vendor: Update vendoring for the exec client and server implementations

Signed-off-by: Jacek J. Łakis <jacek.lakis@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>

vendor/cloud.google.com/go/iam/admin/apiv1/doc.go

@@ -0,0 +1,35 @@
+// Copyright 2017, Google Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// AUTO-GENERATED CODE. DO NOT EDIT.
+
+// Package admin is an experimental, auto-generated package for the
+// admin API.
+//
+// Manages identity and access control for Google Cloud Platform resources,
+// including the creation of service accounts, which you can use to
+// authenticate to Google and make API calls.
+package admin // import "cloud.google.com/go/iam/admin/apiv1"
+
+import (
+	"golang.org/x/net/context"
+	"google.golang.org/grpc/metadata"
+)
+
+func insertXGoog(ctx context.Context, val string) context.Context {
+	md, _ := metadata.FromContext(ctx)
+	md = md.Copy()
+	md["x-goog-api-client"] = []string{val}
+	return metadata.NewContext(ctx, md)
+}

vendor/cloud.google.com/go/iam/admin/apiv1/iam_client.go

@@ -0,0 +1,490 @@
+// Copyright 2017, Google Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// AUTO-GENERATED CODE. DO NOT EDIT.
+
+package admin
+
+import (
+	"math"
+	"time"
+
+	"cloud.google.com/go/internal/version"
+	gax "github.com/googleapis/gax-go"
+	"golang.org/x/net/context"
+	"google.golang.org/api/iterator"
+	"google.golang.org/api/option"
+	"google.golang.org/api/transport"
+	adminpb "google.golang.org/genproto/googleapis/iam/admin/v1"
+	iampb "google.golang.org/genproto/googleapis/iam/v1"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+)
+
+var (
+	iamProjectPathTemplate        = gax.MustCompilePathTemplate("projects/{project}")
+	iamServiceAccountPathTemplate = gax.MustCompilePathTemplate("projects/{project}/serviceAccounts/{service_account}")
+	iamKeyPathTemplate            = gax.MustCompilePathTemplate("projects/{project}/serviceAccounts/{service_account}/keys/{key}")
+)
+
+// IamCallOptions contains the retry settings for each method of IamClient.
+type IamCallOptions struct {
+	ListServiceAccounts     []gax.CallOption
+	GetServiceAccount       []gax.CallOption
+	CreateServiceAccount    []gax.CallOption
+	UpdateServiceAccount    []gax.CallOption
+	DeleteServiceAccount    []gax.CallOption
+	ListServiceAccountKeys  []gax.CallOption
+	GetServiceAccountKey    []gax.CallOption
+	CreateServiceAccountKey []gax.CallOption
+	DeleteServiceAccountKey []gax.CallOption
+	SignBlob                []gax.CallOption
+	GetIamPolicy            []gax.CallOption
+	SetIamPolicy            []gax.CallOption
+	TestIamPermissions      []gax.CallOption
+	QueryGrantableRoles     []gax.CallOption
+}
+
+func defaultIamClientOptions() []option.ClientOption {
+	return []option.ClientOption{
+		option.WithEndpoint("iam.googleapis.com:443"),
+		option.WithScopes(
+			"https://www.googleapis.com/auth/cloud-platform",
+			"https://www.googleapis.com/auth/iam",
+		),
+	}
+}
+
+func defaultIamCallOptions() *IamCallOptions {
+	retry := map[[2]string][]gax.CallOption{
+		{"default", "idempotent"}: {
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.DeadlineExceeded,
+					codes.Unavailable,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.3,
+				})
+			}),
+		},
+		{"default", "non_idempotent"}: {
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unavailable,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.3,
+				})
+			}),
+		},
+	}
+	return &IamCallOptions{
+		ListServiceAccounts:     retry[[2]string{"default", "idempotent"}],
+		GetServiceAccount:       retry[[2]string{"default", "idempotent"}],
+		CreateServiceAccount:    retry[[2]string{"default", "non_idempotent"}],
+		UpdateServiceAccount:    retry[[2]string{"default", "idempotent"}],
+		DeleteServiceAccount:    retry[[2]string{"default", "idempotent"}],
+		ListServiceAccountKeys:  retry[[2]string{"default", "idempotent"}],
+		GetServiceAccountKey:    retry[[2]string{"default", "idempotent"}],
+		CreateServiceAccountKey: retry[[2]string{"default", "non_idempotent"}],
+		DeleteServiceAccountKey: retry[[2]string{"default", "idempotent"}],
+		SignBlob:                retry[[2]string{"default", "non_idempotent"}],
+		GetIamPolicy:            retry[[2]string{"default", "non_idempotent"}],
+		SetIamPolicy:            retry[[2]string{"default", "non_idempotent"}],
+		TestIamPermissions:      retry[[2]string{"default", "non_idempotent"}],
+		QueryGrantableRoles:     retry[[2]string{"default", "non_idempotent"}],
+	}
+}
+
+// IamClient is a client for interacting with Google Identity and Access Management (IAM) API.
+type IamClient struct {
+	// The connection to the service.
+	conn *grpc.ClientConn
+
+	// The gRPC API client.
+	iamClient adminpb.IAMClient
+
+	// The call options for this service.
+	CallOptions *IamCallOptions
+
+	// The metadata to be sent with each request.
+	xGoogHeader string
+}
+
+// NewIamClient creates a new iam client.
+//
+// Creates and manages service account objects.
+//
+// Service account is an account that belongs to your project instead
+// of to an individual end user. It is used to authenticate calls
+// to a Google API.
+//
+// To create a service account, specify the `project_id` and `account_id`
+// for the account.  The `account_id` is unique within the project, and used
+// to generate the service account email address and a stable
+// `unique_id`.
+//
+// All other methods can identify accounts using the format
+// `projects/{project}/serviceAccounts/{account}`.
+// Using `-` as a wildcard for the project will infer the project from
+// the account. The `account` value can be the `email` address or the
+// `unique_id` of the service account.
+func NewIamClient(ctx context.Context, opts ...option.ClientOption) (*IamClient, error) {
+	conn, err := transport.DialGRPC(ctx, append(defaultIamClientOptions(), opts...)...)
+	if err != nil {
+		return nil, err
+	}
+	c := &IamClient{
+		conn:        conn,
+		CallOptions: defaultIamCallOptions(),
+
+		iamClient: adminpb.NewIAMClient(conn),
+	}
+	c.SetGoogleClientInfo()
+	return c, nil
+}
+
+// Connection returns the client's connection to the API service.
+func (c *IamClient) Connection() *grpc.ClientConn {
+	return c.conn
+}
+
+// Close closes the connection to the API service. The user should invoke this when
+// the client is no longer required.
+func (c *IamClient) Close() error {
+	return c.conn.Close()
+}
+
+// SetGoogleClientInfo sets the name and version of the application in
+// the `x-goog-api-client` header passed on each request. Intended for
+// use by Google-written clients.
+func (c *IamClient) SetGoogleClientInfo(keyval ...string) {
+	kv := append([]string{"gl-go", version.Go()}, keyval...)
+	kv = append(kv, "gapic", version.Repo, "gax", gax.Version, "grpc", "")
+	c.xGoogHeader = gax.XGoogHeader(kv...)
+}
+
+// IamProjectPath returns the path for the project resource.
+func IamProjectPath(project string) string {
+	path, err := iamProjectPathTemplate.Render(map[string]string{
+		"project": project,
+	})
+	if err != nil {
+		panic(err)
+	}
+	return path
+}
+
+// IamServiceAccountPath returns the path for the service account resource.
+func IamServiceAccountPath(project, serviceAccount string) string {
+	path, err := iamServiceAccountPathTemplate.Render(map[string]string{
+		"project":         project,
+		"service_account": serviceAccount,
+	})
+	if err != nil {
+		panic(err)
+	}
+	return path
+}
+
+// IamKeyPath returns the path for the key resource.
+func IamKeyPath(project, serviceAccount, key string) string {
+	path, err := iamKeyPathTemplate.Render(map[string]string{
+		"project":         project,
+		"service_account": serviceAccount,
+		"key":             key,
+	})
+	if err != nil {
+		panic(err)
+	}
+	return path
+}
+
+// ListServiceAccounts lists [ServiceAccounts][google.iam.admin.v1.ServiceAccount] for a project.
+func (c *IamClient) ListServiceAccounts(ctx context.Context, req *adminpb.ListServiceAccountsRequest) *ServiceAccountIterator {
+	ctx = insertXGoog(ctx, c.xGoogHeader)
+	it := &ServiceAccountIterator{}
+	it.InternalFetch = func(pageSize int, pageToken string) ([]*adminpb.ServiceAccount, string, error) {
+		var resp *adminpb.ListServiceAccountsResponse
+		req.PageToken = pageToken
+		if pageSize > math.MaxInt32 {
+			req.PageSize = math.MaxInt32
+		} else {
+			req.PageSize = int32(pageSize)
+		}
+		err := gax.Invoke(ctx, func(ctx context.Context) error {
+			var err error
+			resp, err = c.iamClient.ListServiceAccounts(ctx, req)
+			return err
+		}, c.CallOptions.ListServiceAccounts...)
+		if err != nil {
+			return nil, "", err
+		}
+		return resp.Accounts, resp.NextPageToken, nil
+	}
+	fetch := func(pageSize int, pageToken string) (string, error) {
+		items, nextPageToken, err := it.InternalFetch(pageSize, pageToken)
+		if err != nil {
+			return "", err
+		}
+		it.items = append(it.items, items...)
+		return nextPageToken, nil
+	}
+	it.pageInfo, it.nextFunc = iterator.NewPageInfo(fetch, it.bufLen, it.takeBuf)
+	return it
+}
+
+// GetServiceAccount gets a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+func (c *IamClient) GetServiceAccount(ctx context.Context, req *adminpb.GetServiceAccountRequest) (*adminpb.ServiceAccount, error) {
+	ctx = insertXGoog(ctx, c.xGoogHeader)
+	var resp *adminpb.ServiceAccount
+	err := gax.Invoke(ctx, func(ctx context.Context) error {
+		var err error
+		resp, err = c.iamClient.GetServiceAccount(ctx, req)
+		return err
+	}, c.CallOptions.GetServiceAccount...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// CreateServiceAccount creates a [ServiceAccount][google.iam.admin.v1.ServiceAccount]
+// and returns it.
+func (c *IamClient) CreateServiceAccount(ctx context.Context, req *adminpb.CreateServiceAccountRequest) (*adminpb.ServiceAccount, error) {
+	ctx = insertXGoog(ctx, c.xGoogHeader)
+	var resp *adminpb.ServiceAccount
+	err := gax.Invoke(ctx, func(ctx context.Context) error {
+		var err error
+		resp, err = c.iamClient.CreateServiceAccount(ctx, req)
+		return err
+	}, c.CallOptions.CreateServiceAccount...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// UpdateServiceAccount updates a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+//
+// Currently, only the following fields are updatable:
+// `display_name` .
+// The `etag` is mandatory.
+func (c *IamClient) UpdateServiceAccount(ctx context.Context, req *adminpb.ServiceAccount) (*adminpb.ServiceAccount, error) {
+	ctx = insertXGoog(ctx, c.xGoogHeader)
+	var resp *adminpb.ServiceAccount
+	err := gax.Invoke(ctx, func(ctx context.Context) error {
+		var err error
+		resp, err = c.iamClient.UpdateServiceAccount(ctx, req)
+		return err
+	}, c.CallOptions.UpdateServiceAccount...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// DeleteServiceAccount deletes a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+func (c *IamClient) DeleteServiceAccount(ctx context.Context, req *adminpb.DeleteServiceAccountRequest) error {
+	ctx = insertXGoog(ctx, c.xGoogHeader)
+	err := gax.Invoke(ctx, func(ctx context.Context) error {
+		var err error
+		_, err = c.iamClient.DeleteServiceAccount(ctx, req)
+		return err
+	}, c.CallOptions.DeleteServiceAccount...)
+	return err
+}
+
+// ListServiceAccountKeys lists [ServiceAccountKeys][google.iam.admin.v1.ServiceAccountKey].
+func (c *IamClient) ListServiceAccountKeys(ctx context.Context, req *adminpb.ListServiceAccountKeysRequest) (*adminpb.ListServiceAccountKeysResponse, error) {
+	ctx = insertXGoog(ctx, c.xGoogHeader)
+	var resp *adminpb.ListServiceAccountKeysResponse
+	err := gax.Invoke(ctx, func(ctx context.Context) error {
+		var err error
+		resp, err = c.iamClient.ListServiceAccountKeys(ctx, req)
+		return err
+	}, c.CallOptions.ListServiceAccountKeys...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// GetServiceAccountKey gets the [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
+// by key id.
+func (c *IamClient) GetServiceAccountKey(ctx context.Context, req *adminpb.GetServiceAccountKeyRequest) (*adminpb.ServiceAccountKey, error) {
+	ctx = insertXGoog(ctx, c.xGoogHeader)
+	var resp *adminpb.ServiceAccountKey
+	err := gax.Invoke(ctx, func(ctx context.Context) error {
+		var err error
+		resp, err = c.iamClient.GetServiceAccountKey(ctx, req)
+		return err
+	}, c.CallOptions.GetServiceAccountKey...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// CreateServiceAccountKey creates a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey]
+// and returns it.
+func (c *IamClient) CreateServiceAccountKey(ctx context.Context, req *adminpb.CreateServiceAccountKeyRequest) (*adminpb.ServiceAccountKey, error) {
+	ctx = insertXGoog(ctx, c.xGoogHeader)
+	var resp *adminpb.ServiceAccountKey
+	err := gax.Invoke(ctx, func(ctx context.Context) error {
+		var err error
+		resp, err = c.iamClient.CreateServiceAccountKey(ctx, req)
+		return err
+	}, c.CallOptions.CreateServiceAccountKey...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// DeleteServiceAccountKey deletes a [ServiceAccountKey][google.iam.admin.v1.ServiceAccountKey].
+func (c *IamClient) DeleteServiceAccountKey(ctx context.Context, req *adminpb.DeleteServiceAccountKeyRequest) error {
+	ctx = insertXGoog(ctx, c.xGoogHeader)
+	err := gax.Invoke(ctx, func(ctx context.Context) error {
+		var err error
+		_, err = c.iamClient.DeleteServiceAccountKey(ctx, req)
+		return err
+	}, c.CallOptions.DeleteServiceAccountKey...)
+	return err
+}
+
+// SignBlob signs a blob using a service account's system-managed private key.
+func (c *IamClient) SignBlob(ctx context.Context, req *adminpb.SignBlobRequest) (*adminpb.SignBlobResponse, error) {
+	ctx = insertXGoog(ctx, c.xGoogHeader)
+	var resp *adminpb.SignBlobResponse
+	err := gax.Invoke(ctx, func(ctx context.Context) error {
+		var err error
+		resp, err = c.iamClient.SignBlob(ctx, req)
+		return err
+	}, c.CallOptions.SignBlob...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// getIamPolicy returns the IAM access control policy for a
+// [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+func (c *IamClient) getIamPolicy(ctx context.Context, req *iampb.GetIamPolicyRequest) (*iampb.Policy, error) {
+	ctx = insertXGoog(ctx, c.xGoogHeader)
+	var resp *iampb.Policy
+	err := gax.Invoke(ctx, func(ctx context.Context) error {
+		var err error
+		resp, err = c.iamClient.GetIamPolicy(ctx, req)
+		return err
+	}, c.CallOptions.GetIamPolicy...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// setIamPolicy sets the IAM access control policy for a
+// [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+func (c *IamClient) setIamPolicy(ctx context.Context, req *iampb.SetIamPolicyRequest) (*iampb.Policy, error) {
+	ctx = insertXGoog(ctx, c.xGoogHeader)
+	var resp *iampb.Policy
+	err := gax.Invoke(ctx, func(ctx context.Context) error {
+		var err error
+		resp, err = c.iamClient.SetIamPolicy(ctx, req)
+		return err
+	}, c.CallOptions.SetIamPolicy...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// TestIamPermissions tests the specified permissions against the IAM access control policy
+// for a [ServiceAccount][google.iam.admin.v1.ServiceAccount].
+func (c *IamClient) TestIamPermissions(ctx context.Context, req *iampb.TestIamPermissionsRequest) (*iampb.TestIamPermissionsResponse, error) {
+	ctx = insertXGoog(ctx, c.xGoogHeader)
+	var resp *iampb.TestIamPermissionsResponse
+	err := gax.Invoke(ctx, func(ctx context.Context) error {
+		var err error
+		resp, err = c.iamClient.TestIamPermissions(ctx, req)
+		return err
+	}, c.CallOptions.TestIamPermissions...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// QueryGrantableRoles queries roles that can be granted on a particular resource.
+// A role is grantable if it can be used as the role in a binding for a policy
+// for that resource.
+func (c *IamClient) QueryGrantableRoles(ctx context.Context, req *adminpb.QueryGrantableRolesRequest) (*adminpb.QueryGrantableRolesResponse, error) {
+	ctx = insertXGoog(ctx, c.xGoogHeader)
+	var resp *adminpb.QueryGrantableRolesResponse
+	err := gax.Invoke(ctx, func(ctx context.Context) error {
+		var err error
+		resp, err = c.iamClient.QueryGrantableRoles(ctx, req)
+		return err
+	}, c.CallOptions.QueryGrantableRoles...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// ServiceAccountIterator manages a stream of *adminpb.ServiceAccount.
+type ServiceAccountIterator struct {
+	items    []*adminpb.ServiceAccount
+	pageInfo *iterator.PageInfo
+	nextFunc func() error
+
+	// InternalFetch is for use by the Google Cloud Libraries only.
+	// It is not part of the stable interface of this package.
+	//
+	// InternalFetch returns results from a single call to the underlying RPC.
+	// The number of results is no greater than pageSize.
+	// If there are no more results, nextPageToken is empty and err is nil.
+	InternalFetch func(pageSize int, pageToken string) (results []*adminpb.ServiceAccount, nextPageToken string, err error)
+}
+
+// PageInfo supports pagination. See the google.golang.org/api/iterator package for details.
+func (it *ServiceAccountIterator) PageInfo() *iterator.PageInfo {
+	return it.pageInfo
+}
+
+// Next returns the next result. Its second return value is iterator.Done if there are no more
+// results. Once Next returns Done, all subsequent calls will return Done.
+func (it *ServiceAccountIterator) Next() (*adminpb.ServiceAccount, error) {
+	var item *adminpb.ServiceAccount
+	if err := it.nextFunc(); err != nil {
+		return item, err
+	}
+	item = it.items[0]
+	it.items = it.items[1:]
+	return item, nil
+}
+
+func (it *ServiceAccountIterator) bufLen() int {
+	return len(it.items)
+}
+
+func (it *ServiceAccountIterator) takeBuf() interface{} {
+	b := it.items
+	it.items = nil
+	return b
+}

vendor/cloud.google.com/go/iam/admin/apiv1/iam_client_example_test.go

@@ -0,0 +1,250 @@
+// Copyright 2017, Google Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// AUTO-GENERATED CODE. DO NOT EDIT.
+
+package admin_test
+
+import (
+	"cloud.google.com/go/iam/admin/apiv1"
+	"golang.org/x/net/context"
+	adminpb "google.golang.org/genproto/googleapis/iam/admin/v1"
+	iampb "google.golang.org/genproto/googleapis/iam/v1"
+)
+
+func ExampleNewIamClient() {
+	ctx := context.Background()
+	c, err := admin.NewIamClient(ctx)
+	if err != nil {
+		// TODO: Handle error.
+	}
+	// TODO: Use client.
+	_ = c
+}
+
+func ExampleIamClient_ListServiceAccounts() {
+	ctx := context.Background()
+	c, err := admin.NewIamClient(ctx)
+	if err != nil {
+		// TODO: Handle error.
+	}
+
+	req := &adminpb.ListServiceAccountsRequest{
+	// TODO: Fill request struct fields.
+	}
+	it := c.ListServiceAccounts(ctx, req)
+	for {
+		resp, err := it.Next()
+		if err != nil {
+			// TODO: Handle error.
+			break
+		}
+		// TODO: Use resp.
+		_ = resp
+	}
+}
+
+func ExampleIamClient_GetServiceAccount() {
+	ctx := context.Background()
+	c, err := admin.NewIamClient(ctx)
+	if err != nil {
+		// TODO: Handle error.
+	}
+
+	req := &adminpb.GetServiceAccountRequest{
+	// TODO: Fill request struct fields.
+	}
+	resp, err := c.GetServiceAccount(ctx, req)
+	if err != nil {
+		// TODO: Handle error.
+	}
+	// TODO: Use resp.
+	_ = resp
+}
+
+func ExampleIamClient_CreateServiceAccount() {
+	ctx := context.Background()
+	c, err := admin.NewIamClient(ctx)
+	if err != nil {
+		// TODO: Handle error.
+	}
+
+	req := &adminpb.CreateServiceAccountRequest{
+	// TODO: Fill request struct fields.
+	}
+	resp, err := c.CreateServiceAccount(ctx, req)
+	if err != nil {
+		// TODO: Handle error.
+	}
+	// TODO: Use resp.
+	_ = resp
+}
+
+func ExampleIamClient_UpdateServiceAccount() {
+	ctx := context.Background()
+	c, err := admin.NewIamClient(ctx)
+	if err != nil {
+		// TODO: Handle error.
+	}
+
+	req := &adminpb.ServiceAccount{
+	// TODO: Fill request struct fields.
+	}
+	resp, err := c.UpdateServiceAccount(ctx, req)
+	if err != nil {
+		// TODO: Handle error.
+	}
+	// TODO: Use resp.
+	_ = resp
+}
+
+func ExampleIamClient_DeleteServiceAccount() {
+	ctx := context.Background()
+	c, err := admin.NewIamClient(ctx)
+	if err != nil {
+		// TODO: Handle error.
+	}
+
+	req := &adminpb.DeleteServiceAccountRequest{
+	// TODO: Fill request struct fields.
+	}
+	err = c.DeleteServiceAccount(ctx, req)
+	if err != nil {
+		// TODO: Handle error.
+	}
+}
+
+func ExampleIamClient_ListServiceAccountKeys() {
+	ctx := context.Background()
+	c, err := admin.NewIamClient(ctx)
+	if err != nil {
+		// TODO: Handle error.
+	}
+
+	req := &adminpb.ListServiceAccountKeysRequest{
+	// TODO: Fill request struct fields.
+	}
+	resp, err := c.ListServiceAccountKeys(ctx, req)
+	if err != nil {
+		// TODO: Handle error.
+	}
+	// TODO: Use resp.
+	_ = resp
+}
+
+func ExampleIamClient_GetServiceAccountKey() {
+	ctx := context.Background()
+	c, err := admin.NewIamClient(ctx)
+	if err != nil {
+		// TODO: Handle error.
+	}
+
+	req := &adminpb.GetServiceAccountKeyRequest{
+	// TODO: Fill request struct fields.
+	}
+	resp, err := c.GetServiceAccountKey(ctx, req)
+	if err != nil {
+		// TODO: Handle error.
+	}
+	// TODO: Use resp.
+	_ = resp
+}
+
+func ExampleIamClient_CreateServiceAccountKey() {
+	ctx := context.Background()
+	c, err := admin.NewIamClient(ctx)
+	if err != nil {
+		// TODO: Handle error.
+	}
+
+	req := &adminpb.CreateServiceAccountKeyRequest{
+	// TODO: Fill request struct fields.
+	}
+	resp, err := c.CreateServiceAccountKey(ctx, req)
+	if err != nil {
+		// TODO: Handle error.
+	}
+	// TODO: Use resp.
+	_ = resp
+}
+
+func ExampleIamClient_DeleteServiceAccountKey() {
+	ctx := context.Background()
+	c, err := admin.NewIamClient(ctx)
+	if err != nil {
+		// TODO: Handle error.
+	}
+
+	req := &adminpb.DeleteServiceAccountKeyRequest{
+	// TODO: Fill request struct fields.
+	}
+	err = c.DeleteServiceAccountKey(ctx, req)
+	if err != nil {
+		// TODO: Handle error.
+	}
+}
+
+func ExampleIamClient_SignBlob() {
+	ctx := context.Background()
+	c, err := admin.NewIamClient(ctx)
+	if err != nil {
+		// TODO: Handle error.
+	}
+
+	req := &adminpb.SignBlobRequest{
+	// TODO: Fill request struct fields.
+	}
+	resp, err := c.SignBlob(ctx, req)
+	if err != nil {
+		// TODO: Handle error.
+	}
+	// TODO: Use resp.
+	_ = resp
+}
+
+func ExampleIamClient_TestIamPermissions() {
+	ctx := context.Background()
+	c, err := admin.NewIamClient(ctx)
+	if err != nil {
+		// TODO: Handle error.
+	}
+
+	req := &iampb.TestIamPermissionsRequest{
+	// TODO: Fill request struct fields.
+	}
+	resp, err := c.TestIamPermissions(ctx, req)
+	if err != nil {
+		// TODO: Handle error.
+	}
+	// TODO: Use resp.
+	_ = resp
+}
+
+func ExampleIamClient_QueryGrantableRoles() {
+	ctx := context.Background()
+	c, err := admin.NewIamClient(ctx)
+	if err != nil {
+		// TODO: Handle error.
+	}
+
+	req := &adminpb.QueryGrantableRolesRequest{
+	// TODO: Fill request struct fields.
+	}
+	resp, err := c.QueryGrantableRoles(ctx, req)
+	if err != nil {
+		// TODO: Handle error.
+	}
+	// TODO: Use resp.
+	_ = resp
+}

vendor/cloud.google.com/go/iam/admin/apiv1/policy_methods.go

@@ -0,0 +1,52 @@
+// Copyright 2016 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This is handwritten code. These methods are implemented by hand so they can use
+// the iam.Policy type.
+
+package admin
+
+import (
+	"cloud.google.com/go/iam"
+	"golang.org/x/net/context"
+	iampb "google.golang.org/genproto/googleapis/iam/v1"
+)
+
+// GetIamPolicy returns the IAM access control policy for a ServiceAccount.
+func (c *IamClient) GetIamPolicy(ctx context.Context, req *iampb.GetIamPolicyRequest) (*iam.Policy, error) {
+	policy, err := c.getIamPolicy(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	return &iam.Policy{InternalProto: policy}, nil
+}
+
+// SetIamPolicyRequest is the request type for the SetIamPolicy method.
+type SetIamPolicyRequest struct {
+	Resource string
+	Policy   *iam.Policy
+}
+
+// SetIamPolicy sets the IAM access control policy for a ServiceAccount.
+func (c *IamClient) SetIamPolicy(ctx context.Context, req *SetIamPolicyRequest) (*iam.Policy, error) {
+	preq := &iampb.SetIamPolicyRequest{
+		Resource: req.Resource,
+		Policy:   req.Policy.InternalProto,
+	}
+	policy, err := c.setIamPolicy(ctx, preq)
+	if err != nil {
+		return nil, err
+	}
+	return &iam.Policy{InternalProto: policy}, nil
+}

vendor/cloud.google.com/go/iam/iam.go

@@ -0,0 +1,199 @@
+// Copyright 2016 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package iam supports the resource-specific operations of Google Cloud
+// IAM (Identity and Access Management) for the Google Cloud Libraries.
+// See https://cloud.google.com/iam for more about IAM.
+//
+// Users of the Google Cloud Libraries will typically not use this package
+// directly. Instead they will begin with some resource that supports IAM, like
+// a pubsub topic, and call its IAM method to get a Handle for that resource.
+package iam
+
+import (
+	"golang.org/x/net/context"
+	pb "google.golang.org/genproto/googleapis/iam/v1"
+	"google.golang.org/grpc"
+)
+
+// A Handle provides IAM operations for a resource.
+type Handle struct {
+	c        pb.IAMPolicyClient
+	resource string
+}
+
+// InternalNewHandle is for use by the Google Cloud Libraries only.
+//
+// InternalNewHandle returns a Handle for resource.
+// The conn parameter refers to a server that must support the IAMPolicy service.
+func InternalNewHandle(conn *grpc.ClientConn, resource string) *Handle {
+	return &Handle{
+		c:        pb.NewIAMPolicyClient(conn),
+		resource: resource,
+	}
+}
+
+// Policy retrieves the IAM policy for the resource.
+func (h *Handle) Policy(ctx context.Context) (*Policy, error) {
+	proto, err := h.c.GetIamPolicy(ctx, &pb.GetIamPolicyRequest{Resource: h.resource})
+	if err != nil {
+		return nil, err
+	}
+	return &Policy{InternalProto: proto}, nil
+}
+
+// SetPolicy replaces the resource's current policy with the supplied Policy.
+//
+// If policy was created from a prior call to Get, then the modification will
+// only succeed if the policy has not changed since the Get.
+func (h *Handle) SetPolicy(ctx context.Context, policy *Policy) error {
+	_, err := h.c.SetIamPolicy(ctx, &pb.SetIamPolicyRequest{
+		Resource: h.resource,
+		Policy:   policy.InternalProto,
+	})
+	return err
+}
+
+// TestPermissions returns the subset of permissions that the caller has on the resource.
+func (h *Handle) TestPermissions(ctx context.Context, permissions []string) ([]string, error) {
+	res, err := h.c.TestIamPermissions(ctx, &pb.TestIamPermissionsRequest{
+		Resource:    h.resource,
+		Permissions: permissions,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return res.Permissions, nil
+}
+
+// A RoleName is a name representing a collection of permissions.
+type RoleName string
+
+// Common role names.
+const (
+	Owner  RoleName = "roles/owner"
+	Editor RoleName = "roles/editor"
+	Viewer RoleName = "roles/viewer"
+)
+
+const (
+	// AllUsers is a special member that denotes all users, even unauthenticated ones.
+	AllUsers = "allUsers"
+
+	// AllAuthenticatedUsers is a special member that denotes all authenticated users.
+	AllAuthenticatedUsers = "allAuthenticatedUsers"
+)
+
+// A Policy is a list of Bindings representing roles
+// granted to members.
+//
+// The zero Policy is a valid policy with no bindings.
+type Policy struct {
+	// TODO(jba): when type aliases are available, put Policy into an internal package
+	// and provide an exported alias here.
+
+	// This field is exported for use by the Google Cloud Libraries only.
+	// It may become unexported in a future release.
+	InternalProto *pb.Policy
+}
+
+// Members returns the list of members with the supplied role.
+// The return value should not be modified. Use Add and Remove
+// to modify the members of a role.
+func (p *Policy) Members(r RoleName) []string {
+	b := p.binding(r)
+	if b == nil {
+		return nil
+	}
+	return b.Members
+}
+
+// HasRole reports whether member has role r.
+func (p *Policy) HasRole(member string, r RoleName) bool {
+	return memberIndex(member, p.binding(r)) >= 0
+}
+
+// Add adds member member to role r if it is not already present.
+// A new binding is created if there is no binding for the role.
+func (p *Policy) Add(member string, r RoleName) {
+	b := p.binding(r)
+	if b == nil {
+		if p.InternalProto == nil {
+			p.InternalProto = &pb.Policy{}
+		}
+		p.InternalProto.Bindings = append(p.InternalProto.Bindings, &pb.Binding{
+			Role:    string(r),
+			Members: []string{member},
+		})
+		return
+	}
+	if memberIndex(member, b) < 0 {
+		b.Members = append(b.Members, member)
+		return
+	}
+}
+
+// Remove removes member from role r if it is present.
+func (p *Policy) Remove(member string, r RoleName) {
+	b := p.binding(r)
+	i := memberIndex(member, b)
+	if i < 0 {
+		return
+	}
+	// Order doesn't matter, so move the last member into the
+	// removed spot and shrink the slice.
+	// TODO(jba): worry about multiple copies of m?
+	last := len(b.Members) - 1
+	b.Members[i] = b.Members[last]
+	b.Members[last] = ""
+	b.Members = b.Members[:last]
+}
+
+// Roles returns the names of all the roles that appear in the Policy.
+func (p *Policy) Roles() []RoleName {
+	if p.InternalProto == nil {
+		return nil
+	}
+	var rns []RoleName
+	for _, b := range p.InternalProto.Bindings {
+		rns = append(rns, RoleName(b.Role))
+	}
+	return rns
+}
+
+// binding returns the Binding for the suppied role, or nil if there isn't one.
+func (p *Policy) binding(r RoleName) *pb.Binding {
+	if p.InternalProto == nil {
+		return nil
+	}
+	for _, b := range p.InternalProto.Bindings {
+		if b.Role == string(r) {
+			return b
+		}
+	}
+	return nil
+}
+
+// memberIndex returns the index of m in b's Members, or -1 if not found.
+func memberIndex(m string, b *pb.Binding) int {
+	if b == nil {
+		return -1
+	}
+	for i, mm := range b.Members {
+		if mm == m {
+			return i
+		}
+	}
+	return -1
+}

vendor/cloud.google.com/go/iam/iam_test.go

@@ -0,0 +1,86 @@
+// Copyright 2016 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package iam
+
+import (
+	"fmt"
+	"reflect"
+	"sort"
+	"testing"
+)
+
+func TestPolicy(t *testing.T) {
+	p := &Policy{}
+
+	add := func(member string, role RoleName) {
+		p.Add(member, role)
+	}
+	remove := func(member string, role RoleName) {
+		p.Remove(member, role)
+	}
+
+	if msg, ok := checkMembers(p, Owner, nil); !ok {
+		t.Fatal(msg)
+	}
+	add("m1", Owner)
+	if msg, ok := checkMembers(p, Owner, []string{"m1"}); !ok {
+		t.Fatal(msg)
+	}
+	add("m2", Owner)
+	if msg, ok := checkMembers(p, Owner, []string{"m1", "m2"}); !ok {
+		t.Fatal(msg)
+	}
+	add("m1", Owner) // duplicate adds ignored
+	if msg, ok := checkMembers(p, Owner, []string{"m1", "m2"}); !ok {
+		t.Fatal(msg)
+	}
+	// No other roles populated yet.
+	if msg, ok := checkMembers(p, Viewer, nil); !ok {
+		t.Fatal(msg)
+	}
+	remove("m1", Owner)
+	if msg, ok := checkMembers(p, Owner, []string{"m2"}); !ok {
+		t.Fatal(msg)
+	}
+	if msg, ok := checkMembers(p, Viewer, nil); !ok {
+		t.Fatal(msg)
+	}
+	remove("m3", Owner) // OK to remove non-existent member.
+	if msg, ok := checkMembers(p, Owner, []string{"m2"}); !ok {
+		t.Fatal(msg)
+	}
+	remove("m2", Owner)
+	if msg, ok := checkMembers(p, Owner, []string{}); !ok {
+		t.Fatal(msg)
+	}
+	if got, want := p.Roles(), []RoleName{Owner}; !reflect.DeepEqual(got, want) {
+		t.Fatalf("roles: got %v, want %v", got, want)
+	}
+}
+
+func checkMembers(p *Policy, role RoleName, wantMembers []string) (string, bool) {
+	gotMembers := p.Members(role)
+	sort.Strings(gotMembers)
+	sort.Strings(wantMembers)
+	if !reflect.DeepEqual(gotMembers, wantMembers) {
+		return fmt.Sprintf("got %v, want %v", gotMembers, wantMembers), false
+	}
+	for _, m := range wantMembers {
+		if !p.HasRole(m, role) {
+			return fmt.Sprintf("member %q should have role %s but does not", m, role), false
+		}
+	}
+	return "", true
+}