Understanding the iam.edgelq.com service APIv1alpha2, in proto package ntt.iam.v1alpha2.

Service iam.edgelq.com in version v1alpha2, proto package ntt.iam.v1alpha2

Here is the list of resources supported in IAM service APIv1alpha2:

AttestationDomain Resource

AttestationDomain represents attestation parameters for a heterogeneous fleet of devices.

Name patterns:

  • projects/{project}/attestationDomains/{attestation_domain}

Parent resources:

This section covers the methods and messages to interact with AttestationDomain resource.

AttestationDomain Methods

Here is the list of AttestationDomain resource methods:

GetAttestationDomain Method

GetAttestationDomain

rpc GetAttestationDomain(GetAttestationDomainRequest) returns (AttestationDomain)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.get

The equivalent REST API is:

GET /v1alpha2/{name=projects/*/attestationDomains/*} 

BatchGetAttestationDomains Method

BatchGetAttestationDomains

rpc BatchGetAttestationDomains(BatchGetAttestationDomainsRequest) returns (BatchGetAttestationDomainsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.batchGet

The equivalent REST API is:

GET /v1alpha2/attestationDomains:batchGet 

ListAttestationDomains Method

ListAttestationDomains

rpc ListAttestationDomains(ListAttestationDomainsRequest) returns (ListAttestationDomainsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.list

The equivalent REST API is:

GET /v1alpha2/{parent=projects/*}/attestationDomains 

WatchAttestationDomain Method

WatchAttestationDomain

rpc WatchAttestationDomain(WatchAttestationDomainRequest) returns (WatchAttestationDomainResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.watch

The equivalent REST API is:

POST /v1alpha2/{name=projects/*/attestationDomains/*}:watch 

WatchAttestationDomains Method

WatchAttestationDomains

rpc WatchAttestationDomains(WatchAttestationDomainsRequest) returns (WatchAttestationDomainsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.watch

The equivalent REST API is:

POST /v1alpha2/{parent=projects/*}/attestationDomains:watch 

CreateAttestationDomain Method

CreateAttestationDomain

rpc CreateAttestationDomain(CreateAttestationDomainRequest) returns (AttestationDomain)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.create

The equivalent REST API is:

POST /v1alpha2/{parent=projects/*}/attestationDomains (BODY: attestation_domain)

UpdateAttestationDomain Method

UpdateAttestationDomain

rpc UpdateAttestationDomain(UpdateAttestationDomainRequest) returns (AttestationDomain)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.update

The equivalent REST API is:

PUT /v1alpha2/{attestation_domain.name=projects/*/attestationDomains/*} (BODY: attestation_domain)

DeleteAttestationDomain Method

DeleteAttestationDomain

rpc DeleteAttestationDomain(DeleteAttestationDomainRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.delete

The equivalent REST API is:

DELETE /v1alpha2/{name=projects/*/attestationDomains/*} 

Verify Method

Verify

rpc Verify(VerifyRequest) returns (VerifyResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/attestationDomains.verify

The equivalent REST API is:

POST /v1alpha2/{ask_for_challenge.attestation_domain=projects/*/attestationDomains/*}:verify 

AttestationDomain Messages

Here is the list of AttestationDomain resource messages:

AttestationDomain Message

Name Type Description
metadata Meta Meta
name string (name of AttestationDomain) Name of AttestationDomain When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9-]{0,28}[a-z0-9]
display_name string Display name
insecure_skip_manufacturer_ekcert_verification bool If false (default), attestation verifier SHALL check CA certificate chain up to the TPM chip manufacturer’s CA (defined in manufacturer_ca_issuers). This step is necessary to prove that the attestation request comes from a genuine TPM device, and not a TPM emulator. If true, attestation verifier SHALL skip EKcert verification - !!INSECURE!! Without this check, any keys may come from a simulated TPM on the device. An attacker may therefore forge any key they want. Therefore, this option should only be changed for development purposes.
policies repeated AttestationDomain.Policy Attestees wanting to attest under this attestation domain SHALL fulfill requirements of at least one of attestation policies defined in this list. Policies are checked in the order they appear on this list.
enrollment_list repeated AttestationDomain.EnrolledKey Attestation policy may require attestee’s pubkey to be present on enrollment_list.

AttestationDomain.Policy Message

Policy defines a singular attestation policy, that should match a homogeneous class of device (i.e. hardware and firmware configuration) in the fleet.

Name Type Description
manufacturer_root_ca_certs_pem string List of acceptable manufacturer’s root CAs certs (in PEM format). To obtain such a cert, run something like:
    tpm2_getekcertificate -o cert.bin
    openssl x509 -inform der -in cert.bin -noout -text
  Then manually download the certificate specified in Authority Information Access (AIA). Repeat the above openssl command on the newly downloaded file (change the value of the -in argument). Continue this until you reach a certificate which does not have AIA. It’s the root certificate. Convert it to PEM like so:
    openssl x509 -inform der -in root.crt -out root.pem
  Still, we need to encode newlines:
    awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' root.pem
  Then paste the output here. Note: multiple PEM certificates may be included here by simple means of concatenation.
require_enrollment bool If true, the attestee’s pubkey SHALL be present on this AttestationDomain’s enrollment list, otherwise fail the attestation.
verify_event_log bool If true, the verifier SHALL parse, replay and verify TPM event log provided by the attestee, otherwise fail the attestation. Note that requiring verification of event log does not provide additional security. See https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md#event-type-and-verification-footguns
expected_pcrs repeated PCR List of expected PCR values. All PCRs on this list SHALL match exactly the PCRs provided by the attestee, otherwise the attestation SHALL be failed. The verifier SHALL perform sanity checks: PCR index/digest pairs are unique and the size of the list is sane (TODO). They can be read from TPM by running something like tpm2_pcrread.

AttestationDomain.EnrolledKey Message

EnrolledKey defines an enrolled key.

Name Type Description
pubkey_pem string PEM encoded EK pubkey. It can be read from TPM by running something like tpm2_createek -G rsa -u ek.pub -c key.ctx -f pem.
comment string User’s comments for this entry
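
The policy semantics described above (policies tried in list order, require_enrollment checked against enrollment_list, every expected PCR matched exactly, sanity checks on PCR lists), as an added Go sketch that is not the service's verifier. The struct layouts, the PCR field names, the maxPCRs bound and the single-bank reading of the uniqueness check (each index at most once) are assumptions; EK certificate and event log verification are out of scope here.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
)

// Hypothetical mirrors of the messages above; PCR field names are assumed.
type PCR struct {
	Index  uint32
	Digest string // hex encoded
}

type Policy struct {
	RequireEnrollment bool
	ExpectedPCRs      []PCR
}

type Domain struct {
	Policies       []Policy
	EnrollmentList []string // pubkey_pem values
}

type Evidence struct {
	EKPubPEM string
	PCRs     []PCR
}

const maxPCRs = 96 // assumed sanity bound (24 PCRs times a few hash banks)

var ErrNoPolicyMatched = errors.New("no attestation policy matched")

// derOf returns the DER payload of the first PEM block, or nil.
func derOf(p string) []byte {
	b, _ := pem.Decode([]byte(p))
	if b == nil {
		return nil
	}
	return b.Bytes
}

// enrolled compares decoded key bytes, so whitespace or line-ending
// differences between the stored and presented PEM do not matter.
func enrolled(list []string, ek string) bool {
	want := derOf(ek)
	if len(want) == 0 {
		return false
	}
	for _, e := range list {
		if bytes.Equal(derOf(e), want) {
			return true
		}
	}
	return false
}

// pcrTable applies the sanity checks and indexes digests by PCR number.
func pcrTable(pcrs []PCR) (map[uint32][]byte, error) {
	if len(pcrs) > maxPCRs {
		return nil, fmt.Errorf("too many PCRs: %d", len(pcrs))
	}
	t := make(map[uint32][]byte, len(pcrs))
	for _, p := range pcrs {
		d, err := hex.DecodeString(p.Digest)
		if err != nil || len(d) == 0 {
			return nil, fmt.Errorf("PCR %d: bad digest", p.Index)
		}
		if _, dup := t[p.Index]; dup {
			return nil, fmt.Errorf("PCR %d listed twice", p.Index)
		}
		t[p.Index] = d
	}
	return t, nil
}

// Evaluate returns the index of the first policy the evidence satisfies.
// Malformed PCR lists fail closed with an error other than ErrNoPolicyMatched.
func Evaluate(d Domain, ev Evidence) (int, error) {
	got, err := pcrTable(ev.PCRs)
	if err != nil {
		return -1, fmt.Errorf("attestee PCRs: %w", err)
	}
	for i, pol := range d.Policies {
		if pol.RequireEnrollment && !enrolled(d.EnrollmentList, ev.EKPubPEM) {
			continue
		}
		want, err := pcrTable(pol.ExpectedPCRs)
		if err != nil {
			return -1, fmt.Errorf("policy %d: %w", i, err)
		}
		ok := true
		for idx, digest := range want {
			if !bytes.Equal(got[idx], digest) {
				ok = false
				break
			}
		}
		if ok {
			return i, nil
		}
	}
	return -1, ErrNoPolicyMatched
}

// constructedKey builds a PEM block around a label; it is not a real EK.
func constructedKey(label string) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: []byte(label)}))
}

// sampleDomain is constructed input: one enrolled-only policy, one open policy.
func sampleDomain() Domain {
	return Domain{
		Policies: []Policy{
			{RequireEnrollment: true, ExpectedPCRs: []PCR{{0, "AA11"}, {7, "bb22"}}},
			{ExpectedPCRs: []PCR{{0, "cc33"}}},
		},
		EnrollmentList: []string{"\n" + constructedKey("constructed-ek-1") + "\n"},
	}
}

func main() {
	ev := Evidence{EKPubPEM: constructedKey("constructed-ek-1"), PCRs: []PCR{{0, "aa11"}, {7, "BB22"}, {1, "00"}}}
	fmt.Println(Evaluate(sampleDomain(), ev))
}
```

In this sketch a policy with require_enrollment false and an empty expected_pcrs list matches every attestee, so such an entry makes every later policy unreachable.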

GetAttestationDomainRequest Message

A request message of the GetAttestationDomain method.

Name Type Description
name string (name of AttestationDomain) Name of ntt.iam.v1alpha2.AttestationDomain
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetAttestationDomainsRequest Message

A request message of the BatchGetAttestationDomains method.

Name Type Description
names repeated string (name of AttestationDomain) Names of AttestationDomains
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetAttestationDomainsResponse Message

A response message of the BatchGetAttestationDomains method.

Name Type Description
attestation_domains repeated AttestationDomain found AttestationDomains
missing repeated string (name of AttestationDomain) list of not found AttestationDomains

ListAttestationDomainsRequest Message

A request message of the ListAttestationDomains method.

Name Type Description
parent string (parent name of AttestationDomain) Parent name of ntt.iam.v1alpha2.AttestationDomain
page_size int32 Requested page size. Server may return fewer AttestationDomains than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of AttestationDomain) A token identifying a page of results the server should return. Typically, this is the value of ListAttestationDomainsResponse.next_page_token.
order_by string (orderBy of AttestationDomain) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of AttestationDomain) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListAttestationDomainsResponse Message

A response message of the ListAttestationDomains method.

Name Type Description
attestation_domains repeated AttestationDomain The list of AttestationDomains
prev_page_token string (cursor of AttestationDomain) A token to retrieve previous page of results. Pass this value in the ListAttestationDomainsRequest.page_token.
next_page_token string (cursor of AttestationDomain) A token to retrieve next page of results. Pass this value in the ListAttestationDomainsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total AttestationDomains across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchAttestationDomainRequest Message

A request message of the WatchAttestationDomain method.

Name Type Description
name string (name of AttestationDomain) Name of ntt.iam.v1alpha2.AttestationDomain
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchAttestationDomainResponse Message

A response message of the WatchAttestationDomain method.

Name Type Description
change AttestationDomainChange

WatchAttestationDomainsRequest Message

A request message of the WatchAttestationDomains method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in response are relevant.
parent string (parent name of AttestationDomain) Parent name of ntt.iam.v1alpha2.AttestationDomain
page_size int32 Requested page size. Server may return fewer AttestationDomains than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of AttestationDomain) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of AttestationDomain) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of AttestationDomain) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view Changes to AttestationDomain that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask Changes to AttestationDomain that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchAttestationDomainsResponse Message

A response message of the WatchAttestationDomains method.

Name Type Description
attestation_domain_changes repeated AttestationDomainChange Changes of AttestationDomains
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of request). All AttestationDomains will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left to 0.
page_token_change WatchAttestationDomainsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information how many resources should client have in its state so far (response message without any changes, but with snapshot_size field specified). If client has different value than the one sent by the server, then it should be treated by a client as an error and should reconnect. If value is smaller than 0, then client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful those kinds of errors are handled by the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of internal issue server may send response message with this flag. It indicates that client should drop all changes from recent responses where is_current is false only! If last message had is_current set to true, client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful those kinds of errors are handled by the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of internal issue server may send response message with this flag. After receiving, client should clear whole state (drop all changes received so far) as server will send new snapshot (AttestationDomains will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful those kinds of errors are handled by the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
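
A client-side reducer for the stateless-watch rules in the table above, as an added Go example (not EdgeLQ code): chunks are buffered until is_current, is_soft_reset drops only the buffered chunks, is_hard_reset clears state and resume token, and snapshot_size is checked against what has been committed. The struct types, the Modified and Removed change kinds, the Rev field and the choice to compare snapshot_size with committed entries are assumptions, since this page does not define AttestationDomainChange.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the generated types.
type ChangeKind int

const (
	Added    ChangeKind = iota // named on the page
	Current                    // named on the page
	Modified                   // assumed
	Removed                    // assumed
)

type Change struct {
	Kind ChangeKind
	Name string // resource name
	Rev  string // stand-in for the resource body
}

type WatchResponse struct {
	Changes      []Change
	IsCurrent    bool
	ResumeToken  string
	SnapshotSize int64 // below 0 means unpopulated
	IsSoftReset  bool
	IsHardReset  bool
}

var ErrSnapshotMismatch = errors.New("snapshot_size mismatch, reconnect")

type WatchState struct {
	Committed   map[string]string // only ever holds complete changesets
	pending     []Change          // chunks received with is_current=false
	ResumeToken string
}

func NewWatchState() *WatchState {
	return &WatchState{Committed: map[string]string{}}
}

// Handle applies one response message to the local state.
func (s *WatchState) Handle(r WatchResponse) error {
	switch {
	case r.IsHardReset: // full restart: state and resume token are void
		s.Committed = map[string]string{}
		s.pending = nil
		s.ResumeToken = ""
		return nil
	case r.IsSoftReset: // drop uncommitted chunks only; token stays valid
		s.pending = nil
		return nil
	case len(r.Changes) == 0 && !r.IsCurrent && r.SnapshotSize >= 0:
		if int64(len(s.Committed)) != r.SnapshotSize {
			return fmt.Errorf("%w: have %d, server reports %d",
				ErrSnapshotMismatch, len(s.Committed), r.SnapshotSize)
		}
		return nil
	}
	s.pending = append(s.pending, r.Changes...)
	if !r.IsCurrent {
		return nil // changeset incomplete: do not expose it yet
	}
	for _, c := range s.pending {
		if c.Kind == Removed {
			delete(s.Committed, c.Name)
		} else {
			s.Committed[c.Name] = c.Rev
		}
	}
	s.pending = nil
	if r.ResumeToken != "" {
		s.ResumeToken = r.ResumeToken
	}
	return nil
}

// Replay feeds messages in order and stops at the first error.
func Replay(s *WatchState, msgs []WatchResponse) error {
	for i, m := range msgs {
		if err := s.Handle(m); err != nil {
			return fmt.Errorf("message %d: %w", i, err)
		}
	}
	return nil
}

// sampleStream is constructed input, not captured traffic.
func sampleStream() []WatchResponse {
	const dom = "projects/demo/attestationDomains/"
	return []WatchResponse{
		{Changes: []Change{{Current, dom + "a", "r1"}}, SnapshotSize: -1},
		{Changes: []Change{{Current, dom + "b", "r1"}}, IsCurrent: true, ResumeToken: "t1", SnapshotSize: -1},
		{Changes: []Change{{Modified, dom + "a", "r2"}}, SnapshotSize: -1},
		{IsSoftReset: true, SnapshotSize: -1},
		{Changes: []Change{{Removed, dom + "b", ""}}, IsCurrent: true, ResumeToken: "t2", SnapshotSize: -1},
		{SnapshotSize: 1},
	}
}

func main() {
	s := NewWatchState()
	fmt.Println(Replay(s, sampleStream()), s.Committed, s.ResumeToken)
	fmt.Println(s.Handle(WatchResponse{SnapshotSize: 3}))
}
```

A consumer that caches attestation policy from this stream should read only Committed, so a half-delivered changeset or one discarded by a soft reset never influences a decision.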

WatchAttestationDomainsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of AttestationDomain) New token to retrieve previous page of results.
next_page_token string (cursor of AttestationDomain) New token to retrieve next page of results.

CreateAttestationDomainRequest Message

A request message of the CreateAttestationDomain method.

Name Type Description
parent string (parent name of AttestationDomain) Parent name of ntt.iam.v1alpha2.AttestationDomain
attestation_domain AttestationDomain AttestationDomain resource body
response_mask CreateAttestationDomainRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateAttestationDomainRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateAttestationDomainRequest Message

A request message of the UpdateAttestationDomain method.

Name Type Description
attestation_domain AttestationDomain AttestationDomain resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateAttestationDomainRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update only and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateAttestationDomainRequest.ResponseMask Optional masking applied to response object to reduce message response size.

UpdateAttestationDomainRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state AttestationDomain Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateAttestationDomainRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteAttestationDomainRequest Message

A request message of the DeleteAttestationDomain method.

Name Type Description
name string (name of AttestationDomain) Name of ntt.iam.v1alpha2.AttestationDomain

VerifyRequest Message

Request message for method [Verify][ntt.iam.v1alpha2.Verify]

Name Type Description
ask_for_challenge VerifyRequest.AskForChallenge
challenge_response VerifyRequest.ChallengeResponse

VerifyRequest.AskForChallenge Message

Name Type Description
subject string This will be used to set “sub” claim for attestation token. This “sub” should be compared to “sub” of JWT access token during validation. “Sub” comparison ties both tokens together and protects against theft/reuse of one of them by another service account.
attestation_domain string (name of AttestationDomain) attestation domain ref
tpm_version TpmVersion
ekpub bytes PKIX encoded EK public
ekcert bytes ASN.1 DER encoded EK certificate.
ekcerturl string For Intel TPMs, Intel hosts certificates at a public URL derived from the Public key. Clients or servers can perform an HTTP GET to this URL, and use ParseEKCertificate on the response body.
akpub bytes https://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf TPMT_PUBLIC (TPM 2.0) or TPM_PUBKEY (TPM 1.2)
creation_data bytes TPMS_CREATION_DATA
attest bytes TPMS_ATTEST
signature bytes TPMT_SIGNATURE
challenge_format VerifyRequest.AskForChallenge.ChallengeFormat ChallengeFormat defines the method of generating identity activation challenge by the Verifier (server). It should affect the interpretation of ChallengeResponse fields cred_encrypted_by_ekpub and secret_encrypted_by_cred. Attestor (client) is responsible for choosing the right format depending on TPM version and the presence of TrouSerS daemon.

VerifyRequest.ChallengeResponse Message

Name Type Description
ak_activation_decrypted_secret bytes
quotes repeated VerifyRequest.ChallengeResponse.Quote
pcrs repeated PCR
eventlog bytes Binary contents of /sys/kernel/security/tpm0/binary_bios_measurements

VerifyRequest.ChallengeResponse.Quote Message

Name Type Description
quote bytes TPMS_ATTEST (TSS_VALIDATION.Data or TSS_VALIDATION.rgbData) This contains PCR selection information for which the signature was calculated and other required data, like nonce.
signature bytes TSS_VALIDATION.ValidationData or TSS_VALIDATION.rgbValidationData

VerifyResponse Message

Response message for method [Verify][ntt.iam.v1alpha2.Verify]

Name Type Description
challenge VerifyResponse.Challenge
attestation_successful VerifyResponse.AttestationSuccessful

VerifyResponse.Challenge Message

Name Type Description
platform_attestation_nonce bytes Platform attestation
cred_encrypted_by_ekpub bytes AK Identity Activation
secret_encrypted_by_cred bytes

VerifyResponse.AttestationSuccessful Message

Name Type Description
attestation_token string

Condition Resource

Condition Resource provides an extension to primary RBAC model, which allows customizable (scriptable) access. Conditions can only be used to further limit (or narrow) access compared to standard (or unconditional) RBAC.

Usage:

  1. Condition is created with expression and parameter declarations. Consider this a definition, which will be later “bound”.
  2. When creating a [RoleBinding] pass [ConditionBinding] with reference to [Condition] and bound parameters.

When checking for principal access (anonymous, user, service account), for RoleBinding to grant permissions included in bound [Role], both RBAC and Condition expression evaluation must grant access.

Name patterns:

  • conditions/{condition}
  • projects/{project}/conditions/{condition}
  • organizations/{organization}/conditions/{condition}

Parent resources:

This section covers the methods and messages to interact with Condition resource.

Condition Methods

Here is the list of Condition resource methods:

GetCondition Method

GetCondition

rpc GetCondition(GetConditionRequest) returns (Condition)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.get

The equivalent REST API is:

GET /v1alpha2/{name=conditions/*} 
GET /v1alpha2/{name=projects/*/conditions/*} 
GET /v1alpha2/{name=organizations/*/conditions/*} 

BatchGetConditions Method

BatchGetConditions

rpc BatchGetConditions(BatchGetConditionsRequest) returns (BatchGetConditionsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.batchGet

The equivalent REST API is:

GET /v1alpha2/conditions:batchGet 

ListConditions Method

ListConditions

rpc ListConditions(ListConditionsRequest) returns (ListConditionsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.list

The equivalent REST API is:

GET /v1alpha2/conditions 
GET /v1alpha2/{parent=projects/*}/conditions 
GET /v1alpha2/{parent=organizations/*}/conditions 

WatchCondition Method

WatchCondition

rpc WatchCondition(WatchConditionRequest) returns (WatchConditionResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.watch

The equivalent REST API is:

POST /v1alpha2/{name=conditions/*}:watch 
POST /v1alpha2/{name=projects/*/conditions/*}:watch 
POST /v1alpha2/{name=organizations/*/conditions/*}:watch 

WatchConditions Method

WatchConditions

rpc WatchConditions(WatchConditionsRequest) returns (WatchConditionsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.watch

The equivalent REST API is:

POST /v1alpha2/conditions:watch 
POST /v1alpha2/{parent=projects/*}/conditions:watch 
POST /v1alpha2/{parent=organizations/*}/conditions:watch 

CreateCondition Method

CreateCondition

rpc CreateCondition(CreateConditionRequest) returns (Condition)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.create

The equivalent REST API is:

POST /v1alpha2/conditions (BODY: condition)
POST /v1alpha2/{parent=projects/*}/conditions 
POST /v1alpha2/{parent=organizations/*}/conditions 

UpdateCondition Method

UpdateCondition

rpc UpdateCondition(UpdateConditionRequest) returns (Condition)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.update

The equivalent REST API is:

PUT /v1alpha2/{condition.name=conditions/*} (BODY: condition)
PUT /v1alpha2/{condition.name=projects/*/conditions/*} 
PUT /v1alpha2/{condition.name=organizations/*/conditions/*} 

DeleteCondition Method

DeleteCondition

rpc DeleteCondition(DeleteConditionRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/conditions.delete

The equivalent REST API is:

DELETE /v1alpha2/{name=conditions/*} 
DELETE /v1alpha2/{name=projects/*/conditions/*} 
DELETE /v1alpha2/{name=organizations/*/conditions/*} 

Condition Messages

Here is the list of Condition resource messages:

Condition Message

Name Type Description
name string (name of Condition) Name of Condition When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-zA-Z0-9_.-]{1,128}
display_name string Display Name
description string Description
expression string Condition expression in Google CEL syntax, e.g. resource.name == "projects/xyz/instances/abc" Accessible parameters:
parameter_declarations repeated Condition.ParameterDeclaration Typed parameters declarations. When binding a Condition, passed parameters must correspond to declarations.
metadata Meta Metadata

Condition.ParameterDeclaration Message

Parameter Declarations used

Name Type Description
key string Parameter Key - must be unique within condition. Defined parameter variables are accessible in condition expression via parameters.<key>, e.g. parameters.projectId
type Condition.ParameterType Parameter value type

GetConditionRequest Message

A request message of the GetCondition method.

Name Type Description
name string (name of Condition) Name of ntt.iam.v1alpha2.Condition
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetConditionsRequest Message

A request message of the BatchGetConditions method.

Name Type Description
names repeated string (name of Condition) Names of Conditions
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetConditionsResponse Message

A response message of the BatchGetConditions method.

Name Type Description
conditions repeated Condition found Conditions
missing repeated string (name of Condition) list of not found Conditions

ListConditionsRequest Message

A request message of the ListConditions method.

Name Type Description
parent string (parent name of Condition) Parent name of ntt.iam.v1alpha2.Condition
page_size int32 Requested page size. Server may return fewer Conditions than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Condition) A token identifying a page of results the server should return. Typically, this is the value of ListConditionsResponse.next_page_token.
order_by string (orderBy of Condition) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Condition) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListConditionsResponse Message

A response message of the ListConditions method.

Name Type Description
conditions repeated Condition The list of Conditions
prev_page_token string (cursor of Condition) A token to retrieve previous page of results. Pass this value in the ListConditionsRequest.page_token.
next_page_token string (cursor of Condition) A token to retrieve next page of results. Pass this value in the ListConditionsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Conditions across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchConditionRequest Message

A request message of the WatchCondition method.

Name Type Description
name string (name of Condition) Name of ntt.iam.v1alpha2.Condition
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchConditionResponse Message

A response message of the WatchCondition method.

Name Type Description
change ConditionChange

WatchConditionsRequest Message

A request message of the WatchConditions method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in the response are relevant.
parent string (parent name of Condition) Parent name of ntt.iam.v1alpha2.Condition
page_size int32 Requested page size. Server may return fewer Conditions than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of Condition) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of Condition) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of Condition) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to Condition that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to Condition that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchConditionsResponse Message

A response message of the WatchConditions method.

Name Type Description
condition_changes repeated ConditionChange Changes of Conditions
is_current bool If the request specified max_chunk_size (or this limit was enforced because stateless watch was chosen), then responses with a “full changeset” will be divided into chunks. The client should keep receiving messages and, once is_current has value true, combine this most recent message with all previous ones where is_current is false. If this is the first is_current in the whole watch stream, then the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of the request). All Conditions will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental; however, messages may still be chunked and the is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchConditionsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 The server may occasionally send information on how many resources the client should have in its state so far (a response message without any changes, but with the snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat this as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, these kinds of errors are handled on the server side. Will never be sent together with the is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. The resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, these kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far), as the server will send a new snapshot (Conditions will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, these kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.

WatchConditionsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of Condition) New token to retrieve previous page of results.
next_page_token string (cursor of Condition) New token to retrieve next page of results.

CreateConditionRequest Message

A request message of the CreateCondition method.

Name Type Description
parent string (parent name of Condition) Parent name of ntt.iam.v1alpha2.Condition
condition Condition Condition resource body
response_mask CreateConditionRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateConditionRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateConditionRequest Message

A request message of the UpdateCondition method.

Name Type Description
condition Condition Condition resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateConditionRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then the server will fetch the existing resource, compare it with the one stored in the cas field (after applying field mask) and proceed with the update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateConditionRequest.ResponseMask reduce message response size.

UpdateConditionRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state Condition Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateConditionRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteConditionRequest Message

A request message of the DeleteCondition method.

Name Type Description
name string (name of Condition) Name of ntt.iam.v1alpha2.Condition

Condition Enumerations

Here is the list of Condition resource enumerations:

Condition.ParameterType Enumeration

Parameter Type.

Name Description
TYPE_UNSPECIFIED
STRING
INT64
DOUBLE
BOOL
STRING_ARRAY
INT64_ARRAY
DOUBLE_ARRAY
BOOL_ARRAY
OBJECT

Group Resource

Allows grouping members like: [ServiceAccounts][ntt.iam.v1alpha2.ServiceAccount], [Users][ntt.iam.v1alpha2.User], or other [Groups][ntt.iam.v1alpha2.Group] by managing [memberships][ntt.iam.v1alpha2.GroupMember].

Groups can then be used to simplify access management by referring to them via [email][ntt.iam.v1alpha2.Group.email] in [RoleBindings][ntt.iam.v1alpha2.RoleBinding.member].

Name patterns:

  • groups/{group}
  • projects/{project}/groups/{group}
  • organizations/{organization}/groups/{group}

Parent resources:

This section covers the methods and messages to interact with Group resource.

Group Methods

Here is the list of Group resource methods:

GetGroup Method

GetGroup

rpc GetGroup(GetGroupRequest) returns (Group)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.get

The equivalent REST API is:

GET /v1alpha2/{name=groups/*} 
GET /v1alpha2/{name=projects/*/groups/*} 
GET /v1alpha2/{name=organizations/*/groups/*} 

BatchGetGroups Method

BatchGetGroups

rpc BatchGetGroups(BatchGetGroupsRequest) returns (BatchGetGroupsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.batchGet

The equivalent REST API is:

GET /v1alpha2/groups:batchGet 

ListGroups Method

ListGroups

rpc ListGroups(ListGroupsRequest) returns (ListGroupsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.list

The equivalent REST API is:

GET /v1alpha2/groups 
GET /v1alpha2/{parent=projects/*}/groups 
GET /v1alpha2/{parent=organizations/*}/groups 

WatchGroup Method

WatchGroup

rpc WatchGroup(WatchGroupRequest) returns (WatchGroupResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.watch

The equivalent REST API is:

POST /v1alpha2/{name=groups/*}:watch 
POST /v1alpha2/{name=projects/*/groups/*}:watch 
POST /v1alpha2/{name=organizations/*/groups/*}:watch 

WatchGroups Method

WatchGroups

rpc WatchGroups(WatchGroupsRequest) returns (WatchGroupsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.watch

The equivalent REST API is:

POST /v1alpha2/groups:watch 
POST /v1alpha2/{parent=projects/*}/groups:watch 
POST /v1alpha2/{parent=organizations/*}/groups:watch 

CreateGroup Method

CreateGroup

rpc CreateGroup(CreateGroupRequest) returns (Group)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.create

The equivalent REST API is:

POST /v1alpha2/groups (BODY: group)
POST /v1alpha2/{parent=projects/*}/groups 
POST /v1alpha2/{parent=organizations/*}/groups 

UpdateGroup Method

UpdateGroup

rpc UpdateGroup(UpdateGroupRequest) returns (Group)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.update

The equivalent REST API is:

PUT /v1alpha2/{group.name=groups/*} (BODY: group)
PUT /v1alpha2/{group.name=projects/*/groups/*} 
PUT /v1alpha2/{group.name=organizations/*/groups/*} 

DeleteGroup Method

DeleteGroup

rpc DeleteGroup(DeleteGroupRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groups.delete

The equivalent REST API is:

DELETE /v1alpha2/{name=groups/*} 
DELETE /v1alpha2/{name=projects/*/groups/*} 
DELETE /v1alpha2/{name=organizations/*/groups/*} 

Group Messages

Here is the list of Group resource messages:

Group Message

Name Type Description
name string (name of Group) Name of Group. When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9-]{0,28}[a-z0-9]
display_name string Display Name
email string Unique email address for this [Group]. Generated based on its [name][ntt.iam.v1alpha2.Group.name] with following rules: 1. System group: {group_id}@groups.iam.edgelq.com 2. Organization group: {group_id}@{organization_id}.groups.iam.edgelq.com 3. Project group: {group_id}@{project_id}.groups.iam.edgelq.com This email can be used in [RoleBindings][ntt.iam.v1alpha2.RoleBinding.member] field. Note: Currently there is way to assign custom domain for [Organization] or [Project].
metadata Meta Metadata
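The name patterns, ID regex and email rules above can be checked client-side before a Group is referenced in a RoleBinding. The following is an added example, not code from the EdgeLQ project; the function names are hypothetical, and it assumes the project or organization ID is copied verbatim from the resource name into the email domain.

```python
import re

# Regex quoted on this page for the last ID segment of a Group name.
GROUP_ID_RE = re.compile(r"[a-z][a-z0-9-]{0,28}[a-z0-9]")
EMAIL_DOMAIN = "groups.iam.edgelq.com"

# The three Group name patterns listed on this page.
NAME_PATTERNS = [
    ("system", re.compile(r"groups/(?P<group>[^/]+)")),
    ("project", re.compile(r"projects/(?P<scope>[^/]+)/groups/(?P<group>[^/]+)")),
    ("organization",
     re.compile(r"organizations/(?P<scope>[^/]+)/groups/(?P<group>[^/]+)")),
]


def parse_group_name(name):
    """Return (kind, scope_id, group_id) or raise ValueError.

    kind is "system", "project" or "organization"; scope_id is None for
    system groups.
    """
    for kind, pattern in NAME_PATTERNS:
        match = pattern.fullmatch(name)
        if match is None:
            continue
        group_id = match.group("group")
        if GROUP_ID_RE.fullmatch(group_id) is None:
            raise ValueError(
                "group ID %r does not match %s" % (group_id, GROUP_ID_RE.pattern))
        return kind, match.groupdict().get("scope"), group_id
    raise ValueError("%r matches none of the Group name patterns" % name)


def group_email(name):
    """Derive the Group email from its resource name using the three rules."""
    kind, scope_id, group_id = parse_group_name(name)
    if kind == "system":
        return "%s@%s" % (group_id, EMAIL_DOMAIN)
    # Organization and project groups share the same email shape.
    return "%s@%s.%s" % (group_id, scope_id, EMAIL_DOMAIN)


def group_member_ref(name):
    """Member string for nesting this Group inside another Group,
    following the "group:<email>" format shown for GroupMember.member."""
    return "group:" + group_email(name)


if __name__ == "__main__":
    # Constructed sample names, not taken from a real deployment.
    for sample in ("groups/admins",
                   "projects/demo/groups/ops-team",
                   "organizations/acme/groups/sec"):
        print(sample, "->", group_email(sample))
```
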

GetGroupRequest Message

A request message of the GetGroup method.

Name Type Description
name string (name of Group) Name of ntt.iam.v1alpha2.Group
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetGroupsRequest Message

A request message of the BatchGetGroups method.

Name Type Description
names repeated string (name of Group) Names of Groups
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetGroupsResponse Message

A response message of the BatchGetGroups method.

Name Type Description
groups repeated Group found Groups
missing repeated string (name of Group) list of not found Groups

ListGroupsRequest Message

A request message of the ListGroups method.

Name Type Description
parent string (parent name of Group) Parent name of ntt.iam.v1alpha2.Group
page_size int32 Requested page size. Server may return fewer Groups than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Group) A token identifying a page of results the server should return. Typically, this is the value of ListGroupsResponse.next_page_token.
order_by string (orderBy of Group) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Group) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListGroupsResponse Message

A response message of the ListGroups method.

Name Type Description
groups repeated Group The list of Groups
prev_page_token string (cursor of Group) A token to retrieve previous page of results. Pass this value in the ListGroupsRequest.page_token.
next_page_token string (cursor of Group) A token to retrieve next page of results. Pass this value in the ListGroupsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested, or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Groups across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchGroupRequest Message

A request message of the WatchGroup method.

Name Type Description
name string (name of Group) Name of ntt.iam.v1alpha2.Group
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchGroupResponse Message

A response message of the WatchGroup method.

Name Type Description
change GroupChange

WatchGroupsRequest Message

A request message of the WatchGroups method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in the response are relevant.
parent string (parent name of Group) Parent name of ntt.iam.v1alpha2.Group
page_size int32 Requested page size. Server may return fewer Groups than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of Group) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of Group) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of Group) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to Group that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to Group that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchGroupsResponse Message

A response message of the WatchGroups method.

Name Type Description
group_changes repeated GroupChange Changes of Groups
is_current bool If the request specified max_chunk_size (or this limit was enforced because stateless watch was chosen), then responses with a “full changeset” will be divided into chunks. The client should keep receiving messages and, once is_current has value true, combine this most recent message with all previous ones where is_current is false. If this is the first is_current in the whole watch stream, then the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of the request). All Groups will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental; however, messages may still be chunked and the is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchGroupsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 The server may occasionally send information on how many resources the client should have in its state so far (a response message without any changes, but with the snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat this as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, these kinds of errors are handled on the server side. Will never be sent together with the is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. The resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, these kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far), as the server will send a new snapshot (Groups will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, these kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.

WatchGroupsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of Group) New token to retrieve previous page of results.
next_page_token string (cursor of Group) New token to retrieve next page of results.

CreateGroupRequest Message

A request message of the CreateGroup method.

Name Type Description
parent string (parent name of Group) Parent name of ntt.iam.v1alpha2.Group
group Group Group resource body
response_mask CreateGroupRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateGroupRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateGroupRequest Message

A request message of the UpdateGroup method.

Name Type Description
group Group Group resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateGroupRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then the server will fetch the existing resource, compare it with the one stored in the cas field (after applying field mask) and proceed with the update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateGroupRequest.ResponseMask reduce message response size.

UpdateGroupRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state Group Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateGroupRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteGroupRequest Message

A request message of the DeleteGroup method.

Name Type Description
name string (name of Group) Name of ntt.iam.v1alpha2.Group

GroupMember Resource

Name patterns:

  • groups/{group}/groupMembers/{group_member}
  • projects/{project}/groups/{group}/groupMembers/{group_member}
  • organizations/{organization}/groups/{group}/groupMembers/{group_member}

Parent resources:

This section covers the methods and messages to interact with GroupMember resource.

GroupMember Methods

Here is the list of GroupMember resource methods:

GetGroupMember Method

GetGroupMember

rpc GetGroupMember(GetGroupMemberRequest) returns (GroupMember)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.get

The equivalent REST API is:

GET /v1alpha2/{name=groups/*/groupMembers/*} 
GET /v1alpha2/{name=projects/*/groups/*/groupMembers/*} 
GET /v1alpha2/{name=organizations/*/groups/*/groupMembers/*} 

BatchGetGroupMembers Method

BatchGetGroupMembers

rpc BatchGetGroupMembers(BatchGetGroupMembersRequest) returns (BatchGetGroupMembersResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.batchGet

The equivalent REST API is:

GET /v1alpha2/groupMembers:batchGet 

ListGroupMembers Method

ListGroupMembers

rpc ListGroupMembers(ListGroupMembersRequest) returns (ListGroupMembersResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.list

The equivalent REST API is:

GET /v1alpha2/{parent=groups/*}/groupMembers 
GET /v1alpha2/{parent=projects/*/groups/*}/groupMembers 
GET /v1alpha2/{parent=organizations/*/groups/*}/groupMembers 

WatchGroupMember Method

WatchGroupMember

rpc WatchGroupMember(WatchGroupMemberRequest) returns (WatchGroupMemberResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.watch

The equivalent REST API is:

POST /v1alpha2/{name=groups/*/groupMembers/*}:watch 
POST /v1alpha2/{name=projects/*/groups/*/groupMembers/*}:watch 
POST /v1alpha2/{name=organizations/*/groups/*/groupMembers/*}:watch 

WatchGroupMembers Method

WatchGroupMembers

rpc WatchGroupMembers(WatchGroupMembersRequest) returns (WatchGroupMembersResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.watch

The equivalent REST API is:

POST /v1alpha2/{parent=groups/*}/groupMembers:watch 
POST /v1alpha2/{parent=projects/*/groups/*}/groupMembers:watch 
POST /v1alpha2/{parent=organizations/*/groups/*}/groupMembers:watch 

CreateGroupMember Method

CreateGroupMember

rpc CreateGroupMember(CreateGroupMemberRequest) returns (GroupMember)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.create

The equivalent REST API is:

POST /v1alpha2/{parent=groups/*}/groupMembers (BODY: group_member)
POST /v1alpha2/{parent=projects/*/groups/*}/groupMembers 
POST /v1alpha2/{parent=organizations/*/groups/*}/groupMembers 

UpdateGroupMember Method

UpdateGroupMember

rpc UpdateGroupMember(UpdateGroupMemberRequest) returns (GroupMember)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.update

The equivalent REST API is:

PUT /v1alpha2/{group_member.name=groups/*/groupMembers/*} (BODY: group_member)
PUT /v1alpha2/{group_member.name=projects/*/groups/*/groupMembers/*} 
PUT /v1alpha2/{group_member.name=organizations/*/groups/*/groupMembers/*} 

DeleteGroupMember Method

DeleteGroupMember

rpc DeleteGroupMember(DeleteGroupMemberRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/groupMembers.delete

The equivalent REST API is:

DELETE /v1alpha2/{name=groups/*/groupMembers/*} 
DELETE /v1alpha2/{name=projects/*/groups/*/groupMembers/*} 
DELETE /v1alpha2/{name=organizations/*/groups/*/groupMembers/*} 

GroupMember Messages

Here is the list of GroupMember resource messages:

GroupMember Message

Name Type Description
name string (name of GroupMember) Name of GroupMember. When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9-]{0,28}[a-z0-9]
member string Format of the string is one of: - “allUsers” (anyone) - “allAuthenticatedUsers” (anyone logged in) - “user:admin.super@example.com” - “serviceAccount:device_agent@watchdog.serviceaccounts.iam.edgelq.com” - “group:nice.group@example.com”
parent_member string Internal field used by the IAM controller to know member ID (email) of a group this member belongs to.
min_ancestry_members repeated string Internal field used by the IAM controller to know common ancestors if this group member is actually a copy from another group, which can happen if a group is a member of another group. The list contains member IDs of other groups. The last element always points to the group which made the actual copy and is responsible for deletion when needed. If a particular group member is copied multiple times (which can also happen if a group is an indirect member via multiple memberships), then this field contains only the list of common ancestors. The purpose of this field is to indicate the owner (last item in this list) and to break cycles (previous elements). The list is always empty if this group member is a DIRECT member of this group, and the controller cannot modify it.
metadata Meta Metadata
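When reviewing who can inherit a Group's RoleBindings, the member format and min_ancestry_members semantics above are enough to flag public or malformed memberships and to tell direct members from controller-made copies. This is an added example, not part of the EdgeLQ API: GroupMember records are modelled as dicts with the field names from the table, the sample data is constructed, and strict case-sensitive prefix matching and the email-style ancestry IDs are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Member forms listed in the GroupMember.member description.
PUBLIC_MEMBERS = ("allUsers", "allAuthenticatedUsers")
TYPED_PREFIXES = ("user", "serviceAccount", "group")


@dataclass
class Finding:
    name: str             # GroupMember resource name
    member: str           # raw member string
    issue: str            # "public" or "malformed"
    direct: bool          # True when min_ancestry_members is empty
    owner: Optional[str]  # last ancestry element: the group that made the copy


def classify_member(member: str) -> Tuple[str, str]:
    """Return (kind, identity); kind is "public", "malformed" or a prefix."""
    if member in PUBLIC_MEMBERS:
        return "public", member
    prefix, sep, identity = member.partition(":")
    local, at, domain = identity.partition("@")
    # Assumption: prefixes are matched exactly as written on this page.
    if sep and prefix in TYPED_PREFIXES and at and local and domain:
        return prefix, identity
    return "malformed", member


def audit_group_members(group_members: List[dict]) -> List[Finding]:
    """Flag memberships that open a group to everyone or cannot be parsed."""
    findings = []
    for gm in group_members:
        kind, _ = classify_member(gm["member"])
        if kind not in ("public", "malformed"):
            continue
        ancestry = gm.get("min_ancestry_members", [])
        findings.append(Finding(
            name=gm["name"],
            member=gm["member"],
            issue=kind,
            direct=not ancestry,
            owner=ancestry[-1] if ancestry else None,
        ))
    return findings


# Constructed sample records, not taken from a real deployment.
SAMPLE_MEMBERS = [
    {"name": "projects/demo/groups/ops/groupMembers/m1",
     "member": "user:admin.super@example.com", "min_ancestry_members": []},
    {"name": "projects/demo/groups/ops/groupMembers/m2",
     "member": "allAuthenticatedUsers", "min_ancestry_members": []},
    {"name": "projects/demo/groups/ops/groupMembers/m3",
     "member": "allUsers",
     "min_ancestry_members": ["parent@demo.groups.iam.edgelq.com",
                              "nested@demo.groups.iam.edgelq.com"]},
    {"name": "projects/demo/groups/ops/groupMembers/m4",
     "member": "User:bob@example.com", "min_ancestry_members": []},
]

if __name__ == "__main__":
    for finding in audit_group_members(SAMPLE_MEMBERS):
        print(finding)
```

A copied membership (direct is False) has to be fixed in the owner group, since the controller manages the copy.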

GetGroupMemberRequest Message

A request message of the GetGroupMember method.

Name Type Description
name string (name of GroupMember) Name of ntt.iam.v1alpha2.GroupMember
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetGroupMembersRequest Message

A request message of the BatchGetGroupMembers method.

Name Type Description
names repeated string (name of GroupMember) Names of GroupMembers
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetGroupMembersResponse Message

A response message of the BatchGetGroupMembers method.

Name Type Description
group_members repeated GroupMember found GroupMembers
missing repeated string (name of GroupMember) list of not found GroupMembers

ListGroupMembersRequest Message

A request message of the ListGroupMembers method.

Name Type Description
parent string (parent name of GroupMember) Parent name of ntt.iam.v1alpha2.GroupMember
page_size int32 Requested page size. Server may return fewer GroupMembers than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of GroupMember) A token identifying a page of results the server should return. Typically, this is the value of ListGroupMembersResponse.next_page_token.
order_by string (orderBy of GroupMember) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of GroupMember) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListGroupMembersResponse Message

A response message of the ListGroupMembers method.

Name Type Description
group_members repeated GroupMember The list of GroupMembers
prev_page_token string (cursor of GroupMember) A token to retrieve previous page of results. Pass this value in the ListGroupMembersRequest.page_token.
next_page_token string (cursor of GroupMember) A token to retrieve next page of results. Pass this value in the ListGroupMembersRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total GroupMembers across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchGroupMemberRequest Message

A request message of the WatchGroupMember method.

Name Type Description
name string (name of GroupMember) Name of ntt.iam.v1alpha2.GroupMember
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchGroupMemberResponse Message

A response message of the WatchGroupMember method.

Name Type Description
change GroupMemberChange

WatchGroupMembersRequest Message

A request message of the WatchGroupMembers method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in a response are relevant.
parent string (parent name of GroupMember) Parent name of ntt.iam.v1alpha2.GroupMember
page_size int32 Requested page size. Server may return fewer GroupMembers than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of GroupMember) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of GroupMember) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of GroupMember) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view Changes to GroupMember that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask Changes to GroupMember that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchGroupMembersResponse Message

A response message of the WatchGroupMembers method.

Name Type Description
group_member_changes repeated GroupMemberChange Changes of GroupMembers
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of request). All GroupMembers will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left to 0.
page_token_change WatchGroupMembersResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information on how many resources the client should have in its state so far (response message without any changes, but with snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat it as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far), as the server will send a new snapshot (GroupMembers will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.

WatchGroupMembersResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of GroupMember) New token to retrieve previous page of results.
next_page_token string (cursor of GroupMember) New token to retrieve next page of results.

CreateGroupMemberRequest Message

A request message of the CreateGroupMember method.

Name Type Description
parent string (parent name of GroupMember) Parent name of ntt.iam.v1alpha2.GroupMember
group_member GroupMember GroupMember resource body
response_mask CreateGroupMemberRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateGroupMemberRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateGroupMemberRequest Message

A request message of the UpdateGroupMember method.

Name Type Description
group_member GroupMember GroupMember resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateGroupMemberRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update only and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateGroupMemberRequest.ResponseMask reduce message response size.

UpdateGroupMemberRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state GroupMember Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateGroupMemberRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteGroupMemberRequest Message

A request message of the DeleteGroupMember method.

Name Type Description
name string (name of GroupMember) Name of ntt.iam.v1alpha2.GroupMember

Organization Resource

Organization represents a higher-level organizational unit, such as a Company, University or Division.

Organizations support managing hierarchies with the [Organization.parent_organization] field. All [Permission] grants through [RoleBinding]s are propagated from organization ancestors to their descendants.

Name patterns:

  • organizations/{organization}

This section covers the methods and messages to interact with Organization resource.

Organization Methods

Here is the list of Organization resource methods:

GetOrganization Method

GetOrganization

rpc GetOrganization(GetOrganizationRequest) returns (Organization)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.get

The equivalent REST API is:

GET /v1alpha2/{name=organizations/*} 

BatchGetOrganizations Method

BatchGetOrganizations

rpc BatchGetOrganizations(BatchGetOrganizationsRequest) returns (BatchGetOrganizationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.batchGet

The equivalent REST API is:

GET /v1alpha2/organizations:batchGet 

ListOrganizations Method

ListOrganizations

rpc ListOrganizations(ListOrganizationsRequest) returns (ListOrganizationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.list

The equivalent REST API is:

GET /v1alpha2/organizations 

WatchOrganization Method

WatchOrganization

rpc WatchOrganization(WatchOrganizationRequest) returns (WatchOrganizationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.watch

The equivalent REST API is:

POST /v1alpha2/{name=organizations/*}:watch 

WatchOrganizations Method

WatchOrganizations

rpc WatchOrganizations(WatchOrganizationsRequest) returns (WatchOrganizationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.watch

The equivalent REST API is:

POST /v1alpha2/organizations:watch 

CreateOrganization Method

CreateOrganization

rpc CreateOrganization(CreateOrganizationRequest) returns (Organization)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.create

The equivalent REST API is:

POST /v1alpha2/organizations (BODY: organization)

UpdateOrganization Method

UpdateOrganization

rpc UpdateOrganization(UpdateOrganizationRequest) returns (Organization)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.update

The equivalent REST API is:

PUT /v1alpha2/{organization.name=organizations/*} (BODY: organization)

DeleteOrganization Method

DeleteOrganization

rpc DeleteOrganization(DeleteOrganizationRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.delete

The equivalent REST API is:

DELETE /v1alpha2/{name=organizations/*} 

ListMyOrganizations Method

ListMyOrganizations

rpc ListMyOrganizations(ListMyOrganizationsRequest) returns (ListMyOrganizationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizations.listMy

The equivalent REST API is:

POST /v1alpha2/organizations:listMy 

Organization Messages

Here is the list of Organization resource messages:

Organization Message

Name Type Description
name string (name of Organization) Name of Organization When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9-]{0,28}[a-z0-9]
title string Official Name of Organization
parent_organization string (reference to Organization) Parent organization
root_organization string (reference to Organization) Top parent (internal)
ancestry_path repeated string (reference to Organization) Full ancestry path (internal)
metadata Meta Metadata
multi_region_policy MultiRegionPolicy Multi region policy for child resources
allowed_services repeated string (reference to Service) Allowed services for child organizations and projects. This field is checked only for non-core edgelq services.
business_tier BusinessTier Business tier applicable for all allowed services. This value defines: * Default business tier for child projects (if not defined on creation) * Default business tier to this organization.
service_tiers repeated ServiceBusinessTier Overwrites business_tier for each service.
service_errors map<string, ServiceErrors> Service errors reported for this organization by category

GetOrganizationRequest Message

A request message of the GetOrganization method.

Name Type Description
name string (name of Organization) Name of ntt.iam.v1alpha2.Organization
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetOrganizationsRequest Message

A request message of the BatchGetOrganizations method.

Name Type Description
names repeated string (name of Organization) Names of Organizations
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetOrganizationsResponse Message

A response message of the BatchGetOrganizations method.

Name Type Description
organizations repeated Organization found Organizations
missing repeated string (name of Organization) list of not found Organizations

ListOrganizationsRequest Message

A request message of the ListOrganizations method.

Name Type Description
page_size int32 Requested page size. Server may return fewer Organizations than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Organization) A token identifying a page of results the server should return. Typically, this is the value of ListOrganizationsResponse.next_page_token.
order_by string (orderBy of Organization) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Organization) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListOrganizationsResponse Message

A response message of the ListOrganizations method.

Name Type Description
organizations repeated Organization The list of Organizations
prev_page_token string (cursor of Organization) A token to retrieve previous page of results. Pass this value in the ListOrganizationsRequest.page_token.
next_page_token string (cursor of Organization) A token to retrieve next page of results. Pass this value in the ListOrganizationsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Organizations across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchOrganizationRequest Message

A request message of the WatchOrganization method.

Name Type Description
name string (name of Organization) Name of ntt.iam.v1alpha2.Organization
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchOrganizationResponse Message

A response message of the WatchOrganization method.

Name Type Description
change OrganizationChange

WatchOrganizationsRequest Message

A request message of the WatchOrganizations method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in a response are relevant.
page_size int32 Requested page size. Server may return fewer Organizations than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of Organization) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of Organization) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of Organization) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view Changes to Organization that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask Changes to Organization that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchOrganizationsResponse Message

A response message of the WatchOrganizations method.

Name Type Description
organization_changes repeated OrganizationChange Changes of Organizations
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of request). All Organizations will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left to 0.
page_token_change WatchOrganizationsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information on how many resources the client should have in its state so far (response message without any changes, but with snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat it as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far), as the server will send a new snapshot (Organizations will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
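
An added example (not code from the EdgeLQ project) of the client-side bookkeeping that the WatchGroupMembersResponse and WatchOrganizationsResponse flags call for on a stateless watch: buffer chunks until is_current, drop them on is_soft_reset, clear everything on is_hard_reset, and reconnect on a snapshot_size mismatch. Assumptions: responses are modelled as plain dicts keyed by the proto field names, and each change is a hypothetical {"type", "name", "resource"} dict, because the GroupMemberChange and OrganizationChange layouts are not shown in this section.

```python
"""Client-side state for a stateless WatchGroupMembers / WatchOrganizations stream."""
# Assumed shapes (not from the page): responses are dicts keyed by proto field
# name; a change is {"type": added|current|modified|removed, "name", "resource"}.


class WatchResyncRequired(Exception):
    """Local state disagrees with the server's snapshot_size: reconnect."""


class StatelessWatchState:
    def __init__(self, changes_field="group_member_changes"):
        self.changes_field = changes_field  # or "organization_changes"
        self.resources = {}       # committed state: resource name -> body
        self.pending = []         # changes from chunks where is_current is false
        self.resume_token = None
        self.in_sync = False      # becomes True at the first is_current == true

    def handle(self, resp):
        # Apply one response message; call in stream order.
        if resp.get("is_hard_reset"):
            # Server will resend a full snapshot: forget everything, tokens included.
            self.resources.clear()
            self.pending.clear()
            self.resume_token = None
            self.in_sync = False
            return
        if resp.get("is_soft_reset"):
            # Only uncommitted chunks are dropped; the resume token stays valid.
            self.pending.clear()
            return

        changes = resp.get(self.changes_field, [])
        if not changes and not resp.get("is_current"):
            # Size announcement; a negative value means "unpopulated".
            size = resp.get("snapshot_size", -1)
            if size >= 0 and size != len(self.resources):
                raise WatchResyncRequired(
                    f"server expects {size} resources, client holds {len(self.resources)}")
            return

        self.pending.extend(changes)
        if resp.get("is_current"):
            # Last chunk: commit this message together with the buffered ones.
            for change in self.pending:
                self._apply(change)
            self.pending.clear()
            self.in_sync = True
            if resp.get("resume_token"):
                self.resume_token = resp["resume_token"]

    def _apply(self, change):
        kind, name = change["type"], change["name"]
        if kind == "removed":
            self.resources.pop(name, None)
        elif kind in ("added", "current", "modified"):
            self.resources[name] = change["resource"]
        else:
            raise ValueError(f"unknown change type: {kind!r}")

    def has_member(self, member):
        """Membership check that fails closed until a full snapshot is held."""
        if not self.in_sync:
            return False
        return any(r.get("member") == member for r in self.resources.values())


def _change(kind, member_id, member):
    # Constructed sample data following the GroupMember name pattern.
    name = f"organizations/acme/groups/admins/groupMembers/{member_id}"
    return {"type": kind, "name": name, "resource": {"name": name, "member": member}}


def demo():
    alice, bob = "user:alice@example.com", "user:bob@example.com"
    st = StatelessWatchState()
    seen = {}
    st.handle({"group_member_changes": [_change("current", "alice-1", alice)]})
    seen["before_first_current"] = st.has_member(alice)
    st.handle({"group_member_changes": [_change("current", "bob-1", bob)],
               "is_current": True, "resume_token": "tok-1"})
    seen["after_snapshot"] = sorted(r["member"] for r in st.resources.values())
    # A chunked removal is interrupted by a soft reset, then resent in full.
    st.handle({"group_member_changes": [_change("removed", "alice-1", alice)]})
    st.handle({"is_soft_reset": True})
    seen["after_soft_reset"] = (st.has_member(alice), st.resume_token)
    st.handle({"group_member_changes": [_change("removed", "alice-1", alice)],
               "is_current": True, "resume_token": "tok-2"})
    seen["alice_after_removal"] = st.has_member(alice)
    st.handle({"snapshot_size": 1})            # matches: one member left
    try:
        st.handle({"snapshot_size": 5})        # mismatch: must reconnect
        seen["resync"] = False
    except WatchResyncRequired:
        seen["resync"] = True
    st.handle({"is_hard_reset": True})
    seen["after_hard_reset"] = (len(st.resources), st.resume_token, st.has_member(bob))
    return seen
```

A cache that feeds access decisions should treat WatchResyncRequired and a hard reset as "membership unknown" until the next is_current arrives, which is what has_member does here.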

WatchOrganizationsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of Organization) New token to retrieve previous page of results.
next_page_token string (cursor of Organization) New token to retrieve next page of results.

CreateOrganizationRequest Message

A request message of the CreateOrganization method.

Name Type Description
organization Organization Organization resource body
response_mask CreateOrganizationRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateOrganizationRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateOrganizationRequest Message

A request message of the UpdateOrganization method.

Name Type Description
organization Organization Organization resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateOrganizationRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update only and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateOrganizationRequest.ResponseMask reduce message response size.

UpdateOrganizationRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state Organization Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.
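
The CAS check described for UpdateGroupMemberRequest and UpdateOrganizationRequest, as an added local model (not EdgeLQ server code): the stored resource is compared with conditional_state on the CAS field_mask paths only, and a stale writer gets Aborted and must re-read before retrying. Assumptions: field masks are modelled as lists of dotted paths, resources as dicts, allow_missing is left out, and the organization and service names are constructed sample values.

```python
"""Local model of the UpdateOrganizationRequest.CAS check (not the EdgeLQ server)."""
import copy


class Aborted(Exception):
    """Stands in for the RPC error Aborted."""


def get_path(obj, path):
    """Read a dotted field path; a missing field reads as None."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(obj, path, value):
    """Write a dotted field path, creating intermediate objects as needed."""
    parts = path.split(".")
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value


def update_organization(store, request):
    body = request["organization"]
    stored = store[body["name"]]
    cas = request.get("cas")
    if cas:
        # Compare only the paths named in the CAS field_mask.
        for path in cas["field_mask"]:
            if get_path(stored, path) != get_path(cas["conditional_state"], path):
                raise Aborted(f"CAS mismatch on {path}")
    # Apply only the fields named in update_mask.
    updated = copy.deepcopy(stored)
    for path in request["update_mask"]:
        set_path(updated, path, copy.deepcopy(get_path(body, path)))
    store[body["name"]] = updated
    return updated


def demo():
    name = "organizations/acme"                      # constructed sample name
    svc_a, svc_b, svc_c = (f"services/svc-{x}.example.com" for x in "abc")
    store = {name: {"name": name, "title": "Acme", "allowed_services": [svc_a]}}
    read_by_a = copy.deepcopy(store[name])           # two admins read the same state
    read_by_b = copy.deepcopy(store[name])

    def guarded(snapshot, services):
        return {"organization": {"name": name, "allowed_services": services},
                "update_mask": ["allowed_services"],
                "cas": {"conditional_state": snapshot,
                        "field_mask": ["allowed_services"]}}

    # An unrelated title change is outside the CAS mask, so it does not
    # invalidate either admin's snapshot.
    update_organization(store, {"organization": {"name": name, "title": "Acme Corp"},
                                "update_mask": ["title"]})
    update_organization(store, guarded(read_by_a, [svc_a, svc_b]))

    # Admin B still holds the old allowed_services and would silently drop svc_b.
    try:
        update_organization(store, guarded(read_by_b, [svc_a, svc_c]))
        stale_aborted = False
    except Aborted:
        stale_aborted = True
    after_abort = list(store[name]["allowed_services"])

    # Correct recovery: re-read, rebuild the change on fresh state, retry.
    fresh = copy.deepcopy(store[name])
    final = update_organization(store, guarded(fresh, fresh["allowed_services"] + [svc_c]))
    return {"stale_aborted": stale_aborted, "after_abort": after_abort, "final": final}
```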

UpdateOrganizationRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteOrganizationRequest Message

A request message of the DeleteOrganization method.

Name Type Description
name string (name of Organization) Name of ntt.iam.v1alpha2.Organization

ListMyOrganizationsRequest Message

Request message for method [ListMyOrganizations][ntt.iam.v1alpha2.ListMyOrganizations]

Name Type Description
page_size int32 Requested page size. Server may return fewer Organizations than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Organization) A token identifying a page of results the server should return. Typically, this is the value of [ListOrganizationsResponse.next_page_token][ntt.iam.v1alpha2.ListOrganizationsResponse.next_page_token]
order_by string (orderBy of Organization) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Organization) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A FieldMask used to filter response fields. When present, only requested fields will be present in each response item. Omitting field_mask will cause response items to contain all present fields.

ListMyOrganizationsResponse Message

Response message for method [ListMyOrganizations][ntt.iam.v1alpha2.ListMyOrganizations]

Name Type Description
organizations repeated Organization The list of Organizations
prev_page_token string (cursor of Organization) A token to retrieve previous page of results. Pass this value in the [ListOrganizationsRequest.page_token][ntt.iam.v1alpha2.ListOrganizationsRequest.page_token]
next_page_token string (cursor of Organization) A token to retrieve next page of results. Pass this value in the [ListOrganizationsRequest.page_token][ntt.iam.v1alpha2.ListOrganizationsRequest.page_token]

OrganizationInvitation Resource

OrganizationInvitation Resource

Name patterns:

  • organizations/{organization}/organizationInvitations/{organization_invitation}

Parent resources:

This section covers the methods and messages to interact with OrganizationInvitation resource.

OrganizationInvitation Methods

Here is the list of OrganizationInvitation resource methods:

GetOrganizationInvitation Method

GetOrganizationInvitation

rpc GetOrganizationInvitation(GetOrganizationInvitationRequest) returns (OrganizationInvitation)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.get

The equivalent REST API is:

GET /v1alpha2/{name=organizations/*/organizationInvitations/*} 

BatchGetOrganizationInvitations Method

BatchGetOrganizationInvitations

rpc BatchGetOrganizationInvitations(BatchGetOrganizationInvitationsRequest) returns (BatchGetOrganizationInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.batchGet

The equivalent REST API is:

GET /v1alpha2/organizationInvitations:batchGet 

ListOrganizationInvitations Method

ListOrganizationInvitations

rpc ListOrganizationInvitations(ListOrganizationInvitationsRequest) returns (ListOrganizationInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.list

The equivalent REST API is:

GET /v1alpha2/{parent=organizations/*}/organizationInvitations 

WatchOrganizationInvitation Method

WatchOrganizationInvitation

rpc WatchOrganizationInvitation(WatchOrganizationInvitationRequest) returns (WatchOrganizationInvitationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.watch

The equivalent REST API is:

POST /v1alpha2/{name=organizations/*/organizationInvitations/*}:watch 

WatchOrganizationInvitations Method

WatchOrganizationInvitations

rpc WatchOrganizationInvitations(WatchOrganizationInvitationsRequest) returns (WatchOrganizationInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.watch

The equivalent REST API is:

POST /v1alpha2/{parent=organizations/*}/organizationInvitations:watch 

CreateOrganizationInvitation Method

CreateOrganizationInvitation

rpc CreateOrganizationInvitation(CreateOrganizationInvitationRequest) returns (OrganizationInvitation)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.create

The equivalent REST API is:

POST /v1alpha2/{parent=organizations/*}/organizationInvitations (BODY: organization_invitation)

UpdateOrganizationInvitation Method

UpdateOrganizationInvitation

rpc UpdateOrganizationInvitation(UpdateOrganizationInvitationRequest) returns (OrganizationInvitation)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.update

The equivalent REST API is:

PUT /v1alpha2/{organization_invitation.name=organizations/*/organizationInvitations/*} (BODY: organization_invitation)

DeleteOrganizationInvitation Method

DeleteOrganizationInvitation

rpc DeleteOrganizationInvitation(DeleteOrganizationInvitationRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.delete

The equivalent REST API is:

DELETE /v1alpha2/{name=organizations/*/organizationInvitations/*} 

AcceptOrganizationInvitation Method

AcceptOrganizationInvitation

rpc AcceptOrganizationInvitation(AcceptOrganizationInvitationRequest) returns (AcceptOrganizationInvitationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.accept

The equivalent REST API is:

POST /v1alpha2/{name=organizations/*/organizationInvitations/*}:accept 

DeclineOrganizationInvitation Method

DeclineOrganizationInvitation

rpc DeclineOrganizationInvitation(DeclineOrganizationInvitationRequest) returns (DeclineOrganizationInvitationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.decline

The equivalent REST API is:

POST /v1alpha2/{name=organizations/*/organizationInvitations/*}:decline 

ListMyOrganizationInvitations Method

ListMyOrganizationInvitations

rpc ListMyOrganizationInvitations(ListMyOrganizationInvitationsRequest) returns (ListMyOrganizationInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/organizationInvitations.listMy

The equivalent REST API is:

POST /v1alpha2/{parent=organizations/*}/organizationInvitations:listMy 

OrganizationInvitation Messages

Here is the list of OrganizationInvitation resource messages:

OrganizationInvitation Message

Name Type Description
name string (name of OrganizationInvitation) Name of OrganizationInvitation. When creating a new instance, this field is optional and, if not provided, it will be generated automatically. The last ID segment must conform to the following regex: [a-z][a-z0-9-]{0,28}[a-z0-9]
invitation Invitation
metadata Meta Metadata

GetOrganizationInvitationRequest Message

A request message of the GetOrganizationInvitation method.

Name Type Description
name string (name of OrganizationInvitation) Name of ntt.iam.v1alpha2.OrganizationInvitation
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetOrganizationInvitationsRequest Message

A request message of the BatchGetOrganizationInvitations method.

Name Type Description
names repeated string (name of OrganizationInvitation) Names of OrganizationInvitations
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetOrganizationInvitationsResponse Message

A response message of the BatchGetOrganizationInvitations method.

Name Type Description
organization_invitations repeated OrganizationInvitation found OrganizationInvitations
missing repeated string (name of OrganizationInvitation) list of not found OrganizationInvitations

ListOrganizationInvitationsRequest Message

A request message of the ListOrganizationInvitations method.

Name Type Description
parent string (parent name of OrganizationInvitation) Parent name of ntt.iam.v1alpha2.OrganizationInvitation
page_size int32 Requested page size. Server may return fewer OrganizationInvitations than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of OrganizationInvitation) A token identifying a page of results the server should return. Typically, this is the value of ListOrganizationInvitationsResponse.next_page_token.
order_by string (orderBy of OrganizationInvitation) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of OrganizationInvitation) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListOrganizationInvitationsResponse Message

A response message of the ListOrganizationInvitations method.

Name Type Description
organization_invitations repeated OrganizationInvitation The list of OrganizationInvitations
prev_page_token string (cursor of OrganizationInvitation) A token to retrieve previous page of results. Pass this value in the ListOrganizationInvitationsRequest.page_token.
next_page_token string (cursor of OrganizationInvitation) A token to retrieve next page of results. Pass this value in the ListOrganizationInvitationsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total OrganizationInvitations across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchOrganizationInvitationRequest Message

A request message of the WatchOrganizationInvitation method.

Name Type Description
name string (name of OrganizationInvitation) Name of ntt.iam.v1alpha2.OrganizationInvitation
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchOrganizationInvitationResponse Message

A response message of the WatchOrganizationInvitation method.

Name Type Description
change OrganizationInvitationChange

WatchOrganizationInvitationsRequest Message

A request message of the WatchOrganizationInvitations method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in the response are relevant.
parent string (parent name of OrganizationInvitation) Parent name of ntt.iam.v1alpha2.OrganizationInvitation
page_size int32 Requested page size. Server may return fewer OrganizationInvitations than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of OrganizationInvitation) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of OrganizationInvitation) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in time from which we want to start getting updates. This field can be populated only for stateless watch type and if the resume token is not known yet. If specified, the initial snapshot will NOT be provided. It is assumed the client can obtain it using separate means. Watch responses will contain resume tokens, which should be used to resume a broken connection.
filter string (filter of OrganizationInvitation) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to OrganizationInvitation that don’t affect any of the masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to OrganizationInvitation that don’t affect any of the masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchOrganizationInvitationsResponse Message

A response message of the WatchOrganizationInvitations method.

Name Type Description
organization_invitation_changes repeated OrganizationInvitationChange Changes of OrganizationInvitations
is_current bool If the request specified max_chunk_size (or this limit was enforced because stateless watch was chosen), then responses with a “full changeset” will be divided into chunks. The client should keep receiving messages and, once is_current has value true, combine this most recent message with all previous ones where is_current is false. If this is the first is_current in the whole watch stream, then the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of the request). All OrganizationInvitations will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and the is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchOrganizationInvitationsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 The server may occasionally send information on how many resources the client should have in its state so far (a response message without any changes, but with the snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat this as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent together with the is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. The resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far), as the server will send a new snapshot (OrganizationInvitations will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.

WatchOrganizationInvitationsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of OrganizationInvitation) New token to retrieve previous page of results.
next_page_token string (cursor of OrganizationInvitation) New token to retrieve next page of results.

CreateOrganizationInvitationRequest Message

A request message of the CreateOrganizationInvitation method.

Name Type Description
parent string (parent name of OrganizationInvitation) Parent name of ntt.iam.v1alpha2.OrganizationInvitation
organization_invitation OrganizationInvitation OrganizationInvitation resource body
response_mask CreateOrganizationInvitationRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateOrganizationInvitationRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateOrganizationInvitationRequest Message

A request message of the UpdateOrganizationInvitation method.

Name Type Description
organization_invitation OrganizationInvitation OrganizationInvitation resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateOrganizationInvitationRequest.CAS Conditional update applied to the request if the update should be executed only for a specific resource state. If this field is populated, then the server will fetch the existing resource, compare it with the one stored in the cas field (after applying the field mask) and proceed with the update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateOrganizationInvitationRequest.ResponseMask Optional masking applied to the response object to reduce message response size.

UpdateOrganizationInvitationRequest.CAS Message

CAS - Compare and Swap. This object is used if the user wants to make an update conditional upon the previous resource version.

Name Type Description
conditional_state OrganizationInvitation Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from the conditional state of the resource that the server should check and compare.
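The following added example (not part of the EdgeLQ documentation or code base) models the compare-and-swap rule described for the cas field: the stored resource and conditional_state are compared only on the paths in cas.field_mask, and a mismatch ends in Aborted. Assumptions: requests are plain dicts, a FieldMask is a list of dotted paths, the paths under `invitation` are placeholders (only the value "PENDING" appears on this page), and the store is an in-memory dict.

```python
import copy

_MISSING = object()  # marks a path that is absent from a resource

# Constructed resource name following the documented name pattern.
NAME = "organizations/constructed-org/organizationInvitations/inv-1"


class Aborted(Exception):
    """Stands in for the RPC error Aborted named in the cas field description."""


def get_path(resource, path):
    """Return the value at a dotted field path, or _MISSING if it is absent."""
    node = resource
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def set_path(resource, path, value):
    """Write a value at a dotted field path, creating parent dicts as needed."""
    *parents, leaf = path.split(".")
    node = resource
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = copy.deepcopy(value)


def masked(resource, paths):
    """Project a resource onto the given field paths."""
    return {path: get_path(resource, path) for path in paths}


def update_with_cas(store, request):
    """Apply update_mask fields only if the masked stored state matches cas."""
    incoming = request["organization_invitation"]
    existing = store[incoming["name"]]
    cas = request.get("cas")
    if cas is not None:
        paths = cas["field_mask"]
        if masked(existing, paths) != masked(cas["conditional_state"], paths):
            raise Aborted("stored resource no longer matches conditional_state")
    for path in request["update_mask"]:
        value = get_path(incoming, path)
        if value is not _MISSING:
            set_path(existing, path, value)
    return copy.deepcopy(existing)


def make_request(new_state, note_seen_by_client):
    """Build a conditional update that only proceeds from state PENDING."""
    return {
        "organization_invitation": {"name": NAME, "invitation": {"state": new_state}},
        "update_mask": ["invitation.state"],
        "cas": {
            "conditional_state": {
                "name": NAME,
                "invitation": {"state": "PENDING", "note": note_seen_by_client},
            },
            # Only this path is compared; "note" may differ without blocking.
            "field_mask": ["invitation.state"],
        },
    }


def demo():
    """Two writers race on one invitation; the second holds a stale view."""
    store = {NAME: {"name": NAME, "invitation": {"state": "PENDING", "note": "first"}}}
    # STATE_X and STATE_Y are placeholder state values, not documented enums.
    first = update_with_cas(store, make_request("STATE_X", "stale note"))
    try:
        update_with_cas(store, make_request("STATE_Y", "first"))
        second = "applied"
    except Aborted:
        second = "aborted"
    return first["invitation"], second, store[NAME]["invitation"]["state"]


if __name__ == "__main__":
    print(demo())
```
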

UpdateOrganizationInvitationRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteOrganizationInvitationRequest Message

A request message of the DeleteOrganizationInvitation method.

Name Type Description
name string (name of OrganizationInvitation) Name of ntt.iam.v1alpha2.OrganizationInvitation

AcceptOrganizationInvitationRequest Message

Request message for method [AcceptOrganizationInvitation][ntt.iam.v1alpha2.AcceptOrganizationInvitation]

Name Type Description
name string (name of OrganizationInvitation) name of ntt.iam.v1alpha2.OrganizationInvitation

AcceptOrganizationInvitationResponse Message

Response message for method [AcceptOrganizationInvitation][ntt.iam.v1alpha2.AcceptOrganizationInvitation]

Name Type Description
none none none

DeclineOrganizationInvitationRequest Message

Request message for method [DeclineOrganizationInvitation][ntt.iam.v1alpha2.DeclineOrganizationInvitation]

Name Type Description
name string (name of OrganizationInvitation) name of ntt.iam.v1alpha2.OrganizationInvitation
filter string (filter of ProjectInvitation) Additional filter for invitations, e.g. state = “PENDING”

DeclineOrganizationInvitationResponse Message

Response message for method [DeclineOrganizationInvitation][ntt.iam.v1alpha2.DeclineOrganizationInvitation]

Name Type Description
none none none

ListMyOrganizationInvitationsRequest Message

Request message for method [ListMyOrganizationInvitations][ntt.iam.v1alpha2.ListMyOrganizationInvitations]

Name Type Description
parent string (parent name of OrganizationInvitation) Parent name of ntt.iam.v1alpha2.OrganizationInvitation
filter string (filter of OrganizationInvitation) Additional filter for invitations, e.g. state = “PENDING”

ListMyOrganizationInvitationsResponse Message

Response message for method [ListMyOrganizationInvitations][ntt.iam.v1alpha2.ListMyOrganizationInvitations]

Name Type Description
organization_invitations repeated OrganizationInvitation The list of OrganizationInvitations

Permission Resource

Permission Resource

Name patterns:

  • permissions/{permission}

This section covers the methods and messages to interact with Permission resource.

Permission Methods

Here is the list of Permission resource methods:

CheckPermissions Method

CheckPermissions

rpc CheckPermissions(CheckPermissionsRequest) returns (CheckPermissionsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.check

The equivalent REST API is:

POST /v1alpha2/permissions:check (BODY: *)

CheckMyPermissions Method

CheckMyPermissions

rpc CheckMyPermissions(CheckMyPermissionsRequest) returns (CheckMyPermissionsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.checkMy

The equivalent REST API is:

POST /v1alpha2/permissions:checkMy (BODY: *)

GetPermission Method

GetPermission

rpc GetPermission(GetPermissionRequest) returns (Permission)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.get

The equivalent REST API is:

GET /v1alpha2/{name=permissions/*} 

BatchGetPermissions Method

BatchGetPermissions

rpc BatchGetPermissions(BatchGetPermissionsRequest) returns (BatchGetPermissionsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.batchGet

The equivalent REST API is:

GET /v1alpha2/permissions:batchGet 

ListPermissions Method

ListPermissions

rpc ListPermissions(ListPermissionsRequest) returns (ListPermissionsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.list

The equivalent REST API is:

GET /v1alpha2/permissions 

WatchPermission Method

WatchPermission

rpc WatchPermission(WatchPermissionRequest) returns (WatchPermissionResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.watch

The equivalent REST API is:

POST /v1alpha2/{name=permissions/*}:watch 

WatchPermissions Method

WatchPermissions

rpc WatchPermissions(WatchPermissionsRequest) returns (WatchPermissionsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.watch

The equivalent REST API is:

POST /v1alpha2/permissions:watch 

CreatePermission Method

CreatePermission

rpc CreatePermission(CreatePermissionRequest) returns (Permission)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.create

The equivalent REST API is:

POST /v1alpha2/permissions (BODY: permission)

UpdatePermission Method

UpdatePermission

rpc UpdatePermission(UpdatePermissionRequest) returns (Permission)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.update

The equivalent REST API is:

PUT /v1alpha2/{permission.name=permissions/*} (BODY: permission)

DeletePermission Method

DeletePermission

rpc DeletePermission(DeletePermissionRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/permissions.delete

The equivalent REST API is:

DELETE /v1alpha2/{name=permissions/*} 

Permission Messages

Here is the list of Permission resource messages:

Permission Message

Name Type Description
name string (name of Permission) Name of Permission. Example: library.site.create
title string Title
description string Description
metadata Meta Metadata

CheckPermissionsRequest Message

Request message for method [CheckPermissions][ntt.iam.v1alpha2.CheckPermissions]

Name Type Description
member string Acting principal, e.g. user or service account Format of the string is one of: - “allUsers” (anyone) - “allAuthenticatedUsers” (anyone logged in) - “user:admin.super@example.com” - “serviceAccount:device_agent@watchdog.serviceaccounts.iam.edgelq.com” - “group:nice.group@example.com” - “domain:example.com” (anyone with exact email domain)
checks repeated Check Checks
skip_cache bool If true, server will skip checking permissions in cache

CheckPermissionsResponse Message

Response message for method [CheckPermissions][ntt.iam.v1alpha2.CheckPermissions]

Name Type Description
check_results repeated CheckResult

CheckMyPermissionsRequest Message

Request message for method [CheckMyPermissions][ntt.iam.v1alpha2.CheckMyPermissions]

Name Type Description
checks repeated Check Checks
skip_cache bool If true, server will skip checking permissions in cache

CheckMyPermissionsResponse Message

Response message for method [CheckMyPermissions][ntt.iam.v1alpha2.CheckMyPermissions]

Name Type Description
check_results repeated CheckResult

GetPermissionRequest Message

A request message of the GetPermission method.

Name Type Description
name string (name of Permission) Name of ntt.iam.v1alpha2.Permission
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetPermissionsRequest Message

A request message of the BatchGetPermissions method.

Name Type Description
names repeated string (name of Permission) Names of Permissions
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetPermissionsResponse Message

A response message of the BatchGetPermissions method.

Name Type Description
permissions repeated Permission found Permissions
missing repeated string (name of Permission) list of not found Permissions

ListPermissionsRequest Message

A request message of the ListPermissions method.

Name Type Description
page_size int32 Requested page size. Server may return fewer Permissions than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Permission) A token identifying a page of results the server should return. Typically, this is the value of ListPermissionsResponse.next_page_token.
order_by string (orderBy of Permission) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Permission) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListPermissionsResponse Message

A response message of the ListPermissions method.

Name Type Description
permissions repeated Permission The list of Permissions
prev_page_token string (cursor of Permission) A token to retrieve previous page of results. Pass this value in the ListPermissionsRequest.page_token.
next_page_token string (cursor of Permission) A token to retrieve next page of results. Pass this value in the ListPermissionsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Permissions across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchPermissionRequest Message

A request message of the WatchPermission method.

Name Type Description
name string (name of Permission) Name of ntt.iam.v1alpha2.Permission
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchPermissionResponse Message

A response message of the WatchPermission method.

Name Type Description
change PermissionChange

WatchPermissionsRequest Message

A request message of the WatchPermissions method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in the response are relevant.
page_size int32 Requested page size. Server may return fewer Permissions than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of Permission) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of Permission) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in time from which we want to start getting updates. This field can be populated only for stateless watch type and if the resume token is not known yet. If specified, the initial snapshot will NOT be provided. It is assumed the client can obtain it using separate means. Watch responses will contain resume tokens, which should be used to resume a broken connection.
filter string (filter of Permission) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to Permission that don’t affect any of the masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to Permission that don’t affect any of the masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchPermissionsResponse Message

A response message of the WatchPermissions method.

Name Type Description
permission_changes repeated PermissionChange Changes of Permissions
is_current bool If the request specified max_chunk_size (or this limit was enforced because stateless watch was chosen), then responses with a “full changeset” will be divided into chunks. The client should keep receiving messages and, once is_current has value true, combine this most recent message with all previous ones where is_current is false. If this is the first is_current in the whole watch stream, then the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of the request). All Permissions will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and the is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchPermissionsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 The server may occasionally send information about how many resources the client should have in its state so far (a response message without any changes, but with the snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat it as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent together with the is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. The resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far), as the server will send a new snapshot (Permissions will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.

WatchPermissionsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of Permission) New token to retrieve previous page of results.
next_page_token string (cursor of Permission) New token to retrieve next page of results.

CreatePermissionRequest Message

A request message of the CreatePermission method.

Name Type Description
permission Permission Permission resource body
response_mask CreatePermissionRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreatePermissionRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdatePermissionRequest Message

A request message of the UpdatePermission method.

Name Type Description
permission Permission Permission resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdatePermissionRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then the server will fetch the existing resource, compare it with the one stored in the cas field (after applying field mask) and proceed with the update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdatePermissionRequest.ResponseMask Reduces message response size.

UpdatePermissionRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state Permission Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdatePermissionRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeletePermissionRequest Message

A request message of the DeletePermission method.

Name Type Description
name string (name of Permission) Name of ntt.iam.v1alpha2.Permission

Project Resource

Name patterns:

  • projects/{project}

This section covers the methods and messages to interact with Project resource.

Project Methods

Here is the list of Project resource methods:

GetProject Method

GetProject

rpc GetProject(GetProjectRequest) returns (Project)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.get

The equivalent REST API is:

GET /v1alpha2/{name=projects/*} 

BatchGetProjects Method

BatchGetProjects

rpc BatchGetProjects(BatchGetProjectsRequest) returns (BatchGetProjectsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.batchGet

The equivalent REST API is:

GET /v1alpha2/projects:batchGet 

ListProjects Method

ListProjects

rpc ListProjects(ListProjectsRequest) returns (ListProjectsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.list

The equivalent REST API is:

GET /v1alpha2/projects 

WatchProject Method

WatchProject

rpc WatchProject(WatchProjectRequest) returns (WatchProjectResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.watch

The equivalent REST API is:

POST /v1alpha2/{name=projects/*}:watch 

WatchProjects Method

WatchProjects

rpc WatchProjects(WatchProjectsRequest) returns (WatchProjectsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.watch

The equivalent REST API is:

POST /v1alpha2/projects:watch 

CreateProject Method

CreateProject

rpc CreateProject(CreateProjectRequest) returns (Project)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.create

The equivalent REST API is:

POST /v1alpha2/projects (BODY: project)

UpdateProject Method

UpdateProject

rpc UpdateProject(UpdateProjectRequest) returns (Project)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.update

The equivalent REST API is:

PUT /v1alpha2/{project.name=projects/*} (BODY: project)

DeleteProject Method

DeleteProject

rpc DeleteProject(DeleteProjectRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.delete

The equivalent REST API is:

DELETE /v1alpha2/{name=projects/*} 

ListMyProjects Method

ListMyProjects

rpc ListMyProjects(ListMyProjectsRequest) returns (ListMyProjectsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projects.listMy

The equivalent REST API is:

POST /v1alpha2/projects:listMy 

Project Messages

Here is the list of Project resource messages:

Project Message

Name Type Description
name string (name of Project) Name of Project. When creating a new instance, this field is optional and, if not provided, it will be generated automatically. The last ID segment must conform to the following regex: [a-z][a-z0-9-]{0,28}[a-z0-9]
title string Title
parent_organization string (reference to Organization) Parent organization
root_organization string (reference to Organization) Top parent
ancestry_path repeated string (reference to Organization) Full ancestry path
metadata Meta Metadata
multi_region_policy MultiRegionPolicy Multi region policy
enabled_services repeated string (reference to Service) Enabled services. This field is checked only for non-core edgelq services.
business_tier BusinessTier Default business tier for core EdgeLQ services and all enabled services.
service_tiers repeated ServiceBusinessTier Overwrites business_tier for each service.
service_errors map<string, ServiceErrors> Service errors reported for this project

GetProjectRequest Message

A request message of the GetProject method.

Name Type Description
name string (name of Project) Name of ntt.iam.v1alpha2.Project
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetProjectsRequest Message

A request message of the BatchGetProjects method.

Name Type Description
names repeated string (name of Project) Names of Projects
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetProjectsResponse Message

A response message of the BatchGetProjects method.

Name Type Description
projects repeated Project found Projects
missing repeated string (name of Project) list of not found Projects

ListProjectsRequest Message

A request message of the ListProjects method.

Name Type Description
page_size int32 Requested page size. Server may return fewer Projects than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Project) A token identifying a page of results the server should return. Typically, this is the value of ListProjectsResponse.next_page_token.
order_by string (orderBy of Project) Order By (https://cloud.google.com/apis/design/design_patterns#list_pagination): a list of field paths, each with an order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. E.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Project) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListProjectsResponse Message

A response message of the ListProjects method.

Name Type Description
projects repeated Project The list of Projects
prev_page_token string (cursor of Project) A token to retrieve previous page of results. Pass this value in the ListProjectsRequest.page_token.
next_page_token string (cursor of Project) A token to retrieve next page of results. Pass this value in the ListProjectsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Projects across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchProjectRequest Message

A request message of the WatchProject method.

Name Type Description
name string (name of Project) Name of ntt.iam.v1alpha2.Project
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchProjectResponse Message

A response message of the WatchProject method.

Name Type Description
change ProjectChange

WatchProjectsRequest Message

A request message of the WatchProjects method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in the response are relevant.
page_size int32 Requested page size. Server may return fewer Projects than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of Project) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of Project) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of Project) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to Project that don’t affect any of the masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to Project that don’t affect any of the masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchProjectsResponse Message

A response message of the WatchProjects method.

Name Type Description
project_changes repeated ProjectChange Changes of Projects
is_current bool If the request specified max_chunk_size (or this limit was enforced because stateless watch was chosen), then responses with a “full changeset” will be divided into chunks. The client should keep receiving messages and, once is_current has value true, combine this most recent message with all previous ones where is_current is false. If this is the first is_current in the whole watch stream, then the client should, at this moment, hold a snapshot of the current situation (or, more accurately, a snapshot of the situation at the moment of the request). All Projects will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental; however, messages may still be chunked and the is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchProjectsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 The server may occasionally send information about how many resources the client should have in its state so far (a response message without any changes, but with the snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat it as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent together with the is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. The resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far), as the server will send a new snapshot (Projects will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
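
A client-side reducer for the stateless-watch rules in the WatchProjectsResponse table above (WatchPermissionsResponse follows the same rules), written as an added example and not taken from the EdgeLQ client. The Change and WatchResponse types are simplified, hypothetical stand-ins for the generated messages, and comparing snapshot_size against the number of committed resources is an assumption. A cache of IAM resources that silently diverges from the server is worse than a reconnect, so a mismatch is returned as an error.

```go
package main

import (
	"errors"
	"fmt"
)

// ChangeKind and Change are simplified, hypothetical stand-ins for ProjectChange.
type ChangeKind int

const (
	Added ChangeKind = iota
	Current
	Modified
	Removed
)

type Change struct {
	Kind        ChangeKind
	Name, Title string
}

// WatchResponse models the stateless-watch fields; SnapshotSize < 0 means unpopulated.
type WatchResponse struct {
	Changes                  []Change
	IsCurrent                bool
	ResumeToken              string
	SnapshotSize             int64
	IsSoftReset, IsHardReset bool
}

var ErrSnapshotMismatch = errors.New("snapshot_size mismatch: drop the stream and reconnect")

type WatchState struct {
	Committed   map[string]Change // state as of the last is_current=true message
	pending     []Change          // chunks received while is_current=false
	ResumeToken string
}

// Apply folds one response into the state, following the documented rules.
func (s *WatchState) Apply(r WatchResponse) error {
	switch {
	case r.IsHardReset: // clear all state and the resume token; a new snapshot follows
		s.Committed, s.pending, s.ResumeToken = map[string]Change{}, nil, ""
		return nil
	case r.IsSoftReset: // drop uncommitted chunks only; the resume token stays valid
		s.pending = nil
		return nil
	case len(r.Changes) == 0 && !r.IsCurrent && r.SnapshotSize >= 0:
		// Consistency probe. Assumption: the size counts committed resources.
		if int64(len(s.Committed)) != r.SnapshotSize {
			return ErrSnapshotMismatch
		}
		return nil
	}
	s.pending = append(s.pending, r.Changes...)
	if !r.IsCurrent {
		return nil // more chunks of this changeset are still to come
	}
	for _, c := range s.pending {
		s.Committed[c.Name] = c
		if c.Kind == Removed {
			delete(s.Committed, c.Name)
		}
	}
	s.pending = nil
	if r.ResumeToken != "" {
		s.ResumeToken = r.ResumeToken
	}
	return nil
}

// SampleStream is a constructed message sequence, not captured traffic.
func SampleStream() []WatchResponse {
	return []WatchResponse{
		{Changes: []Change{{Current, "projects/alpha", "Alpha"}, {Current, "projects/beta", "Beta"}}, SnapshotSize: -1},
		{Changes: []Change{{Current, "projects/gamma", "Gamma"}}, IsCurrent: true, ResumeToken: "rt-1", SnapshotSize: -1},
		{SnapshotSize: 3}, // probe: the client must hold exactly three resources
		{Changes: []Change{{Modified, "projects/alpha", "Alpha v2"}}, SnapshotSize: -1},
		{IsSoftReset: true, SnapshotSize: -1}, // discards the uncommitted "Alpha v2" chunk
		{Changes: []Change{{Modified, "projects/alpha", "Alpha v3"}, {Removed, "projects/beta", ""}}, IsCurrent: true, ResumeToken: "rt-2", SnapshotSize: -1},
	}
}

// Replay applies messages in order and stops at the first error.
func Replay(msgs []WatchResponse) (*WatchState, error) {
	s := &WatchState{Committed: map[string]Change{}}
	for _, m := range msgs {
		if err := s.Apply(m); err != nil {
			return s, err
		}
	}
	return s, nil
}

func main() {
	s, err := Replay(SampleStream())
	fmt.Println(len(s.Committed), s.Committed["projects/alpha"].Title, s.ResumeToken, err)
}
```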

WatchProjectsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of Project) New token to retrieve previous page of results.
next_page_token string (cursor of Project) New token to retrieve next page of results.

CreateProjectRequest Message

A request message of the CreateProject method.

Name Type Description
project Project Project resource body
response_mask CreateProjectRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateProjectRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateProjectRequest Message

A request message of the UpdateProject method.

Name Type Description
project Project Project resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateProjectRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then the server will fetch the existing resource, compare it with the one stored in the cas field (after applying field mask) and proceed with the update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateProjectRequest.ResponseMask Reduces message response size.

UpdateProjectRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state Project Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.
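
The CAS semantics described for UpdateProjectRequest.CAS (and identically for UpdatePermissionRequest.CAS), modelled in memory as an added example; this is not EdgeLQ server or client code. Resource, Store and UpdateWithCAS are hypothetical names, a Project is reduced to a flat map of field path to value, and the sample values are constructed. It shows two things the tables only imply: the comparison covers only the paths in cas.field_mask, and a client that receives Aborted should re-read and recompute its change instead of overwriting the other writer.

```go
package main

import (
	"errors"
	"fmt"
)

// Resource is a hypothetical flat model of a Project: field path -> value.
type Resource map[string]string

func (r Resource) clone() Resource {
	out := make(Resource, len(r))
	for k, v := range r {
		out[k] = v
	}
	return out
}

// CAS mirrors UpdateProjectRequest.CAS (conditional_state, field_mask).
type CAS struct {
	ConditionalState Resource
	FieldMask        []string
}

// UpdateRequest mirrors the project, update_mask and cas request fields.
type UpdateRequest struct {
	Project    Resource
	UpdateMask []string
	CAS        *CAS
}

var ErrAborted = errors.New("Aborted: stored resource does not match cas.conditional_state")

// Store is an in-memory model of one stored Project and the documented server check.
type Store struct{ cur Resource }

func (s *Store) Get() Resource { return s.cur.clone() }

// Update compares only the paths in cas.field_mask, then applies update_mask.
func (s *Store) Update(req UpdateRequest) error {
	if req.CAS != nil {
		for _, path := range req.CAS.FieldMask {
			if s.cur[path] != req.CAS.ConditionalState[path] {
				return ErrAborted
			}
		}
	}
	for _, path := range req.UpdateMask {
		s.cur[path] = req.Project[path]
	}
	return nil
}

// UpdateWithCAS is a bounded read-modify-write loop: on Aborted it re-reads and
// recomputes the change from fresh state. It returns the number of attempts used.
func UpdateWithCAS(s *Store, mask []string, mutate func(Resource) Resource, attempts int) (int, error) {
	for try := 1; try <= attempts; try++ {
		seen := s.Get()
		req := UpdateRequest{Project: mutate(seen.clone()), UpdateMask: mask,
			CAS: &CAS{ConditionalState: seen, FieldMask: mask}}
		if err := s.Update(req); !errors.Is(err, ErrAborted) {
			return try, err
		}
	}
	return attempts, ErrAborted
}

// RaceDemo uses constructed data: a second writer lands between our read and write.
func RaceDemo() (int, Resource, error) {
	s := &Store{cur: Resource{"title": "demo", "parent_organization": "organizations/example"}}
	raced := false
	tries, err := UpdateWithCAS(s, []string{"title"}, func(cur Resource) Resource {
		if !raced {
			raced = true // writer B updates the title without any CAS guard
			_ = s.Update(UpdateRequest{Project: Resource{"title": "renamed-by-b"}, UpdateMask: []string{"title"}})
		}
		cur["title"] += "-reviewed"
		return cur
	}, 3)
	return tries, s.Get(), err
}

func main() {
	fmt.Println(RaceDemo())
}
```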

UpdateProjectRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteProjectRequest Message

A request message of the DeleteProject method.

Name Type Description
name string (name of Project) Name of ntt.iam.v1alpha2.Project

ListMyProjectsRequest Message

Request message for method ListMyProjects (ntt.iam.v1alpha2.ListMyProjects).

Name Type Description
page_size int32 Requested page size. Server may return fewer Projects than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Project) A token identifying a page of results the server should return. Typically, this is the value of ListProjectsResponse.next_page_token (ntt.iam.v1alpha2.ListProjectsResponse.next_page_token).
order_by string (orderBy of Project) Order By (https://cloud.google.com/apis/design/design_patterns#list_pagination): a list of field paths, each with an order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. E.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Project) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A FieldMask used to filter response fields. When present, only requested fields will be present in each response item. Omitting field_mask will cause response items to contain all present fields.

ListMyProjectsResponse Message

Response message for method ListMyProjects (ntt.iam.v1alpha2.ListMyProjects).

Name Type Description
projects repeated Project The list of Projects
prev_page_token string (cursor of Project) A token to retrieve previous page of results. Pass this value in the ListProjectsRequest.page_token (ntt.iam.v1alpha2.ListProjectsRequest.page_token).
next_page_token string (cursor of Project) A token to retrieve next page of results. Pass this value in the ListProjectsRequest.page_token (ntt.iam.v1alpha2.ListProjectsRequest.page_token).

ProjectInvitation Resource

Name patterns:

  • projects/{project}/projectInvitations/{project_invitation}

Parent resources:

This section covers the methods and messages to interact with ProjectInvitation resource.

ProjectInvitation Methods

Here is the list of ProjectInvitation resource methods:

GetProjectInvitation Method

GetProjectInvitation

rpc GetProjectInvitation(GetProjectInvitationRequest) returns (ProjectInvitation)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.get

The equivalent REST API is:

GET /v1alpha2/{name=projects/*/projectInvitations/*} 

BatchGetProjectInvitations Method

BatchGetProjectInvitations

rpc BatchGetProjectInvitations(BatchGetProjectInvitationsRequest) returns (BatchGetProjectInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.batchGet

The equivalent REST API is:

GET /v1alpha2/projectInvitations:batchGet 

ListProjectInvitations Method

ListProjectInvitations

rpc ListProjectInvitations(ListProjectInvitationsRequest) returns (ListProjectInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.list

The equivalent REST API is:

GET /v1alpha2/{parent=projects/*}/projectInvitations 

WatchProjectInvitation Method

WatchProjectInvitation

rpc WatchProjectInvitation(WatchProjectInvitationRequest) returns (WatchProjectInvitationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.watch

The equivalent REST API is:

POST /v1alpha2/{name=projects/*/projectInvitations/*}:watch 

WatchProjectInvitations Method

WatchProjectInvitations

rpc WatchProjectInvitations(WatchProjectInvitationsRequest) returns (WatchProjectInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.watch

The equivalent REST API is:

POST /v1alpha2/{parent=projects/*}/projectInvitations:watch 

CreateProjectInvitation Method

CreateProjectInvitation

rpc CreateProjectInvitation(CreateProjectInvitationRequest) returns (ProjectInvitation)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.create

The equivalent REST API is:

POST /v1alpha2/{parent=projects/*}/projectInvitations (BODY: project_invitation)

UpdateProjectInvitation Method

UpdateProjectInvitation

rpc UpdateProjectInvitation(UpdateProjectInvitationRequest) returns (ProjectInvitation)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.update

The equivalent REST API is:

PUT /v1alpha2/{project_invitation.name=projects/*/projectInvitations/*} (BODY: project_invitation)

DeleteProjectInvitation Method

DeleteProjectInvitation

rpc DeleteProjectInvitation(DeleteProjectInvitationRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.delete

The equivalent REST API is:

DELETE /v1alpha2/{name=projects/*/projectInvitations/*} 

AcceptProjectInvitation Method

AcceptProjectInvitation

rpc AcceptProjectInvitation(AcceptProjectInvitationRequest) returns (AcceptProjectInvitationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.accept

The equivalent REST API is:

POST /v1alpha2/{name=projects/*/projectInvitations/*}:accept 

DeclineProjectInvitation Method

DeclineProjectInvitation

rpc DeclineProjectInvitation(DeclineProjectInvitationRequest) returns (DeclineProjectInvitationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.decline

The equivalent REST API is:

POST /v1alpha2/{name=projects/*/projectInvitations/*}:decline 

ListMyProjectInvitations Method

ListMyProjectInvitations

rpc ListMyProjectInvitations(ListMyProjectInvitationsRequest) returns (ListMyProjectInvitationsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.listMy

The equivalent REST API is:

POST /v1alpha2/{parent=projects/*}/projectInvitations:listMy 

ResendProjectInvitation Method

ResendProjectInvitation

rpc ResendProjectInvitation(ResendProjectInvitationRequest) returns (ResendProjectInvitationResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/projectInvitations.resend

The equivalent REST API is:

POST /v1alpha2/{name=projects/*/projectInvitations/*}:resend 

ProjectInvitation Messages

Here is the list of ProjectInvitation resource messages:

ProjectInvitation Message

Name Type Description
name string (name of ProjectInvitation) Name of ProjectInvitation. When creating a new instance, this field is optional and, if not provided, it will be generated automatically. The last ID segment must conform to the following regex: [a-z][a-z0-9-]{0,28}[a-z0-9]
project_display_name string Project display name (auto-generated). Present here because the user does not yet have permission to fetch the related project.
invitation Invitation
metadata Meta Metadata

GetProjectInvitationRequest Message

A request message of the GetProjectInvitation method.

Name Type Description
name string (name of ProjectInvitation) Name of ntt.iam.v1alpha2.ProjectInvitation
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetProjectInvitationsRequest Message

A request message of the BatchGetProjectInvitations method.

Name Type Description
names repeated string (name of ProjectInvitation) Names of ProjectInvitations
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetProjectInvitationsResponse Message

A response message of the BatchGetProjectInvitations method.

Name Type Description
project_invitations repeated ProjectInvitation found ProjectInvitations
missing repeated string (name of ProjectInvitation) list of not found ProjectInvitations

ListProjectInvitationsRequest Message

A request message of the ListProjectInvitations method.

Name Type Description
parent string (parent name of ProjectInvitation) Parent name of ntt.iam.v1alpha2.ProjectInvitation
page_size int32 Requested page size. Server may return fewer ProjectInvitations than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of ProjectInvitation) A token identifying a page of results the server should return. Typically, this is the value of ListProjectInvitationsResponse.next_page_token.
order_by string (orderBy of ProjectInvitation) Order By (https://cloud.google.com/apis/design/design_patterns#list_pagination): a list of field paths, each with an order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. E.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of ProjectInvitation) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListProjectInvitationsResponse Message

A response message of the ListProjectInvitations method.

Name Type Description
project_invitations repeated ProjectInvitation The list of ProjectInvitations
prev_page_token string (cursor of ProjectInvitation) A token to retrieve previous page of results. Pass this value in the ListProjectInvitationsRequest.page_token.
next_page_token string (cursor of ProjectInvitation) A token to retrieve next page of results. Pass this value in the ListProjectInvitationsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total ProjectInvitations across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchProjectInvitationRequest Message

A request message of the WatchProjectInvitation method.

Name Type Description
name string (name of ProjectInvitation) Name of ntt.iam.v1alpha2.ProjectInvitation
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchProjectInvitationResponse Message

A response message of the WatchProjectInvitation method.

Name Type Description
change ProjectInvitationChange

WatchProjectInvitationsRequest Message

A request message of the WatchProjectInvitations method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in response are relevant.
parent string (parent name of ProjectInvitation) Parent name of ntt.iam.v1alpha2.ProjectInvitation
page_size int32 Requested page size. Server may return fewer ProjectInvitations than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of ProjectInvitation) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of ProjectInvitation) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of ProjectInvitation) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to ProjectInvitation that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to ProjectInvitation that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchProjectInvitationsResponse Message

A response message of the WatchProjectInvitations method.

Name Type Description
project_invitation_changes repeated ProjectInvitationChange Changes of ProjectInvitations
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of request). All ProjectInvitations will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental; however, messages may still be chunked and the is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchProjectInvitationsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information on how many resources the client should have in its state so far (response message without any changes, but with snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat it as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. The resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far), as the server will send a new snapshot (ProjectInvitations will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.

WatchProjectInvitationsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of ProjectInvitation) New token to retrieve previous page of results.
next_page_token string (cursor of ProjectInvitation) New token to retrieve next page of results.

CreateProjectInvitationRequest Message

A request message of the CreateProjectInvitation method.

Name Type Description
parent string (parent name of ProjectInvitation) Parent name of ntt.iam.v1alpha2.ProjectInvitation
project_invitation ProjectInvitation ProjectInvitation resource body
response_mask CreateProjectInvitationRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateProjectInvitationRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateProjectInvitationRequest Message

A request message of the UpdateProjectInvitation method.

Name Type Description
project_invitation ProjectInvitation ProjectInvitation resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateProjectInvitationRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateProjectInvitationRequest.ResponseMask Reduces message response size.

UpdateProjectInvitationRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state ProjectInvitation Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateProjectInvitationRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteProjectInvitationRequest Message

A request message of the DeleteProjectInvitation method.

Name Type Description
name string (name of ProjectInvitation) Name of ntt.iam.v1alpha2.ProjectInvitation

AcceptProjectInvitationRequest Message

Request message for method [AcceptProjectInvitation][ntt.iam.v1alpha2.AcceptProjectInvitation]

Name Type Description
name string (name of ProjectInvitation) name of ntt.iam.v1alpha2.ProjectInvitation

AcceptProjectInvitationResponse Message

Response message for method [AcceptProjectInvitation][ntt.iam.v1alpha2.AcceptProjectInvitation]

Name Type Description
none none none

DeclineProjectInvitationRequest Message

Request message for method [DeclineProjectInvitation][ntt.iam.v1alpha2.DeclineProjectInvitation]

Name Type Description
name string (name of ProjectInvitation) name of ntt.iam.v1alpha2.ProjectInvitation

DeclineProjectInvitationResponse Message

Response message for method [DeclineProjectInvitation][ntt.iam.v1alpha2.DeclineProjectInvitation]

Name Type Description
none none none

ListMyProjectInvitationsRequest Message

Request message for method [ListMyProjectInvitations][ntt.iam.v1alpha2.ListMyProjectInvitations]

Name Type Description
parent string (parent name of ProjectInvitation) Parent name of ntt.iam.v1alpha2.ProjectInvitation
filter string (filter of ProjectInvitation) Additional filter for invitations, e.g. state = “PENDING”

ListMyProjectInvitationsResponse Message

Response message for method [ListMyProjectInvitations][ntt.iam.v1alpha2.ListMyProjectInvitations]

Name Type Description
project_invitations repeated ProjectInvitation The list of ProjectInvitations

ResendProjectInvitationRequest Message

ResendInvitationRequest

Name Type Description
name string (name of ProjectInvitation) name of ntt.iam.v1alpha2.ProjectInvitation

ResendProjectInvitationResponse Message

ResendInvitationResponse

Name Type Description
project_invitation ProjectInvitation

Role Resource

Role Resource

Name patterns:

  • roles/{role}

This section covers the methods and messages to interact with Role resource.

Role Methods

Here is the list of Role resource methods:

CheckMyRoles Method

CheckMyRoles

rpc CheckMyRoles(CheckMyRolesRequest) returns (CheckMyRolesResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.checkMy

The equivalent REST API is:

POST /v1alpha2/roles:checkMy (BODY: *)

GetRole Method

GetRole

rpc GetRole(GetRoleRequest) returns (Role)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.get

The equivalent REST API is:

GET /v1alpha2/{name=roles/*} 

BatchGetRoles Method

BatchGetRoles

rpc BatchGetRoles(BatchGetRolesRequest) returns (BatchGetRolesResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.batchGet

The equivalent REST API is:

GET /v1alpha2/roles:batchGet 

ListRoles Method

ListRoles

rpc ListRoles(ListRolesRequest) returns (ListRolesResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.list

The equivalent REST API is:

GET /v1alpha2/roles 

WatchRole Method

WatchRole

rpc WatchRole(WatchRoleRequest) returns (WatchRoleResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.watch

The equivalent REST API is:

POST /v1alpha2/{name=roles/*}:watch 

WatchRoles Method

WatchRoles

rpc WatchRoles(WatchRolesRequest) returns (WatchRolesResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.watch

The equivalent REST API is:

POST /v1alpha2/roles:watch 

CreateRole Method

CreateRole

rpc CreateRole(CreateRoleRequest) returns (Role)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.create

The equivalent REST API is:

POST /v1alpha2/roles (BODY: role)

UpdateRole Method

UpdateRole

rpc UpdateRole(UpdateRoleRequest) returns (Role)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.update

The equivalent REST API is:

PUT /v1alpha2/{role.name=roles/*} (BODY: role)

DeleteRole Method

DeleteRole

rpc DeleteRole(DeleteRoleRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roles.delete

The equivalent REST API is:

DELETE /v1alpha2/{name=roles/*} 

Role Messages

Here is the list of Role resource messages:

Role Message

Name Type Description
name string (name of Role) Name of Role
display_name string Display Name
included_permissions repeated string (reference to Permission) Included Permissions in this Role. Binding this role grants all following Permissions.
default_condition_binding ConditionBinding Default conditionBinding (optional), cannot be used with required TODO: Deprecated…
included_condition_bindings repeated ConditionBinding Condition bindings that will be copied into created role bindings TODO: Works only if only one element is specified
required_conditions repeated string (reference to Condition) List of conditions that must be used for this role. Parameters must be defined by client. TODO: Works only if only one element is specified
metadata Meta Metadata

CheckMyRolesRequest Message

Request message for method [CheckMyRoles][ntt.iam.v1alpha2.CheckMyRoles]

Name Type Description
object string Object name forming scope of the check, for example projects/<project_id>

CheckMyRolesResponse Message

Response message for method [CheckMyRoles][ntt.iam.v1alpha2.CheckMyRoles]

Name Type Description
object string Object with scope
granted_roles repeated string (name of Role) All unconditionally granted roles
conditionally_granted_roles repeated CheckMyRolesResponse.ConditionalGrant All conditionally granted roles. Each grant should be checked separately

CheckMyRolesResponse.ConditionalGrant Message

Name Type Description
role string (name of Role) Role name
condition_bindings repeated ConditionBinding All conditions that must be accepted for role to be granted

GetRoleRequest Message

A request message of the GetRole method.

Name Type Description
name string (name of Role) Name of ntt.iam.v1alpha2.Role
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetRolesRequest Message

A request message of the BatchGetRoles method.

Name Type Description
names repeated string (name of Role) Names of Roles
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetRolesResponse Message

A response message of the BatchGetRoles method.

Name Type Description
roles repeated Role found Roles
missing repeated string (name of Role) list of not found Roles

ListRolesRequest Message

A request message of the ListRoles method.

Name Type Description
page_size int32 Requested page size. Server may return fewer Roles than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of Role) A token identifying a page of results the server should return. Typically, this is the value of ListRolesResponse.next_page_token.
order_by string (orderBy of Role) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of Role) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListRolesResponse Message

A response message of the ListRoles method.

Name Type Description
roles repeated Role The list of Roles
prev_page_token string (cursor of Role) A token to retrieve previous page of results. Pass this value in the ListRolesRequest.page_token.
next_page_token string (cursor of Role) A token to retrieve next page of results. Pass this value in the ListRolesRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested, or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Roles across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchRoleRequest Message

A request message of the WatchRole method.

Name Type Description
name string (name of Role) Name of ntt.iam.v1alpha2.Role
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchRoleResponse Message

A response message of the WatchRole method.

Name Type Description
change RoleChange

WatchRolesRequest Message

A request message of the WatchRoles method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in response are relevant.
page_size int32 Requested page size. Server may return fewer Roles than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of Role) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of Role) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of Role) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to Role that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to Role that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchRolesResponse Message

A response message of the WatchRoles method.

Name Type Description
role_changes repeated RoleChange Changes of Roles
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of request). All Roles will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental; however, messages may still be chunked and the is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchRolesResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information on how many resources the client should have in its state so far (response message without any changes, but with snapshot_size field specified). If the client has a different value than the one sent by the server, the client should treat it as an error and reconnect. If the value is smaller than 0, the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, the server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, the client should do nothing and process normally. The resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, the server may send a response message with this flag. After receiving it, the client should clear its whole state (drop all changes received so far), as the server will send a new snapshot (Roles will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled on the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
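
The chunking and reset rules in the WatchRolesResponse table above (WatchProjectInvitationsResponse uses the same rules) can be implemented as a small client-side state machine for a stateless watch. This is an added example, not code from the EdgeLQ project: messages are modelled as dicts keyed by the field names on this page, and the layout of a single change (`op`, `name`, `resource`) is hypothetical because RoleChange is not defined in this section.

```python
from dataclasses import dataclass, field
from typing import Callable


class SnapshotMismatch(Exception):
    """Local state disagrees with the server's snapshot_size; caller must reconnect."""


def apply_change(resources: dict, change: dict) -> None:
    # Hypothetical change layout; adapt to the real RoleChange message.
    if change["op"] == "delete":
        resources.pop(change["name"], None)
    else:
        resources[change["name"]] = change["resource"]


@dataclass
class StatelessWatch:
    changes_key: str = "role_changes"  # or "project_invitation_changes"
    apply: Callable[[dict, dict], None] = apply_change
    resources: dict = field(default_factory=dict)  # committed state
    pending: list = field(default_factory=list)    # chunks seen with is_current false
    resume_token: str = ""

    def handle(self, msg: dict) -> None:
        if msg.get("is_hard_reset"):
            # A new snapshot follows: drop committed state, chunks and resume token.
            self.resources.clear()
            self.pending.clear()
            self.resume_token = ""
            return
        if msg.get("is_soft_reset"):
            # Only uncommitted chunks go; committed state and resume token stay valid.
            self.pending.clear()
            return
        changes = msg.get(self.changes_key, [])
        is_current = bool(msg.get("is_current"))
        size = msg.get("snapshot_size", -1)  # assumption: absent key means unpopulated
        if not changes and not is_current and size >= 0:
            # Consistency probe: a message without changes that carries snapshot_size.
            if size != len(self.resources):
                raise SnapshotMismatch(f"server={size} local={len(self.resources)}")
            return
        self.pending.extend(changes)
        if is_current:
            # Last chunk: commit everything buffered since the previous is_current.
            for change in self.pending:
                self.apply(self.resources, change)
            self.pending.clear()
            if msg.get("resume_token"):
                self.resume_token = msg["resume_token"]


def put(name: str) -> dict:
    return {"op": "put", "name": name, "resource": {"name": name}}


# Constructed sample stream (role names are placeholders, not from a real server).
CONSTRUCTED_STREAM = [
    {"role_changes": [put("roles/a")], "is_current": False},
    {"is_soft_reset": True},                                   # drops the chunk above
    {"role_changes": [put("roles/a")], "is_current": False},   # server sends it again
    {"role_changes": [put("roles/b")], "is_current": True, "resume_token": "token-1"},
    {"snapshot_size": 2},                                      # matches local state
    {"role_changes": [{"op": "delete", "name": "roles/a"}],
     "is_current": True, "resume_token": "token-2"},
]


def replay(messages: list) -> StatelessWatch:
    watch = StatelessWatch()
    for msg in messages:
        watch.handle(msg)
    return watch


if __name__ == "__main__":
    final = replay(CONSTRUCTED_STREAM)
    print(sorted(final.resources), final.resume_token)
```

On `SnapshotMismatch` the caller should drop the connection and reconnect, as the snapshot_size row requires.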

WatchRolesResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of Role) New token to retrieve previous page of results.
next_page_token string (cursor of Role) New token to retrieve next page of results.

CreateRoleRequest Message

A request message of the CreateRole method.

Name Type Description
role Role Role resource body
response_mask CreateRoleRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateRoleRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateRoleRequest Message

A request message of the UpdateRole method.

Name Type Description
role Role Role resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateRoleRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateRoleRequest.ResponseMask Reduces message response size.

UpdateRoleRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state Role Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.
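
The CAS behaviour described for UpdateRoleRequest (and, identically, UpdateProjectInvitationRequest) matters most when two administrators edit included_permissions from stale reads: without it, a permission that one of them revoked can be silently written back. The following added example is a local model of the compare step, not the service's implementation; the in-memory `store`, the role name `roles/ops` and the list form of the field masks are assumptions.

```python
import copy


class Aborted(Exception):
    """Stands in for the RPC error Aborted returned when the CAS comparison fails."""


def project(resource: dict, paths: list) -> dict:
    """Return {path: value} for each dotted field path; None when the path is absent."""
    out = {}
    for path in paths:
        node = resource
        for part in path.split("."):
            node = node.get(part) if isinstance(node, dict) else None
        out[path] = node
    return out


def update_role(store: dict, request: dict) -> dict:
    """Model of UpdateRole: optional CAS check, then apply update_mask fields."""
    role = request["role"]
    current = store[role["name"]]
    cas = request.get("cas")
    if cas:
        paths = cas["field_mask"]
        # Compare stored resource with conditional_state on the masked paths only.
        if project(current, paths) != project(cas["conditional_state"], paths):
            raise Aborted(role["name"])
    for path in request["update_mask"]:  # this model handles top-level paths only
        current[path] = copy.deepcopy(role[path])
    return copy.deepcopy(current)


# Permission names taken from the Role methods listed on this page.
GET, LIST, UPDATE, DELETE = (
    f"services/iam.edgelq.com/permissions/roles.{verb}"
    for verb in ("get", "list", "update", "delete")
)


def run_race(use_cas: bool):
    """Admin A revokes roles.delete; admin B adds roles.update from a stale read."""
    store = {"roles/ops": {"name": "roles/ops", "display_name": "Ops",
                           "included_permissions": [GET, LIST, DELETE]}}
    read_a = copy.deepcopy(store["roles/ops"])
    read_b = copy.deepcopy(store["roles/ops"])

    def request(read: dict, permissions: list) -> dict:
        req = {"role": {"name": read["name"], "included_permissions": permissions},
               "update_mask": ["included_permissions"]}
        if use_cas:
            req["cas"] = {"conditional_state": read,
                          "field_mask": ["included_permissions"]}
        return req

    update_role(store, request(read_a, [GET, LIST]))
    aborted = False
    try:
        update_role(store, request(read_b, read_b["included_permissions"] + [UPDATE]))
    except Aborted:
        # Re-read the role and retry against the current permission list.
        aborted = True
        fresh = copy.deepcopy(store["roles/ops"])
        update_role(store, request(fresh, fresh["included_permissions"] + [UPDATE]))
    return aborted, store["roles/ops"]["included_permissions"]


if __name__ == "__main__":
    print("without cas:", run_race(False))
    print("with cas:   ", run_race(True))
```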

UpdateRoleRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteRoleRequest Message

A request message of the DeleteRole method.

Name Type Description
name string (name of Role) Name of ntt.iam.v1alpha2.Role

RoleBinding Resource

In the IAM RBAC model, a RoleBinding grants a party (user, service account, etc.) access to edgelq resources. Creating a RoleBinding requires the user to answer 3 questions:

  • Who: with member field, e.g. “user:wile.e.coyote@customers.acme.com”
  • What: specify scope (or parent), e.g.: projects/acme/roleBindings/<uuid>
  • How: bind role and optional condition to grant access to resources within above scope

RoleBindings are additive, meaning that creating a new RoleBinding may only extend the ability of a given member to perform actions. In other words, a RoleBinding doesn’t affect other RoleBindings, and the [PermissionCheck][ntt.iam.v1alpha2.PermissionCheck] method needs to find any RoleBinding granting the permission.

Name patterns:

  • roleBindings/{role_binding}
  • projects/{project}/roleBindings/{role_binding}
  • organizations/{organization}/roleBindings/{role_binding}

Parent resources:

This section covers the methods and messages to interact with RoleBinding resource.

RoleBinding Methods

Here is the list of RoleBinding resource methods:

GetRoleBinding Method

GetRoleBinding

rpc GetRoleBinding(GetRoleBindingRequest) returns (RoleBinding)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.get

The equivalent REST API is:

GET /v1alpha2/{name=roleBindings/*} 
GET /v1alpha2/{name=projects/*/roleBindings/*} 
GET /v1alpha2/{name=organizations/*/roleBindings/*} 

BatchGetRoleBindings Method

BatchGetRoleBindings

rpc BatchGetRoleBindings(BatchGetRoleBindingsRequest) returns (BatchGetRoleBindingsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.batchGet

The equivalent REST API is:

GET /v1alpha2/roleBindings:batchGet 

ListRoleBindings Method

ListRoleBindings

rpc ListRoleBindings(ListRoleBindingsRequest) returns (ListRoleBindingsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.list

The equivalent REST API is:

GET /v1alpha2/roleBindings 
GET /v1alpha2/{parent=projects/*}/roleBindings 
GET /v1alpha2/{parent=organizations/*}/roleBindings 

WatchRoleBinding Method

WatchRoleBinding

rpc WatchRoleBinding(WatchRoleBindingRequest) returns (WatchRoleBindingResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.watch

The equivalent REST API is:

POST /v1alpha2/{name=roleBindings/*}:watch 
POST /v1alpha2/{name=projects/*/roleBindings/*}:watch 
POST /v1alpha2/{name=organizations/*/roleBindings/*}:watch 

WatchRoleBindings Method

WatchRoleBindings

rpc WatchRoleBindings(WatchRoleBindingsRequest) returns (WatchRoleBindingsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.watch

The equivalent REST API is:

POST /v1alpha2/roleBindings:watch 
POST /v1alpha2/{parent=projects/*}/roleBindings:watch 
POST /v1alpha2/{parent=organizations/*}/roleBindings:watch 

CreateRoleBinding Method

CreateRoleBinding

rpc CreateRoleBinding(CreateRoleBindingRequest) returns (RoleBinding)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.create

The equivalent REST API is:

POST /v1alpha2/roleBindings (BODY: role_binding)
POST /v1alpha2/{parent=projects/*}/roleBindings 
POST /v1alpha2/{parent=organizations/*}/roleBindings 

UpdateRoleBinding Method

UpdateRoleBinding

rpc UpdateRoleBinding(UpdateRoleBindingRequest) returns (RoleBinding)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.update

The equivalent REST API is:

PUT /v1alpha2/{role_binding.name=roleBindings/*} (BODY: role_binding)
PUT /v1alpha2/{role_binding.name=projects/*/roleBindings/*} 
PUT /v1alpha2/{role_binding.name=organizations/*/roleBindings/*} 

DeleteRoleBinding Method

DeleteRoleBinding

rpc DeleteRoleBinding(DeleteRoleBindingRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/roleBindings.delete

The equivalent REST API is:

DELETE /v1alpha2/{name=roleBindings/*} 
DELETE /v1alpha2/{name=projects/*/roleBindings/*} 
DELETE /v1alpha2/{name=organizations/*/roleBindings/*} 

RoleBinding Messages

Here is the list of RoleBinding resource messages:

RoleBinding Message

Name Type Description
name string (name of RoleBinding) Name of RoleBinding When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [\w.
role string (reference to Role) Role
member string Binding members Format of the string is one of: - “allUsers” (anyone) - “allAuthenticatedUsers” (anyone logged in) - “user:admin.super@example.com” - “serviceAccount:device_agent@watchdog.serviceaccounts.iam.edgelq.com” - “group:nice.group@example.com” - “domain:example.com” (anyone with exact email domain)
condition_binding ConditionBinding optional ConditionBinding TODO: Make it repeated and make sure backend will check all before verifying
ancestry_path repeated RoleBinding.Parent Internal field used by IAM controller to note role binding ancestry path
metadata Meta Metadata
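The member formats listed above decide how wide a binding reaches, so a periodic audit of ListRoleBindings output is worth having. The following is an added example, not code from the EdgeLQ project: it parses the documented member formats and flags broad or malformed members. The dict shape, the role names, the binding names and the loose address checks are assumptions made for illustration.

```python
"""Classify RoleBinding.member strings and flag broad principals (added example)."""
import re

# Prefixes and bare keywords taken from the member formats in the RoleBinding table.
PREFIXED_KINDS = ("user", "serviceAccount", "group", "domain")
BROAD_SCOPES = ("public", "any-login", "domain-wide")

# Deliberately loose checks; assumptions, not the service's own validation rules.
_EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_member(member: str) -> dict:
    """Return {'kind', 'value', 'scope'}; raise ValueError for an unknown format."""
    if member == "allUsers":
        return {"kind": member, "value": "", "scope": "public"}
    if member == "allAuthenticatedUsers":
        return {"kind": member, "value": "", "scope": "any-login"}
    kind, sep, value = member.partition(":")
    if not sep or kind not in PREFIXED_KINDS:
        raise ValueError(f"unrecognised member format: {member!r}")
    if kind == "domain":
        if not _DOMAIN_RE.match(value):
            raise ValueError(f"malformed domain in member: {member!r}")
        return {"kind": kind, "value": value.lower(), "scope": "domain-wide"}
    if not _EMAIL_RE.match(value):
        raise ValueError(f"malformed address in member: {member!r}")
    scope = "group" if kind == "group" else "single"
    return {"kind": kind, "value": value, "scope": scope}


def audit_bindings(bindings, sensitive_roles=frozenset()):
    """Return one finding per binding whose member is broad or cannot be parsed."""
    findings = []
    for rb in bindings:
        name, role, member = rb.get("name", ""), rb.get("role", ""), rb.get("member", "")
        try:
            parsed = parse_member(member)
        except ValueError as exc:
            # Unknown formats are surfaced for manual review instead of being skipped.
            findings.append({"binding": name, "severity": "review", "reason": str(exc)})
            continue
        if parsed["scope"] in BROAD_SCOPES:
            severity = "high" if role in sensitive_roles else "medium"
            reason = f"{parsed['scope']} member {member!r} bound to {role}"
            findings.append({"binding": name, "severity": severity, "reason": reason})
    return findings


# Constructed sample data: binding names and role names are placeholders.
SAMPLE_BINDINGS = [
    {"name": "projects/demo/roleBindings/rb-1", "role": "roles/viewer", "member": "allUsers"},
    {"name": "projects/demo/roleBindings/rb-2", "role": "roles/admin",
     "member": "allAuthenticatedUsers"},
    {"name": "projects/demo/roleBindings/rb-3", "role": "roles/admin",
     "member": "user:admin.super@example.com"},
    {"name": "projects/demo/roleBindings/rb-4", "role": "roles/viewer",
     "member": "domain:example.com"},
    {"name": "projects/demo/roleBindings/rb-5", "role": "roles/viewer", "member": "everyone"},
    {"name": "projects/demo/roleBindings/rb-6", "role": "roles/viewer",
     "member": "group:nice.group@example.com"},
]

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_BINDINGS, sensitive_roles={"roles/admin"}):
        print(finding["severity"], finding["binding"], "-", finding["reason"])
```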

RoleBinding.Parent Message

Provides information about inheritance of this role binding - if it was created from another role binding.

Name Type Description
parent string (reference to RoleBinding) Role bindings which have group as member have child for each service account and user in that group. All those role bindings have one common parent pointing at group role binding
member string Member of the parent role binding

GetRoleBindingRequest Message

A request message of the GetRoleBinding method.

Name Type Description
name string (name of RoleBinding) Name of ntt.iam.v1alpha2.RoleBinding
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetRoleBindingsRequest Message

A request message of the BatchGetRoleBindings method.

Name Type Description
names repeated string (name of RoleBinding) Names of RoleBindings
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetRoleBindingsResponse Message

A response message of the BatchGetRoleBindings method.

Name Type Description
role_bindings repeated RoleBinding found RoleBindings
missing repeated string (name of RoleBinding) list of not found RoleBindings

ListRoleBindingsRequest Message

A request message of the ListRoleBindings method.

Name Type Description
parent string (parent name of RoleBinding) Parent name of ntt.iam.v1alpha2.RoleBinding
page_size int32 Requested page size. Server may return fewer RoleBindings than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of RoleBinding) A token identifying a page of results the server should return. Typically, this is the value of ListRoleBindingsResponse.next_page_token.
order_by string (orderBy of RoleBinding) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of RoleBinding) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListRoleBindingsResponse Message

A response message of the ListRoleBindings method.

Name Type Description
role_bindings repeated RoleBinding The list of RoleBindings
prev_page_token string (cursor of RoleBinding) A token to retrieve previous page of results. Pass this value in the ListRoleBindingsRequest.page_token.
next_page_token string (cursor of RoleBinding) A token to retrieve next page of results. Pass this value in the ListRoleBindingsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested, or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total RoleBindings across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchRoleBindingRequest Message

A request message of the WatchRoleBinding method.

Name Type Description
name string (name of RoleBinding) Name of ntt.iam.v1alpha2.RoleBinding
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchRoleBindingResponse Message

A response message of the WatchRoleBinding method.

Name Type Description
change RoleBindingChange

WatchRoleBindingsRequest Message

A request message of the WatchRoleBindings method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in response are relevant.
parent string (parent name of RoleBinding) Parent name of ntt.iam.v1alpha2.RoleBinding
page_size int32 Requested page size. Server may return fewer RoleBindings than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of RoleBinding) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of RoleBinding) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of RoleBinding) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view Changes to RoleBinding that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask Changes to RoleBinding that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchRoleBindingsResponse Message

A response message of the WatchRoleBindings method.

Name Type Description
role_binding_changes repeated RoleBindingChange Changes of RoleBindings
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of request). All RoleBindings will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchRoleBindingsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information on how many resources the client should have in its state so far (response message without any changes, but with snapshot_size field specified). If the client has a different value than the one sent by the server, then it should be treated by the client as an error and the client should reconnect. If value is smaller than 0, then client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch those kinds of errors are handled by the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of internal issue server may send response message with this flag. It indicates that client should drop all changes from recent responses where is_current is false only! If last message had is_current set to true, client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch those kinds of errors are handled by the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of internal issue server may send response message with this flag. After receiving, client should clear whole state (drop all changes received so far) as server will send new snapshot (RoleBindings will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch those kinds of errors are handled by the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.

WatchRoleBindingsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of RoleBinding) New token to retrieve previous page of results.
next_page_token string (cursor of RoleBinding) New token to retrieve next page of results.

CreateRoleBindingRequest Message

A request message of the CreateRoleBinding method.

Name Type Description
parent string (parent name of RoleBinding) Parent name of ntt.iam.v1alpha2.RoleBinding
role_binding RoleBinding RoleBinding resource body
response_mask CreateRoleBindingRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateRoleBindingRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateRoleBindingRequest Message

A request message of the UpdateRoleBinding method.

Name Type Description
role_binding RoleBinding RoleBinding resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateRoleBindingRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateRoleBindingRequest.ResponseMask reduce message response size.

UpdateRoleBindingRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state RoleBinding Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateRoleBindingRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteRoleBindingRequest Message

A request message of the DeleteRoleBinding method.

Name Type Description
name string (name of RoleBinding) Name of ntt.iam.v1alpha2.RoleBinding

ServiceAccount Resource

ServiceAccount Resource

Name patterns:

  • projects/{project}/regions/{region}/serviceAccounts/{service_account}

Parent resources:

This section covers the methods and messages to interact with ServiceAccount resource.

ServiceAccount Methods

Here is the list of ServiceAccount resource methods:

GetServiceAccount Method

GetServiceAccount

rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.get

The equivalent REST API is:

GET /v1alpha2/{name=projects/*/regions/*/serviceAccounts/*} 

BatchGetServiceAccounts Method

BatchGetServiceAccounts

rpc BatchGetServiceAccounts(BatchGetServiceAccountsRequest) returns (BatchGetServiceAccountsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.batchGet

The equivalent REST API is:

GET /v1alpha2/serviceAccounts:batchGet 

ListServiceAccounts Method

ListServiceAccounts

rpc ListServiceAccounts(ListServiceAccountsRequest) returns (ListServiceAccountsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.list

The equivalent REST API is:

GET /v1alpha2/{parent=projects/*/regions/*}/serviceAccounts 

WatchServiceAccount Method

WatchServiceAccount

rpc WatchServiceAccount(WatchServiceAccountRequest) returns (WatchServiceAccountResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.watch

The equivalent REST API is:

POST /v1alpha2/{name=projects/*/regions/*/serviceAccounts/*}:watch 

WatchServiceAccounts Method

WatchServiceAccounts

rpc WatchServiceAccounts(WatchServiceAccountsRequest) returns (WatchServiceAccountsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.watch

The equivalent REST API is:

POST /v1alpha2/{parent=projects/*/regions/*}/serviceAccounts:watch 

CreateServiceAccount Method

CreateServiceAccount

rpc CreateServiceAccount(CreateServiceAccountRequest) returns (ServiceAccount)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.create

The equivalent REST API is:

POST /v1alpha2/{parent=projects/*/regions/*}/serviceAccounts (BODY: service_account)

UpdateServiceAccount Method

UpdateServiceAccount

rpc UpdateServiceAccount(UpdateServiceAccountRequest) returns (ServiceAccount)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.update

The equivalent REST API is:

PUT /v1alpha2/{service_account.name=projects/*/regions/*/serviceAccounts/*} (BODY: service_account)

DeleteServiceAccount Method

DeleteServiceAccount

rpc DeleteServiceAccount(DeleteServiceAccountRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccounts.delete

The equivalent REST API is:

DELETE /v1alpha2/{name=projects/*/regions/*/serviceAccounts/*} 

ServiceAccount Messages

Here is the list of ServiceAccount resource messages:

ServiceAccount Message

Name Type Description
name string (name of ServiceAccount) Name of ServiceAccount When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9-_]{0,55}[a-z0-9]
display_name string Display Name
email string Email
metadata Meta Additional meta information about service account

GetServiceAccountRequest Message

A request message of the GetServiceAccount method.

Name Type Description
name string (name of ServiceAccount) Name of ntt.iam.v1alpha2.ServiceAccount
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetServiceAccountsRequest Message

A request message of the BatchGetServiceAccounts method.

Name Type Description
names repeated string (name of ServiceAccount) Names of ServiceAccounts
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetServiceAccountsResponse Message

A response message of the BatchGetServiceAccounts method.

Name Type Description
service_accounts repeated ServiceAccount found ServiceAccounts
missing repeated string (name of ServiceAccount) list of not found ServiceAccounts

ListServiceAccountsRequest Message

A request message of the ListServiceAccounts method.

Name Type Description
parent string (parent name of ServiceAccount) Parent name of ntt.iam.v1alpha2.ServiceAccount
page_size int32 Requested page size. Server may return fewer ServiceAccounts than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of ServiceAccount) A token identifying a page of results the server should return. Typically, this is the value of ListServiceAccountsResponse.next_page_token.
order_by string (orderBy of ServiceAccount) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of ServiceAccount) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListServiceAccountsResponse Message

A response message of the ListServiceAccounts method.

Name Type Description
service_accounts repeated ServiceAccount The list of ServiceAccounts
prev_page_token string (cursor of ServiceAccount) A token to retrieve previous page of results. Pass this value in the ListServiceAccountsRequest.page_token.
next_page_token string (cursor of ServiceAccount) A token to retrieve next page of results. Pass this value in the ListServiceAccountsRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested, or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total ServiceAccounts across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchServiceAccountRequest Message

A request message of the WatchServiceAccount method.

Name Type Description
name string (name of ServiceAccount) Name of ntt.iam.v1alpha2.ServiceAccount
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchServiceAccountResponse Message

A response message of the WatchServiceAccount method.

Name Type Description
change ServiceAccountChange

WatchServiceAccountsRequest Message

A request message of the WatchServiceAccounts method.

Name Type Description
type WatchType Type of a watch. Identifies how the server streams data to a client, which fields in a request are allowed and which fields in response are relevant.
parent string (parent name of ServiceAccount) Parent name of ntt.iam.v1alpha2.ServiceAccount
page_size int32 Requested page size. Server may return fewer ServiceAccounts than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of ServiceAccount) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of ServiceAccount) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of ServiceAccount) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view Changes to ServiceAccount that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask Changes to ServiceAccount that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchServiceAccountsResponse Message

A response message of the WatchServiceAccounts method.

Name Type Description
service_account_changes repeated ServiceAccountChange Changes of ServiceAccounts
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of request). All ServiceAccounts will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental - however messages may still be chunked and is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchServiceAccountsResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information on how many resources the client should have in its state so far (response message without any changes, but with snapshot_size field specified). If the client has a different value than the one sent by the server, then it should be treated by the client as an error and the client should reconnect. If value is smaller than 0, then client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch those kinds of errors are handled by the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of internal issue server may send response message with this flag. It indicates that client should drop all changes from recent responses where is_current is false only! If last message had is_current set to true, client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch those kinds of errors are handled by the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of internal issue server may send response message with this flag. After receiving, client should clear whole state (drop all changes received so far) as server will send new snapshot (ServiceAccounts will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch those kinds of errors are handled by the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
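The chunking, snapshot_size and reset rules are the same for WatchRoleBindingsResponse and WatchServiceAccountsResponse, and a client that keeps a local copy of IAM state for audit or alerting must apply them exactly or it will drift from the server. The following is an added example, not code from the EdgeLQ project: a client-side state holder for a stateless watch, fed with responses as plain dicts. The change shape (`kind`, `name`, `resource`), treating a missing snapshot_size as unpopulated, and all sample names and tokens are assumptions.

```python
"""Client-side state handling for a stateless Watch* stream (added example)."""
from dataclasses import dataclass, field


class WatchOutOfSync(Exception):
    """Local state disagrees with the server's snapshot_size; the caller must reconnect."""


@dataclass
class WatchState:
    changes_field: str                              # "role_binding_changes" or "service_account_changes"
    resources: dict = field(default_factory=dict)   # committed state, keyed by resource name
    pending: list = field(default_factory=list)     # changes from chunks with is_current == false
    resume_token: str = ""
    synced: bool = False                            # True once the first is_current == true arrived

    def handle(self, resp: dict) -> None:
        if resp.get("is_hard_reset"):
            # Drop everything, including the resume token; a fresh snapshot follows.
            self.resources.clear()
            self.pending.clear()
            self.resume_token = ""
            self.synced = False
            return
        if resp.get("is_soft_reset"):
            # Only uncommitted chunks are dropped; committed state and token stay valid.
            self.pending.clear()
            return
        changes = resp.get(self.changes_field, [])
        size = resp.get("snapshot_size", -1)        # assumption: missing means unpopulated
        if not changes and not resp.get("is_current") and size >= 0:
            if size != len(self.resources):
                raise WatchOutOfSync(f"server reports {size}, local has {len(self.resources)}")
            return
        self.pending.extend(changes)
        if resp.get("is_current"):
            # Last chunk: commit this message together with all earlier chunks.
            for change in self.pending:
                self._apply(change)
            self.pending.clear()
            self.synced = True
            if resp.get("resume_token"):
                self.resume_token = resp["resume_token"]

    def _apply(self, change: dict) -> None:
        kind = change["kind"]                       # hypothetical field, see lead-in
        if kind == "removed":
            self.resources.pop(change["name"], None)
        elif kind in ("added", "current", "modified"):
            self.resources[change["name"]] = change.get("resource", {})
        else:
            raise ValueError(f"unknown change kind: {kind!r}")


def _chg(kind: str, short: str) -> dict:
    name = f"projects/demo/roleBindings/{short}"   # constructed name
    return {"kind": kind, "name": name, "resource": {"name": name}}


# Constructed stream: chunked snapshot, size check, soft reset, then an incremental change.
SAMPLE_STREAM = [
    {"role_binding_changes": [_chg("current", "rb-1"), _chg("current", "rb-2")]},
    {"role_binding_changes": [_chg("current", "rb-3")], "is_current": True,
     "resume_token": "tok-1"},
    {"snapshot_size": 3},
    {"role_binding_changes": [_chg("added", "rb-4")]},
    {"is_soft_reset": True},
    {"role_binding_changes": [_chg("removed", "rb-2")], "is_current": True,
     "resume_token": "tok-2"},
]


def run_demo() -> WatchState:
    state = WatchState("role_binding_changes")
    for resp in SAMPLE_STREAM:
        state.handle(resp)
    return state


if __name__ == "__main__":
    final = run_demo()
    print(sorted(final.resources), final.resume_token)
```

On WatchOutOfSync the caller reconnects; after a hard reset the resume token is empty, so the reconnect starts from a fresh snapshot.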

WatchServiceAccountsResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of ServiceAccount) New token to retrieve previous page of results.
next_page_token string (cursor of ServiceAccount) New token to retrieve next page of results.

CreateServiceAccountRequest Message

A request message of the CreateServiceAccount method.

Name Type Description
parent string (parent name of ServiceAccount) Parent name of ntt.iam.v1alpha2.ServiceAccount
service_account ServiceAccount ServiceAccount resource body
response_mask CreateServiceAccountRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateServiceAccountRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateServiceAccountRequest Message

A request message of the UpdateServiceAccount method.

Name Type Description
service_account ServiceAccount ServiceAccount resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateServiceAccountRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateServiceAccountRequest.ResponseMask reduce message response size.

UpdateServiceAccountRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state ServiceAccount Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.
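The CAS messages of UpdateRoleBindingRequest and UpdateServiceAccountRequest guard against a write made from a stale read, which for IAM data means a change landing on a binding that someone else has meanwhile altered. The following is an added example, not code from the EdgeLQ project: an in-memory model of the documented compare-then-update rule. The store class, field masks modelled as lists of dotted paths, and the sample names and roles are assumptions.

```python
"""In-memory model of the documented cas check on Update requests (added example)."""
import copy


class Aborted(Exception):
    """Stands in for the RPC error Aborted returned on a cas mismatch."""


def get_path(obj, path: str):
    """Read a dotted field path from nested dicts; missing segments read as None."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(obj: dict, path: str, value) -> None:
    """Write a dotted field path, creating intermediate dicts where needed."""
    parts = path.split(".")
    cur = obj
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


class ResourceStore:
    """Hypothetical stand-in for the server side of an Update method."""

    def __init__(self):
        self.items = {}

    def update(self, resource: dict, update_mask: list, cas: dict = None) -> dict:
        stored = self.items[resource["name"]]
        if cas is not None:
            # Compare only the paths named in cas.field_mask against the stored resource.
            for path in cas["field_mask"]:
                if get_path(stored, path) != get_path(cas["conditional_state"], path):
                    raise Aborted(f"cas mismatch on {path}")
        updated = copy.deepcopy(stored)
        for path in update_mask:
            # Only fields in update_mask are taken from the request body.
            set_path(updated, path, copy.deepcopy(get_path(resource, path)))
        self.items[resource["name"]] = updated
        return updated


def demo_conflict():
    """Two writers start from the same read; the second one is working on stale state."""
    store = ResourceStore()
    name = "projects/demo/roleBindings/rb-1"            # constructed name
    store.items[name] = {"name": name, "role": "roles/viewer",
                         "member": "user:alice@example.com"}
    seen_by_a = copy.deepcopy(store.items[name])
    seen_by_b = copy.deepcopy(store.items[name])

    # Writer A changes the role, conditional on the role it read.
    store.update({**seen_by_a, "role": "roles/editor"}, ["role"],
                 cas={"conditional_state": seen_by_a, "field_mask": ["role"]})

    # Writer B widens the member, still believing the role is roles/viewer.
    try:
        store.update({**seen_by_b, "member": "group:ops@example.com"}, ["member"],
                     cas={"conditional_state": seen_by_b, "field_mask": ["role", "member"]})
        error = None
    except Aborted as exc:
        error = str(exc)
    return store, name, error


if __name__ == "__main__":
    store, name, error = demo_conflict()
    print(store.items[name], "| second write:", error)
```

Without the cas field the second write would have succeeded and attached the group to the newly raised role; with it, writer B has to re-read and decide again.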

UpdateServiceAccountRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteServiceAccountRequest Message

A request message of the DeleteServiceAccount method.

Name Type Description
name string (name of ServiceAccount) Name of ntt.iam.v1alpha2.ServiceAccount

ServiceAccountKey Resource

Represents a key pair for the service account

Name patterns:

  • projects/{project}/regions/{region}/serviceAccounts/{service_account}/serviceAccountKeys/{service_account_key}

Parent resources:

This section covers the methods and messages to interact with ServiceAccountKey resource.

ServiceAccountKey Methods

Here is the list of ServiceAccountKey resource methods:

GetServiceAccountKey Method

GetServiceAccountKey

rpc GetServiceAccountKey(GetServiceAccountKeyRequest) returns (ServiceAccountKey)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.get

The equivalent REST API is:

GET /v1alpha2/{name=projects/*/regions/*/serviceAccounts/*/serviceAccountKeys/*} 

BatchGetServiceAccountKeys Method

BatchGetServiceAccountKeys

rpc BatchGetServiceAccountKeys(BatchGetServiceAccountKeysRequest) returns (BatchGetServiceAccountKeysResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.batchGet

The equivalent REST API is:

GET /v1alpha2/serviceAccountKeys:batchGet 

ListServiceAccountKeys Method

ListServiceAccountKeys

rpc ListServiceAccountKeys(ListServiceAccountKeysRequest) returns (ListServiceAccountKeysResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.list

The equivalent REST API is:

GET /v1alpha2/{parent=projects/*/regions/*/serviceAccounts/*}/serviceAccountKeys 

WatchServiceAccountKey Method

WatchServiceAccountKey

rpc WatchServiceAccountKey(WatchServiceAccountKeyRequest) returns (WatchServiceAccountKeyResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.watch

The equivalent REST API is:

POST /v1alpha2/{name=projects/*/regions/*/serviceAccounts/*/serviceAccountKeys/*}:watch 

WatchServiceAccountKeys Method

WatchServiceAccountKeys

rpc WatchServiceAccountKeys(WatchServiceAccountKeysRequest) returns (WatchServiceAccountKeysResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.watch

The equivalent REST API is:

POST /v1alpha2/{parent=projects/*/regions/*/serviceAccounts/*}/serviceAccountKeys:watch 

CreateServiceAccountKey Method

CreateServiceAccountKey

rpc CreateServiceAccountKey(CreateServiceAccountKeyRequest) returns (ServiceAccountKey)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.create

The equivalent REST API is:

POST /v1alpha2/{parent=projects/*/regions/*/serviceAccounts/*}/serviceAccountKeys (BODY: service_account_key)

UpdateServiceAccountKey Method

UpdateServiceAccountKey

rpc UpdateServiceAccountKey(UpdateServiceAccountKeyRequest) returns (ServiceAccountKey)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.update

The equivalent REST API is:

PUT /v1alpha2/{service_account_key.name=projects/*/regions/*/serviceAccounts/*/serviceAccountKeys/*} (BODY: service_account_key)

DeleteServiceAccountKey Method

DeleteServiceAccountKey

rpc DeleteServiceAccountKey(DeleteServiceAccountKeyRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/serviceAccountKeys.delete

The equivalent REST API is:

DELETE /v1alpha2/{name=projects/*/regions/*/serviceAccounts/*/serviceAccountKeys/*} 

ServiceAccountKey Messages

Here is the list of ServiceAccountKey resource messages:

ServiceAccountKey Message

Name Type Description
name string (name of ServiceAccountKey) Name of ServiceAccountKey When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [a-z][a-z0-9-]{0,28}[a-z0-9]
display_name string Display name
public_key_data string Public key contents
private_key_data string The private key of the pair. This field is only provided in CreateServiceAccountKey responses. Private keys are NOT stored on the server.
api_key string API key is set if algorithm is equal to API_KEY and is provided in CreateServiceAccountKey responses. API keys are not stored on the server, so the caller is obliged to remember the value. If it is lost, it is necessary to create a new key. The API key must be used as the token in the Authorization header when making a request: Authorization: Bearer $API_KEY. Example for curl: $ curl -X GET -H "Authorization: Bearer $API_KEY" -s $URL
algorithm ServiceAccountKey.Algorithm The algorithm used to generate the key.
valid_not_before .google.protobuf.Timestamp The key is not valid before this timestamp.
valid_not_after .google.protobuf.Timestamp The key is not valid after this timestamp.
metadata Meta Metadata

GetServiceAccountKeyRequest Message

A request message of the GetServiceAccountKey method.

Name Type Description
name string (name of ServiceAccountKey) Name of ntt.iam.v1alpha2.ServiceAccountKey
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetServiceAccountKeysRequest Message

A request message of the BatchGetServiceAccountKeys method.

Name Type Description
names repeated string (name of ServiceAccountKey) Names of ServiceAccountKeys
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetServiceAccountKeysResponse Message

A response message of the BatchGetServiceAccountKeys method.

Name Type Description
service_account_keys repeated ServiceAccountKey found ServiceAccountKeys
missing repeated string (name of ServiceAccountKey) list of not found ServiceAccountKeys

ListServiceAccountKeysRequest Message

A request message of the ListServiceAccountKeys method.

Name Type Description
parent string (parent name of ServiceAccountKey) Parent name of ntt.iam.v1alpha2.ServiceAccountKey
page_size int32 Requested page size. Server may return fewer ServiceAccountKeys than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of ServiceAccountKey) A token identifying a page of results the server should return. Typically, this is the value of ListServiceAccountKeysResponse.next_page_token.
order_by string (orderBy of ServiceAccountKey) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of ServiceAccountKey) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListServiceAccountKeysResponse Message

A response message of the ListServiceAccountKeys method.

Name Type Description
service_account_keys repeated ServiceAccountKey The list of ServiceAccountKeys
prev_page_token string (cursor of ServiceAccountKey) A token to retrieve previous page of results. Pass this value in the ListServiceAccountKeysRequest.page_token.
next_page_token string (cursor of ServiceAccountKey) A token to retrieve next page of results. Pass this value in the ListServiceAccountKeysRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested, or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total ServiceAccountKeys across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchServiceAccountKeyRequest Message

A request message of the WatchServiceAccountKey method.

Name Type Description
name string (name of ServiceAccountKey) Name of ntt.iam.v1alpha2.ServiceAccountKey
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchServiceAccountKeyResponse Message

A response message of the WatchServiceAccountKey method.

Name Type Description
change ServiceAccountKeyChange

WatchServiceAccountKeysRequest Message

A request message of the WatchServiceAccountKeys method.

Name Type Description
type WatchType Type of a watch. Identifies how server stream data to a client, which fields in a request are allowed and which fields in response are relevant.
parent string (parent name of ServiceAccountKey) Parent name of ntt.iam.v1alpha2.ServiceAccountKey
page_size int32 Requested page size. Server may return fewer ServiceAccountKeys than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of ServiceAccountKey) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of ServiceAccountKey) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of ServiceAccountKey) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to ServiceAccountKey that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to ServiceAccountKey that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchServiceAccountKeysResponse Message

A response message of the WatchServiceAccountKeys method.

Name Type Description
service_account_key_changes repeated ServiceAccountKeyChange Changes of ServiceAccountKeys
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of the request). All ServiceAccountKeys will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental; however, messages may still be chunked and the is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchServiceAccountKeysResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information about how many resources the client should have in its state so far (response message without any changes, but with snapshot_size field specified). If the client has a different value than the one sent by the server, then the client should treat it as an error and reconnect. If the value is smaller than 0, then the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, server may send a response message with this flag. After receiving it, client should clear the whole state (drop all changes received so far) as server will send a new snapshot (ServiceAccountKeys will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.

WatchServiceAccountKeysResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of ServiceAccountKey) New token to retrieve previous page of results.
next_page_token string (cursor of ServiceAccountKey) New token to retrieve next page of results.

CreateServiceAccountKeyRequest Message

A request message of the CreateServiceAccountKey method.

Name Type Description
parent string (parent name of ServiceAccountKey) Parent name of ntt.iam.v1alpha2.ServiceAccountKey
service_account_key ServiceAccountKey ServiceAccountKey resource body
response_mask CreateServiceAccountKeyRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateServiceAccountKeyRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateServiceAccountKeyRequest Message

A request message of the UpdateServiceAccountKey method.

Name Type Description
service_account_key ServiceAccountKey ServiceAccountKey resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateServiceAccountKeyRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateServiceAccountKeyRequest.ResponseMask Optional masking applied to response object to reduce message response size.

UpdateServiceAccountKeyRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state ServiceAccountKey Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.

UpdateServiceAccountKeyRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteServiceAccountKeyRequest Message

A request message of the DeleteServiceAccountKey method.

Name Type Description
name string (name of ServiceAccountKey) Name of ntt.iam.v1alpha2.ServiceAccountKey

ServiceAccountKey Enumerations

Here is the list of ServiceAccountKey resource enumerations:

ServiceAccountKey.Algorithm Enumeration

Name Description
KEY_ALGORITHM_UNSPECIFIED
RSA_1024
RSA_2048
RSA_4096
API_KEY
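
The fields and enumeration above are enough to audit a key inventory. The sketch below is an added example, not code from the EdgeLQ project: it assumes each ServiceAccountKey is available as a dict keyed by the documented field names with RFC 3339 timestamps, and the finding labels and the 365-day lifetime threshold are hypothetical policy choices.

```python
import re
from datetime import datetime, timedelta, timezone

# Name pattern and last-segment regex as documented for ServiceAccountKey.
NAME_RE = re.compile(
    r"projects/[^/]+/regions/[^/]+/serviceAccounts/[^/]+"
    r"/serviceAccountKeys/[a-z][a-z0-9-]{0,28}[a-z0-9]"
)


def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2024-01-01T00:00:00Z; None if unset."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_key(key, now, max_lifetime=timedelta(days=365)):
    """Return a list of finding labels (hypothetical names) for one key record."""
    findings = []
    if not NAME_RE.fullmatch(key.get("name", "")):
        findings.append("bad-name")

    algorithm = key.get("algorithm", "KEY_ALGORITHM_UNSPECIFIED")
    if algorithm == "KEY_ALGORITHM_UNSPECIFIED":
        findings.append("unspecified-algorithm")
    elif algorithm == "RSA_1024":
        # 1024-bit RSA is below current minimum key-size guidance.
        findings.append("weak-algorithm")

    # private_key_data and api_key appear only in CreateServiceAccountKey
    # responses; finding them in an inventory means a secret was persisted.
    if key.get("private_key_data") or key.get("api_key"):
        findings.append("secret-in-record")

    not_before = parse_ts(key.get("valid_not_before"))
    not_after = parse_ts(key.get("valid_not_after"))
    if not_after is None:
        findings.append("no-expiry")
    elif not_after <= now:
        findings.append("expired")
    elif not_before and not_after - not_before > max_lifetime:
        findings.append("long-lived")
    if not_before and not_before > now:
        findings.append("not-yet-valid")
    return findings


def audit_inventory(keys, now):
    """Map key name -> findings, listing only keys that have findings."""
    report = {}
    for key in keys:
        findings = audit_key(key, now)
        if findings:
            report[key.get("name", "")] = findings
    return report


# Constructed sample records (not real keys).
_PARENT = "projects/p1/regions/r1/serviceAccounts/sa1/serviceAccountKeys/"
SAMPLE_KEYS = [
    {"name": _PARENT + "key-ok", "algorithm": "RSA_2048",
     "valid_not_before": "2024-01-01T00:00:00Z",
     "valid_not_after": "2024-07-01T00:00:00Z"},
    {"name": _PARENT + "key-weak", "algorithm": "RSA_1024",
     "valid_not_before": "2024-01-01T00:00:00Z"},
    {"name": _PARENT + "key-api", "algorithm": "API_KEY",
     "api_key": "constructed-not-a-real-key",
     "valid_not_before": "2023-01-01T00:00:00Z",
     "valid_not_after": "2024-01-01T00:00:00Z"},
    {"name": _PARENT + "Key_1", "algorithm": "RSA_4096",
     "valid_not_before": "2024-01-01T00:00:00Z",
     "valid_not_after": "2026-06-01T00:00:00Z"},
]
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_KEYS, SAMPLE_NOW).items():
        print(name, findings)
```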

User Resource

User Resource

Name patterns:

  • users/{user}

This section covers the methods and messages to interact with User resource.

User Methods

Here is the list of User resource methods:

GetUser Method

GetUser

rpc GetUser(GetUserRequest) returns (User)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.get

The equivalent REST API is:

GET /v1alpha2/{name=users/*} 

BatchGetUsers Method

BatchGetUsers

rpc BatchGetUsers(BatchGetUsersRequest) returns (BatchGetUsersResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.batchGet

The equivalent REST API is:

GET /v1alpha2/users:batchGet 

ListUsers Method

ListUsers

rpc ListUsers(ListUsersRequest) returns (ListUsersResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.list

The equivalent REST API is:

GET /v1alpha2/users 

WatchUser Method

WatchUser

rpc WatchUser(WatchUserRequest) returns (WatchUserResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.watch

The equivalent REST API is:

POST /v1alpha2/{name=users/*}:watch 

WatchUsers Method

WatchUsers

rpc WatchUsers(WatchUsersRequest) returns (WatchUsersResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.watch

The equivalent REST API is:

POST /v1alpha2/users:watch 

CreateUser Method

CreateUser

rpc CreateUser(CreateUserRequest) returns (User)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.create

The equivalent REST API is:

POST /v1alpha2/users (BODY: user)

UpdateUser Method

UpdateUser

rpc UpdateUser(UpdateUserRequest) returns (User)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.update

The equivalent REST API is:

PUT /v1alpha2/{user.name=users/*} (BODY: user)

DeleteUser Method

DeleteUser

rpc DeleteUser(DeleteUserRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.delete

The equivalent REST API is:

DELETE /v1alpha2/{name=users/*} 

GetUserByEmail Method

GetUserByEmail

rpc GetUserByEmail(GetUserByEmailRequest) returns (User)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.getByEmail

The equivalent REST API is:

POST /v1alpha2:getByEmail 

BatchGetUsersByEmail Method

BatchGetUsersByEmail

rpc BatchGetUsersByEmail(BatchGetUsersByEmailRequest) returns (BatchGetUsersByEmailResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.batchGetByEmail

The equivalent REST API is:

POST /v1alpha2/users:batchGetByEmail 

GetMySettings Method

GetMySettings

rpc GetMySettings(GetMySettingsRequest) returns (GetMySettingsResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.getMySettings

The equivalent REST API is:

POST /v1alpha2/users:getMySettings 

SetMySettings Method

SetMySettings

rpc SetMySettings(SetMySettingsRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.setMySettings

The equivalent REST API is:

POST /v1alpha2/users:setMySettings 

RefreshUserFromIdToken Method

RefreshUserFromIdToken

rpc RefreshUserFromIdToken(RefreshUserFromIdTokenRequest) returns (RefreshUserFromIdTokenResponse)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.refreshUserFromIdToken

The equivalent REST API is:

POST /v1alpha2/users:refreshUserFromIdToken 

ResendVerificationEmail Method

ResendVerificationEmail

rpc ResendVerificationEmail(ResendVerificationEmailRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.resendVerificationEmail

The equivalent REST API is:

POST /v1alpha2/users:resendVerificationEmail 

IsUserVerified Method

IsUserVerified

rpc IsUserVerified(IsUserVerifiedRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.isUserVerified

The equivalent REST API is:

POST /v1alpha2/users:isUserVerified 

ResetMFAIfRecoveryKeyUsed Method

ResetMFAIfRecoveryKeyUsed

rpc ResetMFAIfRecoveryKeyUsed(ResetMFAIfRecoveryKeyUsedRequest) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.resetMFAIfRecoveryKeyUsed

The equivalent REST API is:

POST /v1alpha2/users:resetMFAIfRecoveryKeyUsed 

SetUsersNameInAuth0 Method

SetUsersNameInAuth0

rpc SetUsersNameInAuth0(SetUsersNameInAuth0Request) returns (Empty)

with the following messages:

Required Permissions:

  • services/iam.edgelq.com/permissions/users.setUsersNameInAuth0

The equivalent REST API is:

POST /v1alpha2/users:setUsersNameInAuth0 

User Messages

Here is the list of User resource messages:

User Message

Name Type Description
name string (name of User) Name of User When creating a new instance, this field is optional and if not provided, it will be generated automatically. Last ID segment must conform to the following regex: [\w.@
full_name string Full Name
metadata Meta Metadata
email string Email
email_verified bool Is email verified
auth_info User.AuthInfo
settings map<string, string> User settings and preferences
refreshed_time .google.protobuf.Timestamp

User.AuthInfo Message

Name Type Description
provider string auth provider
id string auth provider id

GetUserRequest Message

A request message of the GetUser method.

Name Type Description
name string (name of User) Name of ntt.iam.v1alpha2.User
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetUsersRequest Message

A request message of the BatchGetUsers method.

Name Type Description
names repeated string (name of User) Names of Users
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

BatchGetUsersResponse Message

A response message of the BatchGetUsers method.

Name Type Description
users repeated User found Users
missing repeated string (name of User) list of not found Users

ListUsersRequest Message

A request message of the ListUsers method.

Name Type Description
page_size int32 Requested page size. Server may return fewer Users than requested. If unspecified, server will pick an appropriate default.
page_token string (cursor of User) A token identifying a page of results the server should return. Typically, this is the value of ListUsersResponse.next_page_token.
order_by string (orderBy of User) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination list of field path with order directive, either ‘asc’ or ‘desc’. If direction is not provided, ‘asc’ is assumed. e.g. “state.nested_field asc, state.something.else desc, theme”
filter string (filter of User) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
include_paging_info bool Indicates if list response should contain total count and offset (fields current_offset and total_results_count).

ListUsersResponse Message

A response message of the ListUsers method.

Name Type Description
users repeated User The list of Users
prev_page_token string (cursor of User) A token to retrieve previous page of results. Pass this value in the ListUsersRequest.page_token.
next_page_token string (cursor of User) A token to retrieve next page of results. Pass this value in the ListUsersRequest.page_token.
current_offset int32 Current offset from the first page, or 0 if no page tokens were given, paging info was not requested, or there was an error while trying to get it. Page index can be computed from offset and limit provided in a request.
total_results_count int32 Number of total Users across all pages or 0, if there are no items, paging info was not requested or there was an error while trying to get it.

WatchUserRequest Message

A request message of the WatchUser method.

Name Type Description
name string (name of User) Name of ntt.iam.v1alpha2.User
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask

WatchUserResponse Message

A response message of the WatchUser method.

Name Type Description
change UserChange

WatchUsersRequest Message

A request message of the WatchUsers method.

Name Type Description
type WatchType Type of a watch. Identifies how server stream data to a client, which fields in a request are allowed and which fields in response are relevant.
page_size int32 Requested page size. Server may return fewer Users than requested. If unspecified, server will pick an appropriate default. Can be populated only for stateful watch type.
page_token string (cursor of User) A token identifying a page of results the server should return. Can be populated only for stateful watch type.
order_by string (orderBy of User) Order By - https://cloud.google.com/apis/design/design_patterns#list_pagination Can be populated only for stateful watch type.
resume_token string A token identifying watch resume point from previous session. Can be populated only for stateless watch type.
starting_time .google.protobuf.Timestamp Point in the time from which we want to start getting updates. This field can be populated only for stateless watch type and if resume token is not known yet. If specified, initial snapshot will NOT be provided. It is assumed client can obtain it using separate means. Watch responses will contain resume tokens which should be used to resume broken connection.
filter string (filter of User) Filter - filter results by field criteria. Simplified SQL-like syntax with following operators: <=, >=, =, !=, <, >, LIKE, CONTAINS (aliases CONTAIN, HAS, HAVE), IN, IS [NOT] NULL
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view. Changes to User that don’t affect any of masked fields won’t be sent back.
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask. Changes to User that don’t affect any of masked fields won’t be sent back.
max_chunk_size int32 Maximum amount of changes in each response message. Query result response is divided on the server side into chunks with size of a specified amount to limit memory footprint of each message. Responses will hold information whether more elements will continue for the actual change. If unspecified, server will pick an appropriate default.

WatchUsersResponse Message

A response message of the WatchUsers method.

Name Type Description
user_changes repeated UserChange Changes of Users
is_current bool If request specified max_chunk_size (or this limit was enforced if stateless watch has been chosen), then responses with “full changeset” will be divided into chunks. Client should keep receiving messages and, once is_current has value true, combine this recent message with all previous ones where is_current is false. If this is the first is_current in a whole watch stream, then it means that the client should, at this moment, hold a snapshot of the current situation (or more accurately, a snapshot of the situation at the moment of the request). All Users will be of type Added/Current (depending on watch_type specified in the request). Further responses will be incremental; however, messages may still be chunked and the is_current logic still applies. is_current is always true for stateful watch if max_chunk_size was left at 0.
page_token_change WatchUsersResponse.PageTokenChange When present, PageTokens used for page navigation should be updated. Present only if is_current is true (last chunk).
resume_token string Token that can be used if current connection drops and client needs to reconnect. Populated only for stateless watch type. Present only if is_current is true (last chunk).
snapshot_size int64 Server may occasionally send information about how many resources the client should have in its state so far (response message without any changes, but with snapshot_size field specified). If the client has a different value than the one sent by the server, then the client should treat it as an error and reconnect. If the value is smaller than 0, then the client should ignore this field as unpopulated. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent together with is_current, is_soft_reset and is_hard_reset flags.
is_soft_reset bool In case of an internal issue, server may send a response message with this flag. It indicates that the client should drop all changes from recent responses where is_current is false only! If the last message had is_current set to true, client should do nothing and process normally. Resume token received before is still valid. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_hard_reset or snapshot_size.
is_hard_reset bool In case of an internal issue, server may send a response message with this flag. After receiving it, client should clear the whole state (drop all changes received so far) as server will send a new snapshot (Users will contain changes of type Current only). Any resume tokens should be discarded as well. This field should be checked only for stateless watch. In stateful watch, those kinds of errors are handled by the server side. Will never be sent along with is_current, is_soft_reset or snapshot_size.
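
The chunking and reset rules described for WatchServiceAccountKeysResponse and WatchUsersResponse can be implemented as a small client-side reducer; a consumer that caches keys or users and ignores the resets can keep a deleted entry in its cache. This is an added example, not the project's client code: it assumes responses arrive as dicts keyed by the documented field names, that each change is a dict with hypothetical `type`, `name` and `resource` keys, and that snapshot_size is compared against the committed state.

```python
class WatchDesync(Exception):
    """Local state disagrees with the server-reported snapshot_size; reconnect."""


class WatchState:
    """Reduces stateless watch responses into a consistent local view."""

    def __init__(self, changes_field):
        # "service_account_key_changes" or "user_changes", as documented above.
        self.changes_field = changes_field
        self.resources = {}       # committed view: resource name -> resource
        self.pending = []         # changes from chunks where is_current is false
        self.resume_token = None

    def apply(self, msg):
        """Apply one response. Returns True when a full changeset was committed."""
        if msg.get("is_hard_reset"):
            # Drop everything, including the resume token; a new snapshot follows.
            self.resources.clear()
            self.pending.clear()
            self.resume_token = None
            return False
        if msg.get("is_soft_reset"):
            # Drop only uncommitted chunks; the resume token stays valid.
            self.pending.clear()
            return False

        changes = msg.get(self.changes_field, [])
        size = msg.get("snapshot_size", -1)   # assumption: absent means unpopulated
        if not changes and not msg.get("is_current") and size >= 0:
            if size != len(self.resources):
                raise WatchDesync(
                    f"server reports {size}, local state has {len(self.resources)}"
                )
            return False

        self.pending.extend(changes)
        if not msg.get("is_current"):
            return False                       # more chunks of this changeset follow

        for change in self.pending:
            # "removed" is an assumed change type; others upsert the resource.
            if change["type"] == "removed":
                self.resources.pop(change["name"], None)
            else:
                self.resources[change["name"]] = change.get("resource", {})
        self.pending.clear()
        if msg.get("resume_token"):
            self.resume_token = msg["resume_token"]
        return True


def _chg(kind, key_id):
    """Build a constructed change record for the sample stream."""
    name = f"projects/p1/regions/r1/serviceAccounts/sa1/serviceAccountKeys/{key_id}"
    return {"type": kind, "name": name, "resource": {"name": name}}


FIELD = "service_account_key_changes"

# Constructed sample stream: chunked snapshot, size check, aborted chunk, update.
SAMPLE_STREAM = [
    {FIELD: [_chg("added", "k1"), _chg("added", "k2")], "is_current": False},
    {FIELD: [_chg("added", "k3")], "is_current": True, "resume_token": "t1"},
    {"snapshot_size": 3},
    {FIELD: [_chg("removed", "k1")], "is_current": False},
    {"is_soft_reset": True},
    {FIELD: [_chg("removed", "k2")], "is_current": True, "resume_token": "t2"},
]


def replay(messages, changes_field=FIELD):
    """Feed a list of responses through a fresh WatchState and return it."""
    state = WatchState(changes_field)
    for msg in messages:
        state.apply(msg)
    return state


if __name__ == "__main__":
    final = replay(SAMPLE_STREAM)
    print(sorted(final.resources), final.resume_token)
```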

WatchUsersResponse.PageTokenChange Message

Name Type Description
prev_page_token string (cursor of User) New token to retrieve previous page of results.
next_page_token string (cursor of User) New token to retrieve next page of results.

CreateUserRequest Message

A request message of the CreateUser method.

Name Type Description
user User User resource body
response_mask CreateUserRequest.ResponseMask Optional masking applied to response object to reduce message response size.

CreateUserRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields.

UpdateUserRequest Message

A request message of the UpdateUser method.

Name Type Description
user User User resource body
update_mask .google.protobuf.FieldMask FieldMask applied to request - change will be applied only for fields in the mask
cas UpdateUserRequest.CAS Conditional update applied to request if update should be executed only for specific resource state. If this field is populated, then server will fetch existing resource, compare with the one stored in the cas field (after applying field mask) and proceed with update if and only if they match. Otherwise RPC error Aborted will be returned.
allow_missing bool If set to true, and the resource is not found, a new resource will be created. In this situation, ‘field_mask’ is ignored. https://google.aip.dev/134#create-or-update
response_mask UpdateUserRequest.ResponseMask Reduces message response size.

UpdateUserRequest.CAS Message

CAS - Compare and Swap. This object is used if user wants to make update conditional based upon previous resource version.

Name Type Description
conditional_state User Conditional desired state of a resource before update.
field_mask .google.protobuf.FieldMask Field paths from conditional state of resource server should check and compare.
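
A model of the conditional update described by cas, showing a stale writer rejected with Aborted and a client that re-reads and retries. This is an added example, not the service's implementation: Store, Resource and UpdateField are hypothetical, resources are modelled as flat field-path maps, and full_name is an assumed User field path.

```go
package main

import (
	"errors"
	"fmt"
)

// Resource models a User as field path -> value (constructed model, not an SDK type).
type Resource map[string]string

// CAS mirrors UpdateUserRequest.CAS: conditional_state plus field_mask.
type CAS struct {
	ConditionalState Resource
	FieldMask        []string
}

// UpdateUserRequest mirrors the documented user, update_mask and cas fields;
// allow_missing and response_mask are not modelled.
type UpdateUserRequest struct {
	User       Resource
	UpdateMask []string
	CAS        *CAS
}

var ErrAborted = errors.New("Aborted: stored resource does not match cas.conditional_state")
var ErrNotFound = errors.New("NotFound")

// Store is a single-threaded, in-memory stand-in for the server side.
type Store struct{ users map[string]Resource }

func copyRes(r Resource) Resource {
	out := make(Resource, len(r))
	for k, v := range r {
		out[k] = v
	}
	return out
}

// Get returns a copy of the stored resource (empty if it does not exist).
func (s *Store) Get(name string) Resource { return copyRes(s.users[name]) }

// Update fetches the stored resource, compares the paths listed in
// cas.field_mask against cas.conditional_state, and applies update_mask
// only if every compared path matches.
func (s *Store) Update(req UpdateUserRequest) (Resource, error) {
	cur, ok := s.users[req.User["name"]]
	if !ok {
		return nil, ErrNotFound
	}
	if req.CAS != nil {
		for _, path := range req.CAS.FieldMask {
			if cur[path] != req.CAS.ConditionalState[path] {
				return nil, ErrAborted // nothing is written
			}
		}
	}
	for _, path := range req.UpdateMask {
		cur[path] = req.User[path]
	}
	return copyRes(cur), nil
}

// UpdateField is a read-modify-write loop: it re-reads and retries when the
// conditional update is aborted because another writer changed the field first.
func UpdateField(s *Store, name, field string, mutate func(string) string, attempts int) (Resource, error) {
	for i := 0; i < attempts; i++ {
		cur := s.Get(name)
		out, err := s.Update(UpdateUserRequest{
			User:       Resource{"name": name, field: mutate(cur[field])},
			UpdateMask: []string{field},
			CAS:        &CAS{ConditionalState: cur, FieldMask: []string{field}},
		})
		if err != ErrAborted {
			return out, err
		}
	}
	return nil, ErrAborted
}

func main() {
	// Constructed sample resource.
	st := &Store{users: map[string]Resource{"users/alice": {"name": "users/alice", "full_name": "Alice"}}}
	stale := st.Get("users/alice") // writer B reads
	st.Update(UpdateUserRequest{ // writer A changes the field first
		User: Resource{"name": "users/alice", "full_name": "Alice A."}, UpdateMask: []string{"full_name"}})
	_, err := st.Update(UpdateUserRequest{ // writer B's conditional update is now stale
		User: Resource{"name": "users/alice", "full_name": "Alice B."}, UpdateMask: []string{"full_name"},
		CAS: &CAS{ConditionalState: stale, FieldMask: []string{"full_name"}}})
	fmt.Println(err, st.Get("users/alice")["full_name"])
}
```

Only the paths named in cas.field_mask are compared, so a conditional update protects exactly the fields the caller lists and no others.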

UpdateUserRequest.ResponseMask Message

ResponseMask allows client to reduce response message size.

Name Type Description
skip_entire_response_body bool If this flag has value true, then response will contain just empty resource without any fields populated. Field body_mask is ignored if set.
updated_fields_only bool Include all fields that were actually updated during processing. Note this may be larger than update mask if some fields were computed additionally. Name is added as well.
body_mask .google.protobuf.FieldMask If this field is populated, then resource in response will contain only specific fields. If skip_entire_response_body is true, this field is ignored.

DeleteUserRequest Message

A request message of the DeleteUser method.

Name Type Description
name string (name of User) Name of ntt.iam.v1alpha2.User

GetUserByEmailRequest Message

Request message for method [GetUserByEmail][ntt.iam.v1alpha2.GetUserByEmail]

Name Type Description
email string reference of ntt.iam.v1alpha2.User
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
skip_cache bool If true, server will skip checking if query result is present in its cache

BatchGetUsersByEmailRequest Message

Request message for method [BatchGetUsersByEmail][ntt.iam.v1alpha2.BatchGetUsersByEmail]

Name Type Description
emails repeated string Emails of users
field_mask .google.protobuf.FieldMask A list of extra fields to be obtained for each response item on top of fields defined by request field view
view View View defines list of standard response fields present in response items. Additional fields can be amended by request field field_mask
skip_cache bool If true, server will skip checking if query result is present in its cache

BatchGetUsersByEmailResponse Message

Response message for method [BatchGetUsersByEmail][ntt.iam.v1alpha2.BatchGetUsersByEmail]

Name Type Description
users repeated User found Users
missing repeated string list of not found user emails

GetMySettingsRequest Message

Request message for method [GetMySettings][ntt.iam.v1alpha2.GetMySettings]

Name Type Description
keys repeated string list of keys to retrieve

GetMySettingsResponse Message

Response message for method [GetMySettings][ntt.iam.v1alpha2.GetMySettings]

Name Type Description
settings map<string, string> resulting settings

SetMySettingsRequest Message

Request message for method [SetMySettings][ntt.iam.v1alpha2.SetMySettings]

Name Type Description
settings map<string, string> Settings to update. Leave empty value to unset key

RefreshUserFromIdTokenRequest Message

Request message for method [RefreshUserFromIdToken][ntt.iam.v1alpha2.RefreshUserFromIdToken]

Name Type Description
id_token string JWT-encoded ID token

RefreshUserFromIdTokenResponse Message

Response message for method [RefreshUserFromIdToken][ntt.iam.v1alpha2.RefreshUserFromIdToken]

Name Type Description
none none none

ResendVerificationEmailRequest Message

Request message for method [ResendVerificationEmail][ntt.iam.v1alpha2.ResendVerificationEmail]

Name Type Description
none none none

IsUserVerifiedRequest Message

Request message for method [IsUserVerified][ntt.iam.v1alpha2.IsUserVerified]

Name Type Description
none none none

ResetMFAIfRecoveryKeyUsedRequest Message

Request message for method [ResetMFAIfRecoveryKeyUsed][ntt.iam.v1alpha2.ResetMFAIfRecoveryKeyUsed]

Name Type Description
none none none

SetUsersNameInAuth0Request Message

Request message for method [SetUsersNameInAuth0][ntt.iam.v1alpha2.SetUsersNameInAuth0]

Name Type Description
none none none

IAM Service Shared Methods and Messages

IAM Service Shared Messages

Here is the list of IAM service shared messages:

Actor Message

Actor is a party performing an action

Name Type Description
user string (reference to User)
service_account string (reference to ServiceAccount)

AttestationDomainChange Message

AttestationDomainChange is used by Watch notifications Responses to describe change of single AttestationDomain. One of Added, Modified, Removed

Name Type Description
added AttestationDomainChange.Added Added is returned when watched document is added, either created or enters Query view
modified AttestationDomainChange.Modified Modified is returned when watched document is modified
current AttestationDomainChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed AttestationDomainChange.Removed Removed is returned when AttestationDomain is deleted or leaves Query view

AttestationDomainChange.Added Message

AttestationDomain has been added to query view

Name Type Description
attestation_domain AttestationDomain
view_index int32 Integer describing index of added AttestationDomain in resulting query view.

AttestationDomainChange.Current Message

AttestationDomain has been added or modified in a query view. Version used for stateless watching

Name Type Description
attestation_domain AttestationDomain

AttestationDomainChange.Modified Message

AttestationDomain changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of AttestationDomain) Name of modified AttestationDomain
attestation_domain AttestationDomain New version of AttestationDomain or masked difference, depending on mask_changes instrumentation of issued [WatchAttestationDomainRequest] or [WatchAttestationDomainsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified AttestationDomain. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying AttestationDomain new index in resulting query view.

AttestationDomainChange.Removed Message

Removed is returned when AttestationDomain is deleted or leaves Query view

Name Type Description
name string (name of AttestationDomain)
view_index int32 Integer specifying removed AttestationDomain index. Not populated in stateless watch type.

Check Message

Check contains

Name Type Description
object string Object resource name, e.g. projects/<project_id>/devices/<device_id>
permissions repeated string (name of Permission) Array of permissions to be verified

CheckResult Message

Name Type Description
object string Object resource name, e.g. projects/<project_id>/devices/<device_id>
granted_permissions repeated string (name of Permission) Granted Permissions
conditionally_granted_permissions repeated ConditionalGrant

ConditionBinding Message

ConditionBinding represents instantiation of condi

Name Type Description
condition string (reference to Condition) Reference to Condition which may also be parameterized
parameters map<string, string> TODO: Deprecated, use params instead
params .google.protobuf.Struct Parameters in string form. Parameters must match [declarations][ntt.iam.v1alpha2.Condition.parameter_declarations]

ConditionChange Message

ConditionChange is used by Watch notifications Responses to describe change of single Condition. One of Added, Modified, Removed

Name Type Description
added ConditionChange.Added Added is returned when watched document is added, either created or enters Query view
modified ConditionChange.Modified Modified is returned when watched document is modified
current ConditionChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed ConditionChange.Removed Removed is returned when Condition is deleted or leaves Query view

ConditionChange.Added Message

Condition has been added to query view

Name Type Description
condition Condition
view_index int32 Integer describing index of added Condition in resulting query view.

ConditionChange.Current Message

Condition has been added or modified in a query view. Version used for stateless watching

Name Type Description
condition Condition

ConditionChange.Modified Message

Condition changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of Condition) Name of modified Condition
condition Condition New version of Condition or masked difference, depending on mask_changes instrumentation of issued [WatchConditionRequest] or [WatchConditionsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified Condition. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying Condition new index in resulting query view.

ConditionChange.Removed Message

Removed is returned when Condition is deleted or leaves Query view

Name Type Description
name string (name of Condition)
view_index int32 Integer specifying removed Condition index. Not populated in stateless watch type.

ConditionalGrant Message

ConditionalGrant represents grant on repeated list of permissions if all of the conditions are met.

Name Type Description
permissions repeated string (name of Permission)
condition_bindings repeated ConditionBinding

GroupChange Message

GroupChange is used by Watch notifications Responses to describe change of single Group. One of Added, Modified, Removed

Name Type Description
added GroupChange.Added Added is returned when watched document is added, either created or enters Query view
modified GroupChange.Modified Modified is returned when watched document is modified
current GroupChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed GroupChange.Removed Removed is returned when Group is deleted or leaves Query view

GroupChange.Added Message

Group has been added to query view

Name Type Description
group Group
view_index int32 Integer describing index of added Group in resulting query view.

GroupChange.Current Message

Group has been added or modified in a query view. Version used for stateless watching

Name Type Description
group Group

GroupChange.Modified Message

Group changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of Group) Name of modified Group
group Group New version of Group or masked difference, depending on mask_changes instrumentation of issued [WatchGroupRequest] or [WatchGroupsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified Group. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying Group new index in resulting query view.

GroupChange.Removed Message

Removed is returned when Group is deleted or leaves Query view

Name Type Description
name string (name of Group)
view_index int32 Integer specifying removed Group index. Not populated in stateless watch type.

GroupMemberChange Message

GroupMemberChange is used by Watch notifications Responses to describe change of single GroupMember. One of Added, Modified, Removed

Name Type Description
added GroupMemberChange.Added Added is returned when watched document is added, either created or enters Query view
modified GroupMemberChange.Modified Modified is returned when watched document is modified
current GroupMemberChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed GroupMemberChange.Removed Removed is returned when GroupMember is deleted or leaves Query view

GroupMemberChange.Added Message

GroupMember has been added to query view

Name Type Description
group_member GroupMember
view_index int32 Integer describing index of added GroupMember in resulting query view.

GroupMemberChange.Current Message

GroupMember has been added or modified in a query view. Version used for stateless watching

Name Type Description
group_member GroupMember

GroupMemberChange.Modified Message

GroupMember changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of GroupMember) Name of modified GroupMember
group_member GroupMember New version of GroupMember or masked difference, depending on mask_changes instrumentation of issued [WatchGroupMemberRequest] or [WatchGroupMembersRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified GroupMember. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying GroupMember new index in resulting query view.

GroupMemberChange.Removed Message

Removed is returned when GroupMember is deleted or leaves Query view

Name Type Description
name string (name of GroupMember)
view_index int32 Integer specifying removed GroupMember index. Not populated in stateless watch type.

Invitation Message

Common invitation body. It’s used in Project/Organization Invitations

Name Type Description
invitee_email string Invitee Email address
inviter_actor Actor Inviter User
inviter_full_name string Denormalized data - TODO: remove it
inviter_email string Inviter Email
language_code string Invitation ISO language code. Defaults to “en-us” (American English).
roles repeated string (reference to Role) List of Roles to be granted on project when invitation is accepted
expiration_date .google.protobuf.Timestamp Expiration date
extras map<string, string> Extra custom fields to further customize invitation experience. Fields should be agreed between sender (usually UI) and documented in the template of email service provider.
state Invitation.State Status of Invitation

OrganizationChange Message

OrganizationChange is used by Watch notifications Responses to describe change of single Organization. One of Added, Modified, Removed

Name Type Description
added OrganizationChange.Added Added is returned when watched document is added, either created or enters Query view
modified OrganizationChange.Modified Modified is returned when watched document is modified
current OrganizationChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed OrganizationChange.Removed Removed is returned when Organization is deleted or leaves Query view

OrganizationChange.Added Message

Organization has been added to query view

Name Type Description
organization Organization
view_index int32 Integer describing index of added Organization in resulting query view.

OrganizationChange.Current Message

Organization has been added or modified in a query view. Version used for stateless watching

Name Type Description
organization Organization

OrganizationChange.Modified Message

Organization changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of Organization) Name of modified Organization
organization Organization New version of Organization or masked difference, depending on mask_changes instrumentation of issued [WatchOrganizationRequest] or [WatchOrganizationsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified Organization. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying Organization new index in resulting query view.

OrganizationChange.Removed Message

Removed is returned when Organization is deleted or leaves Query view

Name Type Description
name string (name of Organization)
view_index int32 Integer specifying removed Organization index. Not populated in stateless watch type.

OrganizationInvitationChange Message

OrganizationInvitationChange is used by Watch notifications Responses to describe change of single OrganizationInvitation. One of Added, Modified, Removed

Name Type Description
added OrganizationInvitationChange.Added Added is returned when watched document is added, either created or enters Query view
modified OrganizationInvitationChange.Modified Modified is returned when watched document is modified
current OrganizationInvitationChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed OrganizationInvitationChange.Removed Removed is returned when OrganizationInvitation is deleted or leaves Query view

OrganizationInvitationChange.Added Message

OrganizationInvitation has been added to query view

Name Type Description
organization_invitation OrganizationInvitation
view_index int32 Integer describing index of added OrganizationInvitation in resulting query view.

OrganizationInvitationChange.Current Message

OrganizationInvitation has been added or modified in a query view. Version used for stateless watching

Name Type Description
organization_invitation OrganizationInvitation

OrganizationInvitationChange.Modified Message

OrganizationInvitation changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of OrganizationInvitation) Name of modified OrganizationInvitation
organization_invitation OrganizationInvitation New version of OrganizationInvitation or masked difference, depending on mask_changes instrumentation of issued [WatchOrganizationInvitationRequest] or [WatchOrganizationInvitationsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified OrganizationInvitation. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying OrganizationInvitation new index in resulting query view.

OrganizationInvitationChange.Removed Message

Removed is returned when OrganizationInvitation is deleted or leaves Query view

Name Type Description
name string (name of OrganizationInvitation)
view_index int32 Integer specifying removed OrganizationInvitation index. Not populated in stateless watch type.

PCR Message

Name Type Description
index uint32s
digest_hex string Hex-encoded digest string (without 0x prefix, e.g. “DEADBEEF”)
digest_alg DigestAlg
comment string User’s comments for this entry

PermissionChange Message

PermissionChange is used by Watch notifications Responses to describe change of single Permission. One of Added, Modified, Removed

Name Type Description
added PermissionChange.Added Added is returned when watched document is added, either created or enters Query view
modified PermissionChange.Modified Modified is returned when watched document is modified
current PermissionChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed PermissionChange.Removed Removed is returned when Permission is deleted or leaves Query view

PermissionChange.Added Message

Permission has been added to query view

Name Type Description
permission Permission
view_index int32 Integer describing index of added Permission in resulting query view.

PermissionChange.Current Message

Permission has been added or modified in a query view. Version used for stateless watching

Name Type Description
permission Permission

PermissionChange.Modified Message

Permission changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of Permission) Name of modified Permission
permission Permission New version of Permission or masked difference, depending on mask_changes instrumentation of issued [WatchPermissionRequest] or [WatchPermissionsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified Permission. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying Permission new index in resulting query view.

PermissionChange.Removed Message

Removed is returned when Permission is deleted or leaves Query view

Name Type Description
name string (name of Permission)
view_index int32 Integer specifying removed Permission index. Not populated in stateless watch type.

ProjectChange Message

ProjectChange is used by Watch notifications Responses to describe change of single Project. One of Added, Modified, Removed

Name Type Description
added ProjectChange.Added Added is returned when watched document is added, either created or enters Query view
modified ProjectChange.Modified Modified is returned when watched document is modified
current ProjectChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed ProjectChange.Removed Removed is returned when Project is deleted or leaves Query view

ProjectChange.Added Message

Project has been added to query view

Name Type Description
project Project
view_index int32 Integer describing index of added Project in resulting query view.

ProjectChange.Current Message

Project has been added or modified in a query view. Version used for stateless watching

Name Type Description
project Project

ProjectChange.Modified Message

Project changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of Project) Name of modified Project
project Project New version of Project or masked difference, depending on mask_changes instrumentation of issued [WatchProjectRequest] or [WatchProjectsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified Project. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying Project new index in resulting query view.

ProjectChange.Removed Message

Removed is returned when Project is deleted or leaves Query view

Name Type Description
name string (name of Project)
view_index int32 Integer specifying removed Project index. Not populated in stateless watch type.

ProjectInvitationChange Message

ProjectInvitationChange is used by Watch notifications Responses to describe change of single ProjectInvitation. One of Added, Modified, Removed

Name Type Description
added ProjectInvitationChange.Added Added is returned when watched document is added, either created or enters Query view
modified ProjectInvitationChange.Modified Modified is returned when watched document is modified
current ProjectInvitationChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed ProjectInvitationChange.Removed Removed is returned when ProjectInvitation is deleted or leaves Query view

ProjectInvitationChange.Added Message

ProjectInvitation has been added to query view

Name Type Description
project_invitation ProjectInvitation
view_index int32 Integer describing index of added ProjectInvitation in resulting query view.

ProjectInvitationChange.Current Message

ProjectInvitation has been added or modified in a query view. Version used for stateless watching

Name Type Description
project_invitation ProjectInvitation

ProjectInvitationChange.Modified Message

ProjectInvitation changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of ProjectInvitation) Name of modified ProjectInvitation
project_invitation ProjectInvitation New version of ProjectInvitation or masked difference, depending on mask_changes instrumentation of issued [WatchProjectInvitationRequest] or [WatchProjectInvitationsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified ProjectInvitation. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying ProjectInvitation new index in resulting query view.

ProjectInvitationChange.Removed Message

Removed is returned when ProjectInvitation is deleted or leaves Query view

Name Type Description
name string (name of ProjectInvitation)
view_index int32 Integer specifying removed ProjectInvitation index. Not populated in stateless watch type.

RoleBindingChange Message

RoleBindingChange is used by Watch notifications Responses to describe change of single RoleBinding. One of Added, Modified, Removed

Name Type Description
added RoleBindingChange.Added Added is returned when watched document is added, either created or enters Query view
modified RoleBindingChange.Modified Modified is returned when watched document is modified
current RoleBindingChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed RoleBindingChange.Removed Removed is returned when RoleBinding is deleted or leaves Query view

RoleBindingChange.Added Message

RoleBinding has been added to query view

Name Type Description
role_binding RoleBinding
view_index int32 Integer describing index of added RoleBinding in resulting query view.

RoleBindingChange.Current Message

RoleBinding has been added or modified in a query view. Version used for stateless watching

Name Type Description
role_binding RoleBinding

RoleBindingChange.Modified Message

RoleBinding changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of RoleBinding) Name of modified RoleBinding
role_binding RoleBinding New version of RoleBinding or masked difference, depending on mask_changes instrumentation of issued [WatchRoleBindingRequest] or [WatchRoleBindingsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified RoleBinding. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying RoleBinding new index in resulting query view.

RoleBindingChange.Removed Message

Removed is returned when RoleBinding is deleted or leaves Query view

Name Type Description
name string (name of RoleBinding)
view_index int32 Integer specifying removed RoleBinding index. Not populated in stateless watch type.

RoleChange Message

RoleChange is used by Watch notifications Responses to describe change of single Role. One of Added, Modified, Removed

Name Type Description
added RoleChange.Added Added is returned when watched document is added, either created or enters Query view
modified RoleChange.Modified Modified is returned when watched document is modified
current RoleChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed RoleChange.Removed Removed is returned when Role is deleted or leaves Query view

RoleChange.Added Message

Role has been added to query view

Name Type Description
role Role
view_index int32 Integer describing index of added Role in resulting query view.

RoleChange.Current Message

Role has been added or modified in a query view. Version used for stateless watching

Name Type Description
role Role

RoleChange.Modified Message

Role changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of Role) Name of modified Role
role Role New version of Role or masked difference, depending on mask_changes instrumentation of issued [WatchRoleRequest] or [WatchRolesRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified Role. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying Role new index in resulting query view.

RoleChange.Removed Message

Removed is returned when Role is deleted or leaves Query view

Name Type Description
name string (name of Role)
view_index int32 Integer specifying removed Role index. Not populated in stateless watch type.

ServiceAccountChange Message

ServiceAccountChange is used by Watch notifications Responses to describe change of single ServiceAccount. One of Added, Modified, Removed

Name Type Description
added ServiceAccountChange.Added Added is returned when watched document is added, either created or enters Query view
modified ServiceAccountChange.Modified Modified is returned when watched document is modified
current ServiceAccountChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed ServiceAccountChange.Removed Removed is returned when ServiceAccount is deleted or leaves Query view

ServiceAccountChange.Added Message

ServiceAccount has been added to query view

Name Type Description
service_account ServiceAccount
view_index int32 Integer describing index of added ServiceAccount in resulting query view.

ServiceAccountChange.Current Message

ServiceAccount has been added or modified in a query view. Version used for stateless watching

Name Type Description
service_account ServiceAccount

ServiceAccountChange.Modified Message

ServiceAccount changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of ServiceAccount) Name of modified ServiceAccount
service_account ServiceAccount New version of ServiceAccount or masked difference, depending on mask_changes instrumentation of issued [WatchServiceAccountRequest] or [WatchServiceAccountsRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified ServiceAccount. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying ServiceAccount new index in resulting query view.

ServiceAccountChange.Removed Message

Removed is returned when ServiceAccount is deleted or leaves Query view

Name Type Description
name string (name of ServiceAccount)
view_index int32 Integer specifying removed ServiceAccount index. Not populated in stateless watch type.

ServiceAccountKeyChange Message

ServiceAccountKeyChange is used by Watch notification responses to describe a change to a single ServiceAccountKey. One of Added, Modified, Removed.

Name Type Description
added ServiceAccountKeyChange.Added Added is returned when watched document is added, either created or enters Query view
modified ServiceAccountKeyChange.Modified Modified is returned when watched document is modified
current ServiceAccountKeyChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed ServiceAccountKeyChange.Removed Removed is returned when ServiceAccountKey is deleted or leaves Query view

ServiceAccountKeyChange.Added Message

ServiceAccountKey has been added to query view

Name Type Description
service_account_key ServiceAccountKey
view_index int32 Integer describing index of added ServiceAccountKey in resulting query view.

ServiceAccountKeyChange.Current Message

ServiceAccountKey has been added or modified in a query view. Version used for stateless watching

Name Type Description
service_account_key ServiceAccountKey

ServiceAccountKeyChange.Modified Message

ServiceAccountKey changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of ServiceAccountKey) Name of modified ServiceAccountKey
service_account_key ServiceAccountKey New version of ServiceAccountKey or masked difference, depending on mask_changes instrumentation of issued [WatchServiceAccountKeyRequest] or [WatchServiceAccountKeysRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified ServiceAccountKey. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying ServiceAccountKey new index in resulting query view.

ServiceAccountKeyChange.Removed Message

Removed is returned when ServiceAccountKey is deleted or leaves Query view

Name Type Description
name string (name of ServiceAccountKey)
view_index int32 Integer specifying removed ServiceAccountKey index. Not populated in stateless watch type.
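
Added example (not EdgeLQ SDK code): folding stateful-watch ServiceAccountKeyChange notifications into an ordered local view, as an audit mirror of the key inventory would need to. The Key and Change types, the flat field-path map, and the rule that previous_view_index is vacated before view_index is filled are assumptions; only top-level field_mask paths are handled.

```go
package main

import "fmt"

// Key and Change are hypothetical stand-ins, not the generated SDK types.
type Key map[string]string // top-level field path -> value
type Change struct {
	Kind             string   // "added", "modified" or "removed"
	Name             string   // name (modified, removed)
	Key              Key      // service_account_key: full document or masked difference
	Mask             []string // field_mask paths; empty means Key is the full document
	PrevIndex, Index int      // previous_view_index, view_index
}

// Apply folds one change into the ordered view; a mismatch means the view drifted.
func Apply(view []Key, c Change) ([]Key, error) {
	doc := c.Key
	if c.Kind == "modified" || c.Kind == "removed" {
		at := c.Index
		if c.Kind == "modified" {
			at = c.PrevIndex
		}
		if at < 0 || at >= len(view) || view[at]["name"] != c.Name {
			return nil, fmt.Errorf("index %d does not hold %q: resync", at, c.Name)
		}
		if len(c.Mask) > 0 { // masked difference: overwrite listed paths only
			doc = Key{}
			for p, val := range view[at] {
				doc[p] = val
			}
			for _, p := range c.Mask {
				doc[p] = c.Key[p]
			}
		}
		view = append(view[:at:at], view[at+1:]...) // copy without the old position
		if c.Kind == "removed" {
			return view, nil
		}
	} else if c.Kind != "added" {
		return nil, fmt.Errorf("unknown change kind %q", c.Kind)
	}
	if c.Index < 0 || c.Index > len(view) {
		return nil, fmt.Errorf("view_index %d out of range: resync", c.Index)
	}
	return append(view[:c.Index:c.Index], append([]Key{doc}, view[c.Index:]...)...), nil
}
func main() { // constructed sample: one key enters an empty view
	fmt.Println(Apply(nil, Change{Kind: "added", Key: Key{"name": "k1"}}))
}
```

In a stateless watch, Removed carries no view_index, so a client of that watch type would key its view by name instead of position.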

ServiceBusinessTier Message

ServiceBusinessTier binds specific service with specific business tier. It may be useful if two services use different tier in one organizational entity (project or organization).

Name Type Description
service string (name of Service) Service
business_tier BusinessTier Entity tier value for given service.

ServiceErrors Message

ServiceErrors is generic container wrapping errors with services.

Name Type Description
errors repeated ServiceErrors.Error Errors

ServiceErrors.Error Message

Name Type Description
service string (name of Service) Service for which there are error reports. May be skipped if error is cross-service or is about core EdgeLQ components.
message string Error message

UserChange Message

UserChange is used by Watch notification responses to describe a change to a single User. One of Added, Modified, Removed.

Name Type Description
added UserChange.Added Added is returned when watched document is added, either created or enters Query view
modified UserChange.Modified Modified is returned when watched document is modified
current UserChange.Current Current is returned in stateless watch when document enters query view or is modified within.
removed UserChange.Removed Removed is returned when User is deleted or leaves Query view

UserChange.Added Message

User has been added to query view

Name Type Description
user User
view_index int32 Integer describing index of added User in resulting query view.

UserChange.Current Message

User has been added or modified in a query view. Version used for stateless watching

Name Type Description
user User

UserChange.Modified Message

User changed some of its fields - contains either full document or masked change

Name Type Description
name string (name of User) Name of modified User
user User New version of User or masked difference, depending on mask_changes instrumentation of issued [WatchUserRequest] or [WatchUsersRequest]
field_mask .google.protobuf.FieldMask Used when mask_changes is set, contains field paths of modified properties.
previous_view_index int32 Previous view index specifies previous position of modified User. When modification doesn’t affect sorted order, value will remain identical to [view_index].
view_index int32 Integer specifying User new index in resulting query view.

UserChange.Removed Message

Removed is returned when User is deleted or leaves Query view

Name Type Description
name string (name of User)
view_index int32 Integer specifying removed User index. Not populated in stateless watch type.

IAM Service Shared Enumerations

Here is the list of IAM service shared enumerations:

BusinessTier Enumeration

BusinessTier indicates size of organizational entity (project or organization)

Name Description
UNDEFINED
LARGE
MEDIUM
SMALL
XSMALL

DigestAlg Enumeration

Name Description
SHA1
SHA256

Invitation.State Enumeration

Invitation FSM States

Name Description
STATE_UNSPECIFIED
PENDING
ACCEPTED
DECLINED
EXPIRED

TpmVersion Enumeration

Name Description
TPMVAGNOSTIC
TPMV12
TPMV20

VerifyRequest.AskForChallenge.ChallengeFormat Enumeration

Name Description
TPM20_CREDENTIAL Credential Protection as defined in section 24 of the TPM specification revision 2 part 1. See: https://trustedcomputinggroup.org/resource/tpm-library-specification/ Returned primitives are of type TPM2B_ID_OBJECT and TPM2B_ENCRYPTED_SECRET. NOTE: ECC is not supported. Reference implementation: github.com/google/go-attestation@v0.3.2/attest/activation.go:generateChallengeTPM20, which uses github.com/google/go-tpm@v0.3.2/tpm2/credactivation/credential_activation.go:Generate
TPM12_EKBLOB Challenge as defined in section 15.1 of the TPM 1.2 commands spec. See: https://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-3-Commands_v1.2_rev116_01032011.pdf Returned primitives are of type TPM12_EKBLOB (with TPM_EK_BLOB_ACTIVATE) and bytes. Reference implementation: github.com/google/go-attestation@v0.3.2/attest/activation.go:generateChallengeTPM12, which uses github.com/google/go-attestation@v0.3.2/attest/challenge.go:generateChallenge12
TSPI_EKBLOB TSPI_EKBLOB is a TPM 1.2 challenge format accepted by the TrouSerS daemon’s Tspi_TPM_ActivateIdentity function. As far as I can tell, it’s not documented except in the code. Returned primitives are of type TPM12_EKBLOB (with TPM_EK_BLOB_ACTIVATE) and bytes. Reference implementation: github.com/google/go-attestation@v0.3.2/attest/activation.go:generateChallengeTPM12, which uses github.com/google/go-tspi@v0.3.0/verification/verification.go:GenerateChallengeEx