authorGoogle APIs <noreply@google.com>2018-09-13 11:38:58 -0700
committerCopybara-Service <copybara-piper@google.com>2018-09-13 11:39:18 -0700
commit5338cfd51c039fdb027f26f82abd5b61449fe050 (patch)
treeb0e398ed497cd0f726a56c0deb551771f75119e1
parent9f426eafffe7e293287aa1891e687088817ea2c7 (diff)
Synchronize new proto/yaml changes.
PiperOrigin-RevId: 212849152
-rw-r--r--google/iam/credentials/v1/common.proto77
-rw-r--r--google/iam/credentials/v1/iamcredentials.proto11
-rw-r--r--google/iam/credentials/v1/iamcredentials_gapic.yaml19
3 files changed, 98 insertions, 9 deletions
diff --git a/google/iam/credentials/v1/common.proto b/google/iam/credentials/v1/common.proto
index b94f2105e..19997df00 100644
--- a/google/iam/credentials/v1/common.proto
+++ b/google/iam/credentials/v1/common.proto
@@ -30,8 +30,6 @@ message GenerateAccessTokenRequest {
// The resource name of the service account for which the credentials
// are requested, in the following format:
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
- // Using `-` as a wildcard for the project will infer the project from
- // the account.
string name = 1;
// The sequence of service accounts in a delegation chain. Each service
@@ -71,8 +69,6 @@ message SignBlobRequest {
// The resource name of the service account for which the credentials
// are requested, in the following format:
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
- // Using `-` as a wildcard for the project will infer the project from
- // the account.
string name = 1;
// The sequence of service accounts in a delegation chain. Each service
@@ -102,8 +98,6 @@ message SignJwtRequest {
// The resource name of the service account for which the credentials
// are requested, in the following format:
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
- // Using `-` as a wildcard for the project will infer the project from
- // the account.
string name = 1;
// The sequence of service accounts in a delegation chain. Each service
@@ -133,8 +127,6 @@ message GenerateIdTokenRequest {
// The resource name of the service account for which the credentials
// are requested, in the following format:
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
- // Using `-` as a wildcard for the project will infer the project from
- // the account.
string name = 1;
// The sequence of service accounts in a delegation chain. Each service
@@ -161,3 +153,72 @@ message GenerateIdTokenResponse {
// The OpenId Connect ID token.
string token = 1;
}
+
+message GenerateIdentityBindingAccessTokenRequest {
+ // The resource name of the service account for which the credentials
+ // are requested, in the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ string name = 1;
+
+ // Code to identify the scopes to be included in the OAuth 2.0 access token.
+ // See https://developers.google.com/identity/protocols/googlescopes for more
+ // information.
+ // At least one value required.
+ repeated string scope = 2;
+
+ // Required. Input token.
+ // Must be in JWT format according to
+ // RFC7523 (https://tools.ietf.org/html/rfc7523)
+ // and must have 'kid' field in the header.
+ // Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+ // Mandatory payload fields (along the lines of RFC 7523, section 3):
+ // - iss: issuer of the token. Must provide a discovery document at
+ // $iss/.well-known/openid-configuration . The document needs to be
+ // formatted according to section 4.2 of the OpenID Connect Discovery
+ // 1.0 specification.
+ // - iat: Issue time in seconds since epoch. Must be in the past.
+ // - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+ // after iat. We recommend to create tokens that last shorter than 6
+ // hours to improve security unless business reasons mandate longer
+ // expiration times. Shorter token lifetimes are generally more secure
+ // since tokens that have been exfiltrated by attackers can be used for
+ // a shorter time. you can configure the maximum lifetime of the
+ // incoming token in the configuration of the mapper.
+ // The resulting Google token will expire within an hour or at "exp",
+ // whichever is earlier.
+ // - sub: JWT subject, identity asserted in the JWT.
+ // - aud: Configured in the mapper policy. By default the service account
+ // email.
+ //
+ // Claims from the incoming token can be transferred into the output token
+ // accoding to the mapper configuration. The outgoing claim size is limited.
+ // Outgoing claims size must be less than 4kB serialized as JSON without
+ // whitespace.
+ //
+ // Example header:
+ // {
+ // "alg": "RS256",
+ // "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+ // }
+ // Example payload:
+ // {
+ // "iss": "https://accounts.google.com",
+ // "iat": 1517963104,
+ // "exp": 1517966704,
+ // "aud": "https://iamcredentials.googleapis.com/",
+ // "sub": "113475438248934895348",
+ // "my_claims": {
+ // "additional_claim": "value"
+ // }
+ // }
+ string jwt = 3;
+}
+
+message GenerateIdentityBindingAccessTokenResponse {
+ // The OAuth 2.0 access token.
+ string access_token = 1;
+
+ // Token expiration time.
+ // The expiration time is always set.
+ google.protobuf.Timestamp expire_time = 2;
+}
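Review bot: In GenerateIdentityBindingAccessTokenRequest only `jwt` carries the `Required.` marker, while `name` and `scope` do not, even though the gapic config in this same commit lists all three under required_fields; callers reading the proto alone cannot see that, so the field comments should open with `// Required. The resource name of the service account ...` and `// Required. Code to identify the scopes ...` (the latter already says "At least one value required", which can then be dropped). `scope` is a repeated field and the naming convention calls for a plural noun (`scopes`); since the message is new in this commit, renaming it now costs nothing, whereas after release it breaks JSON and generated accessors. The comment on `jwt` also has a typo, `accoding` → `according`, and the line `Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).` documents unshipped behaviour in a wire contract — state only what is accepted today, `Supported signing algorithm: RS256.`, and extend the list when the others land, so that clients cannot assume an algorithm the verifier rejects.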
diff --git a/google/iam/credentials/v1/iamcredentials.proto b/google/iam/credentials/v1/iamcredentials.proto
index 993bf5f68..4960d7203 100644
--- a/google/iam/credentials/v1/iamcredentials.proto
+++ b/google/iam/credentials/v1/iamcredentials.proto
@@ -64,4 +64,15 @@ service IAMCredentials {
body: "*"
};
}
+
+ // Exchange a JWT signed by third party identity provider to an OAuth 2.0
+ // access token
+ rpc GenerateIdentityBindingAccessToken(
+ GenerateIdentityBindingAccessTokenRequest)
+ returns (GenerateIdentityBindingAccessTokenResponse) {
+ option (google.api.http) = {
+ post: "/v1/{name=projects/*/serviceAccounts/*}:generateIdentityBindingAccessToken"
+ body: "*"
+ };
+ }
}
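Review bot: The new RPC's leading comment is a sentence fragment with no article and no terminating period, which reads poorly in generated client docs; suggest `// Exchanges a JWT signed by a third-party identity provider for an OAuth 2.0 access token.` It would also help callers to add a second line pointing at where the inbound token's constraints live, e.g. `// See GenerateIdentityBindingAccessTokenRequest.jwt for the claims and lifetime the token must satisfy.`, since the validation rules (issuer discovery document, `exp` within 48 hours of `iat`, `aud` from the mapper policy) are only documented on that field. The enclosing `service IAMCredentials` block starts before this hunk.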
diff --git a/google/iam/credentials/v1/iamcredentials_gapic.yaml b/google/iam/credentials/v1/iamcredentials_gapic.yaml
index f9198fcfb..941dd64ec 100644
--- a/google/iam/credentials/v1/iamcredentials_gapic.yaml
+++ b/google/iam/credentials/v1/iamcredentials_gapic.yaml
@@ -123,4 +123,21 @@ interfaces:
retry_params_name: default
field_name_patterns:
name: service_account
- timeout_millis: 60000 \ No newline at end of file
+ timeout_millis: 60000
+ - name: GenerateIdentityBindingAccessToken
+ flattening:
+ groups:
+ - parameters:
+ - name
+ - scope
+ - jwt
+ required_fields:
+ - name
+ - scope
+ - jwt
+ request_object_method: true
+ retry_codes_name: idempotent
+ retry_params_name: default
+ field_name_patterns:
+ name: service_account
+ timeout_millis: 60000
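Review bot: The new method entry sets `retry_codes_name: idempotent`, which lets generated clients automatically resend the request — including the inbound third-party JWT — and mint another access token whenever the server answers with one of the codes this file binds to that name; each retry is a fresh token issuance on the server side even though the client only ever sees the last response. If the sibling Generate*/Sign* entries in this file use the same retry class this is at least consistent and the short token lifetime bounds the exposure, but if they use the non-idempotent class the new entry should match them, `retry_codes_name: non_idempotent`. The `interfaces:` block and the preceding method entry start before this hunk, so their retry class is not visible here.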