Google Cloud IAM API

The Cloud IAM API enables management of identity and access control policies, service accounts, roles, and permissions for Google Cloud resources.

OpenAPI Specification

openapi.yml
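openapi: 3.1.0
info:
  title: Google Cloud IAM API
  description: >-
    The Cloud IAM API enables management of identity and access control
    policies, service accounts, roles, and permissions for Google Cloud
    resources.
  version: 1.0.0
  contact:
    name: Google Cloud
    url: https://cloud.google.com/iam
servers:
  - url: https://iam.googleapis.com/v1
    description: Google Cloud IAM Production
# Every operation needs an OAuth 2.0 bearer token. Without a document-level
# (or per-operation) `security` entry OpenAPI treats each operation as
# anonymous, even though the `oauth2` scheme is declared under
# components.securitySchemes. The two requirement objects below are
# alternatives: a token carrying either scope is accepted.
security:
  - oauth2:
      - https://www.googleapis.com/auth/cloud-platform
  - oauth2:
      - https://www.googleapis.com/auth/iam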
paths:
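  /projects/{projectId}/serviceAccounts:
    get:
      operationId: listServiceAccounts
      summary: Google Cloud IAM List service accounts
      description: >-
        Lists every service account in a project. Responses are paginated;
        pass `nextPageToken` back as `pageToken` to fetch the next page.
      tags:
        - Service Accounts
      parameters:
        - name: projectId
          in: path
          required: true
          description: ID of the project that owns the service accounts.
          schema:
            type: string
        - name: pageSize
          in: query
          description: Maximum number of accounts to return in one page.
          schema:
            type: integer
            format: int32
        - name: pageToken
          in: query
          description: Page token returned by a previous call.
          schema:
            type: string
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                type: object
                properties:
                  accounts:
                    type: array
                    items:
                      $ref: '#/components/schemas/ServiceAccount'
                  nextPageToken:
                    type: string
                    description: Token for the next page; absent on the last page.
    post:
      operationId: createServiceAccount
      summary: Google Cloud IAM Create a service account
      description: >-
        Creates a new service account in a project. The new account holds no
        role bindings until they are granted explicitly; grant only the roles
        its workload needs.
      tags:
        - Service Accounts
      parameters:
        - name: projectId
          in: path
          required: true
          description: ID of the project in which to create the account.
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - accountId
              properties:
                accountId:
                  type: string
                  description: >-
                    Local part of the generated email address
                    (`{accountId}@{projectId}.iam.gserviceaccount.com`).
                    6-30 characters of lowercase letters, digits and hyphens,
                    starting with a letter and ending with a letter or digit.
                  minLength: 6
                  maxLength: 30
                  pattern: '^[a-z]([-a-z0-9]*[a-z0-9])?$'
                serviceAccount:
                  $ref: '#/components/schemas/ServiceAccount'
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServiceAccount'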
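  /projects/{projectId}/serviceAccounts/{serviceAccountEmail}:
    get:
      operationId: getServiceAccount
      summary: Google Cloud IAM Get a service account
      description: Retrieves a specific service account.
      tags:
        - Service Accounts
      parameters:
        - name: projectId
          in: path
          required: true
          description: ID of the project that owns the service account.
          schema:
            type: string
        - name: serviceAccountEmail
          in: path
          required: true
          description: Email address or unique ID of the service account.
          schema:
            type: string
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServiceAccount'
    patch:
      operationId: patchServiceAccount
      summary: Google Cloud IAM Update a service account
      description: >-
        Updates a service account. Include the `etag` from a prior get in the
        request body so that a concurrent modification is rejected rather than
        silently overwritten.
      tags:
        - Service Accounts
      parameters:
        - name: projectId
          in: path
          required: true
          description: ID of the project that owns the service account.
          schema:
            type: string
        - name: serviceAccountEmail
          in: path
          required: true
          description: Email address or unique ID of the service account.
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ServiceAccount'
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServiceAccount'
    delete:
      operationId: deleteServiceAccount
      summary: Google Cloud IAM Delete a service account
      description: >-
        Deletes a service account. Keys belonging to the account stop
        authenticating and role bindings that reference it no longer grant
        access, so confirm nothing still depends on the account first.
      tags:
        - Service Accounts
      parameters:
        - name: projectId
          in: path
          required: true
          description: ID of the project that owns the service account.
          schema:
            type: string
        - name: serviceAccountEmail
          in: path
          required: true
          description: Email address or unique ID of the service account.
          schema:
            type: string
      responses:
        '200':
          description: Successful response (empty body)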
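  /projects/{projectId}/serviceAccounts/{serviceAccountEmail}/keys:
    get:
      operationId: listServiceAccountKeys
      summary: Google Cloud IAM List service account keys
      description: >-
        Lists every key for a service account. Only key metadata (validity
        window, origin, type) is returned; private key material is never
        included in this response.
      tags:
        - Service Account Keys
      parameters:
        - name: projectId
          in: path
          required: true
          description: ID of the project that owns the service account.
          schema:
            type: string
        - name: serviceAccountEmail
          in: path
          required: true
          description: Email address or unique ID of the service account.
          schema:
            type: string
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                type: object
                properties:
                  keys:
                    type: array
                    items:
                      $ref: '#/components/schemas/ServiceAccountKey'
    post:
      operationId: createServiceAccountKey
      summary: Google Cloud IAM Create a service account key
      description: >-
        Creates a new user-managed key for a service account. The response is
        the only time `privateKeyData` is returned; it cannot be retrieved
        again, so store it in a secret store immediately. Each call mints a
        long-lived credential: prefer short-lived tokens where possible, and
        monitor key creation in audit logs.
      tags:
        - Service Account Keys
      parameters:
        - name: projectId
          in: path
          required: true
          description: ID of the project that owns the service account.
          schema:
            type: string
        - name: serviceAccountEmail
          in: path
          required: true
          description: Email address or unique ID of the service account.
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                privateKeyType:
                  type: string
                  description: >-
                    Output format of the private key. TYPE_UNSPECIFIED is
                    treated as TYPE_GOOGLE_CREDENTIALS_FILE. PKCS#12 files are
                    protected by a well-known, non-secret password, so the
                    file itself must be handled as the secret.
                  enum:
                    - TYPE_UNSPECIFIED
                    - TYPE_PKCS12_FILE
                    - TYPE_GOOGLE_CREDENTIALS_FILE
                keyAlgorithm:
                  type: string
                  description: >-
                    Key algorithm and size. KEY_ALG_UNSPECIFIED is treated as
                    KEY_ALG_RSA_2048.
                  enum:
                    - KEY_ALG_UNSPECIFIED
                    # 1024-bit RSA is below current strength recommendations;
                    # kept for compatibility, avoid for new keys.
                    - KEY_ALG_RSA_1024
                    - KEY_ALG_RSA_2048
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServiceAccountKey'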
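  /roles:
    get:
      operationId: listRoles
      summary: Google Cloud IAM List roles
      description: >-
        Lists predefined roles. Responses are paginated; pass `nextPageToken`
        back as `pageToken` to fetch the next page.
      tags:
        - Roles
      parameters:
        - name: pageSize
          in: query
          description: Maximum number of roles to return in one page.
          schema:
            type: integer
            format: int32
        - name: pageToken
          in: query
          description: Page token returned by a previous call.
          schema:
            type: string
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                type: object
                properties:
                  roles:
                    type: array
                    items:
                      $ref: '#/components/schemas/Role'
                  nextPageToken:
                    type: string
                    description: Token for the next page; absent on the last page.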
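  /projects/{projectId}/roles:
    get:
      operationId: listProjectRoles
      summary: Google Cloud IAM List project roles
      description: >-
        Lists custom roles in a project. Paginated like `listRoles`; pass
        `nextPageToken` back as `pageToken` to fetch the next page.
      tags:
        - Roles
      parameters:
        - name: projectId
          in: path
          required: true
          description: ID of the project that owns the custom roles.
          schema:
            type: string
        - name: pageSize
          in: query
          description: Maximum number of roles to return in one page.
          schema:
            type: integer
            format: int32
        - name: pageToken
          in: query
          description: Page token returned by a previous call.
          schema:
            type: string
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                type: object
                properties:
                  roles:
                    type: array
                    items:
                      $ref: '#/components/schemas/Role'
                  nextPageToken:
                    type: string
                    description: Token for the next page; absent on the last page.
    post:
      operationId: createProjectRole
      summary: Google Cloud IAM Create a custom role
      description: >-
        Creates a new custom role in a project. Keep `includedPermissions` to
        the minimum the role's users need; a custom role that bundles broad
        permissions carries the same risk as a basic role.
      tags:
        - Roles
      parameters:
        - name: projectId
          in: path
          required: true
          description: ID of the project in which to create the role.
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - roleId
              properties:
                roleId:
                  type: string
                  description: >-
                    Identifier for the new role, unique within the project.
                    3-64 characters of letters, digits, underscores and
                    periods.
                  minLength: 3
                  maxLength: 64
                  pattern: '^[a-zA-Z0-9_.]{3,64}$'
                role:
                  $ref: '#/components/schemas/Role'
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Role'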
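  /permissions:queryTestablePermissions:
    post:
      operationId: queryTestablePermissions
      summary: Google Cloud IAM Query testable permissions
      description: >-
        Lists permissions that can be tested on a resource, commonly used to
        discover which permissions a custom role for that resource may
        include. Responses are paginated; pass `nextPageToken` back as
        `pageToken`.
      tags:
        - Permissions
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - fullResourceName
              properties:
                fullResourceName:
                  type: string
                  description: >-
                    Full resource name of the resource to query, for example
                    `//cloudresourcemanager.googleapis.com/projects/{projectId}`.
                pageSize:
                  type: integer
                  format: int32
                  description: Maximum number of permissions to return in one page.
                pageToken:
                  type: string
                  description: Page token returned by a previous call.
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                type: object
                properties:
                  permissions:
                    type: array
                    items:
                      type: object
                      properties:
                        name:
                          type: string
                          description: Permission name, e.g. `iam.serviceAccounts.get`.
                        stage:
                          type: string
                          description: Launch stage of the permission.
                          enum:
                            - ALPHA
                            - BETA
                            - GA
                            - DEPRECATED
                  nextPageToken:
                    type: string
                    description: Token for the next page; absent on the last page.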
components:
  schemas:
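    ServiceAccount:
      type: object
      properties:
        name:
          type: string
          readOnly: true
          description: >-
            Resource name of the service account, in the form
            `projects/{projectId}/serviceAccounts/{email}`.
        projectId:
          type: string
          readOnly: true
          description: ID of the project that owns the service account.
        uniqueId:
          type: string
          readOnly: true
          description: >-
            Unique numeric ID of the service account. Unlike the email it is
            never reused if the account is deleted and another is created
            with the same name, so it is the safer identifier for audit
            records.
        email:
          type: string
          format: email
          readOnly: true
          description: Email address of the service account.
        displayName:
          type: string
          description: Human-readable name for the service account.
        description:
          type: string
          description: Description of the service account.
        disabled:
          type: boolean
          readOnly: true
          description: >-
            Whether the service account is disabled. A disabled account
            cannot authenticate; the flag is changed through dedicated
            enable/disable operations rather than by patching this field.
        etag:
          type: string
          description: Entity tag for optimistic concurrency control.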
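    ServiceAccountKey:
      type: object
      properties:
        name:
          type: string
          readOnly: true
          description: >-
            Resource name of the key, in the form
            `projects/{projectId}/serviceAccounts/{email}/keys/{keyId}`.
        privateKeyType:
          type: string
          description: Output format of the private key data.
          enum:
            - TYPE_UNSPECIFIED
            - TYPE_PKCS12_FILE
            - TYPE_GOOGLE_CREDENTIALS_FILE
        keyAlgorithm:
          type: string
          description: Algorithm and size of the key.
          enum:
            - KEY_ALG_UNSPECIFIED
            - KEY_ALG_RSA_1024
            - KEY_ALG_RSA_2048
        privateKeyData:
          type: string
          format: byte
          description: >-
            Base64-encoded private key material. Present only in the response
            to `createServiceAccountKey`; the list operation never returns it.
            Treat it as a secret: keep it in a secret store and never log or
            commit it.
        validAfterTime:
          type: string
          format: date-time
          readOnly: true
          description: Timestamp after which the key is valid.
        validBeforeTime:
          type: string
          format: date-time
          readOnly: true
          description: >-
            Timestamp before which the key is valid. User-managed keys do not
            expire by default unless an organization policy sets an expiry,
            so rotation has to be enforced by the caller.
        keyOrigin:
          type: string
          readOnly: true
          description: Whether Google or the user generated the key pair.
          enum:
            - ORIGIN_UNSPECIFIED
            - USER_PROVIDED
            - GOOGLE_PROVIDED
        keyType:
          type: string
          readOnly: true
          description: >-
            Whether the key is user-managed (created through this API) or
            system-managed (rotated automatically by Google).
          enum:
            - KEY_TYPE_UNSPECIFIED
            - USER_MANAGED
            - SYSTEM_MANAGED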
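    Role:
      type: object
      properties:
        name:
          type: string
          readOnly: true
          description: >-
            Resource name of the role: `roles/{roleId}` for predefined roles,
            `projects/{projectId}/roles/{roleId}` for project custom roles.
        title:
          type: string
          description: Human-readable title of the role.
        description:
          type: string
          description: Description of the role.
        includedPermissions:
          type: array
          items:
            type: string
          description: >-
            Permissions granted by the role. Every principal bound to the
            role holds all of them, so review additions as a privilege
            change.
        stage:
          type: string
          enum:
            - ALPHA
            - BETA
            - GA
            - DEPRECATED
          description: Launch stage of the role.
        deleted:
          type: boolean
          readOnly: true
          description: Whether the role has been deleted.
        etag:
          type: string
          description: Entity tag for optimistic concurrency control.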
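  securitySchemes:
    oauth2:
      type: oauth2
      description: >-
        OAuth 2.0 bearer token issued by Google. Declaring the scheme here
        has no effect on its own; it applies only to operations (or the whole
        document) that reference it under `security`. `cloud-platform` covers
        every Google Cloud API, so clients that only manage IAM should request
        the narrower `iam` scope.
      flows:
        authorizationCode:
          authorizationUrl: https://accounts.google.com/o/oauth2/auth
          tokenUrl: https://oauth2.googleapis.com/token
          scopes:
            https://www.googleapis.com/auth/iam: Manage IAM resources
            https://www.googleapis.com/auth/cloud-platform: Full access to Google Cloud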
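tags:
  - name: Permissions
    description: Discovery of the permissions that can be tested on a resource.
  - name: Roles
    description: Predefined roles and project-level custom roles.
  - name: Service Account Keys
    description: User-managed key pairs that authenticate a service account.
  - name: Service Accounts
    description: Lifecycle of service accounts within a project.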