Remove generate_identity_binding_access_token (via synth). (#8486)

Author: yoshi-automation

iam/google/cloud/iam_credentials_v1/gapic/iam_credentials_client.py

@@ -557,128 +557,3 @@ def sign_jwt(
  return self._inner_api_calls["sign_jwt"](
  request, retry=retry, timeout=timeout, metadata=metadata
  )
-
- def generate_identity_binding_access_token(
- self,
- name,
- scope,
- jwt,
- retry=google.api_core.gapic_v1.method.DEFAULT,
- timeout=google.api_core.gapic_v1.method.DEFAULT,
- metadata=None,
- ):
- """
- Exchange a JWT signed by third party identity provider to an OAuth 2.0
- access token
-
- Example:
- >>> from google.cloud import iam_credentials_v1
- >>>
- >>> client = iam_credentials_v1.IAMCredentialsClient()
- >>>
- >>> name = client.service_account_path('[PROJECT]', '[SERVICE_ACCOUNT]')
- >>>
- >>> # TODO: Initialize `scope`:
- >>> scope = []
- >>>
- >>> # TODO: Initialize `jwt`:
- >>> jwt = ''
- >>>
- >>> response = client.generate_identity_binding_access_token(name, scope, jwt)
-
- Args:
- name (str): The resource name of the service account for which the credentials are
- requested, in the following format:
- ``projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}``.
- scope (list[str]): Code to identify the scopes to be included in the OAuth 2.0 access token.
- See https://developers.google.com/identity/protocols/googlescopes for more
- information.
- At least one value required.
- jwt (str): Required. Input token. Must be in JWT format according to RFC7523
- (https://tools.ietf.org/html/rfc7523) and must have 'kid' field in the
- header. Supported signing algorithms: RS256 (RS512, ES256, ES512 coming
- soon). Mandatory payload fields (along the lines of RFC 7523, section
- 3):
-
- - iss: issuer of the token. Must provide a discovery document at
- $iss/.well-known/openid-configuration . The document needs to be
- formatted according to section 4.2 of the OpenID Connect Discovery
- 1.0 specification.
- - iat: Issue time in seconds since epoch. Must be in the past.
- - exp: Expiration time in seconds since epoch. Must be less than 48
- hours after iat. We recommend to create tokens that last shorter than
- 6 hours to improve security unless business reasons mandate longer
- expiration times. Shorter token lifetimes are generally more secure
- since tokens that have been exfiltrated by attackers can be used for
- a shorter time. you can configure the maximum lifetime of the
- incoming token in the configuration of the mapper. The resulting
- Google token will expire within an hour or at "exp", whichever is
- earlier.
- - sub: JWT subject, identity asserted in the JWT.
- - aud: Configured in the mapper policy. By default the service account
- email.
-
- Claims from the incoming token can be transferred into the output token
- accoding to the mapper configuration. The outgoing claim size is
- limited. Outgoing claims size must be less than 4kB serialized as JSON
- without whitespace.
-
- Example header: { "alg": "RS256", "kid":
- "92a4265e14ab04d4d228a48d10d4ca31610936f8" } Example payload: { "iss":
- "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704,
- "aud": "https://iamcredentials.googleapis.com/", "sub":
- "113475438248934895348", "my\_claims": { "additional\_claim": "value" }
- }
- retry (Optional[google.api_core.retry.Retry]): A retry object used
- to retry requests. If ``None`` is specified, requests will not
- be retried.
- timeout (Optional[float]): The amount of time, in seconds, to wait
- for the request to complete. Note that if ``retry`` is
- specified, the timeout applies to each individual attempt.
- metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
- that is provided to the method.
-
- Returns:
- A :class:`~google.cloud.iam_credentials_v1.types.GenerateIdentityBindingAccessTokenResponse` instance.
-
- Raises:
- google.api_core.exceptions.GoogleAPICallError: If the request
- failed for any reason.
- google.api_core.exceptions.RetryError: If the request failed due
- to a retryable error and retry attempts failed.
- ValueError: If the parameters are invalid.
- """
- # Wrap the transport method to add retry and timeout logic.
- if "generate_identity_binding_access_token" not in self._inner_api_calls:
- self._inner_api_calls[
- "generate_identity_binding_access_token"
- ] = google.api_core.gapic_v1.method.wrap_method(
- self.transport.generate_identity_binding_access_token,
- default_retry=self._method_configs[
- "GenerateIdentityBindingAccessToken"
- ].retry,
- default_timeout=self._method_configs[
- "GenerateIdentityBindingAccessToken"
- ].timeout,
- client_info=self._client_info,
- )
-
- request = common_pb2.GenerateIdentityBindingAccessTokenRequest(
- name=name, scope=scope, jwt=jwt
- )
- if metadata is None:
- metadata = []
- metadata = list(metadata)
- try:
- routing_header = [("name", name)]
- except AttributeError:
- pass
- else:
- routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
- routing_header
- )
- metadata.append(routing_metadata)
-
- return self._inner_api_calls["generate_identity_binding_access_token"](
- request, retry=retry, timeout=timeout, metadata=metadata
- )

iam/google/cloud/iam_credentials_v1/gapic/iam_credentials_client_config.py

@@ -37,11 +37,6 @@
  "retry_codes_name": "idempotent",
  "retry_params_name": "default",
  },
- "GenerateIdentityBindingAccessToken": {
- "timeout_millis": 60000,
- "retry_codes_name": "idempotent",
- "retry_params_name": "default",
- },
  },
  }
  }

iam/google/cloud/iam_credentials_v1/gapic/transports/iam_credentials_grpc_transport.py

@@ -154,17 +154,3 @@ def sign_jwt(self):
  deserialized response object.
  """
  return self._stubs["iam_credentials_stub"].SignJwt
-
- @property
- def generate_identity_binding_access_token(self):
- """Return the gRPC stub for :meth:`IAMCredentialsClient.generate_identity_binding_access_token`.
-
- Exchange a JWT signed by third party identity provider to an OAuth 2.0
- access token
-
- Returns:
- Callable: A callable which accepts the appropriate
- deserialized request object and returns a
- deserialized response object.
- """
- return self._stubs["iam_credentials_stub"].GenerateIdentityBindingAccessToken

iam/google/cloud/iam_credentials_v1/proto/common.proto

@@ -152,72 +152,3 @@ message GenerateIdTokenResponse {
  // The OpenId Connect ID token.
  string token = 1;
 }
-
-message GenerateIdentityBindingAccessTokenRequest {
- // The resource name of the service account for which the credentials
- // are requested, in the following format:
- // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
- string name = 1;
-
- // Code to identify the scopes to be included in the OAuth 2.0 access token.
- // See https://developers.google.com/identity/protocols/googlescopes for more
- // information.
- // At least one value required.
- repeated string scope = 2;
-
- // Required. Input token.
- // Must be in JWT format according to
- // RFC7523 (https://tools.ietf.org/html/rfc7523)
- // and must have 'kid' field in the header.
- // Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
- // Mandatory payload fields (along the lines of RFC 7523, section 3):
- // - iss: issuer of the token. Must provide a discovery document at
- // $iss/.well-known/openid-configuration . The document needs to be
- // formatted according to section 4.2 of the OpenID Connect Discovery
- // 1.0 specification.
- // - iat: Issue time in seconds since epoch. Must be in the past.
- // - exp: Expiration time in seconds since epoch. Must be less than 48 hours
- // after iat. We recommend to create tokens that last shorter than 6
- // hours to improve security unless business reasons mandate longer
- // expiration times. Shorter token lifetimes are generally more secure
- // since tokens that have been exfiltrated by attackers can be used for
- // a shorter time. you can configure the maximum lifetime of the
- // incoming token in the configuration of the mapper.
- // The resulting Google token will expire within an hour or at "exp",
- // whichever is earlier.
- // - sub: JWT subject, identity asserted in the JWT.
- // - aud: Configured in the mapper policy. By default the service account
- // email.
- //
- // Claims from the incoming token can be transferred into the output token
- // accoding to the mapper configuration. The outgoing claim size is limited.
- // Outgoing claims size must be less than 4kB serialized as JSON without
- // whitespace.
- //
- // Example header:
- // {
- // "alg": "RS256",
- // "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
- // }
- // Example payload:
- // {
- // "iss": "https://accounts.google.com",
- // "iat": 1517963104,
- // "exp": 1517966704,
- // "aud": "https://iamcredentials.googleapis.com/",
- // "sub": "113475438248934895348",
- // "my_claims": {
- // "additional_claim": "value"
- // }
- // }
- string jwt = 3;
-}
-
-message GenerateIdentityBindingAccessTokenResponse {
- // The OAuth 2.0 access token.
- string access_token = 1;
-
- // Token expiration time.
- // The expiration time is always set.
- google.protobuf.Timestamp expire_time = 2;
-}