// Copyright 2022 Luca Casonato. All rights reserved. MIT license. /** * Secret Manager API Client for Deno * ================================== * * Stores sensitive data such as API keys, passwords, and certificates. Provides convenience while improving security. * * Docs: https://cloud.google.com/secret-manager/ * Source: https://googleapis.deno.dev/v1/secretmanager:v1.ts */ import { auth, CredentialsClient, GoogleAuth, request } from "/_/base@v1/mod.ts"; export { auth, GoogleAuth }; export type { CredentialsClient }; /** * Stores sensitive data such as API keys, passwords, and certificates. * Provides convenience while improving security. */ export class SecretManager { #client: CredentialsClient | undefined; #baseUrl: string; constructor(client?: CredentialsClient, baseUrl: string = "https://secretmanager.googleapis.com/") { this.#client = client; this.#baseUrl = baseUrl; } /** * Gets information about a location. * * @param name Resource name for the location. */ async projectsLocationsGet(name: string): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }`); const data = await request(url.href, { client: this.#client, method: "GET", }); return data as Location; } /** * Lists information about the supported locations for this service. * * @param name The resource that owns the locations collection, if applicable. */ async projectsLocationsList(name: string, opts: ProjectsLocationsListOptions = {}): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }/locations`); if (opts.filter !== undefined) { url.searchParams.append("filter", String(opts.filter)); } if (opts.pageSize !== undefined) { url.searchParams.append("pageSize", String(opts.pageSize)); } if (opts.pageToken !== undefined) { url.searchParams.append("pageToken", String(opts.pageToken)); } const data = await request(url.href, { client: this.#client, method: "GET", }); return data as ListLocationsResponse; } /** * Creates a new SecretVersion containing secret data and attaches it to an * existing Secret. * * @param parent Required. The resource name of the Secret to associate with the SecretVersion in the format `projects/*/secrets/*` or `projects/*/locations/*/secrets/*`. */ async projectsLocationsSecretsAddVersion(parent: string, req: AddSecretVersionRequest): Promise { req = serializeAddSecretVersionRequest(req); const url = new URL(`${this.#baseUrl}v1/${ parent }:addVersion`); const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "POST", body, }); return data as SecretVersion; } /** * Creates a new Secret containing no SecretVersions. * * @param parent Required. The resource name of the project to associate with the Secret, in the format `projects/*` or `projects/*/locations/*`. */ async projectsLocationsSecretsCreate(parent: string, req: Secret, opts: ProjectsLocationsSecretsCreateOptions = {}): Promise { req = serializeSecret(req); const url = new URL(`${this.#baseUrl}v1/${ parent }/secrets`); if (opts.secretId !== undefined) { url.searchParams.append("secretId", String(opts.secretId)); } const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "POST", body, }); return deserializeSecret(data); } /** * Deletes a Secret. * * @param name Required. The resource name of the Secret to delete in the format `projects/*/secrets/*`. */ async projectsLocationsSecretsDelete(name: string, opts: ProjectsLocationsSecretsDeleteOptions = {}): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }`); if (opts.etag !== undefined) { url.searchParams.append("etag", String(opts.etag)); } const data = await request(url.href, { client: this.#client, method: "DELETE", }); return data as Empty; } /** * Gets metadata for a given Secret. * * @param name Required. The resource name of the Secret, in the format `projects/*/secrets/*` or `projects/*/locations/*/secrets/*`. */ async projectsLocationsSecretsGet(name: string): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }`); const data = await request(url.href, { client: this.#client, method: "GET", }); return deserializeSecret(data); } /** * Gets the access control policy for a secret. Returns empty policy if the * secret exists and does not have a policy set. * * @param resource REQUIRED: The resource for which the policy is being requested. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. */ async projectsLocationsSecretsGetIamPolicy(resource: string, opts: ProjectsLocationsSecretsGetIamPolicyOptions = {}): Promise { const url = new URL(`${this.#baseUrl}v1/${ resource }:getIamPolicy`); if (opts["options.requestedPolicyVersion"] !== undefined) { url.searchParams.append("options.requestedPolicyVersion", String(opts["options.requestedPolicyVersion"])); } const data = await request(url.href, { client: this.#client, method: "GET", }); return deserializePolicy(data); } /** * Lists Secrets. * * @param parent Required. The resource name of the project associated with the Secrets, in the format `projects/*` or `projects/*/locations/*` */ async projectsLocationsSecretsList(parent: string, opts: ProjectsLocationsSecretsListOptions = {}): Promise { const url = new URL(`${this.#baseUrl}v1/${ parent }/secrets`); if (opts.filter !== undefined) { url.searchParams.append("filter", String(opts.filter)); } if (opts.pageSize !== undefined) { url.searchParams.append("pageSize", String(opts.pageSize)); } if (opts.pageToken !== undefined) { url.searchParams.append("pageToken", String(opts.pageToken)); } const data = await request(url.href, { client: this.#client, method: "GET", }); return deserializeListSecretsResponse(data); } /** * Updates metadata of an existing Secret. * * @param name Output only. The resource name of the Secret in the format `projects/*/secrets/*`. */ async projectsLocationsSecretsPatch(name: string, req: Secret, opts: ProjectsLocationsSecretsPatchOptions = {}): Promise { req = serializeSecret(req); opts = serializeProjectsLocationsSecretsPatchOptions(opts); const url = new URL(`${this.#baseUrl}v1/${ name }`); if (opts.updateMask !== undefined) { url.searchParams.append("updateMask", String(opts.updateMask)); } const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "PATCH", body, }); return deserializeSecret(data); } /** * Sets the access control policy on the specified secret. Replaces any * existing policy. Permissions on SecretVersions are enforced according to * the policy set on the associated Secret. * * @param resource REQUIRED: The resource for which the policy is being specified. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. */ async projectsLocationsSecretsSetIamPolicy(resource: string, req: SetIamPolicyRequest): Promise { req = serializeSetIamPolicyRequest(req); const url = new URL(`${this.#baseUrl}v1/${ resource }:setIamPolicy`); const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "POST", body, }); return deserializePolicy(data); } /** * Returns permissions that a caller has for the specified secret. If the * secret does not exist, this call returns an empty set of permissions, not a * NOT_FOUND error. Note: This operation is designed to be used for building * permission-aware UIs and command-line tools, not for authorization * checking. This operation may "fail open" without warning. * * @param resource REQUIRED: The resource for which the policy detail is being requested. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. */ async projectsLocationsSecretsTestIamPermissions(resource: string, req: TestIamPermissionsRequest): Promise { const url = new URL(`${this.#baseUrl}v1/${ resource }:testIamPermissions`); const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "POST", body, }); return data as TestIamPermissionsResponse; } /** * Accesses a SecretVersion. This call returns the secret data. * `projects/*\/secrets/*\/versions/latest` is an alias to the most recently * created SecretVersion. * * @param name Required. The resource name of the SecretVersion in the format `projects/*/secrets/*/versions/*` or `projects/*/locations/*/secrets/*/versions/*`. `projects/*/secrets/*/versions/latest` or `projects/*/locations/*/secrets/*/versions/latest` is an alias to the most recently created SecretVersion. */ async projectsLocationsSecretsVersionsAccess(name: string): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }:access`); const data = await request(url.href, { client: this.#client, method: "GET", }); return deserializeAccessSecretVersionResponse(data); } /** * Destroys a SecretVersion. Sets the state of the SecretVersion to DESTROYED * and irrevocably destroys the secret data. * * @param name Required. The resource name of the SecretVersion to destroy in the format `projects/*/secrets/*/versions/*` or `projects/*/locations/*/secrets/*/versions/*`. */ async projectsLocationsSecretsVersionsDestroy(name: string, req: DestroySecretVersionRequest): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }:destroy`); const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "POST", body, }); return data as SecretVersion; } /** * Disables a SecretVersion. Sets the state of the SecretVersion to DISABLED. * * @param name Required. The resource name of the SecretVersion to disable in the format `projects/*/secrets/*/versions/*` or `projects/*/locations/*/secrets/*/versions/*`. */ async projectsLocationsSecretsVersionsDisable(name: string, req: DisableSecretVersionRequest): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }:disable`); const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "POST", body, }); return data as SecretVersion; } /** * Enables a SecretVersion. Sets the state of the SecretVersion to ENABLED. * * @param name Required. The resource name of the SecretVersion to enable in the format `projects/*/secrets/*/versions/*` or `projects/*/locations/*/secrets/*/versions/*`. */ async projectsLocationsSecretsVersionsEnable(name: string, req: EnableSecretVersionRequest): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }:enable`); const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "POST", body, }); return data as SecretVersion; } /** * Gets metadata for a SecretVersion. * `projects/*\/secrets/*\/versions/latest` is an alias to the most recently * created SecretVersion. * * @param name Required. The resource name of the SecretVersion in the format `projects/*/secrets/*/versions/*` or `projects/*/locations/*/secrets/*/versions/*`. `projects/*/secrets/*/versions/latest` or `projects/*/locations/*/secrets/*/versions/latest` is an alias to the most recently created SecretVersion. */ async projectsLocationsSecretsVersionsGet(name: string): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }`); const data = await request(url.href, { client: this.#client, method: "GET", }); return data as SecretVersion; } /** * Lists SecretVersions. This call does not return secret data. * * @param parent Required. The resource name of the Secret associated with the SecretVersions to list, in the format `projects/*/secrets/*` or `projects/*/locations/*/secrets/*`. */ async projectsLocationsSecretsVersionsList(parent: string, opts: ProjectsLocationsSecretsVersionsListOptions = {}): Promise { const url = new URL(`${this.#baseUrl}v1/${ parent }/versions`); if (opts.filter !== undefined) { url.searchParams.append("filter", String(opts.filter)); } if (opts.pageSize !== undefined) { url.searchParams.append("pageSize", String(opts.pageSize)); } if (opts.pageToken !== undefined) { url.searchParams.append("pageToken", String(opts.pageToken)); } const data = await request(url.href, { client: this.#client, method: "GET", }); return data as ListSecretVersionsResponse; } /** * Creates a new SecretVersion containing secret data and attaches it to an * existing Secret. * * @param parent Required. The resource name of the Secret to associate with the SecretVersion in the format `projects/*/secrets/*` or `projects/*/locations/*/secrets/*`. */ async projectsSecretsAddVersion(parent: string, req: AddSecretVersionRequest): Promise { req = serializeAddSecretVersionRequest(req); const url = new URL(`${this.#baseUrl}v1/${ parent }:addVersion`); const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "POST", body, }); return data as SecretVersion; } /** * Creates a new Secret containing no SecretVersions. * * @param parent Required. The resource name of the project to associate with the Secret, in the format `projects/*` or `projects/*/locations/*`. */ async projectsSecretsCreate(parent: string, req: Secret, opts: ProjectsSecretsCreateOptions = {}): Promise { req = serializeSecret(req); const url = new URL(`${this.#baseUrl}v1/${ parent }/secrets`); if (opts.secretId !== undefined) { url.searchParams.append("secretId", String(opts.secretId)); } const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "POST", body, }); return deserializeSecret(data); } /** * Deletes a Secret. * * @param name Required. The resource name of the Secret to delete in the format `projects/*/secrets/*`. */ async projectsSecretsDelete(name: string, opts: ProjectsSecretsDeleteOptions = {}): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }`); if (opts.etag !== undefined) { url.searchParams.append("etag", String(opts.etag)); } const data = await request(url.href, { client: this.#client, method: "DELETE", }); return data as Empty; } /** * Gets metadata for a given Secret. * * @param name Required. The resource name of the Secret, in the format `projects/*/secrets/*` or `projects/*/locations/*/secrets/*`. */ async projectsSecretsGet(name: string): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }`); const data = await request(url.href, { client: this.#client, method: "GET", }); return deserializeSecret(data); } /** * Gets the access control policy for a secret. Returns empty policy if the * secret exists and does not have a policy set. * * @param resource REQUIRED: The resource for which the policy is being requested. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. */ async projectsSecretsGetIamPolicy(resource: string, opts: ProjectsSecretsGetIamPolicyOptions = {}): Promise { const url = new URL(`${this.#baseUrl}v1/${ resource }:getIamPolicy`); if (opts["options.requestedPolicyVersion"] !== undefined) { url.searchParams.append("options.requestedPolicyVersion", String(opts["options.requestedPolicyVersion"])); } const data = await request(url.href, { client: this.#client, method: "GET", }); return deserializePolicy(data); } /** * Lists Secrets. * * @param parent Required. The resource name of the project associated with the Secrets, in the format `projects/*` or `projects/*/locations/*` */ async projectsSecretsList(parent: string, opts: ProjectsSecretsListOptions = {}): Promise { const url = new URL(`${this.#baseUrl}v1/${ parent }/secrets`); if (opts.filter !== undefined) { url.searchParams.append("filter", String(opts.filter)); } if (opts.pageSize !== undefined) { url.searchParams.append("pageSize", String(opts.pageSize)); } if (opts.pageToken !== undefined) { url.searchParams.append("pageToken", String(opts.pageToken)); } const data = await request(url.href, { client: this.#client, method: "GET", }); return deserializeListSecretsResponse(data); } /** * Updates metadata of an existing Secret. * * @param name Output only. The resource name of the Secret in the format `projects/*/secrets/*`. */ async projectsSecretsPatch(name: string, req: Secret, opts: ProjectsSecretsPatchOptions = {}): Promise { req = serializeSecret(req); opts = serializeProjectsSecretsPatchOptions(opts); const url = new URL(`${this.#baseUrl}v1/${ name }`); if (opts.updateMask !== undefined) { url.searchParams.append("updateMask", String(opts.updateMask)); } const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "PATCH", body, }); return deserializeSecret(data); } /** * Sets the access control policy on the specified secret. Replaces any * existing policy. Permissions on SecretVersions are enforced according to * the policy set on the associated Secret. * * @param resource REQUIRED: The resource for which the policy is being specified. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. */ async projectsSecretsSetIamPolicy(resource: string, req: SetIamPolicyRequest): Promise { req = serializeSetIamPolicyRequest(req); const url = new URL(`${this.#baseUrl}v1/${ resource }:setIamPolicy`); const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "POST", body, }); return deserializePolicy(data); } /** * Returns permissions that a caller has for the specified secret. If the * secret does not exist, this call returns an empty set of permissions, not a * NOT_FOUND error. Note: This operation is designed to be used for building * permission-aware UIs and command-line tools, not for authorization * checking. This operation may "fail open" without warning. * * @param resource REQUIRED: The resource for which the policy detail is being requested. See [Resource names](https://cloud.google.com/apis/design/resource_names) for the appropriate value for this field. */ async projectsSecretsTestIamPermissions(resource: string, req: TestIamPermissionsRequest): Promise { const url = new URL(`${this.#baseUrl}v1/${ resource }:testIamPermissions`); const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "POST", body, }); return data as TestIamPermissionsResponse; } /** * Accesses a SecretVersion. This call returns the secret data. * `projects/*\/secrets/*\/versions/latest` is an alias to the most recently * created SecretVersion. * * @param name Required. The resource name of the SecretVersion in the format `projects/*/secrets/*/versions/*` or `projects/*/locations/*/secrets/*/versions/*`. `projects/*/secrets/*/versions/latest` or `projects/*/locations/*/secrets/*/versions/latest` is an alias to the most recently created SecretVersion. */ async projectsSecretsVersionsAccess(name: string): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }:access`); const data = await request(url.href, { client: this.#client, method: "GET", }); return deserializeAccessSecretVersionResponse(data); } /** * Destroys a SecretVersion. Sets the state of the SecretVersion to DESTROYED * and irrevocably destroys the secret data. * * @param name Required. The resource name of the SecretVersion to destroy in the format `projects/*/secrets/*/versions/*` or `projects/*/locations/*/secrets/*/versions/*`. */ async projectsSecretsVersionsDestroy(name: string, req: DestroySecretVersionRequest): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }:destroy`); const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "POST", body, }); return data as SecretVersion; } /** * Disables a SecretVersion. Sets the state of the SecretVersion to DISABLED. * * @param name Required. The resource name of the SecretVersion to disable in the format `projects/*/secrets/*/versions/*` or `projects/*/locations/*/secrets/*/versions/*`. */ async projectsSecretsVersionsDisable(name: string, req: DisableSecretVersionRequest): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }:disable`); const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "POST", body, }); return data as SecretVersion; } /** * Enables a SecretVersion. Sets the state of the SecretVersion to ENABLED. * * @param name Required. The resource name of the SecretVersion to enable in the format `projects/*/secrets/*/versions/*` or `projects/*/locations/*/secrets/*/versions/*`. */ async projectsSecretsVersionsEnable(name: string, req: EnableSecretVersionRequest): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }:enable`); const body = JSON.stringify(req); const data = await request(url.href, { client: this.#client, method: "POST", body, }); return data as SecretVersion; } /** * Gets metadata for a SecretVersion. * `projects/*\/secrets/*\/versions/latest` is an alias to the most recently * created SecretVersion. * * @param name Required. The resource name of the SecretVersion in the format `projects/*/secrets/*/versions/*` or `projects/*/locations/*/secrets/*/versions/*`. `projects/*/secrets/*/versions/latest` or `projects/*/locations/*/secrets/*/versions/latest` is an alias to the most recently created SecretVersion. */ async projectsSecretsVersionsGet(name: string): Promise { const url = new URL(`${this.#baseUrl}v1/${ name }`); const data = await request(url.href, { client: this.#client, method: "GET", }); return data as SecretVersion; } /** * Lists SecretVersions. This call does not return secret data. * * @param parent Required. The resource name of the Secret associated with the SecretVersions to list, in the format `projects/*/secrets/*` or `projects/*/locations/*/secrets/*`. */ async projectsSecretsVersionsList(parent: string, opts: ProjectsSecretsVersionsListOptions = {}): Promise { const url = new URL(`${this.#baseUrl}v1/${ parent }/versions`); if (opts.filter !== undefined) { url.searchParams.append("filter", String(opts.filter)); } if (opts.pageSize !== undefined) { url.searchParams.append("pageSize", String(opts.pageSize)); } if (opts.pageToken !== undefined) { url.searchParams.append("pageToken", String(opts.pageToken)); } const data = await request(url.href, { client: this.#client, method: "GET", }); return data as ListSecretVersionsResponse; } } /** * Response message for SecretManagerService.AccessSecretVersion. */ export interface AccessSecretVersionResponse { /** * The resource name of the SecretVersion in the format * `projects/*\/secrets/*\/versions/*` or * `projects/*\/locations/*\/secrets/*\/versions/*`. */ name?: string; /** * Secret payload */ payload?: SecretPayload; } function serializeAccessSecretVersionResponse(data: any): AccessSecretVersionResponse { return { ...data, payload: data["payload"] !== undefined ? serializeSecretPayload(data["payload"]) : undefined, }; } function deserializeAccessSecretVersionResponse(data: any): AccessSecretVersionResponse { return { ...data, payload: data["payload"] !== undefined ? deserializeSecretPayload(data["payload"]) : undefined, }; } /** * Request message for SecretManagerService.AddSecretVersion. */ export interface AddSecretVersionRequest { /** * Required. The secret payload of the SecretVersion. */ payload?: SecretPayload; } function serializeAddSecretVersionRequest(data: any): AddSecretVersionRequest { return { ...data, payload: data["payload"] !== undefined ? serializeSecretPayload(data["payload"]) : undefined, }; } function deserializeAddSecretVersionRequest(data: any): AddSecretVersionRequest { return { ...data, payload: data["payload"] !== undefined ? deserializeSecretPayload(data["payload"]) : undefined, }; } /** * Specifies the audit configuration for a service. The configuration * determines which permission types are logged, and what identities, if any, * are exempted from logging. An AuditConfig must have one or more * AuditLogConfigs. If there are AuditConfigs for both `allServices` and a * specific service, the union of the two AuditConfigs is used for that service: * the log_types specified in each AuditConfig are enabled, and the * exempted_members in each AuditLogConfig are exempted. Example Policy with * multiple AuditConfigs: { "audit_configs": [ { "service": "allServices", * "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ * "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" }, { "log_type": * "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com", * "audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type": * "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] } For * sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ * logging. It also exempts `jose@example.com` from DATA_READ logging, and * `aliya@example.com` from DATA_WRITE logging. */ export interface AuditConfig { /** * The configuration for logging of each type of permission. */ auditLogConfigs?: AuditLogConfig[]; /** * Specifies a service that will be enabled for audit logging. For example, * `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a * special value that covers all services. */ service?: string; } /** * Provides the configuration for logging a type of permissions. Example: { * "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ * "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" } ] } This enables * 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from * DATA_READ logging. */ export interface AuditLogConfig { /** * Specifies the identities that do not cause logging for this type of * permission. Follows the same format of Binding.members. */ exemptedMembers?: string[]; /** * The log type that this config enables. */ logType?: | "LOG_TYPE_UNSPECIFIED" | "ADMIN_READ" | "DATA_WRITE" | "DATA_READ"; } /** * A replication policy that replicates the Secret payload without any * restrictions. */ export interface Automatic { /** * Optional. The customer-managed encryption configuration of the Secret. If * no configuration is provided, Google-managed default encryption is used. * Updates to the Secret encryption configuration only apply to SecretVersions * added afterwards. They do not apply retroactively to existing * SecretVersions. */ customerManagedEncryption?: CustomerManagedEncryption; } /** * The replication status of a SecretVersion using automatic replication. Only * populated if the parent Secret has an automatic replication policy. */ export interface AutomaticStatus { /** * Output only. The customer-managed encryption status of the SecretVersion. * Only populated if customer-managed encryption is used. */ readonly customerManagedEncryption?: CustomerManagedEncryptionStatus; } /** * Associates `members`, or principals, with a `role`. */ export interface Binding { /** * The condition that is associated with this binding. If the condition * evaluates to `true`, then this binding applies to the current request. If * the condition evaluates to `false`, then this binding does not apply to the * current request. However, a different role binding might grant the same * role to one or more of the principals in this binding. To learn which * resources support conditions in their IAM policies, see the [IAM * documentation](https://cloud.google.com/iam/help/conditions/resource-policies). */ condition?: Expr; /** * Specifies the principals requesting access for a Google Cloud resource. * `members` can have the following values: * `allUsers`: A special identifier * that represents anyone who is on the internet; with or without a Google * account. * `allAuthenticatedUsers`: A special identifier that represents * anyone who is authenticated with a Google account or a service account. * Does not include identities that come from external identity providers * (IdPs) through identity federation. * `user:{emailid}`: An email address * that represents a specific Google account. For example, `alice@example.com` * . * `serviceAccount:{emailid}`: An email address that represents a Google * service account. For example, `my-other-app@appspot.gserviceaccount.com`. * * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An * identifier for a [Kubernetes service * account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). * For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * * `group:{emailid}`: An email address that represents a Google group. For * example, `admins@example.com`. * `domain:{domain}`: The G Suite domain * (primary) that represents all the users of that domain. For example, * `google.com` or `example.com`. * * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: * A single identity in a workforce identity pool. * * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: * All workforce identities in a group. * * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: * All workforce identities with a specific attribute value. * * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*`: * All identities in a workforce identity pool. * * `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: * A single identity in a workload identity pool. * * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`: * A workload identity pool group. * * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: * All identities in a workload identity pool with a certain attribute. * * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*`: * All identities in a workload identity pool. * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique * identifier) representing a user that has been recently deleted. For * example, `alice@example.com?uid=123456789012345678901`. If the user is * recovered, this value reverts to `user:{emailid}` and the recovered user * retains the role in the binding. * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus * unique identifier) representing a service account that has been recently * deleted. For example, * `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If * the service account is undeleted, this value reverts to * `serviceAccount:{emailid}` and the undeleted service account retains the * role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email * address (plus unique identifier) representing a Google group that has been * recently deleted. For example, * `admins@example.com?uid=123456789012345678901`. If the group is recovered, * this value reverts to `group:{emailid}` and the recovered group retains the * role in the binding. * * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: * Deleted single identity in a workforce identity pool. For example, * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`. */ members?: string[]; /** * Role that is assigned to the list of `members`, or principals. For * example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview * of the IAM roles and permissions, see the [IAM * documentation](https://cloud.google.com/iam/docs/roles-overview). For a * list of the available pre-defined roles, see * [here](https://cloud.google.com/iam/docs/understanding-roles). */ role?: string; } /** * Configuration for encrypting secret payloads using customer-managed * encryption keys (CMEK). */ export interface CustomerManagedEncryption { /** * Required. The resource name of the Cloud KMS CryptoKey used to encrypt * secret payloads. For secrets using the UserManaged replication policy type, * Cloud KMS CryptoKeys must reside in the same location as the replica * location. For secrets using the Automatic replication policy type, Cloud * KMS CryptoKeys must reside in `global`. The expected format is * `projects/*\/locations/*\/keyRings/*\/cryptoKeys/*`. */ kmsKeyName?: string; } /** * Describes the status of customer-managed encryption. */ export interface CustomerManagedEncryptionStatus { /** * Required. The resource name of the Cloud KMS CryptoKeyVersion used to * encrypt the secret payload, in the following format: * `projects/*\/locations/*\/keyRings/*\/cryptoKeys/*\/versions/*`. */ kmsKeyVersionName?: string; } /** * Request message for SecretManagerService.DestroySecretVersion. */ export interface DestroySecretVersionRequest { /** * Optional. Etag of the SecretVersion. The request succeeds if it matches * the etag of the currently stored secret version object. If the etag is * omitted, the request succeeds. */ etag?: string; } /** * Request message for SecretManagerService.DisableSecretVersion. */ export interface DisableSecretVersionRequest { /** * Optional. Etag of the SecretVersion. The request succeeds if it matches * the etag of the currently stored secret version object. If the etag is * omitted, the request succeeds. */ etag?: string; } /** * A generic empty message that you can re-use to avoid defining duplicated * empty messages in your APIs. A typical example is to use it as the request or * the response type of an API method. For instance: service Foo { rpc * Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } */ export interface Empty { } /** * Request message for SecretManagerService.EnableSecretVersion. */ export interface EnableSecretVersionRequest { /** * Optional. Etag of the SecretVersion. The request succeeds if it matches * the etag of the currently stored secret version object. If the etag is * omitted, the request succeeds. */ etag?: string; } /** * Represents a textual expression in the Common Expression Language (CEL) * syntax. CEL is a C-like expression language. The syntax and semantics of CEL * are documented at https://github.com/google/cel-spec. Example (Comparison): * title: "Summary size limit" description: "Determines if a summary is less * than 100 chars" expression: "document.summary.size() < 100" Example * (Equality): title: "Requestor is owner" description: "Determines if requestor * is the document owner" expression: "document.owner == * request.auth.claims.email" Example (Logic): title: "Public documents" * description: "Determine whether the document should be publicly visible" * expression: "document.type != 'private' && document.type != 'internal'" * Example (Data Manipulation): title: "Notification string" description: * "Create a notification string with a timestamp." expression: "'New message * received at ' + string(document.create_time)" The exact variables and * functions that may be referenced within an expression are determined by the * service that evaluates it. See the service documentation for additional * information. */ export interface Expr { /** * Optional. Description of the expression. This is a longer text which * describes the expression, e.g. when hovered over it in a UI. */ description?: string; /** * Textual representation of an expression in Common Expression Language * syntax. */ expression?: string; /** * Optional. String indicating the location of the expression for error * reporting, e.g. a file name and a position in the file. */ location?: string; /** * Optional. Title for the expression, i.e. a short string describing its * purpose. This can be used e.g. in UIs which allow to enter the expression. */ title?: string; } /** * The response message for Locations.ListLocations. */ export interface ListLocationsResponse { /** * A list of locations that matches the specified filter in the request. */ locations?: Location[]; /** * The standard List next-page token. */ nextPageToken?: string; } /** * Response message for SecretManagerService.ListSecrets. */ export interface ListSecretsResponse { /** * A token to retrieve the next page of results. Pass this value in * ListSecretsRequest.page_token to retrieve the next page. */ nextPageToken?: string; /** * The list of Secrets sorted in reverse by create_time (newest first). */ secrets?: Secret[]; /** * The total number of Secrets but 0 when the ListSecretsRequest.filter field * is set. */ totalSize?: number; } function serializeListSecretsResponse(data: any): ListSecretsResponse { return { ...data, secrets: data["secrets"] !== undefined ? data["secrets"].map((item: any) => (serializeSecret(item))) : undefined, }; } function deserializeListSecretsResponse(data: any): ListSecretsResponse { return { ...data, secrets: data["secrets"] !== undefined ? data["secrets"].map((item: any) => (deserializeSecret(item))) : undefined, }; } /** * Response message for SecretManagerService.ListSecretVersions. */ export interface ListSecretVersionsResponse { /** * A token to retrieve the next page of results. Pass this value in * ListSecretVersionsRequest.page_token to retrieve the next page. */ nextPageToken?: string; /** * The total number of SecretVersions but 0 when the * ListSecretsRequest.filter field is set. */ totalSize?: number; /** * The list of SecretVersions sorted in reverse by create_time (newest * first). */ versions?: SecretVersion[]; } /** * A resource that represents a Google Cloud location. */ export interface Location { /** * The friendly name for this location, typically a nearby city name. For * example, "Tokyo". */ displayName?: string; /** * Cross-service attributes for the location. For example * {"cloud.googleapis.com/region": "us-east1"} */ labels?: { [key: string]: string }; /** * The canonical id for this location. For example: `"us-east1"`. */ locationId?: string; /** * Service-specific metadata. For example the available capacity at the given * location. */ metadata?: { [key: string]: any }; /** * Resource name for the location, which may vary between implementations. * For example: `"projects/example-project/locations/us-east1"` */ name?: string; } /** * An Identity and Access Management (IAM) policy, which specifies access * controls for Google Cloud resources. A `Policy` is a collection of * `bindings`. A `binding` binds one or more `members`, or principals, to a * single `role`. Principals can be user accounts, service accounts, Google * groups, and domains (such as G Suite). A `role` is a named list of * permissions; each `role` can be an IAM predefined role or a user-created * custom role. For some types of Google Cloud resources, a `binding` can also * specify a `condition`, which is a logical expression that allows access to a * resource only if the expression evaluates to `true`. A condition can add * constraints based on attributes of the request, the resource, or both. To * learn which resources support conditions in their IAM policies, see the [IAM * documentation](https://cloud.google.com/iam/help/conditions/resource-policies). * **JSON example:** ``` { "bindings": [ { "role": * "roles/resourcemanager.organizationAdmin", "members": [ * "user:mike@example.com", "group:admins@example.com", "domain:google.com", * "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": * "roles/resourcemanager.organizationViewer", "members": [ * "user:eve@example.com" ], "condition": { "title": "expirable access", * "description": "Does not grant access after Sep 2020", "expression": * "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": * "BwWWja0YfJA=", "version": 3 } ``` **YAML example:** ``` bindings: - members: * - user:mike@example.com - group:admins@example.com - domain:google.com - * serviceAccount:my-project-id@appspot.gserviceaccount.com role: * roles/resourcemanager.organizationAdmin - members: - user:eve@example.com * role: roles/resourcemanager.organizationViewer condition: title: expirable * access description: Does not grant access after Sep 2020 expression: * request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= * version: 3 ``` For a description of IAM and its features, see the [IAM * documentation](https://cloud.google.com/iam/docs/). */ export interface Policy { /** * Specifies cloud audit logging configuration for this policy. */ auditConfigs?: AuditConfig[]; /** * Associates a list of `members`, or principals, with a `role`. Optionally, * may specify a `condition` that determines how and when the `bindings` are * applied. Each of the `bindings` must contain at least one principal. The * `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250 of * these principals can be Google groups. Each occurrence of a principal * counts towards these limits. For example, if the `bindings` grant 50 * different roles to `user:alice@example.com`, and not to any other * principal, then you can add another 1,450 principals to the `bindings` in * the `Policy`. */ bindings?: Binding[]; /** * `etag` is used for optimistic concurrency control as a way to help prevent * simultaneous updates of a policy from overwriting each other. It is * strongly suggested that systems make use of the `etag` in the * read-modify-write cycle to perform policy updates in order to avoid race * conditions: An `etag` is returned in the response to `getIamPolicy`, and * systems are expected to put that etag in the request to `setIamPolicy` to * ensure that their change will be applied to the same version of the policy. * **Important:** If you use IAM Conditions, you must include the `etag` field * whenever you call `setIamPolicy`. If you omit this field, then IAM allows * you to overwrite a version `3` policy with a version `1` policy, and all of * the conditions in the version `3` policy are lost. */ etag?: Uint8Array; /** * Specifies the format of the policy. Valid values are `0`, `1`, and `3`. * Requests that specify an invalid value are rejected. Any operation that * affects conditional role bindings must specify version `3`. This * requirement applies to the following operations: * Getting a policy that * includes a conditional role binding * Adding a conditional role binding to * a policy * Changing a conditional role binding in a policy * Removing any * role binding, with or without a condition, from a policy that includes * conditions **Important:** If you use IAM Conditions, you must include the * `etag` field whenever you call `setIamPolicy`. If you omit this field, then * IAM allows you to overwrite a version `3` policy with a version `1` policy, * and all of the conditions in the version `3` policy are lost. If a policy * does not include any conditions, operations on that policy may specify any * valid version or leave the field unset. To learn which resources support * conditions in their IAM policies, see the [IAM * documentation](https://cloud.google.com/iam/help/conditions/resource-policies). */ version?: number; } function serializePolicy(data: any): Policy { return { ...data, etag: data["etag"] !== undefined ? encodeBase64(data["etag"]) : undefined, }; } function deserializePolicy(data: any): Policy { return { ...data, etag: data["etag"] !== undefined ? decodeBase64(data["etag"] as string) : undefined, }; } /** * Additional options for SecretManager#projectsLocationsList. */ export interface ProjectsLocationsListOptions { /** * A filter to narrow down results to a preferred subset. The filtering * language accepts strings like `"displayName=tokyo"`, and is documented in * more detail in [AIP-160](https://google.aip.dev/160). */ filter?: string; /** * The maximum number of results to return. If not set, the service selects a * default. */ pageSize?: number; /** * A page token received from the `next_page_token` field in the response. * Send that page token to receive the subsequent page. */ pageToken?: string; } /** * Additional options for SecretManager#projectsLocationsSecretsCreate. */ export interface ProjectsLocationsSecretsCreateOptions { /** * Required. This must be unique within the project. A secret ID is a string * with a maximum length of 255 characters and can contain uppercase and * lowercase letters, numerals, and the hyphen (`-`) and underscore (`_`) * characters. */ secretId?: string; } /** * Additional options for SecretManager#projectsLocationsSecretsDelete. */ export interface ProjectsLocationsSecretsDeleteOptions { /** * Optional. Etag of the Secret. The request succeeds if it matches the etag * of the currently stored secret object. If the etag is omitted, the request * succeeds. */ etag?: string; } /** * Additional options for SecretManager#projectsLocationsSecretsGetIamPolicy. */ export interface ProjectsLocationsSecretsGetIamPolicyOptions { /** * Optional. The maximum policy version that will be used to format the * policy. Valid values are 0, 1, and 3. Requests specifying an invalid value * will be rejected. Requests for policies with any conditional role bindings * must specify version 3. Policies with no conditional role bindings may * specify any valid value or leave the field unset. The policy in the * response might use the policy version that you specified, or it might use a * lower policy version. For example, if you specify version 3, but the policy * has no conditional role bindings, the response uses version 1. To learn * which resources support conditions in their IAM policies, see the [IAM * documentation](https://cloud.google.com/iam/help/conditions/resource-policies). */ ["options.requestedPolicyVersion"]?: number; } /** * Additional options for SecretManager#projectsLocationsSecretsList. */ export interface ProjectsLocationsSecretsListOptions { /** * Optional. Filter string, adhering to the rules in [List-operation * filtering](https://cloud.google.com/secret-manager/docs/filtering). List * only secrets matching the filter. If filter is empty, all secrets are * listed. */ filter?: string; /** * Optional. The maximum number of results to be returned in a single page. * If set to 0, the server decides the number of results to return. If the * number is greater than 25000, it is capped at 25000. */ pageSize?: number; /** * Optional. Pagination token, returned earlier via * ListSecretsResponse.next_page_token. */ pageToken?: string; } /** * Additional options for SecretManager#projectsLocationsSecretsPatch. */ export interface ProjectsLocationsSecretsPatchOptions { /** * Required. Specifies the fields to be updated. */ updateMask?: string /* FieldMask */; } function serializeProjectsLocationsSecretsPatchOptions(data: any): ProjectsLocationsSecretsPatchOptions { return { ...data, updateMask: data["updateMask"] !== undefined ? data["updateMask"] : undefined, }; } function deserializeProjectsLocationsSecretsPatchOptions(data: any): ProjectsLocationsSecretsPatchOptions { return { ...data, updateMask: data["updateMask"] !== undefined ? data["updateMask"] : undefined, }; } /** * Additional options for SecretManager#projectsLocationsSecretsVersionsList. */ export interface ProjectsLocationsSecretsVersionsListOptions { /** * Optional. Filter string, adhering to the rules in [List-operation * filtering](https://cloud.google.com/secret-manager/docs/filtering). List * only secret versions matching the filter. If filter is empty, all secret * versions are listed. */ filter?: string; /** * Optional. The maximum number of results to be returned in a single page. * If set to 0, the server decides the number of results to return. If the * number is greater than 25000, it is capped at 25000. */ pageSize?: number; /** * Optional. Pagination token, returned earlier via * ListSecretVersionsResponse.next_page_token][]. */ pageToken?: string; } /** * Additional options for SecretManager#projectsSecretsCreate. */ export interface ProjectsSecretsCreateOptions { /** * Required. This must be unique within the project. A secret ID is a string * with a maximum length of 255 characters and can contain uppercase and * lowercase letters, numerals, and the hyphen (`-`) and underscore (`_`) * characters. */ secretId?: string; } /** * Additional options for SecretManager#projectsSecretsDelete. */ export interface ProjectsSecretsDeleteOptions { /** * Optional. Etag of the Secret. The request succeeds if it matches the etag * of the currently stored secret object. If the etag is omitted, the request * succeeds. */ etag?: string; } /** * Additional options for SecretManager#projectsSecretsGetIamPolicy. */ export interface ProjectsSecretsGetIamPolicyOptions { /** * Optional. The maximum policy version that will be used to format the * policy. Valid values are 0, 1, and 3. Requests specifying an invalid value * will be rejected. Requests for policies with any conditional role bindings * must specify version 3. Policies with no conditional role bindings may * specify any valid value or leave the field unset. The policy in the * response might use the policy version that you specified, or it might use a * lower policy version. For example, if you specify version 3, but the policy * has no conditional role bindings, the response uses version 1. To learn * which resources support conditions in their IAM policies, see the [IAM * documentation](https://cloud.google.com/iam/help/conditions/resource-policies). */ ["options.requestedPolicyVersion"]?: number; } /** * Additional options for SecretManager#projectsSecretsList. */ export interface ProjectsSecretsListOptions { /** * Optional. Filter string, adhering to the rules in [List-operation * filtering](https://cloud.google.com/secret-manager/docs/filtering). List * only secrets matching the filter. If filter is empty, all secrets are * listed. */ filter?: string; /** * Optional. The maximum number of results to be returned in a single page. * If set to 0, the server decides the number of results to return. If the * number is greater than 25000, it is capped at 25000. */ pageSize?: number; /** * Optional. Pagination token, returned earlier via * ListSecretsResponse.next_page_token. */ pageToken?: string; } /** * Additional options for SecretManager#projectsSecretsPatch. */ export interface ProjectsSecretsPatchOptions { /** * Required. Specifies the fields to be updated. */ updateMask?: string /* FieldMask */; } function serializeProjectsSecretsPatchOptions(data: any): ProjectsSecretsPatchOptions { return { ...data, updateMask: data["updateMask"] !== undefined ? data["updateMask"] : undefined, }; } function deserializeProjectsSecretsPatchOptions(data: any): ProjectsSecretsPatchOptions { return { ...data, updateMask: data["updateMask"] !== undefined ? data["updateMask"] : undefined, }; } /** * Additional options for SecretManager#projectsSecretsVersionsList. */ export interface ProjectsSecretsVersionsListOptions { /** * Optional. Filter string, adhering to the rules in [List-operation * filtering](https://cloud.google.com/secret-manager/docs/filtering). List * only secret versions matching the filter. If filter is empty, all secret * versions are listed. */ filter?: string; /** * Optional. The maximum number of results to be returned in a single page. * If set to 0, the server decides the number of results to return. If the * number is greater than 25000, it is capped at 25000. */ pageSize?: number; /** * Optional. Pagination token, returned earlier via * ListSecretVersionsResponse.next_page_token][]. */ pageToken?: string; } /** * Represents a Replica for this Secret. */ export interface Replica { /** * Optional. The customer-managed encryption configuration of the * User-Managed Replica. If no configuration is provided, Google-managed * default encryption is used. Updates to the Secret encryption configuration * only apply to SecretVersions added afterwards. They do not apply * retroactively to existing SecretVersions. */ customerManagedEncryption?: CustomerManagedEncryption; /** * The canonical IDs of the location to replicate data. For example: * `"us-east1"`. */ location?: string; } /** * Describes the status of a user-managed replica for the SecretVersion. */ export interface ReplicaStatus { /** * Output only. The customer-managed encryption status of the SecretVersion. * Only populated if customer-managed encryption is used. */ readonly customerManagedEncryption?: CustomerManagedEncryptionStatus; /** * Output only. The canonical ID of the replica location. For example: * `"us-east1"`. */ readonly location?: string; } /** * A policy that defines the replication and encryption configuration of data. */ export interface Replication { /** * The Secret will automatically be replicated without any restrictions. */ automatic?: Automatic; /** * The Secret will only be replicated into the locations specified. */ userManaged?: UserManaged; } /** * The replication status of a SecretVersion. */ export interface ReplicationStatus { /** * Describes the replication status of a SecretVersion with automatic * replication. Only populated if the parent Secret has an automatic * replication policy. */ automatic?: AutomaticStatus; /** * Describes the replication status of a SecretVersion with user-managed * replication. Only populated if the parent Secret has a user-managed * replication policy. */ userManaged?: UserManagedStatus; } /** * The rotation time and period for a Secret. At next_rotation_time, Secret * Manager will send a Pub/Sub notification to the topics configured on the * Secret. Secret.topics must be set to configure rotation. */ export interface Rotation { /** * Optional. Timestamp in UTC at which the Secret is scheduled to rotate. * Cannot be set to less than 300s (5 min) in the future and at most * 3153600000s (100 years). next_rotation_time MUST be set if rotation_period * is set. */ nextRotationTime?: Date; /** * Input only. The Duration between rotation notifications. Must be in * seconds and at least 3600s (1h) and at most 3153600000s (100 years). If * rotation_period is set, next_rotation_time must be set. next_rotation_time * will be advanced by this period when the service automatically sends * rotation notifications. */ rotationPeriod?: number /* Duration */; } function serializeRotation(data: any): Rotation { return { ...data, nextRotationTime: data["nextRotationTime"] !== undefined ? data["nextRotationTime"].toISOString() : undefined, rotationPeriod: data["rotationPeriod"] !== undefined ? data["rotationPeriod"] : undefined, }; } function deserializeRotation(data: any): Rotation { return { ...data, nextRotationTime: data["nextRotationTime"] !== undefined ? new Date(data["nextRotationTime"]) : undefined, rotationPeriod: data["rotationPeriod"] !== undefined ? data["rotationPeriod"] : undefined, }; } /** * A Secret is a logical secret whose value and versions can be accessed. A * Secret is made up of zero or more SecretVersions that represent the secret * data. */ export interface Secret { /** * Optional. Custom metadata about the secret. Annotations are distinct from * various forms of labels. Annotations exist to allow client tools to store * their own state information without requiring a database. Annotation keys * must be between 1 and 63 characters long, have a UTF-8 encoding of maximum * 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and * may have dashes (-), underscores (_), dots (.), and alphanumerics in * between these symbols. The total size of annotation keys and values must be * less than 16KiB. */ annotations?: { [key: string]: string }; /** * Output only. The time at which the Secret was created. */ readonly createTime?: Date; /** * Optional. The customer-managed encryption configuration of the * regionalized secrets. If no configuration is provided, Google-managed * default encryption is used. Updates to the Secret encryption configuration * only apply to SecretVersions added afterwards. They do not apply * retroactively to existing SecretVersions. */ customerManagedEncryption?: CustomerManagedEncryption; /** * Optional. Etag of the currently stored Secret. */ etag?: string; /** * Optional. Timestamp in UTC when the Secret is scheduled to expire. This is * always provided on output, regardless of what was sent on input. */ expireTime?: Date; /** * The labels assigned to this Secret. Label keys must be between 1 and 63 * characters long, have a UTF-8 encoding of maximum 128 bytes, and must * conform to the following PCRE regular expression: `\p{Ll}\p{Lo}{0,62}` * Label values must be between 0 and 63 characters long, have a UTF-8 * encoding of maximum 128 bytes, and must conform to the following PCRE * regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}` No more than 64 labels * can be assigned to a given resource. */ labels?: { [key: string]: string }; /** * Output only. The resource name of the Secret in the format * `projects/*\/secrets/*`. */ readonly name?: string; /** * Optional. Immutable. The replication policy of the secret data attached to * the Secret. The replication policy cannot be changed after the Secret has * been created. */ replication?: Replication; /** * Optional. Rotation policy attached to the Secret. May be excluded if there * is no rotation policy. */ rotation?: Rotation; /** * Optional. A list of up to 10 Pub/Sub topics to which messages are * published when control plane operations are called on the secret or its * versions. */ topics?: Topic[]; /** * Input only. The TTL for the Secret. */ ttl?: number /* Duration */; /** * Optional. Mapping from version alias to version name. A version alias is a * string with a maximum length of 63 characters and can contain uppercase and * lowercase letters, numerals, and the hyphen (`-`) and underscore ('_') * characters. An alias string must start with a letter and cannot be the * string 'latest' or 'NEW'. No more than 50 aliases can be assigned to a * given secret. Version-Alias pairs will be viewable via GetSecret and * modifiable via UpdateSecret. Access by alias is only be supported on * GetSecretVersion and AccessSecretVersion. */ versionAliases?: { [key: string]: bigint }; /** * Optional. Secret Version TTL after destruction request This is a part of * the Delayed secret version destroy feature. For secret with TTL>0, version * destruction doesn't happen immediately on calling destroy instead the * version goes to a disabled state and destruction happens after the TTL * expires. */ versionDestroyTtl?: number /* Duration */; } function serializeSecret(data: any): Secret { return { ...data, expireTime: data["expireTime"] !== undefined ? data["expireTime"].toISOString() : undefined, rotation: data["rotation"] !== undefined ? serializeRotation(data["rotation"]) : undefined, ttl: data["ttl"] !== undefined ? data["ttl"] : undefined, versionAliases: data["versionAliases"] !== undefined ? Object.fromEntries(Object.entries(data["versionAliases"]).map(([k, v]: [string, any]) => ([k, String(v)]))) : undefined, versionDestroyTtl: data["versionDestroyTtl"] !== undefined ? data["versionDestroyTtl"] : undefined, }; } function deserializeSecret(data: any): Secret { return { ...data, createTime: data["createTime"] !== undefined ? new Date(data["createTime"]) : undefined, expireTime: data["expireTime"] !== undefined ? new Date(data["expireTime"]) : undefined, rotation: data["rotation"] !== undefined ? deserializeRotation(data["rotation"]) : undefined, ttl: data["ttl"] !== undefined ? data["ttl"] : undefined, versionAliases: data["versionAliases"] !== undefined ? Object.fromEntries(Object.entries(data["versionAliases"]).map(([k, v]: [string, any]) => ([k, BigInt(v)]))) : undefined, versionDestroyTtl: data["versionDestroyTtl"] !== undefined ? data["versionDestroyTtl"] : undefined, }; } /** * A secret payload resource in the Secret Manager API. This contains the * sensitive secret payload that is associated with a SecretVersion. */ export interface SecretPayload { /** * The secret data. Must be no larger than 64KiB. */ data?: Uint8Array; /** * Optional. If specified, SecretManagerService will verify the integrity of * the received data on SecretManagerService.AddSecretVersion calls using the * crc32c checksum and store it to include in future * SecretManagerService.AccessSecretVersion responses. If a checksum is not * provided in the SecretManagerService.AddSecretVersion request, the * SecretManagerService will generate and store one for you. The CRC32C value * is encoded as a Int64 for compatibility, and can be safely downconverted to * uint32 in languages that support this type. * https://cloud.google.com/apis/design/design_patterns#integer_types */ dataCrc32c?: bigint; } function serializeSecretPayload(data: any): SecretPayload { return { ...data, data: data["data"] !== undefined ? encodeBase64(data["data"]) : undefined, dataCrc32c: data["dataCrc32c"] !== undefined ? String(data["dataCrc32c"]) : undefined, }; } function deserializeSecretPayload(data: any): SecretPayload { return { ...data, data: data["data"] !== undefined ? decodeBase64(data["data"] as string) : undefined, dataCrc32c: data["dataCrc32c"] !== undefined ? BigInt(data["dataCrc32c"]) : undefined, }; } /** * A secret version resource in the Secret Manager API. */ export interface SecretVersion { /** * Output only. True if payload checksum specified in SecretPayload object * has been received by SecretManagerService on * SecretManagerService.AddSecretVersion. */ readonly clientSpecifiedPayloadChecksum?: boolean; /** * Output only. The time at which the SecretVersion was created. */ readonly createTime?: Date; /** * Output only. The customer-managed encryption status of the SecretVersion. * Only populated if customer-managed encryption is used and Secret is a * regionalized secret. */ readonly customerManagedEncryption?: CustomerManagedEncryptionStatus; /** * Output only. The time this SecretVersion was destroyed. Only present if * state is DESTROYED. */ readonly destroyTime?: Date; /** * Output only. Etag of the currently stored SecretVersion. */ readonly etag?: string; /** * Output only. The resource name of the SecretVersion in the format * `projects/*\/secrets/*\/versions/*`. SecretVersion IDs in a Secret start at * 1 and are incremented for each subsequent version of the secret. */ readonly name?: string; /** * The replication status of the SecretVersion. */ replicationStatus?: ReplicationStatus; /** * Optional. Output only. Scheduled destroy time for secret version. This is * a part of the Delayed secret version destroy feature. For a Secret with a * valid version destroy TTL, when a secert version is destroyed, version is * moved to disabled state and it is scheduled for destruction Version is * destroyed only after the scheduled_destroy_time. */ readonly scheduledDestroyTime?: Date; /** * Output only. The current state of the SecretVersion. */ readonly state?: | "STATE_UNSPECIFIED" | "ENABLED" | "DISABLED" | "DESTROYED"; } /** * Request message for `SetIamPolicy` method. */ export interface SetIamPolicyRequest { /** * REQUIRED: The complete policy to be applied to the `resource`. The size of * the policy is limited to a few 10s of KB. An empty policy is a valid policy * but certain Google Cloud services (such as Projects) might reject them. */ policy?: Policy; /** * OPTIONAL: A FieldMask specifying which fields of the policy to modify. * Only the fields in the mask will be modified. If no mask is provided, the * following default mask is used: `paths: "bindings, etag"` */ updateMask?: string /* FieldMask */; } function serializeSetIamPolicyRequest(data: any): SetIamPolicyRequest { return { ...data, policy: data["policy"] !== undefined ? serializePolicy(data["policy"]) : undefined, updateMask: data["updateMask"] !== undefined ? data["updateMask"] : undefined, }; } function deserializeSetIamPolicyRequest(data: any): SetIamPolicyRequest { return { ...data, policy: data["policy"] !== undefined ? deserializePolicy(data["policy"]) : undefined, updateMask: data["updateMask"] !== undefined ? data["updateMask"] : undefined, }; } /** * Request message for `TestIamPermissions` method. */ export interface TestIamPermissionsRequest { /** * The set of permissions to check for the `resource`. Permissions with * wildcards (such as `*` or `storage.*`) are not allowed. For more * information see [IAM * Overview](https://cloud.google.com/iam/docs/overview#permissions). */ permissions?: string[]; } /** * Response message for `TestIamPermissions` method. */ export interface TestIamPermissionsResponse { /** * A subset of `TestPermissionsRequest.permissions` that the caller is * allowed. */ permissions?: string[]; } /** * A Pub/Sub topic which Secret Manager will publish to when control plane * events occur on this secret. */ export interface Topic { /** * Identifier. The resource name of the Pub/Sub topic that will be published * to, in the following format: `projects/*\/topics/*`. For publication to * succeed, the Secret Manager service agent must have the * `pubsub.topic.publish` permission on the topic. The Pub/Sub Publisher role * (`roles/pubsub.publisher`) includes this permission. */ name?: string; } /** * A replication policy that replicates the Secret payload into the locations * specified in Replication.UserManaged.replicas */ export interface UserManaged { /** * Required. The list of Replicas for this Secret. Cannot be empty. */ replicas?: Replica[]; } /** * The replication status of a SecretVersion using user-managed replication. * Only populated if the parent Secret has a user-managed replication policy. */ export interface UserManagedStatus { /** * Output only. The list of replica statuses for the SecretVersion. */ readonly replicas?: ReplicaStatus[]; } function decodeBase64(b64: string): Uint8Array { const binString = atob(b64); const size = binString.length; const bytes = new Uint8Array(size); for (let i = 0; i < size; i++) { bytes[i] = binString.charCodeAt(i); } return bytes; } const base64abc = ["A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","0","1","2","3","4","5","6","7","8","9","+","/"]; /** * CREDIT: https://gist.github.com/enepomnyaschih/72c423f727d395eeaa09697058238727 * Encodes a given Uint8Array, ArrayBuffer or string into RFC4648 base64 representation * @param data */ function encodeBase64(uint8: Uint8Array): string { let result = "", i; const l = uint8.length; for (i = 2; i < l; i += 3) { result += base64abc[uint8[i - 2] >> 2]; result += base64abc[((uint8[i - 2] & 0x03) << 4) | (uint8[i - 1] >> 4)]; result += base64abc[((uint8[i - 1] & 0x0f) << 2) | (uint8[i] >> 6)]; result += base64abc[uint8[i] & 0x3f]; } if (i === l + 1) { // 1 octet yet to write result += base64abc[uint8[i - 2] >> 2]; result += base64abc[(uint8[i - 2] & 0x03) << 4]; result += "=="; } if (i === l) { // 2 octets yet to write result += base64abc[uint8[i - 2] >> 2]; result += base64abc[((uint8[i - 2] & 0x03) << 4) | (uint8[i - 1] >> 4)]; result += base64abc[(uint8[i - 1] & 0x0f) << 2]; result += "="; } return result; }