class ProjectsServiceAccounts extends Resource (View source)

The "serviceAccounts" collection of methods.

Typical usage is:

 $iamService = new Google\Service\Iam(...);
 $serviceAccounts = $iamService->projects_serviceAccounts;

Methods

create(string $name, CreateServiceAccountRequest $postBody, array $optParams = [])

Creates a ServiceAccount. (serviceAccounts.create)

delete(string $name, array $optParams = [])

Deletes a ServiceAccount. Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead. If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

disable(string $name, DisableServiceAccountRequest $postBody, array $optParams = [])

Disables a ServiceAccount immediately. If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail. To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount. (serviceAccounts.disable)

enable(string $name, EnableServiceAccountRequest $postBody, array $optParams = [])

Enables a ServiceAccount that was disabled by DisableServiceAccount. If the service account is already enabled, then this method has no effect. If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account. (serviceAccounts.enable)

get(string $name, array $optParams = [])

Gets a ServiceAccount. (serviceAccounts.get)

getIamPolicy(string $resource, array $optParams = [])

Gets the IAM policy that is attached to a ServiceAccount. This IAM policy specifies which principals have access to the service account. This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

listProjectsServiceAccounts(string $name, array $optParams = [])

Lists every ServiceAccount that belongs to a specific project.

patch(string $name, PatchServiceAccountRequest $postBody, array $optParams = [])

Patches a ServiceAccount. (serviceAccounts.patch)

setIamPolicy(string $resource, SetIamPolicyRequest $postBody, array $optParams = [])

Sets the IAM policy that is attached to a ServiceAccount. Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account. This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps: 1. Call the resource's getIamPolicy method to get its current IAM policy. 2. Edit the policy so that it binds the service account to an IAM role for the resource. 3. Call the resource's setIamPolicy method to update its IAM policy. For detailed instructions, see Manage access to project, folders, and organizations or Manage access to other resources.

signBlob(string $name, SignBlobRequest $postBody, array $optParams = [])

Note: This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a blob using the system-managed private key for a ServiceAccount. (serviceAccounts.signBlob)

signJwt(string $name, SignJwtRequest $postBody, array $optParams = [])

Note: This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount. (serviceAccounts.signJwt)

testIamPermissions(string $resource, TestIamPermissionsRequest $postBody, array $optParams = [])

Tests whether the caller has the specified permissions on a ServiceAccount.

undelete(string $name, UndeleteServiceAccountRequest $postBody, array $optParams = [])

Restores a deleted ServiceAccount. Important: It is not always possible to restore a deleted service account. Use this method only as a last resort.

update(string $name, ServiceAccount $postBody, array $optParams = [])

Note: We are in the process of deprecating this method. Use PatchServiceAccount instead. Updates a ServiceAccount. You can update only the display_name field. (serviceAccounts.update)

Details

ServiceAccount create(string $name, CreateServiceAccountRequest $postBody, array $optParams = [])

Creates a ServiceAccount. (serviceAccounts.create)

Parameters

string $name

Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.

CreateServiceAccountRequest $postBody
array $optParams

Optional parameters.

Return Value

ServiceAccount

IamEmpty delete(string $name, array $optParams = [])

Deletes a ServiceAccount. Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead. If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

(serviceAccounts.delete)

Parameters

string $name

Required. The resource name of the service account. Use one of the following formats: projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS} projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: projects/-/serviceAccounts/{EMAIL_ADDRESS} projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

array $optParams

Optional parameters.

Return Value

IamEmpty

IamEmpty disable(string $name, DisableServiceAccountRequest $postBody, array $optParams = [])

Disables a ServiceAccount immediately. If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail. To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount. (serviceAccounts.disable)

Parameters

string $name

The resource name of the service account. Use one of the following formats: * projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}

  • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: projects/-/serviceAccounts/{EMAIL_ADDRESS} projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.
DisableServiceAccountRequest $postBody
array $optParams

Optional parameters.

Return Value

IamEmpty

IamEmpty enable(string $name, EnableServiceAccountRequest $postBody, array $optParams = [])

Enables a ServiceAccount that was disabled by DisableServiceAccount. If the service account is already enabled, then this method has no effect. If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account. (serviceAccounts.enable)

Parameters

string $name

The resource name of the service account. Use one of the following formats: * projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}

  • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: projects/-/serviceAccounts/{EMAIL_ADDRESS} projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.
EnableServiceAccountRequest $postBody
array $optParams

Optional parameters.

Return Value

IamEmpty

ServiceAccount get(string $name, array $optParams = [])

Gets a ServiceAccount. (serviceAccounts.get)

Parameters

string $name

Required. The resource name of the service account. Use one of the following formats: projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS} projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: projects/-/serviceAccounts/{EMAIL_ADDRESS} projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

array $optParams

Optional parameters.

Return Value

ServiceAccount

Policy getIamPolicy(string $resource, array $optParams = [])

Gets the IAM policy that is attached to a ServiceAccount. This IAM policy specifies which principals have access to the service account. This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

(serviceAccounts.getIamPolicy)

Parameters

string $resource

REQUIRED: The resource for which the policy is being requested. See Resource names for the appropriate value for this field.

array $optParams

Optional parameters.

Return Value

Policy

ListServiceAccountsResponse listProjectsServiceAccounts(string $name, array $optParams = [])

Lists every ServiceAccount that belongs to a specific project.

(serviceAccounts.listProjectsServiceAccounts)

Parameters

string $name

Required. The resource name of the project associated with the service accounts, such as projects/my-project-123.

array $optParams

Optional parameters.

Return Value

ListServiceAccountsResponse

ServiceAccount patch(string $name, PatchServiceAccountRequest $postBody, array $optParams = [])

Patches a ServiceAccount. (serviceAccounts.patch)

Parameters

string $name

The resource name of the service account. Use one of the following formats: * projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}

  • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: projects/-/serviceAccounts/{EMAIL_ADDRESS} projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.
PatchServiceAccountRequest $postBody
array $optParams

Optional parameters.

Return Value

ServiceAccount

Policy setIamPolicy(string $resource, SetIamPolicyRequest $postBody, array $optParams = [])

Sets the IAM policy that is attached to a ServiceAccount. Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account. This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps: 1. Call the resource's getIamPolicy method to get its current IAM policy. 2. Edit the policy so that it binds the service account to an IAM role for the resource. 3. Call the resource's setIamPolicy method to update its IAM policy. For detailed instructions, see Manage access to project, folders, and organizations or Manage access to other resources.

(serviceAccounts.setIamPolicy)

Parameters

string $resource

REQUIRED: The resource for which the policy is being specified. See Resource names for the appropriate value for this field.

SetIamPolicyRequest $postBody
array $optParams

Optional parameters.

Return Value

Policy

SignBlobResponse signBlob(string $name, SignBlobRequest $postBody, array $optParams = [])

Note: This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a blob using the system-managed private key for a ServiceAccount. (serviceAccounts.signBlob)

Parameters

string $name

Required. Deprecated. Migrate to Service Account Credentials API. The resource name of the service account. Use one of the following formats: projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS} projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: projects/-/serviceAccounts/{EMAIL_ADDRESS} projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

SignBlobRequest $postBody
array $optParams

Optional parameters.

Return Value

SignBlobResponse

SignJwtResponse signJwt(string $name, SignJwtRequest $postBody, array $optParams = [])

Note: This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount. (serviceAccounts.signJwt)

Parameters

string $name

Required. Deprecated. Migrate to Service Account Credentials API. The resource name of the service account. Use one of the following formats: projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS} projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: projects/-/serviceAccounts/{EMAIL_ADDRESS} projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

SignJwtRequest $postBody
array $optParams

Optional parameters.

Return Value

SignJwtResponse

TestIamPermissionsResponse testIamPermissions(string $resource, TestIamPermissionsRequest $postBody, array $optParams = [])

Tests whether the caller has the specified permissions on a ServiceAccount.

(serviceAccounts.testIamPermissions)

Parameters

string $resource

REQUIRED: The resource for which the policy detail is being requested. See Resource names for the appropriate value for this field.

TestIamPermissionsRequest $postBody
array $optParams

Optional parameters.

Return Value

TestIamPermissionsResponse

UndeleteServiceAccountResponse undelete(string $name, UndeleteServiceAccountRequest $postBody, array $optParams = [])

Restores a deleted ServiceAccount. Important: It is not always possible to restore a deleted service account. Use this method only as a last resort.

After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed. (serviceAccounts.undelete)

Parameters

string $name

The resource name of the service account. Use one of the following formats: * projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}

  • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: projects/-/serviceAccounts/{EMAIL_ADDRESS} projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.
UndeleteServiceAccountRequest $postBody
array $optParams

Optional parameters.

Return Value

UndeleteServiceAccountResponse

ServiceAccount update(string $name, ServiceAccount $postBody, array $optParams = [])

Note: We are in the process of deprecating this method. Use PatchServiceAccount instead. Updates a ServiceAccount. You can update only the display_name field. (serviceAccounts.update)

Parameters

string $name

The resource name of the service account. Use one of the following formats: * projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}

  • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: projects/-/serviceAccounts/{EMAIL_ADDRESS} projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.
ServiceAccount $postBody
array $optParams

Optional parameters.

Return Value

ServiceAccount