Identity and Access Management (IAM) API

Manages identity and access control for Google Cloud resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls. Enabling this API also enables the IAM Service Account Credentials API (iamcredentials.googleapis.com). However, disabling this API doesn't disable the IAM Service Account Credentials API.

Service: iam.googleapis.com

The Service name iam.googleapis.com is needed to create RPC client stubs.

google.iam.admin.v1.IAM

Methods
CreateRole Creates a new custom Role.
CreateServiceAccount Creates a ServiceAccount.
CreateServiceAccountKey Creates a ServiceAccountKey.
DeleteRole Deletes a custom Role.
DeleteServiceAccount Deletes a ServiceAccount.
DeleteServiceAccountKey Deletes a ServiceAccountKey.
DisableServiceAccount Disables a ServiceAccount immediately.
DisableServiceAccountKey Disable a ServiceAccountKey.
EnableServiceAccount Enables a ServiceAccount that was disabled by DisableServiceAccount.
EnableServiceAccountKey Enable a ServiceAccountKey.
GetIamPolicy Gets the IAM policy that is attached to a ServiceAccount.
GetRole Gets the definition of a Role.
GetServiceAccount Gets a ServiceAccount.
GetServiceAccountKey Gets a ServiceAccountKey.
LintPolicy Lints, or validates, an IAM policy.
ListRoles Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.
ListServiceAccountKeys Lists every ServiceAccountKey for a service account.
ListServiceAccounts Lists every ServiceAccount that belongs to a specific project.
PatchServiceAccount Patches a ServiceAccount.
QueryAuditableServices Returns a list of services that allow you to opt into audit logs that are not generated by default.
QueryGrantableRoles Lists roles that can be granted on a Google Cloud resource.
QueryTestablePermissions Lists every permission that you can test on a resource.
SetIamPolicy Sets the IAM policy that is attached to a ServiceAccount.
SignBlob (deprecated) Signs a blob using the system-managed private key for a ServiceAccount.
SignJwt (deprecated) Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.
TestIamPermissions Tests whether the caller has the specified permissions on a ServiceAccount.
UndeleteRole Undeletes a custom Role.
UndeleteServiceAccount Restores a deleted ServiceAccount.
UpdateRole Updates the definition of a custom Role.
UpdateServiceAccount Note: We are in the process of deprecating this method.
UploadServiceAccountKey Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount.

google.iam.admin.v1.OauthClients

Methods
CreateOauthClient Creates a new OauthClient.
CreateOauthClientCredential Creates a new OauthClientCredential.
DeleteOauthClient Deletes an OauthClient.
DeleteOauthClientCredential Deletes an OauthClientCredential.
GetOauthClient Gets an individual OauthClient.
GetOauthClientCredential Gets an individual OauthClientCredential.
ListOauthClientCredentials Lists all OauthClientCredentials in an OauthClient.
ListOauthClients Lists all non-deleted OauthClients in a project.
UndeleteOauthClient Undeletes an OauthClient, as long as it was deleted fewer than 30 days ago.
UpdateOauthClient Updates an existing OauthClient.
UpdateOauthClientCredential Updates an existing OauthClientCredential.

google.iam.admin.v1.WorkforcePools

Methods
CreateWorkforcePool Creates a new WorkforcePool.
CreateWorkforcePoolProvider Creates a new WorkforcePoolProvider in a WorkforcePool.
CreateWorkforcePoolProviderKey Creates a new WorkforcePoolProviderKey in a WorkforcePoolProvider.
CreateWorkforcePoolProviderScimTenant Gemini Enterprise only.
CreateWorkforcePoolProviderScimToken Gemini Enterprise only.
DeleteWorkforcePool Deletes a WorkforcePool.
DeleteWorkforcePoolProvider Deletes a WorkforcePoolProvider.
DeleteWorkforcePoolProviderKey Deletes a WorkforcePoolProviderKey.
DeleteWorkforcePoolProviderScimTenant Gemini Enterprise only.
DeleteWorkforcePoolProviderScimToken Gemini Enterprise only.
DeleteWorkforcePoolSubject Deletes a WorkforcePoolSubject.
GetIamPolicy Gets IAM policies on a WorkforcePool.
GetWorkforcePool Gets an individual WorkforcePool.
GetWorkforcePoolProvider Gets an individual WorkforcePoolProvider.
GetWorkforcePoolProviderKey Gets a WorkforcePoolProviderKey.
GetWorkforcePoolProviderScimTenant Gemini Enterprise only.
GetWorkforcePoolProviderScimToken Gemini Enterprise only.
ListWorkforcePoolProviderKeys Lists all non-deleted WorkforcePoolProviderKeys in a WorkforcePoolProvider.
ListWorkforcePoolProviderScimTenants Gemini Enterprise only.
ListWorkforcePoolProviderScimTokens Gemini Enterprise only.
ListWorkforcePoolProviders Lists all non-deleted WorkforcePoolProviders in a WorkforcePool.
ListWorkforcePools Lists all non-deleted WorkforcePools under the specified parent.
SetIamPolicy Sets IAM policies on a WorkforcePool.
TestIamPermissions Returns the caller's permissions on the WorkforcePool.
UndeleteWorkforcePool Undeletes a WorkforcePool, as long as it was deleted fewer than 30 days ago.
UndeleteWorkforcePoolProvider Undeletes a WorkforcePoolProvider, as long as it was deleted fewer than 30 days ago.
UndeleteWorkforcePoolProviderKey Undeletes a WorkforcePoolProviderKey, as long as it was deleted fewer than 30 days ago.
UndeleteWorkforcePoolProviderScimTenant Gemini Enterprise only.
UndeleteWorkforcePoolProviderScimToken Gemini Enterprise only.
UndeleteWorkforcePoolSubject Undeletes a WorkforcePoolSubject, as long as it was deleted fewer than 30 days ago.
UpdateWorkforcePool Updates an existing WorkforcePool.
UpdateWorkforcePoolProvider Updates an existing WorkforcePoolProvider.
UpdateWorkforcePoolProviderScimTenant Gemini Enterprise only.
UpdateWorkforcePoolProviderScimToken Gemini Enterprise only.

google.iam.v1.WorkloadIdentityPools

Methods
AddAttestationRule Add an AttestationRule on a WorkloadIdentityPoolManagedIdentity.
CreateWorkloadIdentityPool Creates a new WorkloadIdentityPool.
CreateWorkloadIdentityPoolManagedIdentity Creates a new WorkloadIdentityPoolManagedIdentity in a WorkloadIdentityPoolNamespace.
CreateWorkloadIdentityPoolNamespace Creates a new WorkloadIdentityPoolNamespace in a WorkloadIdentityPool.
CreateWorkloadIdentityPoolProvider Creates a new WorkloadIdentityPoolProvider in a WorkloadIdentityPool.
CreateWorkloadIdentityPoolProviderKey Create a new WorkloadIdentityPoolProviderKey in a WorkloadIdentityPoolProvider.
DeleteWorkloadIdentityPool Deletes a WorkloadIdentityPool.
DeleteWorkloadIdentityPoolManagedIdentity Deletes a WorkloadIdentityPoolManagedIdentity.
DeleteWorkloadIdentityPoolNamespace Deletes a WorkloadIdentityPoolNamespace.
DeleteWorkloadIdentityPoolProvider Deletes a WorkloadIdentityPoolProvider.
DeleteWorkloadIdentityPoolProviderKey Deletes a WorkloadIdentityPoolProviderKey.
GetIamPolicy Gets the IAM policy of a WorkloadIdentityPool.
GetWorkloadIdentityPool Gets an individual WorkloadIdentityPool.
GetWorkloadIdentityPoolManagedIdentity Gets an individual WorkloadIdentityPoolManagedIdentity.
GetWorkloadIdentityPoolNamespace Gets an individual WorkloadIdentityPoolNamespace.
GetWorkloadIdentityPoolProvider Gets an individual WorkloadIdentityPoolProvider.
GetWorkloadIdentityPoolProviderKey Gets an individual WorkloadIdentityPoolProviderKey.
ListAttestationRules List all AttestationRule on a WorkloadIdentityPoolManagedIdentity.
ListWorkloadIdentityPoolManagedIdentities Lists all non-deleted WorkloadIdentityPoolManagedIdentitys in a namespace.
ListWorkloadIdentityPoolNamespaces Lists all non-deleted WorkloadIdentityPoolNamespaces in a workload identity pool.
ListWorkloadIdentityPoolProviderKeys Lists all non-deleted WorkloadIdentityPoolProviderKeys in a project.
ListWorkloadIdentityPoolProviders Lists all non-deleted WorkloadIdentityPoolProviders in a WorkloadIdentityPool.
ListWorkloadIdentityPools Lists all non-deleted WorkloadIdentityPools in a project.
RemoveAttestationRule Remove an AttestationRule on a WorkloadIdentityPoolManagedIdentity.
SetAttestationRules Set all AttestationRule on a WorkloadIdentityPoolManagedIdentity.
SetIamPolicy Sets the IAM policies on a WorkloadIdentityPool.
TestIamPermissions Returns the caller's permissions on a WorkloadIdentityPool.
UndeleteWorkloadIdentityPool Undeletes a WorkloadIdentityPool, as long as it was deleted fewer than 30 days ago.
UndeleteWorkloadIdentityPoolManagedIdentity Undeletes a WorkloadIdentityPoolManagedIdentity, as long as it was deleted fewer than 30 days ago.
UndeleteWorkloadIdentityPoolNamespace Undeletes a WorkloadIdentityPoolNamespace, as long as it was deleted fewer than 30 days ago.
UndeleteWorkloadIdentityPoolProvider Undeletes a WorkloadIdentityPoolProvider, as long as it was deleted fewer than 30 days ago.
UndeleteWorkloadIdentityPoolProviderKey Undeletes a WorkloadIdentityPoolProviderKey, as long as it was deleted fewer than 30 days ago.
UpdateWorkloadIdentityPool Updates an existing WorkloadIdentityPool.
UpdateWorkloadIdentityPoolManagedIdentity Updates an existing WorkloadIdentityPoolManagedIdentity in a WorkloadIdentityPoolNamespace.
UpdateWorkloadIdentityPoolNamespace Updates an existing WorkloadIdentityPoolNamespace in a WorkloadIdentityPool.
UpdateWorkloadIdentityPoolProvider Updates an existing WorkloadIdentityPoolProvider.

google.iam.v1beta.WorkloadIdentityPools

Methods
CreateWorkloadIdentityPool Creates a new WorkloadIdentityPool.
CreateWorkloadIdentityPoolProvider Creates a new WorkloadIdentityPoolProvider in a WorkloadIdentityPool.
DeleteWorkloadIdentityPool Deletes a WorkloadIdentityPool.
DeleteWorkloadIdentityPoolProvider Deletes a WorkloadIdentityPoolProvider.
GetWorkloadIdentityPool Gets an individual WorkloadIdentityPool.
GetWorkloadIdentityPoolProvider Gets an individual WorkloadIdentityPoolProvider.
ListWorkloadIdentityPoolProviders Lists all non-deleted WorkloadIdentityPoolProviders in a WorkloadIdentityPool.
ListWorkloadIdentityPools Lists all non-deleted WorkloadIdentityPools in a project.
UndeleteWorkloadIdentityPool Undeletes a WorkloadIdentityPool, as long as it was deleted fewer than 30 days ago.
UndeleteWorkloadIdentityPoolProvider Undeletes a WorkloadIdentityPoolProvider, as long as it was deleted fewer than 30 days ago.
UpdateWorkloadIdentityPool Updates an existing WorkloadIdentityPool.
UpdateWorkloadIdentityPoolProvider Updates an existing WorkloadIdentityPoolProvider.

google.iam.v2.Policies

Methods
CreatePolicy Creates a policy.
DeletePolicy Deletes a policy.
GetPolicy Gets a policy.
ListPolicies Retrieves the policies of the specified kind that are attached to a resource.
UpdatePolicy Updates the specified policy.

google.iam.v2beta.Policies

Methods
CreatePolicy Creates a policy.
DeletePolicy Deletes a policy.
GetPolicy Gets a policy.
ListPolicies Retrieves the policies of the specified kind that are attached to a resource.
UpdatePolicy Updates the specified policy.

google.iam.v3.AccessPolicies

Methods

google.iam.v3.PolicyBindings

Methods
CreatePolicyBinding Creates a policy binding and returns a long-running operation.
DeletePolicyBinding Deletes a policy binding and returns a long-running operation.
GetPolicyBinding Gets a policy binding.
ListPolicyBindings Lists policy bindings.
SearchTargetPolicyBindings Search policy bindings by target.
UpdatePolicyBinding Updates a policy binding and returns a long-running operation.

google.iam.v3.PrincipalAccessBoundaryPolicies

Methods
CreatePrincipalAccessBoundaryPolicy Creates a principal access boundary policy, and returns a long running operation.
DeletePrincipalAccessBoundaryPolicy Deletes a principal access boundary policy.
GetPrincipalAccessBoundaryPolicy Gets a principal access boundary policy.
ListPrincipalAccessBoundaryPolicies Lists principal access boundary policies.
SearchPrincipalAccessBoundaryPolicyBindings Returns all policy bindings that bind a specific policy if a user has searchPolicyBindings permission on that policy.
UpdatePrincipalAccessBoundaryPolicy Updates a principal access boundary policy.

google.iam.v3beta.AccessPolicies

Methods
CreateAccessPolicy Creates an access policy, and returns a long running operation.
DeleteAccessPolicy Deletes an access policy.
GetAccessPolicy Gets an access policy.
ListAccessPolicies Lists access policies.
SearchAccessPolicyBindings Returns all policy bindings that bind a specific policy if a user has searchPolicyBindings permission on that policy.
UpdateAccessPolicy Updates an access policy.

google.iam.v3beta.PolicyBindings

Methods
CreatePolicyBinding Creates a policy binding and returns a long-running operation.
DeletePolicyBinding Deletes a policy binding and returns a long-running operation.
GetPolicyBinding Gets a policy binding.
ListPolicyBindings Lists policy bindings.
SearchTargetPolicyBindings Search policy bindings by target.
UpdatePolicyBinding Updates a policy binding and returns a long-running operation.

google.iam.v3beta.PrincipalAccessBoundaryPolicies

Methods
CreatePrincipalAccessBoundaryPolicy Creates a principal access boundary policy, and returns a long running operation.
DeletePrincipalAccessBoundaryPolicy Deletes a principal access boundary policy.
GetPrincipalAccessBoundaryPolicy Gets a principal access boundary policy.
ListPrincipalAccessBoundaryPolicies Lists principal access boundary policies.
SearchPrincipalAccessBoundaryPolicyBindings Returns all policy bindings that bind a specific policy if a user has searchPolicyBindings permission on that policy.
UpdatePrincipalAccessBoundaryPolicy Updates a principal access boundary policy.

google.longrunning.Operations

Methods
GetOperation Gets the latest state of a long-running operation.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-11-18 UTC.