feat: Add new GetIamPolicy, SetIamPolicy, and TestIamPermissions RPCs

Google APIs · copybara-github · commit 712043cb82fa · 2025-09-08T13:17:37.000-07:00
PiperOrigin-RevId: 804559167
diff --git a/google/storage/control/v2/BUILD.bazel b/google/storage/control/v2/BUILD.bazel
@@ -26,6 +26,8 @@ proto_library(
         "//google/api:field_info_proto",
         "//google/api:resource_proto",
         "//google/api:routing_proto",
+        "//google/iam/v1:iam_policy_proto",
+        "//google/iam/v1:policy_proto",
         "//google/longrunning:operations_proto",
         "@com_google_protobuf//:duration_proto",
         "@com_google_protobuf//:empty_proto",
@@ -38,6 +40,7 @@ proto_library_with_info(
     deps = [
         ":control_proto",
         "//google/cloud:common_resources_proto",
+        "//google/iam/v1:iam_policy_proto",
     ],
 )
 ##############################################################################
@@ -69,11 +72,13 @@ java_gapic_library(
     service_yaml = "storage_v2.yaml",
     test_deps = [
         ":control_java_grpc",
+        "//google/iam/v1:iam_java_grpc",
     ],
     transport = "grpc+rest",
     deps = [
         ":control_java_proto",
         "//google/api:api_java_proto",
+        "//google/iam/v1:iam_java_proto",
     ],
 )
 java_gapic_test(
@@ -111,6 +116,7 @@ go_proto_library(
     protos = [":control_proto"],
     deps = [
         "//google/api:annotations_go_proto",
+        "//google/iam/v1:iam_go_proto",
         "//google/longrunning:longrunning_go_proto",
     ],
 )
@@ -126,6 +132,7 @@ go_gapic_library(
     transport = "grpc+rest",
     deps = [
         ":control_go_proto",
+        "//google/iam/v1:iam_go_proto",
         "//google/longrunning:longrunning_go_proto",
         "@com_google_cloud_go_longrunning//:go_default_library",
         "@com_google_cloud_go_longrunning//autogen:go_default_library",
@@ -159,6 +166,7 @@ py_gapic_library(
     service_yaml = "storage_v2.yaml",
     transport = "grpc+rest",
     deps = [
+        "//google/iam/v1:iam_policy_py_proto",
     ],
     opt_args = [
         "python-gapic-namespace=google.cloud",
diff --git a/google/storage/control/v2/storage_control.proto b/google/storage/control/v2/storage_control.proto
@@ -22,6 +22,8 @@ import "google/api/field_behavior.proto";
 import "google/api/field_info.proto";
 import "google/api/resource.proto";
 import "google/api/routing.proto";
+import "google/iam/v1/iam_policy.proto";
+import "google/iam/v1/policy.proto";
 import "google/longrunning/operations.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/empty.proto";
@@ -306,6 +308,63 @@ service StorageControl {
     };
     option (google.api.method_signature) = "intelligence_config,update_mask";
   }
+
+  // Gets the IAM policy for a specified bucket.
+  // The `resource` field in the request should be
+  // `projects/_/buckets/{bucket}` for a bucket, or
+  // `projects/_/buckets/{bucket}/managedFolders/{managedFolder}`
+  // for a managed folder.
+  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest)
+      returns (google.iam.v1.Policy) {
+    option (google.api.routing) = {
+      routing_parameters { field: "resource" path_template: "{bucket=**}" }
+      routing_parameters {
+        field: "resource"
+        path_template: "{bucket=projects/*/buckets/*}/**"
+      }
+    };
+    option (google.api.method_signature) = "resource";
+  }
+
+  // Updates an IAM policy for the specified bucket.
+  // The `resource` field in the request should be
+  // `projects/_/buckets/{bucket}` for a bucket, or
+  // `projects/_/buckets/{bucket}/managedFolders/{managedFolder}`
+  // for a managed folder.
+  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest)
+      returns (google.iam.v1.Policy) {
+    option (google.api.routing) = {
+      routing_parameters { field: "resource" path_template: "{bucket=**}" }
+      routing_parameters {
+        field: "resource"
+        path_template: "{bucket=projects/*/buckets/*}/**"
+      }
+    };
+    option (google.api.method_signature) = "resource,policy";
+  }
+
+  // Tests a set of permissions on the given bucket, object, or managed folder
+  // to see which, if any, are held by the caller.
+  // The `resource` field in the request should be
+  // `projects/_/buckets/{bucket}` for a bucket,
+  // `projects/_/buckets/{bucket}/objects/{object}` for an object, or
+  // `projects/_/buckets/{bucket}/managedFolders/{managedFolder}`
+  // for a managed folder.
+  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest)
+      returns (google.iam.v1.TestIamPermissionsResponse) {
+    option (google.api.routing) = {
+      routing_parameters { field: "resource" path_template: "{bucket=**}" }
+      routing_parameters {
+        field: "resource"
+        path_template: "{bucket=projects/*/buckets/*}/objects/**"
+      }
+      routing_parameters {
+        field: "resource"
+        path_template: "{bucket=projects/*/buckets/*}/managedFolders/**"
+      }
+    };
+    option (google.api.method_signature) = "resource,permissions";
+  }
 }
 
 // Contains information about a pending rename operation.
