feat(storagetransfer): update the API

yoshi-automation · yoshi-automation · commit bd54d5e47617 · 2025-05-21T01:37:41.000Z
#### storagetransfer:v1

The following keys were added:
- schemas.AzureBlobStorageData.properties.federatedIdentityConfig.$ref
- schemas.AzureBlobStorageData.properties.federatedIdentityConfig.description
- schemas.FederatedIdentityConfig.description
- schemas.FederatedIdentityConfig.id
- schemas.FederatedIdentityConfig.properties.clientId.description
- schemas.FederatedIdentityConfig.properties.clientId.type
- schemas.FederatedIdentityConfig.properties.tenantId.description
- schemas.FederatedIdentityConfig.properties.tenantId.type
- schemas.FederatedIdentityConfig.type
- schemas.TransferJob.properties.serviceAccount.description
- schemas.TransferJob.properties.serviceAccount.type

The following keys were changed:
- schemas.HttpData.properties.listUrl.description
- schemas.ObjectConditions.description
diff --git a/discovery/storagetransfer-v1.json b/discovery/storagetransfer-v1.json
@@ -632,7 +632,7 @@
       }
     }
   },
-  "revision": "20250426",
+  "revision": "20250510",
   "rootUrl": "https://storagetransfer.googleapis.com/",
   "schemas": {
     "AgentPool": {
@@ -764,6 +764,10 @@
           "description": "Optional. The Resource name of a secret in Secret Manager. The Azure SAS token must be stored in Secret Manager in JSON format: { \"sas_token\" : \"SAS_TOKEN\" } GoogleServiceAccount must be granted `roles/secretmanager.secretAccessor` for the resource. See [Configure access to a source: Microsoft Azure Blob Storage] (https://cloud.google.com/storage-transfer/docs/source-microsoft-azure#secret_manager) for more information. If `credentials_secret` is specified, do not specify azure_credentials. Format: `projects/{project_number}/secrets/{secret_name}`",
           "type": "string"
         },
+        "federatedIdentityConfig": {
+          "$ref": "FederatedIdentityConfig",
+          "description": "Optional. Federated identity config of a user registered Azure application. If `federated_identity_config` is specified, do not specify azure_credentials or credentials_secret."
+        },
         "path": {
           "description": "Root path to transfer objects. Must be an empty string or full path name that ends with a '/'. This field is treated as an object prefix. As such, it should generally not begin with a '/'.",
           "type": "string"
@@ -932,6 +936,21 @@
       },
       "type": "object"
     },
+    "FederatedIdentityConfig": {
+      "description": "Identities of a user registered Azure application that enables identity federation to trust tokens issued by the user's Google service account. For more information about Azure application and identity federation, see [Register an application with the Microsoft identity platform] (https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) Azure RBAC roles then need be assigned to the Azure application to authorize access to the user's Azure data source. For more information about Azure RBAC roles for blobs, see [Manage Access Rights with RBAC] (https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-azure-active-directory#manage-access-rights-with-rbac)",
+      "id": "FederatedIdentityConfig",
+      "properties": {
+        "clientId": {
+          "description": "Required. Client (application) ID of the application with federated credentials.",
+          "type": "string"
+        },
+        "tenantId": {
+          "description": "Required. Tenant (directory) ID of the application with federated credentials.",
+          "type": "string"
+        }
+      },
+      "type": "object"
+    },
     "GcsData": {
       "description": "In a GcsData resource, an object's name is the Cloud Storage object's name and its \"last modification time\" refers to the object's `updated` property of Cloud Storage objects, which changes when the content or the metadata of the object is updated.",
       "id": "GcsData",
@@ -982,7 +1001,7 @@
       "id": "HttpData",
       "properties": {
         "listUrl": {
-          "description": "Required. The URL that points to the file that stores the object list entries. This file must allow public access. Currently, only URLs with HTTP and HTTPS schemes are supported.",
+          "description": "Required. The URL that points to the file that stores the object list entries. This file must allow public access. The URL is either an HTTP/HTTPS address (e.g. `https://example.com/urllist.tsv`) or a Cloud Storage path (e.g. `gs://my-bucket/urllist.tsv`).",
           "type": "string"
         }
       },
@@ -1277,7 +1296,7 @@
       "type": "object"
     },
     "ObjectConditions": {
-      "description": "Conditions that determine which objects are transferred. Applies only to Cloud Data Sources such as S3, Azure, and Cloud Storage. The \"last modification time\" refers to the time of the last change to the object's content or metadata — specifically, this is the `updated` property of Cloud Storage objects, the `LastModified` field of S3 objects, and the `Last-Modified` header of Azure blobs. Transfers with a PosixFilesystem source or destination don't support `ObjectConditions`.",
+      "description": "Conditions that determine which objects are transferred. Applies only to Cloud Data Sources such as S3, Azure, and Cloud Storage. The \"last modification time\" refers to the time of the last change to the object's content or metadata — specifically, this is the `updated` property of Cloud Storage objects, the `LastModified` field of S3 objects, and the `Last-Modified` header of Azure blobs. For S3 objects, the `LastModified` value is the time the object begins uploading. If the object meets your \"last modification time\" criteria, but has not finished uploading, the object is not transferred. See [Transfer from Amazon S3 to Cloud Storage](https://cloud.google.com/storage-transfer/docs/create-transfers/agentless/s3#transfer_options) for more information. Transfers with a PosixFilesystem source or destination don't support `ObjectConditions`.",
       "id": "ObjectConditions",
       "properties": {
         "excludePrefixes": {
@@ -1724,6 +1743,10 @@
           "$ref": "Schedule",
           "description": "Specifies schedule for the transfer job. This is an optional field. When the field is not set, the job never executes a transfer, unless you invoke RunTransferJob or update the job to have a non-empty schedule."
         },
+        "serviceAccount": {
+          "description": "Optional. The service account to be used to access resources in the consumer project in the transfer job. We accept `email` or `uniqueId` for the service account. Service account format is projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID} See https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken#path-parameters for details. Caller requires the following IAM permission on the specified service account: `iam.serviceAccounts.actAs`. project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com requires the following IAM permission on the specified service account: `iam.serviceAccounts.getAccessToken`",
+          "type": "string"
+        },
         "status": {
           "description": "Status of the job. This value MUST be specified for `CreateTransferJobRequests`. **Note:** The effect of the new job status takes place during a subsequent job run. For example, if you change the job status from ENABLED to DISABLED, and an operation spawned by the transfer is running, the status change would not affect the current operation.",
           "enum": [
diff --git a/src/apis/storagetransfer/v1.ts b/src/apis/storagetransfer/v1.ts
@@ -240,6 +240,10 @@ export namespace storagetransfer_v1 {
      * Optional. The Resource name of a secret in Secret Manager. The Azure SAS token must be stored in Secret Manager in JSON format: { "sas_token" : "SAS_TOKEN" \} GoogleServiceAccount must be granted `roles/secretmanager.secretAccessor` for the resource. See [Configure access to a source: Microsoft Azure Blob Storage] (https://cloud.google.com/storage-transfer/docs/source-microsoft-azure#secret_manager) for more information. If `credentials_secret` is specified, do not specify azure_credentials. Format: `projects/{project_number\}/secrets/{secret_name\}`
      */
     credentialsSecret?: string | null;
+    /**
+     * Optional. Federated identity config of a user registered Azure application. If `federated_identity_config` is specified, do not specify azure_credentials or credentials_secret.
+     */
+    federatedIdentityConfig?: Schema$FederatedIdentityConfig;
     /**
      * Root path to transfer objects. Must be an empty string or full path name that ends with a '/'. This field is treated as an object prefix. As such, it should generally not begin with a '/'.
      */
@@ -339,6 +343,19 @@ export namespace storagetransfer_v1 {
      */
     name?: string | null;
   }
+  /**
+   * Identities of a user registered Azure application that enables identity federation to trust tokens issued by the user's Google service account. For more information about Azure application and identity federation, see [Register an application with the Microsoft identity platform] (https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) Azure RBAC roles then need be assigned to the Azure application to authorize access to the user's Azure data source. For more information about Azure RBAC roles for blobs, see [Manage Access Rights with RBAC] (https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-azure-active-directory#manage-access-rights-with-rbac)
+   */
+  export interface Schema$FederatedIdentityConfig {
+    /**
+     * Required. Client (application) ID of the application with federated credentials.
+     */
+    clientId?: string | null;
+    /**
+     * Required. Tenant (directory) ID of the application with federated credentials.
+     */
+    tenantId?: string | null;
+  }
   /**
    * In a GcsData resource, an object's name is the Cloud Storage object's name and its "last modification time" refers to the object's `updated` property of Cloud Storage objects, which changes when the content or the metadata of the object is updated.
    */
@@ -383,7 +400,7 @@ export namespace storagetransfer_v1 {
    */
   export interface Schema$HttpData {
     /**
-     * Required. The URL that points to the file that stores the object list entries. This file must allow public access. Currently, only URLs with HTTP and HTTPS schemes are supported.
+     * Required. The URL that points to the file that stores the object list entries. This file must allow public access. The URL is either an HTTP/HTTPS address (e.g. `https://example.com/urllist.tsv`) or a Cloud Storage path (e.g. `gs://my-bucket/urllist.tsv`).
      */
     listUrl?: string | null;
   }
@@ -502,7 +519,7 @@ export namespace storagetransfer_v1 {
     pubsubTopic?: string | null;
   }
   /**
-   * Conditions that determine which objects are transferred. Applies only to Cloud Data Sources such as S3, Azure, and Cloud Storage. The "last modification time" refers to the time of the last change to the object's content or metadata — specifically, this is the `updated` property of Cloud Storage objects, the `LastModified` field of S3 objects, and the `Last-Modified` header of Azure blobs. Transfers with a PosixFilesystem source or destination don't support `ObjectConditions`.
+   * Conditions that determine which objects are transferred. Applies only to Cloud Data Sources such as S3, Azure, and Cloud Storage. The "last modification time" refers to the time of the last change to the object's content or metadata — specifically, this is the `updated` property of Cloud Storage objects, the `LastModified` field of S3 objects, and the `Last-Modified` header of Azure blobs. For S3 objects, the `LastModified` value is the time the object begins uploading. If the object meets your "last modification time" criteria, but has not finished uploading, the object is not transferred. See [Transfer from Amazon S3 to Cloud Storage](https://cloud.google.com/storage-transfer/docs/create-transfers/agentless/s3#transfer_options) for more information. Transfers with a PosixFilesystem source or destination don't support `ObjectConditions`.
    */
   export interface Schema$ObjectConditions {
     /**
@@ -827,6 +844,10 @@ export namespace storagetransfer_v1 {
      * Specifies schedule for the transfer job. This is an optional field. When the field is not set, the job never executes a transfer, unless you invoke RunTransferJob or update the job to have a non-empty schedule.
      */
     schedule?: Schema$Schedule;
+    /**
+     * Optional. The service account to be used to access resources in the consumer project in the transfer job. We accept `email` or `uniqueId` for the service account. Service account format is projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID\} See https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken#path-parameters for details. Caller requires the following IAM permission on the specified service account: `iam.serviceAccounts.actAs`. project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com requires the following IAM permission on the specified service account: `iam.serviceAccounts.getAccessToken`
+     */
+    serviceAccount?: string | null;
     /**
      * Status of the job. This value MUST be specified for `CreateTransferJobRequests`. **Note:** The effect of the new job status takes place during a subsequent job run. For example, if you change the job status from ENABLED to DISABLED, and an operation spawned by the transfer is running, the status change would not affect the current operation.
      */
