diff --git a/docs/dyn/iam_v1.locations.workforcePools.html b/docs/dyn/iam_v1.locations.workforcePools.html
index eea74c80e1f..e8b31d56b2e 100644
--- a/docs/dyn/iam_v1.locations.workforcePools.html
+++ b/docs/dyn/iam_v1.locations.workforcePools.html
@@ -139,7 +139,7 @@
Method Details
{ # Represents a collection of external workforces. Provides namespaces for federated users that can be referenced in IAM policies.
"description": "A String", # A user-specified description of the pool. Cannot exceed 256 characters.
- "disabled": True or False, # Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
+ "disabled": True or False, # Disables the workforce pool. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
"displayName": "A String", # A user-specified display name of the pool in Google Cloud Console. Cannot exceed 32 characters.
"name": "A String", # Output only. The resource name of the pool. Format: `locations/{location}/workforcePools/{workforce_pool_id}`
"parent": "A String", # Immutable. The resource name of the parent. Format: `organizations/{org-id}`.
@@ -228,7 +228,7 @@ Method Details
{ # Represents a collection of external workforces. Provides namespaces for federated users that can be referenced in IAM policies.
"description": "A String", # A user-specified description of the pool. Cannot exceed 256 characters.
- "disabled": True or False, # Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
+ "disabled": True or False, # Disables the workforce pool. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
"displayName": "A String", # A user-specified display name of the pool in Google Cloud Console. Cannot exceed 32 characters.
"name": "A String", # Output only. The resource name of the pool. Format: `locations/{location}/workforcePools/{workforce_pool_id}`
"parent": "A String", # Immutable. The resource name of the parent. Format: `organizations/{org-id}`.
@@ -316,7 +316,7 @@ Method Details
"workforcePools": [ # A list of pools.
{ # Represents a collection of external workforces. Provides namespaces for federated users that can be referenced in IAM policies.
"description": "A String", # A user-specified description of the pool. Cannot exceed 256 characters.
- "disabled": True or False, # Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
+ "disabled": True or False, # Disables the workforce pool. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
"displayName": "A String", # A user-specified display name of the pool in Google Cloud Console. Cannot exceed 32 characters.
"name": "A String", # Output only. The resource name of the pool. Format: `locations/{location}/workforcePools/{workforce_pool_id}`
"parent": "A String", # Immutable. The resource name of the parent. Format: `organizations/{org-id}`.
@@ -352,7 +352,7 @@ Method Details
{ # Represents a collection of external workforces. Provides namespaces for federated users that can be referenced in IAM policies.
"description": "A String", # A user-specified description of the pool. Cannot exceed 256 characters.
- "disabled": True or False, # Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
+ "disabled": True or False, # Disables the workforce pool. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
"displayName": "A String", # A user-specified display name of the pool in Google Cloud Console. Cannot exceed 32 characters.
"name": "A String", # Output only. The resource name of the pool. Format: `locations/{location}/workforcePools/{workforce_pool_id}`
"parent": "A String", # Immutable. The resource name of the parent. Format: `organizations/{org-id}`.
diff --git a/docs/dyn/iam_v1.locations.workforcePools.providers.html b/docs/dyn/iam_v1.locations.workforcePools.providers.html
index ff60db3708a..116cbf7b7e2 100644
--- a/docs/dyn/iam_v1.locations.workforcePools.providers.html
+++ b/docs/dyn/iam_v1.locations.workforcePools.providers.html
@@ -129,12 +129,16 @@ Method Details
"a_key": "A String",
},
"description": "A String", # A user-specified description of the provider. Cannot exceed 256 characters.
- "disabled": True or False, # Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
+ "disabled": True or False, # Disables the workforce pool provider. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
"displayName": "A String", # A user-specified display name for the provider. Cannot exceed 32 characters.
"name": "A String", # Output only. The resource name of the provider. Format: `locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}`
"oidc": { # Represents an OpenId Connect 1.0 identity provider. # An OpenId Connect 1.0 identity provider configuration.
"clientId": "A String", # Required. The client ID. Must match the audience claim of the JWT issued by the identity provider.
"issuerUri": "A String", # Required. The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
+ "webSsoConfig": { # Configuration for web single sign-on for the OIDC provider. # Required. Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser.
+ "assertionClaimsBehavior": "A String", # Required. The behavior for how OIDC Claims are included in the `assertion` object used for attribute mapping and attribute condition.
+ "responseType": "A String", # Required. The Response Type to request for in the OIDC Authorization Request for web sign-in.
+ },
},
"saml": { # Represents a SAML identity provider. # A SAML identity provider configuration.
"idpMetadataXml": "A String", # Required. SAML Identity provider configuration metadata xml doc. The xml document should comply with [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints: 1) Must contain an Identity Provider Entity ID. 2) Must contain at least one non-expired signing key certificate. 3) For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 14 years in the future. 4) Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
@@ -227,12 +231,16 @@ Method Details
"a_key": "A String",
},
"description": "A String", # A user-specified description of the provider. Cannot exceed 256 characters.
- "disabled": True or False, # Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
+ "disabled": True or False, # Disables the workforce pool provider. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
"displayName": "A String", # A user-specified display name for the provider. Cannot exceed 32 characters.
"name": "A String", # Output only. The resource name of the provider. Format: `locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}`
"oidc": { # Represents an OpenId Connect 1.0 identity provider. # An OpenId Connect 1.0 identity provider configuration.
"clientId": "A String", # Required. The client ID. Must match the audience claim of the JWT issued by the identity provider.
"issuerUri": "A String", # Required. The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
+ "webSsoConfig": { # Configuration for web single sign-on for the OIDC provider. # Required. Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser.
+ "assertionClaimsBehavior": "A String", # Required. The behavior for how OIDC Claims are included in the `assertion` object used for attribute mapping and attribute condition.
+ "responseType": "A String", # Required. The Response Type to request for in the OIDC Authorization Request for web sign-in.
+ },
},
"saml": { # Represents a SAML identity provider. # A SAML identity provider configuration.
"idpMetadataXml": "A String", # Required. SAML Identity provider configuration metadata xml doc. The xml document should comply with [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints: 1) Must contain an Identity Provider Entity ID. 2) Must contain at least one non-expired signing key certificate. 3) For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 14 years in the future. 4) Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
@@ -267,12 +275,16 @@ Method Details
"a_key": "A String",
},
"description": "A String", # A user-specified description of the provider. Cannot exceed 256 characters.
- "disabled": True or False, # Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
+ "disabled": True or False, # Disables the workforce pool provider. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
"displayName": "A String", # A user-specified display name for the provider. Cannot exceed 32 characters.
"name": "A String", # Output only. The resource name of the provider. Format: `locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}`
"oidc": { # Represents an OpenId Connect 1.0 identity provider. # An OpenId Connect 1.0 identity provider configuration.
"clientId": "A String", # Required. The client ID. Must match the audience claim of the JWT issued by the identity provider.
"issuerUri": "A String", # Required. The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
+ "webSsoConfig": { # Configuration for web single sign-on for the OIDC provider. # Required. Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser.
+ "assertionClaimsBehavior": "A String", # Required. The behavior for how OIDC Claims are included in the `assertion` object used for attribute mapping and attribute condition.
+ "responseType": "A String", # Required. The Response Type to request for in the OIDC Authorization Request for web sign-in.
+ },
},
"saml": { # Represents a SAML identity provider. # A SAML identity provider configuration.
"idpMetadataXml": "A String", # Required. SAML Identity provider configuration metadata xml doc. The xml document should comply with [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints: 1) Must contain an Identity Provider Entity ID. 2) Must contain at least one non-expired signing key certificate. 3) For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 14 years in the future. 4) Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
@@ -312,12 +324,16 @@ Method Details
"a_key": "A String",
},
"description": "A String", # A user-specified description of the provider. Cannot exceed 256 characters.
- "disabled": True or False, # Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
+ "disabled": True or False, # Disables the workforce pool provider. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
"displayName": "A String", # A user-specified display name for the provider. Cannot exceed 32 characters.
"name": "A String", # Output only. The resource name of the provider. Format: `locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}`
"oidc": { # Represents an OpenId Connect 1.0 identity provider. # An OpenId Connect 1.0 identity provider configuration.
"clientId": "A String", # Required. The client ID. Must match the audience claim of the JWT issued by the identity provider.
"issuerUri": "A String", # Required. The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
+ "webSsoConfig": { # Configuration for web single sign-on for the OIDC provider. # Required. Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser.
+ "assertionClaimsBehavior": "A String", # Required. The behavior for how OIDC Claims are included in the `assertion` object used for attribute mapping and attribute condition.
+ "responseType": "A String", # Required. The Response Type to request for in the OIDC Authorization Request for web sign-in.
+ },
},
"saml": { # Represents a SAML identity provider. # A SAML identity provider configuration.
"idpMetadataXml": "A String", # Required. SAML Identity provider configuration metadata xml doc. The xml document should comply with [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints: 1) Must contain an Identity Provider Entity ID. 2) Must contain at least one non-expired signing key certificate. 3) For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 14 years in the future. 4) Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
diff --git a/googleapiclient/discovery_cache/documents/iam.v1.json b/googleapiclient/discovery_cache/documents/iam.v1.json
index 5b5517930be..f20f87b392d 100644
--- a/googleapiclient/discovery_cache/documents/iam.v1.json
+++ b/googleapiclient/discovery_cache/documents/iam.v1.json
@@ -2284,6 +2284,7 @@
]
},
"signBlob": {
+ "deprecated": true,
"description": "**Note:** This method is deprecated. Use the [`signBlob`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signBlob) method in the IAM Service Account Credentials API instead. If you currently use this method, see the [migration guide](https://cloud.google.com/iam/help/credentials/migrate-api) for instructions. Signs a blob using the system-managed private key for a ServiceAccount.",
"flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:signBlob",
"httpMethod": "POST",
@@ -2312,6 +2313,7 @@
]
},
"signJwt": {
+ "deprecated": true,
"description": "**Note:** This method is deprecated. Use the [`signJwt`](https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signJwt) method in the IAM Service Account Credentials API instead. If you currently use this method, see the [migration guide](https://cloud.google.com/iam/help/credentials/migrate-api) for instructions. Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.",
"flatPath": "v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:signJwt",
"httpMethod": "POST",
@@ -2749,7 +2751,7 @@
}
}
},
- "revision": "20230406",
+ "revision": "20230511",
"rootUrl": "https://iam.googleapis.com/",
"schemas": {
"AdminAuditData": {
@@ -3051,6 +3053,41 @@
"issuerUri": {
"description": "Required. The OIDC issuer URI. Must be a valid URI using the 'https' scheme.",
"type": "string"
+ },
+ "webSsoConfig": {
+ "$ref": "GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfig",
+ "description": "Required. Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser."
+ }
+ },
+ "type": "object"
+ },
+ "GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfig": {
+ "description": "Configuration for web single sign-on for the OIDC provider.",
+ "id": "GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfig",
+ "properties": {
+ "assertionClaimsBehavior": {
+ "description": "Required. The behavior for how OIDC Claims are included in the `assertion` object used for attribute mapping and attribute condition.",
+ "enum": [
+ "ASSERTION_CLAIMS_BEHAVIOR_UNSPECIFIED",
+ "ONLY_ID_TOKEN_CLAIMS"
+ ],
+ "enumDescriptions": [
+ "No assertion claims behavior specified.",
+ "Only include ID Token Claims."
+ ],
+ "type": "string"
+ },
+ "responseType": {
+ "description": "Required. The Response Type to request for in the OIDC Authorization Request for web sign-in.",
+ "enum": [
+ "RESPONSE_TYPE_UNSPECIFIED",
+ "ID_TOKEN"
+ ],
+ "enumDescriptions": [
+ "No Response Type specified.",
+ "The `response_type=id_token` selection uses the Implicit Flow for web sign-in."
+ ],
+ "type": "string"
}
},
"type": "object"
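Review bot: In the new `GoogleIamAdminV1WorkforcePoolProviderOidcWebSsoConfig` schema, `responseType` offers only `ID_TOKEN` besides `RESPONSE_TYPE_UNSPECIFIED`, and its enum description says this selects the Implicit Flow, where the ID token comes back to the browser from the authorization endpoint rather than over a back channel. `webSsoConfig`, `assertionClaimsBehavior` and `responseType` are marked "Required." only in description prose. Nothing in the hunk tells a client whether an `oidc` block written against revision 20230406, without `webSsoConfig`, is still accepted, or how the `*_UNSPECIFIED` values are treated. This file looks like a cached copy of the upstream discovery document, so the descriptions themselves would have to be fixed upstream. For this commit I would add a release-note line such as `iam v1: oidc.webSsoConfig is now documented as required for workforce pool OIDC providers`, so that callers re-check their provider create and patch requests.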
@@ -4089,7 +4126,7 @@
"type": "string"
},
"disabled": {
- "description": "Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.",
+ "description": "Disables the workforce pool. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.",
"type": "boolean"
},
"displayName": {
@@ -4148,7 +4185,7 @@
"type": "string"
},
"disabled": {
- "description": "Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.",
+ "description": "Disables the workforce pool provider. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.",
"type": "boolean"
},
"displayName": {
diff --git a/googleapiclient/discovery_cache/documents/iam.v2.json b/googleapiclient/discovery_cache/documents/iam.v2.json
index 03ce2707261..47bea667f87 100644
--- a/googleapiclient/discovery_cache/documents/iam.v2.json
+++ b/googleapiclient/discovery_cache/documents/iam.v2.json
@@ -293,7 +293,7 @@
}
}
},
- "revision": "20230406",
+ "revision": "20230511",
"rootUrl": "https://iam.googleapis.com/",
"schemas": {
"GoogleIamAdminV1AuditData": {
diff --git a/googleapiclient/discovery_cache/documents/iam.v2beta.json b/googleapiclient/discovery_cache/documents/iam.v2beta.json
index 5ab7c17e6bf..e651e20b465 100644
--- a/googleapiclient/discovery_cache/documents/iam.v2beta.json
+++ b/googleapiclient/discovery_cache/documents/iam.v2beta.json
@@ -293,7 +293,7 @@
}
}
},
- "revision": "20230406",
+ "revision": "20230511",
"rootUrl": "https://iam.googleapis.com/",
"schemas": {
"GoogleIamAdminV1AuditData": {