Thank youHashiConf Europe is a wrap. Watch this year’s sessions on-demand. Watch Now

Boundary Controller HTTP API

Role Service

List Roles
GET /v1/roles
Expand

Lists all Roles.

Request

Query Parameters

scope_id string
recursive boolean
filter string

Response

Successful Response

items object[]

Role contains all fields related to a Role resource

id string

Output only. The ID of the Role.

scope_id string

The ID of the Scope containing this Role.

scope object

Output only. Scope information for this resource.

id string

Output only. The ID of the Scope.

type string

Output only. The type of the Scope.

name string

Output only. The name of the Scope, if any.

description string

Output only. The description of the Scope, if any.

parent_scope_id string

Output only. The ID of the parent Scope, if any. This field will be empty if this is the "global" scope.

name string

Optional name for identification purposes.

description string

Optional user-set description for identification purposes.

created_time string

Output only. The time this resource was created.

updated_time string

Output only. The time this resource was last updated.

version integer

Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_scope_id string

The Scope the grants will apply to. If the Role is at the global scope, this can be an org or project. If the Role is at an org scope, this can be a project within the org. It is invalid for this to be anything other than the Role's scope when the Role's scope is a project.

principal_ids string[]
principals object[]
id string

Output only. The ID of the principal.

type string

Output only. The type of the principal.

scope_id string

Output only. The Scope of the principal.

grant_strings string[]
grants object[]
raw string

Output only. The original user-supplied string.

canonical string

Output only. The canonically-formatted string.

json object

Output only. The JSON representation of the grant.

id string

Output only. The ID, if set.

type string

Output only. The type, if set.

actions string[]
authorized_actions string[]
Create Role
POST /v1/roles
Expand

Creates a single Role.

Request

Body Parameters

scope_id string

The ID of the Scope containing this Role.

name string

Optional name for identification purposes.

description string

Optional user-set description for identification purposes.

version integer

Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_scope_id string

The Scope the grants will apply to. If the Role is at the global scope, this can be an org or project. If the Role is at an org scope, this can be a project within the org. It is invalid for this to be anything other than the Role's scope when the Role's scope is a project.

Response

Successful Response

id string

Output only. The ID of the Role.

scope_id string

The ID of the Scope containing this Role.

scope object

Output only. Scope information for this resource.

id string

Output only. The ID of the Scope.

type string

Output only. The type of the Scope.

name string

Output only. The name of the Scope, if any.

description string

Output only. The description of the Scope, if any.

parent_scope_id string

Output only. The ID of the parent Scope, if any. This field will be empty if this is the "global" scope.

name string

Optional name for identification purposes.

description string

Optional user-set description for identification purposes.

created_time string

Output only. The time this resource was created.

updated_time string

Output only. The time this resource was last updated.

version integer

Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_scope_id string

The Scope the grants will apply to. If the Role is at the global scope, this can be an org or project. If the Role is at an org scope, this can be a project within the org. It is invalid for this to be anything other than the Role's scope when the Role's scope is a project.

principal_ids string[]
principals object[]
id string

Output only. The ID of the principal.

type string

Output only. The type of the principal.

scope_id string

Output only. The Scope of the principal.

grant_strings string[]
grants object[]
raw string

Output only. The original user-supplied string.

canonical string

Output only. The canonically-formatted string.

json object

Output only. The JSON representation of the grant.

id string

Output only. The ID, if set.

type string

Output only. The type, if set.

actions string[]
authorized_actions string[]
Get Role
GET /v1/roles/{id}
Expand

Gets a single Role.

Request

Path Parameters

id string Required

Response

Successful Response

id string

Output only. The ID of the Role.

scope_id string

The ID of the Scope containing this Role.

scope object

Output only. Scope information for this resource.

id string

Output only. The ID of the Scope.

type string

Output only. The type of the Scope.

name string

Output only. The name of the Scope, if any.

description string

Output only. The description of the Scope, if any.

parent_scope_id string

Output only. The ID of the parent Scope, if any. This field will be empty if this is the "global" scope.

name string

Optional name for identification purposes.

description string

Optional user-set description for identification purposes.

created_time string

Output only. The time this resource was created.

updated_time string

Output only. The time this resource was last updated.

version integer

Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_scope_id string

The Scope the grants will apply to. If the Role is at the global scope, this can be an org or project. If the Role is at an org scope, this can be a project within the org. It is invalid for this to be anything other than the Role's scope when the Role's scope is a project.

principal_ids string[]
principals object[]
id string

Output only. The ID of the principal.

type string

Output only. The type of the principal.

scope_id string

Output only. The Scope of the principal.

grant_strings string[]
grants object[]
raw string

Output only. The original user-supplied string.

canonical string

Output only. The canonically-formatted string.

json object

Output only. The JSON representation of the grant.

id string

Output only. The ID, if set.

type string

Output only. The type, if set.

actions string[]
authorized_actions string[]
Delete Role
DELETE /v1/roles/{id}
Expand

Deletes a Role.

Request

Path Parameters

id string Required

Response

Successful Response

No content.
Update Role
PATCH /v1/roles/{id}
Expand

Updates a Role.

Request

Path Parameters

id string Required

Query Parameters

update_mask string

Body Parameters

scope_id string

The ID of the Scope containing this Role.

name string

Optional name for identification purposes.

description string

Optional user-set description for identification purposes.

version integer

Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_scope_id string

The Scope the grants will apply to. If the Role is at the global scope, this can be an org or project. If the Role is at an org scope, this can be a project within the org. It is invalid for this to be anything other than the Role's scope when the Role's scope is a project.

Response

Successful Response

id string

Output only. The ID of the Role.

scope_id string

The ID of the Scope containing this Role.

scope object

Output only. Scope information for this resource.

id string

Output only. The ID of the Scope.

type string

Output only. The type of the Scope.

name string

Output only. The name of the Scope, if any.

description string

Output only. The description of the Scope, if any.

parent_scope_id string

Output only. The ID of the parent Scope, if any. This field will be empty if this is the "global" scope.

name string

Optional name for identification purposes.

description string

Optional user-set description for identification purposes.

created_time string

Output only. The time this resource was created.

updated_time string

Output only. The time this resource was last updated.

version integer

Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_scope_id string

The Scope the grants will apply to. If the Role is at the global scope, this can be an org or project. If the Role is at an org scope, this can be a project within the org. It is invalid for this to be anything other than the Role's scope when the Role's scope is a project.

principal_ids string[]
principals object[]
id string

Output only. The ID of the principal.

type string

Output only. The type of the principal.

scope_id string

Output only. The Scope of the principal.

grant_strings string[]
grants object[]
raw string

Output only. The original user-supplied string.

canonical string

Output only. The canonically-formatted string.

json object

Output only. The JSON representation of the grant.

id string

Output only. The ID, if set.

type string

Output only. The type, if set.

actions string[]
authorized_actions string[]
Add Role Grants
POST /v1/roles/{id}:add-grants
Expand

Adds grants to a Role

Request

Path Parameters

id string Required

Body Parameters

id string
version integer

Version is used to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_strings string[]

Response

Successful Response

id string

Output only. The ID of the Role.

scope_id string

The ID of the Scope containing this Role.

scope object

Output only. Scope information for this resource.

id string

Output only. The ID of the Scope.

type string

Output only. The type of the Scope.

name string

Output only. The name of the Scope, if any.

description string

Output only. The description of the Scope, if any.

parent_scope_id string

Output only. The ID of the parent Scope, if any. This field will be empty if this is the "global" scope.

name string

Optional name for identification purposes.

description string

Optional user-set description for identification purposes.

created_time string

Output only. The time this resource was created.

updated_time string

Output only. The time this resource was last updated.

version integer

Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_scope_id string

The Scope the grants will apply to. If the Role is at the global scope, this can be an org or project. If the Role is at an org scope, this can be a project within the org. It is invalid for this to be anything other than the Role's scope when the Role's scope is a project.

principal_ids string[]
principals object[]
id string

Output only. The ID of the principal.

type string

Output only. The type of the principal.

scope_id string

Output only. The Scope of the principal.

grant_strings string[]
grants object[]
raw string

Output only. The original user-supplied string.

canonical string

Output only. The canonically-formatted string.

json object

Output only. The JSON representation of the grant.

id string

Output only. The ID, if set.

type string

Output only. The type, if set.

actions string[]
authorized_actions string[]
Add Role Principals
POST /v1/roles/{id}:add-principals
Expand

Adds Users and/or Groups to a Role.

Request

Path Parameters

id string Required

Body Parameters

id string
version integer

Version is used to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

principal_ids string[]

Response

Successful Response

id string

Output only. The ID of the Role.

scope_id string

The ID of the Scope containing this Role.

scope object

Output only. Scope information for this resource.

id string

Output only. The ID of the Scope.

type string

Output only. The type of the Scope.

name string

Output only. The name of the Scope, if any.

description string

Output only. The description of the Scope, if any.

parent_scope_id string

Output only. The ID of the parent Scope, if any. This field will be empty if this is the "global" scope.

name string

Optional name for identification purposes.

description string

Optional user-set description for identification purposes.

created_time string

Output only. The time this resource was created.

updated_time string

Output only. The time this resource was last updated.

version integer

Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_scope_id string

The Scope the grants will apply to. If the Role is at the global scope, this can be an org or project. If the Role is at an org scope, this can be a project within the org. It is invalid for this to be anything other than the Role's scope when the Role's scope is a project.

principal_ids string[]
principals object[]
id string

Output only. The ID of the principal.

type string

Output only. The type of the principal.

scope_id string

Output only. The Scope of the principal.

grant_strings string[]
grants object[]
raw string

Output only. The original user-supplied string.

canonical string

Output only. The canonically-formatted string.

json object

Output only. The JSON representation of the grant.

id string

Output only. The ID, if set.

type string

Output only. The type, if set.

actions string[]
authorized_actions string[]
Remove Role Grants
POST /v1/roles/{id}:remove-grants
Expand

Removes grants from a Role.

Request

Path Parameters

id string Required

Body Parameters

id string
version integer

Version is used to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_strings string[]

Response

Successful Response

id string

Output only. The ID of the Role.

scope_id string

The ID of the Scope containing this Role.

scope object

Output only. Scope information for this resource.

id string

Output only. The ID of the Scope.

type string

Output only. The type of the Scope.

name string

Output only. The name of the Scope, if any.

description string

Output only. The description of the Scope, if any.

parent_scope_id string

Output only. The ID of the parent Scope, if any. This field will be empty if this is the "global" scope.

name string

Optional name for identification purposes.

description string

Optional user-set description for identification purposes.

created_time string

Output only. The time this resource was created.

updated_time string

Output only. The time this resource was last updated.

version integer

Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_scope_id string

The Scope the grants will apply to. If the Role is at the global scope, this can be an org or project. If the Role is at an org scope, this can be a project within the org. It is invalid for this to be anything other than the Role's scope when the Role's scope is a project.

principal_ids string[]
principals object[]
id string

Output only. The ID of the principal.

type string

Output only. The type of the principal.

scope_id string

Output only. The Scope of the principal.

grant_strings string[]
grants object[]
raw string

Output only. The original user-supplied string.

canonical string

Output only. The canonically-formatted string.

json object

Output only. The JSON representation of the grant.

id string

Output only. The ID, if set.

type string

Output only. The type, if set.

actions string[]
authorized_actions string[]
Remove Role Principals
POST /v1/roles/{id}:remove-principals
Expand

Removes the specified Users and/or Groups from a Role.

Request

Path Parameters

id string Required

Body Parameters

id string
version integer

Version is used to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

principal_ids string[]

Response

Successful Response

id string

Output only. The ID of the Role.

scope_id string

The ID of the Scope containing this Role.

scope object

Output only. Scope information for this resource.

id string

Output only. The ID of the Scope.

type string

Output only. The type of the Scope.

name string

Output only. The name of the Scope, if any.

description string

Output only. The description of the Scope, if any.

parent_scope_id string

Output only. The ID of the parent Scope, if any. This field will be empty if this is the "global" scope.

name string

Optional name for identification purposes.

description string

Optional user-set description for identification purposes.

created_time string

Output only. The time this resource was created.

updated_time string

Output only. The time this resource was last updated.

version integer

Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_scope_id string

The Scope the grants will apply to. If the Role is at the global scope, this can be an org or project. If the Role is at an org scope, this can be a project within the org. It is invalid for this to be anything other than the Role's scope when the Role's scope is a project.

principal_ids string[]
principals object[]
id string

Output only. The ID of the principal.

type string

Output only. The type of the principal.

scope_id string

Output only. The Scope of the principal.

grant_strings string[]
grants object[]
raw string

Output only. The original user-supplied string.

canonical string

Output only. The canonically-formatted string.

json object

Output only. The JSON representation of the grant.

id string

Output only. The ID, if set.

type string

Output only. The type, if set.

actions string[]
authorized_actions string[]
Set Role Grants
POST /v1/roles/{id}:set-grants
Expand

Set grants for a Role, removing any grants that are not specified in the request.

Request

Path Parameters

id string Required

Body Parameters

id string
version integer

Version is used to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_strings string[]

Response

Successful Response

id string

Output only. The ID of the Role.

scope_id string

The ID of the Scope containing this Role.

scope object

Output only. Scope information for this resource.

id string

Output only. The ID of the Scope.

type string

Output only. The type of the Scope.

name string

Output only. The name of the Scope, if any.

description string

Output only. The description of the Scope, if any.

parent_scope_id string

Output only. The ID of the parent Scope, if any. This field will be empty if this is the "global" scope.

name string

Optional name for identification purposes.

description string

Optional user-set description for identification purposes.

created_time string

Output only. The time this resource was created.

updated_time string

Output only. The time this resource was last updated.

version integer

Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_scope_id string

The Scope the grants will apply to. If the Role is at the global scope, this can be an org or project. If the Role is at an org scope, this can be a project within the org. It is invalid for this to be anything other than the Role's scope when the Role's scope is a project.

principal_ids string[]
principals object[]
id string

Output only. The ID of the principal.

type string

Output only. The type of the principal.

scope_id string

Output only. The Scope of the principal.

grant_strings string[]
grants object[]
raw string

Output only. The original user-supplied string.

canonical string

Output only. The canonically-formatted string.

json object

Output only. The JSON representation of the grant.

id string

Output only. The ID, if set.

type string

Output only. The type, if set.

actions string[]
authorized_actions string[]
Set Role Principals
POST /v1/roles/{id}:set-principals
Expand

Set Users and/or Groups to a Role, removing any principals that are not specified in the request.

Request

Path Parameters

id string Required

Body Parameters

id string
version integer

Version is used to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

principal_ids string[]

Response

Successful Response

id string

Output only. The ID of the Role.

scope_id string

The ID of the Scope containing this Role.

scope object

Output only. Scope information for this resource.

id string

Output only. The ID of the Scope.

type string

Output only. The type of the Scope.

name string

Output only. The name of the Scope, if any.

description string

Output only. The description of the Scope, if any.

parent_scope_id string

Output only. The ID of the parent Scope, if any. This field will be empty if this is the "global" scope.

name string

Optional name for identification purposes.

description string

Optional user-set description for identification purposes.

created_time string

Output only. The time this resource was created.

updated_time string

Output only. The time this resource was last updated.

version integer

Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.

grant_scope_id string

The Scope the grants will apply to. If the Role is at the global scope, this can be an org or project. If the Role is at an org scope, this can be a project within the org. It is invalid for this to be anything other than the Role's scope when the Role's scope is a project.

principal_ids string[]
principals object[]
id string

Output only. The ID of the principal.

type string

Output only. The type of the principal.

scope_id string

Output only. The Scope of the principal.

grant_strings string[]
grants object[]
raw string

Output only. The original user-supplied string.

canonical string

Output only. The canonically-formatted string.

json object

Output only. The JSON representation of the grant.

id string

Output only. The ID, if set.

type string

Output only. The type, if set.

actions string[]
authorized_actions string[]