User principal. If principal executing an Action is not a User, then value will be empty.
PRINCIPAL_SVCACC Object from which value is taken is ServiceAccount principal. If principal executing an Action is not a ServiceAccount, then value will be empty.

TpmVersion Enumeration

Name Description
TPMVAGNOSTIC
TPMV12
TPMV20

VerifyRequest.AskForChallenge.ChallengeFormat Enumeration

Name Description
TPM20_CREDENTIAL Credential Protection as defined in section 24 of the TPM specification revision 2 part 1. See: https://trustedcomputinggroup.org/resource/tpm-library-specification/ Returned primitives are of type TPM2B_ID_OBJECT and TPM2B_ENCRYPTED_SECRET. NOTE: ECC is not supported. Reference implementation: github.com/google/go-attestation@v0.3.2/attest/activation.go:generateChallengeTPM20, which uses github.com/google/go-tpm@v0.3.2/tpm2/credactivation/credential_activation.go:Generate
TPM12_EKBLOB Challenge as defined in section 15.1 of the TPM 1.2 commands spec. See: https://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-3-Commands_v1.2_rev116_01032011.pdf Returned primitives are of type TPM12_EKBLOB (with TPM_EK_BLOB_ACTIVATE) and bytes. Reference implementation: github.com/google/go-attestation@v0.3.2/attest/activation.go:generateChallengeTPM12, which uses github.com/google/go-attestation@v0.3.2/attest/challenge.go:generateChallenge12
TSPI_EKBLOB TSPI_EKBLOB is a TPM1.2 challenge format accepted by TrouSerS daemon’s Tspi_TPM_ActivateIdentity function. As far as I can tell, it’s not documented except in the code. Returned primitives are of type TPM12_EKBLOB (with TPM_EK_BLOB_ACTIVATE) and bytes. Reference implementation: github.com/google/go-attestation@v0.3.2/attest/activation.go:generateChallengeTPM12, which uses github.com/google/go-tspi@v0.3.0/verification/verification.go:GenerateChallengeEx