Remove generate_identity_binding_access_token (via synth). (#8486)

packages/google-cloud-iam/google/cloud/iam_credentials_v1/gapic/iam_credentials_client.py

@@ -557,128 +557,3 @@ def sign_jwt(
         return self._inner_api_calls["sign_jwt"](
             request, retry=retry, timeout=timeout, metadata=metadata
         )
-
-    def generate_identity_binding_access_token(
-        self,
-        name,
-        scope,
-        jwt,
-        retry=google.api_core.gapic_v1.method.DEFAULT,
-        timeout=google.api_core.gapic_v1.method.DEFAULT,
-        metadata=None,
-    ):
-        """
-        Exchange a JWT signed by third party identity provider to an OAuth 2.0
-        access token
-
-        Example:
-            >>> from google.cloud import iam_credentials_v1
-            >>>
-            >>> client = iam_credentials_v1.IAMCredentialsClient()
-            >>>
-            >>> name = client.service_account_path('[PROJECT]', '[SERVICE_ACCOUNT]')
-            >>>
-            >>> # TODO: Initialize `scope`:
-            >>> scope = []
-            >>>
-            >>> # TODO: Initialize `jwt`:
-            >>> jwt = ''
-            >>>
-            >>> response = client.generate_identity_binding_access_token(name, scope, jwt)
-
-        Args:
-            name (str): The resource name of the service account for which the credentials are
-                requested, in the following format:
-                ``projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}``.
-            scope (list[str]): Code to identify the scopes to be included in the OAuth 2.0 access token.
-                See https://developers.google.com/identity/protocols/googlescopes for more
-                information.
-                At least one value required.
-            jwt (str): Required. Input token. Must be in JWT format according to RFC7523
-                (https://tools.ietf.org/html/rfc7523) and must have 'kid' field in the
-                header. Supported signing algorithms: RS256 (RS512, ES256, ES512 coming
-                soon). Mandatory payload fields (along the lines of RFC 7523, section
-                3):
-
-                -  iss: issuer of the token. Must provide a discovery document at
-                   $iss/.well-known/openid-configuration . The document needs to be
-                   formatted according to section 4.2 of the OpenID Connect Discovery
-                   1.0 specification.
-                -  iat: Issue time in seconds since epoch. Must be in the past.
-                -  exp: Expiration time in seconds since epoch. Must be less than 48
-                   hours after iat. We recommend to create tokens that last shorter than
-                   6 hours to improve security unless business reasons mandate longer
-                   expiration times. Shorter token lifetimes are generally more secure
-                   since tokens that have been exfiltrated by attackers can be used for
-                   a shorter time. you can configure the maximum lifetime of the
-                   incoming token in the configuration of the mapper. The resulting
-                   Google token will expire within an hour or at "exp", whichever is
-                   earlier.
-                -  sub: JWT subject, identity asserted in the JWT.
-                -  aud: Configured in the mapper policy. By default the service account
-                   email.
-
-                Claims from the incoming token can be transferred into the output token
-                accoding to the mapper configuration. The outgoing claim size is
-                limited. Outgoing claims size must be less than 4kB serialized as JSON
-                without whitespace.
-
-                Example header: { "alg": "RS256", "kid":
-                "92a4265e14ab04d4d228a48d10d4ca31610936f8" } Example payload: { "iss":
-                "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704,
-                "aud": "https://iamcredentials.googleapis.com/", "sub":
-                "113475438248934895348", "my\_claims": { "additional\_claim": "value" }
-                }
-            retry (Optional[google.api_core.retry.Retry]):  A retry object used
-                to retry requests. If ``None`` is specified, requests will not
-                be retried.
-            timeout (Optional[float]): The amount of time, in seconds, to wait
-                for the request to complete. Note that if ``retry`` is
-                specified, the timeout applies to each individual attempt.
-            metadata (Optional[Sequence[Tuple[str, str]]]): Additional metadata
-                that is provided to the method.
-
-        Returns:
-            A :class:`~google.cloud.iam_credentials_v1.types.GenerateIdentityBindingAccessTokenResponse` instance.
-
-        Raises:
-            google.api_core.exceptions.GoogleAPICallError: If the request
-                    failed for any reason.
-            google.api_core.exceptions.RetryError: If the request failed due
-                    to a retryable error and retry attempts failed.
-            ValueError: If the parameters are invalid.
-        """
-        # Wrap the transport method to add retry and timeout logic.
-        if "generate_identity_binding_access_token" not in self._inner_api_calls:
-            self._inner_api_calls[
-                "generate_identity_binding_access_token"
-            ] = google.api_core.gapic_v1.method.wrap_method(
-                self.transport.generate_identity_binding_access_token,
-                default_retry=self._method_configs[
-                    "GenerateIdentityBindingAccessToken"
-                ].retry,
-                default_timeout=self._method_configs[
-                    "GenerateIdentityBindingAccessToken"
-                ].timeout,
-                client_info=self._client_info,
-            )
-
-        request = common_pb2.GenerateIdentityBindingAccessTokenRequest(
-            name=name, scope=scope, jwt=jwt
-        )
-        if metadata is None:
-            metadata = []
-        metadata = list(metadata)
-        try:
-            routing_header = [("name", name)]
-        except AttributeError:
-            pass
-        else:
-            routing_metadata = google.api_core.gapic_v1.routing_header.to_grpc_metadata(
-                routing_header
-            )
-            metadata.append(routing_metadata)
-
-        return self._inner_api_calls["generate_identity_binding_access_token"](
-            request, retry=retry, timeout=timeout, metadata=metadata
-        )

packages/google-cloud-iam/google/cloud/iam_credentials_v1/gapic/iam_credentials_client_config.py

@@ -37,11 +37,6 @@
                     "retry_codes_name": "idempotent",
                     "retry_params_name": "default",
                 },
-                "GenerateIdentityBindingAccessToken": {
-                    "timeout_millis": 60000,
-                    "retry_codes_name": "idempotent",
-                    "retry_params_name": "default",
-                },
             },
         }
     }

packages/google-cloud-iam/google/cloud/iam_credentials_v1/gapic/transports/iam_credentials_grpc_transport.py

@@ -154,17 +154,3 @@ def sign_jwt(self):
                 deserialized response object.
         """
         return self._stubs["iam_credentials_stub"].SignJwt
-
-    @property
-    def generate_identity_binding_access_token(self):
-        """Return the gRPC stub for :meth:`IAMCredentialsClient.generate_identity_binding_access_token`.
-
-        Exchange a JWT signed by third party identity provider to an OAuth 2.0
-        access token
-
-        Returns:
-            Callable: A callable which accepts the appropriate
-                deserialized request object and returns a
-                deserialized response object.
-        """
-        return self._stubs["iam_credentials_stub"].GenerateIdentityBindingAccessToken

packages/google-cloud-iam/google/cloud/iam_credentials_v1/proto/common.proto

@@ -152,72 +152,3 @@ message GenerateIdTokenResponse {
   // The OpenId Connect ID token.
   string token = 1;
 }
-
-message GenerateIdentityBindingAccessTokenRequest {
-  // The resource name of the service account for which the credentials
-  // are requested, in the following format:
-  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
-  string name = 1;
-
-  // Code to identify the scopes to be included in the OAuth 2.0 access token.
-  // See https://developers.google.com/identity/protocols/googlescopes for more
-  // information.
-  // At least one value required.
-  repeated string scope = 2;
-
-  // Required. Input token.
-  // Must be in JWT format according to
-  // RFC7523 (https://tools.ietf.org/html/rfc7523)
-  // and must have 'kid' field in the header.
-  // Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
-  // Mandatory payload fields (along the lines of RFC 7523, section 3):
-  // - iss: issuer of the token. Must provide a discovery document at
-  //        $iss/.well-known/openid-configuration . The document needs to be
-  //        formatted according to section 4.2 of the OpenID Connect Discovery
-  //        1.0 specification.
-  // - iat: Issue time in seconds since epoch. Must be in the past.
-  // - exp: Expiration time in seconds since epoch. Must be less than 48 hours
-  //        after iat. We recommend to create tokens that last shorter than 6
-  //        hours to improve security unless business reasons mandate longer
-  //        expiration times. Shorter token lifetimes are generally more secure
-  //        since tokens that have been exfiltrated by attackers can be used for
-  //        a shorter time. you can configure the maximum lifetime of the
-  //        incoming token in the configuration of the mapper.
-  //        The resulting Google token will expire within an hour or at "exp",
-  //        whichever is earlier.
-  // - sub: JWT subject, identity asserted in the JWT.
-  // - aud: Configured in the mapper policy. By default the service account
-  //        email.
-  //
-  // Claims from the incoming token can be transferred into the output token
-  // accoding to the mapper configuration. The outgoing claim size is limited.
-  // Outgoing claims size must be less than 4kB serialized as JSON without
-  // whitespace.
-  //
-  // Example header:
-  // {
-  //   "alg": "RS256",
-  //   "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
-  // }
-  // Example payload:
-  // {
-  //   "iss": "https://accounts.google.com",
-  //   "iat": 1517963104,
-  //   "exp": 1517966704,
-  //   "aud": "https://iamcredentials.googleapis.com/",
-  //   "sub": "113475438248934895348",
-  //   "my_claims": {
-  //     "additional_claim": "value"
-  //   }
-  // }
-  string jwt = 3;
-}
-
-message GenerateIdentityBindingAccessTokenResponse {
-  // The OAuth 2.0 access token.
-  string access_token = 1;
-
-  // Token expiration time.
-  // The expiration time is always set.
-  google.protobuf.Timestamp expire_time = 2;
-}