Identity and Access Management (IAM) API . organizations . roles

Instance Methods

close()

Close httplib2 connections.

create(parent, body=None, x__xgafv=None)

Creates a new custom Role.

delete(name, etag=None, x__xgafv=None)

Deletes a custom Role. When you delete a custom role, the following changes occur immediately: * You cannot bind a principal to the custom role in an IAM Policy. * Existing bindings to the custom role are not changed, but they have no effect. * By default, the response from ListRoles does not include the custom role. A deleted custom role still counts toward the [custom role limit](https://cloud.google.com/iam/help/limits) until it is permanently deleted. You have 7 days to undelete the custom role. After 7 days, the following changes occur: * The custom role is permanently deleted and cannot be recovered. * If an IAM policy contains a binding to the custom role, the binding is permanently removed. * The custom role no longer counts toward your custom role limit.

get(name, x__xgafv=None)

Gets the definition of a Role.

list(parent, pageSize=None, pageToken=None, showDeleted=None, view=None, x__xgafv=None)

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

list_next()

Retrieves the next page of results.

patch(name, body=None, updateMask=None, x__xgafv=None)

Updates the definition of a custom Role.

undelete(name, body=None, x__xgafv=None)

Undeletes a custom Role.

Method Details

close()
Close httplib2 connections.
create(parent, body=None, x__xgafv=None)
Creates a new custom Role.

Args:
  parent: string, The `parent` parameter's value depends on the target resource for the request, namely [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles) or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles). Each resource type's `parent` value format is described below: * [projects.roles.create](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/create): `projects/{PROJECT_ID}`. This method creates project-level [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` * [organizations.roles.create](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/create): `organizations/{ORGANIZATION_ID}`. This method creates organization-level [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. (required)
  body: object, The request body.
    The object takes the form of:

{ # The request to create a new role.
  "role": { # A role in the Identity and Access Management API. # The Role resource to create.
    "deleted": True or False, # The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.
    "description": "A String", # Optional. A human-readable description for the role.
    "etag": "A String", # Used to perform a consistent read-modify-write.
    "includedPermissions": [ # The names of the permissions this role grants when bound in an IAM policy.
      "A String",
    ],
    "name": "A String", # The name of the role. When `Role` is used in `CreateRole`, the role name must not be set. When `Role` is used in output and other input such as `UpdateRole`, the role name is the complete path. For example, `roles/logging.viewer` for predefined roles, `organizations/{ORGANIZATION_ID}/roles/myRole` for organization-level custom roles, and `projects/{PROJECT_ID}/roles/myRole` for project-level custom roles.
    "stage": "A String", # The current launch stage of the role. If the `ALPHA` launch stage has been selected for a role, the `stage` field will not be included in the returned definition for the role.
    "title": "A String", # Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.
  },
  "roleId": "A String", # The role ID to use for this role. A role ID may contain alphanumeric characters, underscores (`_`), and periods (`.`). It must contain a minimum of 3 characters and a maximum of 64 characters.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A role in the Identity and Access Management API.
  "deleted": True or False, # The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.
  "description": "A String", # Optional. A human-readable description for the role.
  "etag": "A String", # Used to perform a consistent read-modify-write.
  "includedPermissions": [ # The names of the permissions this role grants when bound in an IAM policy.
    "A String",
  ],
  "name": "A String", # The name of the role. When `Role` is used in `CreateRole`, the role name must not be set. When `Role` is used in output and other input such as `UpdateRole`, the role name is the complete path. For example, `roles/logging.viewer` for predefined roles, `organizations/{ORGANIZATION_ID}/roles/myRole` for organization-level custom roles, and `projects/{PROJECT_ID}/roles/myRole` for project-level custom roles.
  "stage": "A String", # The current launch stage of the role. If the `ALPHA` launch stage has been selected for a role, the `stage` field will not be included in the returned definition for the role.
  "title": "A String", # Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.
}
delete(name, etag=None, x__xgafv=None)
Deletes a custom Role. When you delete a custom role, the following changes occur immediately: * You cannot bind a principal to the custom role in an IAM Policy. * Existing bindings to the custom role are not changed, but they have no effect. * By default, the response from ListRoles does not include the custom role. A deleted custom role still counts toward the [custom role limit](https://cloud.google.com/iam/help/limits) until it is permanently deleted. You have 7 days to undelete the custom role. After 7 days, the following changes occur: * The custom role is permanently deleted and cannot be recovered. * If an IAM policy contains a binding to the custom role, the binding is permanently removed. * The custom role no longer counts toward your custom role limit.

Args:
  name: string, The `name` parameter's value depends on the target resource for the request, namely [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles) or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles). Each resource type's `name` value format is described below: * [projects.roles.delete](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete): `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` * [organizations.roles.delete](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/delete): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method deletes only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. (required)
  etag: string, Used to perform a consistent read-modify-write.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A role in the Identity and Access Management API.
  "deleted": True or False, # The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.
  "description": "A String", # Optional. A human-readable description for the role.
  "etag": "A String", # Used to perform a consistent read-modify-write.
  "includedPermissions": [ # The names of the permissions this role grants when bound in an IAM policy.
    "A String",
  ],
  "name": "A String", # The name of the role. When `Role` is used in `CreateRole`, the role name must not be set. When `Role` is used in output and other input such as `UpdateRole`, the role name is the complete path. For example, `roles/logging.viewer` for predefined roles, `organizations/{ORGANIZATION_ID}/roles/myRole` for organization-level custom roles, and `projects/{PROJECT_ID}/roles/myRole` for project-level custom roles.
  "stage": "A String", # The current launch stage of the role. If the `ALPHA` launch stage has been selected for a role, the `stage` field will not be included in the returned definition for the role.
  "title": "A String", # Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.
}
get(name, x__xgafv=None)
Gets the definition of a Role.

Args:
  name: string, The `name` parameter's value depends on the target resource for the request, namely [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles), or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles). Each resource type's `name` value format is described below: * [roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/roles/get): `roles/{ROLE_NAME}`. This method returns results from all [predefined roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles) in IAM. Example request URL: `https://iam.googleapis.com/v1/roles/{ROLE_NAME}` * [projects.roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/get): `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` * [organizations.roles.get](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/get): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method returns only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A role in the Identity and Access Management API.
  "deleted": True or False, # The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.
  "description": "A String", # Optional. A human-readable description for the role.
  "etag": "A String", # Used to perform a consistent read-modify-write.
  "includedPermissions": [ # The names of the permissions this role grants when bound in an IAM policy.
    "A String",
  ],
  "name": "A String", # The name of the role. When `Role` is used in `CreateRole`, the role name must not be set. When `Role` is used in output and other input such as `UpdateRole`, the role name is the complete path. For example, `roles/logging.viewer` for predefined roles, `organizations/{ORGANIZATION_ID}/roles/myRole` for organization-level custom roles, and `projects/{PROJECT_ID}/roles/myRole` for project-level custom roles.
  "stage": "A String", # The current launch stage of the role. If the `ALPHA` launch stage has been selected for a role, the `stage` field will not be included in the returned definition for the role.
  "title": "A String", # Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.
}
list(parent, pageSize=None, pageToken=None, showDeleted=None, view=None, x__xgafv=None)
Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

Args:
  parent: string, The `parent` parameter's value depends on the target resource for the request, namely [roles](https://cloud.google.com/iam/docs/reference/rest/v1/roles), [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles), or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles). Each resource type's `parent` value format is described below: * [roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/roles/list): An empty string. This method doesn't require a resource; it simply returns all [predefined roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles) in IAM. Example request URL: `https://iam.googleapis.com/v1/roles` * [projects.roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/list): `projects/{PROJECT_ID}`. This method lists all project-level [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles` * [organizations.roles.list](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/list): `organizations/{ORGANIZATION_ID}`. This method lists all organization-level [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles). Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. (required)
  pageSize: integer, Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000.
  pageToken: string, Optional pagination token returned in an earlier ListRolesResponse.
  showDeleted: boolean, Include Roles that have been deleted.
  view: string, Optional view for the returned Role objects. When `FULL` is specified, the `includedPermissions` field is returned, which includes a list of all permissions in the role. The default value is `BASIC`, which does not return the `includedPermissions` field.
    Allowed values
      BASIC - Omits the `included_permissions` field. This is the default value.
      FULL - Returns all fields.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The response containing the roles defined under a resource.
  "nextPageToken": "A String", # To retrieve the next page of results, set `ListRolesRequest.page_token` to this value.
  "roles": [ # The Roles defined on this resource.
    { # A role in the Identity and Access Management API.
      "deleted": True or False, # The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.
      "description": "A String", # Optional. A human-readable description for the role.
      "etag": "A String", # Used to perform a consistent read-modify-write.
      "includedPermissions": [ # The names of the permissions this role grants when bound in an IAM policy.
        "A String",
      ],
      "name": "A String", # The name of the role. When `Role` is used in `CreateRole`, the role name must not be set. When `Role` is used in output and other input such as `UpdateRole`, the role name is the complete path. For example, `roles/logging.viewer` for predefined roles, `organizations/{ORGANIZATION_ID}/roles/myRole` for organization-level custom roles, and `projects/{PROJECT_ID}/roles/myRole` for project-level custom roles.
      "stage": "A String", # The current launch stage of the role. If the `ALPHA` launch stage has been selected for a role, the `stage` field will not be included in the returned definition for the role.
      "title": "A String", # Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.
    },
  ],
}
list_next()
Retrieves the next page of results.

        Args:
          previous_request: The request for the previous page. (required)
          previous_response: The response from the request for the previous page. (required)

        Returns:
          A request object that you can call 'execute()' on to request the next
          page. Returns None if there are no more items in the collection.
        
patch(name, body=None, updateMask=None, x__xgafv=None)
Updates the definition of a custom Role.

Args:
  name: string, The `name` parameter's value depends on the target resource for the request, namely [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles) or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles). Each resource type's `name` value format is described below: * [projects.roles.patch](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/patch): `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` * [organizations.roles.patch](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/patch): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method updates only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. (required)
  body: object, The request body.
    The object takes the form of:

{ # A role in the Identity and Access Management API.
  "deleted": True or False, # The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.
  "description": "A String", # Optional. A human-readable description for the role.
  "etag": "A String", # Used to perform a consistent read-modify-write.
  "includedPermissions": [ # The names of the permissions this role grants when bound in an IAM policy.
    "A String",
  ],
  "name": "A String", # The name of the role. When `Role` is used in `CreateRole`, the role name must not be set. When `Role` is used in output and other input such as `UpdateRole`, the role name is the complete path. For example, `roles/logging.viewer` for predefined roles, `organizations/{ORGANIZATION_ID}/roles/myRole` for organization-level custom roles, and `projects/{PROJECT_ID}/roles/myRole` for project-level custom roles.
  "stage": "A String", # The current launch stage of the role. If the `ALPHA` launch stage has been selected for a role, the `stage` field will not be included in the returned definition for the role.
  "title": "A String", # Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.
}

  updateMask: string, A mask describing which fields in the Role have changed.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A role in the Identity and Access Management API.
  "deleted": True or False, # The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.
  "description": "A String", # Optional. A human-readable description for the role.
  "etag": "A String", # Used to perform a consistent read-modify-write.
  "includedPermissions": [ # The names of the permissions this role grants when bound in an IAM policy.
    "A String",
  ],
  "name": "A String", # The name of the role. When `Role` is used in `CreateRole`, the role name must not be set. When `Role` is used in output and other input such as `UpdateRole`, the role name is the complete path. For example, `roles/logging.viewer` for predefined roles, `organizations/{ORGANIZATION_ID}/roles/myRole` for organization-level custom roles, and `projects/{PROJECT_ID}/roles/myRole` for project-level custom roles.
  "stage": "A String", # The current launch stage of the role. If the `ALPHA` launch stage has been selected for a role, the `stage` field will not be included in the returned definition for the role.
  "title": "A String", # Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.
}
undelete(name, body=None, x__xgafv=None)
Undeletes a custom Role.

Args:
  name: string, The `name` parameter's value depends on the target resource for the request, namely [projects](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles) or [organizations](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles). Each resource type's `name` value format is described below: * [projects.roles.undelete](https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/undelete): `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the project level. Example request URL: `https://iam.googleapis.com/v1/projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}` * [organizations.roles.undelete](https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles/undelete): `organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}`. This method undeletes only [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that have been created at the organization level. Example request URL: `https://iam.googleapis.com/v1/organizations/{ORGANIZATION_ID}/roles/{CUSTOM_ROLE_ID}` Note: Wildcard (*) values are invalid; you must specify a complete project ID or organization ID. (required)
  body: object, The request body.
    The object takes the form of:

{ # The request to undelete an existing role.
  "etag": "A String", # Used to perform a consistent read-modify-write.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A role in the Identity and Access Management API.
  "deleted": True or False, # The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.
  "description": "A String", # Optional. A human-readable description for the role.
  "etag": "A String", # Used to perform a consistent read-modify-write.
  "includedPermissions": [ # The names of the permissions this role grants when bound in an IAM policy.
    "A String",
  ],
  "name": "A String", # The name of the role. When `Role` is used in `CreateRole`, the role name must not be set. When `Role` is used in output and other input such as `UpdateRole`, the role name is the complete path. For example, `roles/logging.viewer` for predefined roles, `organizations/{ORGANIZATION_ID}/roles/myRole` for organization-level custom roles, and `projects/{PROJECT_ID}/roles/myRole` for project-level custom roles.
  "stage": "A String", # The current launch stage of the role. If the `ALPHA` launch stage has been selected for a role, the `stage` field will not be included in the returned definition for the role.
  "title": "A String", # Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.
}